Post by kj [SBS MVP]
How old was the system state you restored and when was the last time you
verified that replication completed between the two DC's?
Also, when you 'rebuilt' the SBS server did you join the existing domain
or create a new one?
Suggest using the SBS specific groups which I'm adding for you.
Post by Brad Pears
We have an SBS 2000 server and another win2k3 domain controller in our
environment. The two were replicating and have been for many years now.
Last week our SBS server crashed and I had to rebuild it. The last
step was to restore the system state - which restores AD among other
As soon as the machine came back up, I started testing to see if it
was actually fully functional again. Right away I noticed that I
could not access ANY shares - not even administrative shares using
the server name (\\server\share). I could only access them by
specifying the ip address of the SBS like this \\ip_address\share.
I then noticed that when I went into the active dir users and
computers app, it was now connecting automatically to the other
domain controller's AD database - NOT the one on this SBS machine -
which is supposed to be the "primary" DC. I was able to select
"Connect to a domain controller" and had to manually enter the SBS
machine name as it was not listed in the window at the bottom to
select from - just the win2k3 DC was in there... After I entered the
SBS machine name I was able to connect to its AD.
I then realized that replication was not happening between the two
machines anymore. I am seeing ID 13508 in the File Replication
Service event log. ("The file replication service is having trouble
enabling replicating from TRUE5 to TRUE3" etc... please note that
TRUE5 is the win2k3 DC and TRUE3 is the SBS machine.) As well, if I
go to Active Dir Sites and Services and try to force a replication, I
am getting "Replication Access was denied". I am also seeing IDs
1126 and 1655 in the "Directory Access" event log. 1126 is an "unable
to communicate with global catalog" error. 1655 is "an attempt to
communicate with the global catalog failed - reason ...replication
access was denied"
Where should I start to troubleshoot AD replication errors?? I really
believe the root of the issue is somehow related specifically to
screwed up permissions on the SBS machine that for some reason got
screwed up during the recovery process.
I have never really had to worry about any AD issues before - just set
it up and it works fine... so I am a complete newbie to this.
This issue is leading to many other issues - for example I am unable
to setup new users with exchange mailboxes and have them access them
etc... Exchange doesn't even see my SBS machine as a domain
controller - it only shows the other win2K3 dc!
PS.. I recreated the SYSVOL and NETLOGON shares that were missing -
not sure if I should have or not...
How old is the backup that was used to restore the DC?
Did you use a backup, or an image restoration?
This sounds like an NTFRS Journal Wrap issue. See if the following will
Using the BurFlags registry key to reinitialize File Replication Service
Here are my notes on Journal Wraps from past troubleshooting steps ... I
hope you find them helpful.
Journal Wrap - What does it mean?
Troubleshooting journal_wrap errors on Sysvol and DFS replica sets
In a generalized summary, a Journal Wrap indicates it's trying to replicate
to another DC and the DC with the error's FRS service may have been shut off
for some reason. The Wrap error is based on the USN log or known as the USN
Journal. Everything and anything that gets replicated has a USN, or Update
Serial Number. Each DC has its own, and other DCs keep track of them so
they know whether they have the other DCs' latest changes and are up to date
on their own end. So generally, the USN Journal keeps track of changes made
to any NTFR drive, whether for DFS, DC replication of SYSVOL, etc. If
changes are made while the FRS service is shut down, it may get to a point
where the last time something was changed, and when the FRS service is
started, the last USN it's aware of no longer exists (because that much time
has passed by).
For your convenience, the steps are:
1. Expand "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters"
2. Change value for "Enable Journal Wrap Automatic Restore" from 0 to 1. If
the DWORD Value does not exist, create a new one with the exact spelling as
above, including spaces but without the quotes.
3. Stop the NTFRS Service (open a command prompt and type "net stop ntfrs")
4. Start the NTFRS Service (net start ntfrs)
5. Monitor the File Replication Service Event Logs for events:
13553 The DC is performing the recovery process
13554 The DC is ready to pull the replica from another DC.
13516 - At this point go to step 6. (the problem is resolved if you
receive this event)
6. Using a command prompt type: "net share" and look for the Netlogon and
Sysvol Shares to appear. The Journal Wrap error is only fixed after the
Domain Controller receives the new SYSVOL replica from a peer Domain
Controller. This may take a period of time depending on where your peer DC
is located and on bandwidth.
7. Change value for "Enable Journal Wrap Automatic Restore" from 1 to 0.
Now if it continues after these steps, then you would need to run an
Authoritative Restore, that is if you have a recent backup. Do you have a
backup? If not, and nothing else is running on it, and you have other DCs, I
would force demote it, then re-promote it back into a DC. If this is SBS,
this part won't work, and you need to fix it, period.
Using the BurFlags registry key to reinitialize File Replication
How to rebuild the SYSVOL tree and its content in a domain.
If you set Burflags to D4 on a single domain controller and set Burflags to
D2 on all other domain controllers in that domain, you can rebuild the
SYSVOL ... I've also seen folks copy over the Sysvol folder, then set the
Burflag options as mentioned, it worked.
How to Troubleshoot the File Replication Service
Check FRS event logs on both computers.
If Event ID 13508 is present, there may be a problem with the RPC service on
Troubleshooting journal_wrap errors on Sysvol and DFS replica sets
How to disable the requirement that a global catalog server be available to
validate user logons
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
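
An added example, not part of the thread: a Python sketch that reads an exported File Replication Service event list and reports how far the step 5 sequence (13553, 13554, 13516) has progressed, so that "Enable Journal Wrap Automatic Restore" is only set back to 0 once 13516 follows the restart. The CSV layout, the sample events and the function names are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample export: timestamp,source,event_id (not taken from the thread).
SAMPLE = """
2009-03-01 08:00:00,NtFrs,13516
2009-03-02 09:58:40,NtFrs,13508
2009-03-02 10:01:12,NtFrs,13553
2009-03-02 10:01:15,NtFrs,13554
2009-03-02 10:03:00,Service Control Manager,7036
2009-03-02 10:20:31,NtFrs,13508
"""

def parse_events(text):
    """Parse 'timestamp,source,event_id' lines, keeping NtFrs events in time order."""
    events = []
    for line in text.strip().splitlines():
        stamp, source, event_id = (field.strip() for field in line.split(","))
        if source.lower() == "ntfrs":
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            events.append((when, int(event_id)))
    return sorted(events)

def recovery_state(events):
    """Return (state, warnings) for the most recent recovery attempt.

    A 13516 logged before any 13553 belongs to an earlier, healthy period and
    is ignored, so a stale event cannot be mistaken for a finished recovery.
    """
    state, warnings = "not-started", []
    for stamp, event_id in events:
        if event_id == 13553:                 # DC is performing the recovery process
            state, warnings = "recovering", []
        elif event_id == 13554 and state == "recovering":
            state = "awaiting-replica"        # ready to pull the replica from a peer
        elif event_id == 13516 and state in ("recovering", "awaiting-replica"):
            state = "resolved"                # go on to step 6 (net share)
        elif event_id == 13508 and state != "not-started":
            # The replica has to come from the peer DC, so this matters here.
            warnings.append(f"{stamp}: 13508 logged during or after recovery")
    return state, warnings

if __name__ == "__main__":
    state, warnings = recovery_state(parse_events(SAMPLE))
    print("state:", state)
    for warning in warnings:
        print("warning:", warning)
    print("safe to set the value back to 0:", state == "resolved")
```

With the sample above the state stays at awaiting-replica with one 13508 warning, which corresponds to the situation in the thread where the peer DC cannot be reached to supply the SYSVOL replica.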