Miscellaneous fixes to my lab Windows Server 2012

I want to join a new Windows Server 2012 R2 server (call it C) to my existing lab domain as an additional domain controller.  The domain currently contains only one DC (Windows Server 2012), call it server B.  After the new domain controller joined, Group Policy did not replicate to it: the SYSVOL and NETLOGON shares were never created.

Root cause:
There was a previous domain controller (Windows Server 2008, call it A) that was not removed from the domain properly.  As a result, DFSR on B has been stuck in an error state ever since.  Below are the errors found and their resolutions:
    1. Create the folders below if they are not present:
      1. c:\windows\system32\SYSVOL\sysvol\domain.name\Policies
      2. c:\windows\system32\SYSVOL\sysvol\domain.name\scripts
    2. Copy the policy files manually from the old DC:
      1. C:\Windows\SYSVOL\domain\Policies>robocopy \\Old_dc\sysvol\homenet.com\policies . *.* /s /sec
    3. Follow MS KB947022 to make the NETLOGON service recreate the SYSVOL and NETLOGON shares.
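The three steps above, scripted as an added example (this is not code from the original post): it creates the per-domain folders if they are missing, copies the policies from the old DC with their NTFS ACLs, flips the SysvolReady registry value from 0 to 1 as KB947022 describes so NETLOGON publishes the shares, and then verifies that both shares exist. The domain name, old DC name and SYSVOL root are placeholders; the SYSVOL root assumes the default location rather than the system32 path used above.

```powershell
# Added example (not from the original post): recreate the SYSVOL folder layout on the
# new DC, copy the policies from the old DC, then trigger share creation per KB947022.
# Run as a domain administrator in an elevated PowerShell on the new DC.
$DomainName = 'homenet.com'                # placeholder: your AD DNS name
$OldDc      = 'Old_dc'                     # placeholder: the DC that still has a good SYSVOL
$SysvolRoot = 'C:\Windows\SYSVOL\sysvol'   # assumption: default SYSVOL location

# 1. Make sure the per-domain Policies and scripts folders exist.
foreach ($sub in 'Policies', 'scripts') {
    $path = Join-Path $SysvolRoot "$DomainName\$sub"
    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
        Write-Host "Created $path"
    }
}

# 2. Copy the Group Policy templates with subfolders (/s) and their NTFS ACLs (/sec).
$src = "\\$OldDc\SYSVOL\$DomainName\Policies"
$dst = Join-Path $SysvolRoot "$DomainName\Policies"
& robocopy.exe $src $dst *.* /s /sec /r:1 /w:1
# robocopy exit codes below 8 mean success (0 = nothing to copy, 1 = files copied).
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 3. KB947022: only once the SYSVOL content is in place, reset SysvolReady to 0 and
#    then 1 so the NETLOGON service re-creates the SYSVOL and NETLOGON shares.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $netlogon -Name SysvolReady -Value 0 -Type DWord
Set-ItemProperty -Path $netlogon -Name SysvolReady -Value 1 -Type DWord

# 4. Verify: both shares should now be listed.
$shares = @(Get-SmbShare | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' })
if ($shares.Count -eq 2) {
    $shares | Format-Table Name, Path -AutoSize
} else {
    Write-Warning 'SYSVOL/NETLOGON still missing - check the Netlogon and DFS Replication event logs'
}
```

If the shares still do not appear, the DFS Replication log on this DC is the next place to look, because NETLOGON will not publish SYSVOL until DFSR reports the folder as ready.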
  2. DCx is not advertising as a time server
    1. When I ran dcdiag /q or dcdiag /test:advertising, I found my server was not advertised as a time server.
    2. Run the commands below:
      1. On the PDC run: w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
      2. On each additional DC, run: w32tm /config /syncfromflags:domhier /update
      3. net stop w32time
         net start w32time
      4. w32tm /config /update
      5. w32tm /resync
      6. dcdiag /q /s:yourDCname
         This time the time-server advertising error should be gone.
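The same sequence as one script, added here as an example rather than taken from the original post: it looks up the PDC emulator, applies the external-source configuration on the PDC and the domain-hierarchy configuration everywhere else, restarts the service, and then checks the time source before re-running the advertising test. It assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) is installed on the DC and that pool.ntp.org is reachable from the PDC.

```powershell
# Added example (not from the original post): apply the w32tm configuration from the
# steps above according to the role this DC holds, then verify the result.
# Assumption: ActiveDirectory module available; run in an elevated PowerShell on the DC.
Import-Module ActiveDirectory

$pdc  = (Get-ADDomain).PDCEmulator                                   # FQDN of the PDC emulator
$self = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # this DC's FQDN

if ($self -ieq $pdc) {
    # The PDC emulator is the domain's time source: sync from an external NTP pool
    # and flag itself as reliable so the other DCs accept it.
    w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy, which ends at the PDC emulator.
    w32tm /config /syncfromflags:domhier /update
}

Restart-Service w32time      # equivalent of net stop / net start w32time
w32tm /config /update
w32tm /resync

# A DC still using its local clock will not advertise as a time server.
$source = (w32tm /query /source) -join ''
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "Time source is still '$source' - this DC will not advertise as a time server"
} else {
    Write-Host "Time source: $source"
}

# Re-run only the advertising test against this DC.
dcdiag /test:advertising /s:$env:COMPUTERNAME
```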
  3. Event 10149 - Windows Remote Management (WinRM) failed to create SPN
    1. Grant NETWORK SERVICE the "Validated write to service principal name" permission in ADSI Edit.
    2. Detailed steps: see http://www.projectleadership.net/blogs_details.php?id=3154
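The ADSI Edit change above, done from PowerShell as an added example (not code from the original post or the referenced article): it checks whether NETWORK SERVICE already holds the validated write to servicePrincipalName on this DC's computer object, grants it if not, restarts WinRM so it retries SPN registration, and lists the resulting WSMAN SPNs. The GUID is the Validated-SPN validated-write right from the AD schema; the script assumes the ActiveDirectory module and an elevated Domain Admin session.

```powershell
# Added example (not from the original post): grant NETWORK SERVICE the
# "Validated write to service principal name" right on this DC's computer object.
# Assumptions: ActiveDirectory module available; run elevated as a Domain Admin.
Import-Module ActiveDirectory

$validatedSpn = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # Validated-SPN right GUID (AD schema)
$netSvcSid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'  # NT AUTHORITY\NETWORK SERVICE
$dn           = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$acl          = Get-Acl -Path "AD:\$dn"

# "Validated write" is the Self right scoped to the validated-write object GUID.
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $validatedSpn -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Self) -ne 0) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $netSvcSid
}

if ($existing) {
    Write-Host "NETWORK SERVICE already has validated write to SPN on $dn"
} else {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $netSvcSid,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $validatedSpn)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    Write-Host "Granted validated write to SPN for NETWORK SERVICE on $dn"
}

# WinRM registers its SPNs at start-up; restart it and confirm the WSMAN SPNs exist.
Restart-Service WinRM
Get-ADComputer -Identity $env:COMPUTERNAME -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName |
    Where-Object { $_ -like 'WSMAN/*' }
```

A validated write is deliberately narrower than "Write servicePrincipalName": the directory only accepts SPNs whose host part matches the computer's own name, so the service account cannot register SPNs for other hosts.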
  4. New domain controller DC joined the domain, but SYSVOL and NETLOGON shares were not created
    1. Used DCDIAG to diagnose; it reported a lot of issues.
    2. Root cause: the original DC has a DFSR problem:
      1. Event ID: 4012 - The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for x days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60).
    3. Root Cause
      1. By following KB2958414, I found that since I lost my previous DC without properly removing it from the domain, file replication between my old DC and my current DC broke, resulting in the 4012 event.  Thus it will not sync SYSVOL with my new DC.
    4. Fix:
      1. Install the DFSR Management Tools (instructions) to check the replication status of "Domain System Volume".  You must install them to get the command-line tool dfsrdiag.
      2. Refer to KB2218556:
        1. On the original DC, perform an authoritative synchronization.
        2. On the new DC (which has no SYSVOL), perform a non-authoritative synchronization.
      3. If everything succeeded:
        1. On the original DC (authoritative), you should see event ID 4602.
        2. On the new DC (non-authoritative), you should see event ID 4604.
        3. Use net share on the new DC to check that the SYSVOL share has been recreated automatically.
      4. Check for obsolete server or invalid entries, which can be deleted via ADSI Edit, under:
        CN=,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=mydomain,DC=com
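The verification steps in the fix above (DFSR state, the 4602/4604 events, the SYSVOL share, and stale topology entries) collected into one script, added here as an example and not taken from the original post. It reports only and deletes nothing: a topology member whose msDFSR-ComputerReference no longer points at a current domain controller is flagged so it can be removed deliberately in ADSI Edit. It assumes an elevated session on a DC with the ActiveDirectory module and the DFSR WMI provider (installed with the DFSR role).

```powershell
# Added example (not from the original post): SYSVOL DFSR health checks after an
# authoritative/non-authoritative sync. Read-only; nothing is modified or deleted.
# Assumptions: ActiveDirectory module and DFSR WMI provider present; run elevated on a DC.
Import-Module ActiveDirectory

# DFSR exposes replicated-folder state through WMI (4 = Normal, 5 = In Error).
$stateNames = @{0='Uninitialized';1='Initialized';2='Initial Sync';3='Auto Recovery';4='Normal';5='In Error'}
Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderInfo |
    Where-Object { $_.ReplicatedFolderName -eq 'SYSVOL Share' } |
    ForEach-Object { "SYSVOL DFSR state: $($stateNames[[int]$_.State])" }

# 4602 (authoritative) and 4604 (non-authoritative) mark a completed initial sync;
# 4012 means the MaxOfflineTimeInDays window (60 days) was exceeded.
Get-WinEvent -FilterHashtable @{LogName='DFS Replication'; Id=4012,4602,4604} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ $_.Message.Split("`n")[0] }} |
    Format-Table -AutoSize

# The SYSVOL share should reappear on the new DC once the sync completes (same check as net share).
if (Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue) { 'SYSVOL share present' } else { Write-Warning 'SYSVOL share missing' }

# Each DC has an msDFSR-Member object under the Domain System Volume topology whose
# msDFSR-ComputerReference points at its computer account. A member whose reference is
# not a current DC (such as the improperly removed 2008 DC) is a stale entry.
$domainDn = (Get-ADDomain).DistinguishedName
$topology = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn"
$liveDcs  = @((Get-ADDomainController -Filter *).ComputerObjectDN)
Get-ADObject -SearchBase $topology -SearchScope OneLevel -Filter 'objectClass -eq "msDFSR-Member"' -Properties 'msDFSR-ComputerReference' |
    ForEach-Object {
        $ref    = $_.'msDFSR-ComputerReference'
        $status = if ($liveDcs -contains $ref) { 'OK' } else { 'STALE - candidate for removal in ADSI Edit' }
        '{0}  ->  {1}  [{2}]' -f $_.DistinguishedName, $ref, $status
    }
```

Run it on both DCs: the original should show the 4602 event and state Normal, the new one the 4604 event, the SYSVOL share, and no STALE topology members.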