Active Directory replication not working?



I did a new deployment of Server 2012 with a high availability TMG Deployment. I created a DC

[CODE]
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.0.0.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.6
DNS Servers . . . . . . . . . . . : 10.0.0.3
                                    10.0.0.2
[/CODE]

and then another

[CODE]
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.0.0.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.6
DNS Servers . . . . . . . . . . . : 10.0.0.2
                                    10.0.0.3
                                    127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
[/CODE]

I used Server Manager to join 10.0.0.3 to the domain and replication appeared to work (I saw it replicating some OUs and GPOs I made).

Afterwards I continued with my deployment of Central Store, TMG, KMS and WSUS and making Group Policy objects (nothing special so far, just policies for File Explorer and the taskbar). I did however disable the Media Player, Play To and HomeGroup firewall rules.

I then started to experience issues with gpupdate:

The processing of Group Policy failed. Windows attempted to read the file \\ \SysVol\ \Policies\{ }\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

With the new GPOs I browse \\Dc2.mydomain.com\SYSVOL\mydomain.com and discover that the scripts folder is empty and that the Policies folder only contains the default domain controller policy.

None of the GPOs that were replicated by Server Manager are there.

After manually copying the GPOs to DC2 from DC1 I can access the event log. Looking through the logs, the errors I see since deployment are (oldest first):

The server { } did not register with DCOM within the required timeout.

The processing of Group Policy failed. Windows could not locate the directory object OU=Domain Controllers,OU=mynetbiosnameServers,OU=mynetbiosname Computers,DC=mynetbiosname,DC=us. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

and then "The processing of Group Policy failed. Windows attempted to read the file ..." starts again every 15 minutes, multiple times.

Moving to the eventlog for dfs replication I see

The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:

Error: 1355 (The specified domain either does not exist or could not be contacted.)

The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Additional Information:

Error: 160 (One or more arguments are not correct.)

Can anyone suggest what might be the issue ?
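The event text above lists three candidate causes (name resolution, FRS/DFSR latency, DFS client) and the DFSR log adds error 1355 (domain could not be contacted). The following read-only check, added here as an example and not part of the thread, looks at each of those from a DC before anything is changed: DC DNS client settings (including the 127.0.0.1 entry visible in the second ipconfig dump), the DC locator SRV record as served by each DC, the GPO folders each DC actually serves from SYSVOL, and recent DFS Replication errors. It assumes the poster's addresses 10.0.0.2/10.0.0.3 and the domain name mydomain.us (the thread uses both mydomain.com and mydomain.us); both are parameters.

```powershell
# Added example (not the poster's script). Run on a DC as an administrator.
param(
    [string]$Domain = 'mydomain.us',
    [string[]]$DomainControllers = @('10.0.0.2', '10.0.0.3')
)

$findings = @()

# 1. DNS client settings on this DC: no loopback entry, primary must be a DC.
$dnsCfg = Get-DnsClientServerAddress -AddressFamily IPv4 |
          Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($iface in $dnsCfg) {
    if ($iface.ServerAddresses -contains '127.0.0.1') {
        $findings += "Interface '$($iface.InterfaceAlias)' lists 127.0.0.1 as a DNS server"
    }
    if ($iface.ServerAddresses[0] -notin $DomainControllers) {
        $findings += "Interface '$($iface.InterfaceAlias)' primary DNS $($iface.ServerAddresses[0]) is not a known DC"
    }
}

# 2. DC locator record, queried against each DC's own DNS service. If this
#    fails, clients (and DFSR) cannot find a DC, which matches error 1355.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
foreach ($dc in $DomainControllers) {
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $dc -ErrorAction Stop
        $targets = ($srv | Where-Object { $_.QueryType -eq 'SRV' } |
                    ForEach-Object { $_.NameTarget }) -join ', '
        Write-Host "[$dc] $srvName -> $targets"
    } catch {
        $findings += "DC locator SRV lookup against $dc failed: $($_.Exception.Message)"
    }
}

# 3. SYSVOL content: compare the GPO GUID folders that each DC serves.
$policyFolders = @{}
foreach ($dc in $DomainControllers) {
    $path = "\\$dc\SYSVOL\$Domain\Policies"
    try {
        $policyFolders[$dc] = @(Get-ChildItem -Path $path -Directory -ErrorAction Stop).Name
    } catch {
        $findings += "Cannot read $path : $($_.Exception.Message)"
    }
}
if ($policyFolders.Count -eq 2) {
    $a, $b = $DomainControllers
    foreach ($m in (Compare-Object $policyFolders[$a] $policyFolders[$b])) {
        $where = if ($m.SideIndicator -eq '<=') { "only on $a" } else { "only on $b" }
        $findings += "GPO folder $($m.InputObject) is $where"
    }
}

# 4. Recent errors from the DFS Replication log the poster quotes.
$dfsrErrors = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Level = 2 } `
              -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $dfsrErrors) {
    $findings += "DFSR event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it on each DC in turn; a SYSVOL difference with clean SRV lookups points at DFSR itself, while a failed SRV lookup or a loopback/foreign primary resolver points at the DNS client layout, which is where the thread ends up.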

I would double check if all is good on the DNS side of things, what's your domain called?

I would get rid of 127.0.0.1 and would point your SDC's 1st DNS to 10.0.0.2

What kind of router are you using?

OK, so I changed the DNS with netsh as requested.

[CODE]
C:\Users\Raymond>winrs -r:DC1.mydomain.us ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC1
Primary Dns Suffix . . . . . . . : mydomain.us
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mydomain.us
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-00-01-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.0.0.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.6
DNS Servers . . . . . . . . . . . : 10.0.0.3
10.0.0.2
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Users\Raymond>winrs -r:DC2.mydomain.us ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC2
Primary Dns Suffix . . . . . . . : mydomain.us
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mydomain.us
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.0.0.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.6
DNS Servers . . . . . . . . . . . : 10.0.0.2
10.0.0.3
C:\Users\Raymond>
[/CODE]

The router at the moment is just a bog-standard Netopia one with practically everything disabled (no RPC filtering), but I will be reverting back to the Cisco one after this deployment.

After rebooting first DC2 then DC1 everything seems fine; however, after I make a new GPO I discover a new

The processing of Group Policy failed. Windows attempted to read the file {gpo path} and it hasn't been replicated to dc2 :wacko:

In the event log for DFS I see

The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.

which is strange because it was a clean reboot in Hyper-V. I run ResumeReplication and get the following event log entry:

The DFS Replication service successfully recovered from an unexpected shutdown on volume C:.This can occur if the service terminated abnormally (due to a power loss, for example) or an error occurred on the volume. No user action is required.

but the new GPO still hasn't been replicated. So I copy it manually and make a new GPO.... And I'm back at square one: DFS replication isn't working?
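The two DFSR events quoted above are the "stopped replication after an unclean JET database shutdown" and "successfully recovered" messages (event IDs 2213 and 2214 in the DFS Replication log), and the resume is done through the ResumeReplication WMI method on DfsrVolumeConfig in the root\MicrosoftDFS namespace. The script below is an added example, not the poster's own commands: it shows whether DFSR auto recovery is disabled on this DC, lists those two events, prints each replicated volume's state, and only resumes replication when explicitly asked. The treatment of DfsrVolumeInfo State 0 as the healthy value is this example's assumption; check the value against the event log before relying on it.

```powershell
# Added example (not from the thread). Run as an administrator on the DC that
# logged the DFSR event. Without -Resume the script only reports.
param([switch]$Resume)

$ns = 'root\MicrosoftDFS'

# StopReplicationOnAutoRecovery: unset or 1 means DFSR stays stopped after a
# dirty JET shutdown until an administrator resumes it (the behaviour the
# event text describes); 0 lets it recover automatically.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters'
$stop = (Get-ItemProperty -Path $regPath -Name StopReplicationOnAutoRecovery `
         -ErrorAction SilentlyContinue).StopReplicationOnAutoRecovery
"StopReplicationOnAutoRecovery = $stop (unset or 1 = manual resume required)"

# The two messages quoted in the thread: 2213 (stopped) and 2214 (recovered).
Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2213, 2214 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object { "{0} event {1}: {2}" -f $_.TimeCreated, $_.Id, $_.Message.Split("`n")[0] }

# Per-volume state. Assumption for this example: State 0 (Initialized) is
# healthy and any other value needs attention.
$volumes = Get-WmiObject -Namespace $ns -Class DfsrVolumeInfo
foreach ($v in $volumes) {
    "Volume $($v.VolumePath) ($($v.VolumeGuid)) State=$($v.State)"
    if ($Resume -and $v.State -ne 0) {
        # ResumeReplication lives on DfsrVolumeConfig, matched by volume GUID.
        $cfg = Get-WmiObject -Namespace $ns -Class DfsrVolumeConfig `
               -Filter "VolumeGuid='$($v.VolumeGuid)'"
        $r = $cfg.ResumeReplication()
        "  ResumeReplication returned $($r.ReturnValue) (0 = success)"
    }
}
```

After a resume, expect event 2214 and then the missing GPO folder appearing on the partner's SYSVOL. If a DC keeps landing in this state after clean reboots and GPOs still do not replicate, the earlier "failed to contact domain controller" errors (1355) are the more likely root cause, which is how this thread is eventually resolved.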

No, the servers are Server 2012, which TMG won't install on. They're different VMs.

I disabled IPv6 on the DCs' NICs, as it's an IPv4-only network, and on all the other servers.

server ip 10.0.0.2
primary dns 10.0.0.2
secondary dns 10.0.0.3

server ip 10.0.0.3
primary dns 10.0.0.3
secondary dns 10.0.0.2

Switch it to this.... have it look to itself for DNS resolution. I have never had an issue with it being itself, but I have had replication issues with the primary pointing to a different server. Let Active Directory do its thing to replicate DNS across to the other servers. Don't try to use a possibly outdated DNS server to manage DNS (outdated could be as little as 10 seconds). Let it reside on itself and talk to itself and replicate to the other servers as needed. Replication by default can happen up to 15 minutes later, but most of the time we see instantaneous replication in small environments. You are better off splitting the FSMO roles than you are trying to force DNS lookup on another server.... if that other server were to go down, your DNS would fail anyway.

Also, after you have fixed your DNS primaries and secondaries, run this command.

repadmin /syncall /AePdq

This will force a replication. Post any event log entries that occur if there are any failures.
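The reply above gives a layout (each DC's primary resolver is its own address, the partner DC is secondary, nothing else) and a forced replication afterwards. The script below is an added example, not the replier's own commands, that applies that layout on one DC with the DnsClient cmdlets available on Server 2012, verifies it, forces the replication with repadmin /syncall using the flags from the reply (/A all partitions, /e enterprise-wide, /P push, /d identify servers by DN, /q quiet), and then reads repadmin /replsummary for any partner with a non-zero failure count. It assumes the thread's addresses and the adapter alias "Ethernet"; on Server Core the netsh lines the poster records at the end of the thread do the same DNS change.

```powershell
# Added example (not from the thread). Run as an administrator on each DC,
# with $Self and $Partner swapped on the second one.
param(
    [string]$Self    = '10.0.0.2',
    [string]$Partner = '10.0.0.3',
    [string]$Alias   = 'Ethernet'
)

# 1. Primary = own address, secondary = the other DC, no 127.0.0.1 entry.
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses @($Self, $Partner)
$applied = (Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4).ServerAddresses
if (($applied -join ',') -ne "$Self,$Partner") {
    throw "DNS client order on '$Alias' is '$($applied -join ',')', expected '$Self,$Partner'"
}
"DNS on '$Alias': $($applied -join ' -> ')"

# 2. Make sure the DC locator record resolves through the new resolver order
#    before forcing replication; a failure here stops the script.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$null = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop

# 3. Push every partition to every partner. /q suppresses the per-partition
#    chatter, so only errors (and a non-zero exit code) come back.
$sync = & repadmin.exe /syncall /AePdq 2>&1
if ($LASTEXITCODE -ne 0) {
    "repadmin /syncall exited with $LASTEXITCODE"
    $sync
}

# 4. /replsummary prints one line per partner with "fails/total"; report any
#    partner whose failure count is above zero.
$summary = & repadmin.exe /replsummary 2>&1
foreach ($line in $summary) {
    if ($line -match '(\d+)\s*/\s*(\d+)\s+\d+' -and [int]$matches[1] -gt 0) {
        "Replication failures reported: $line"
    }
}
$summary
```

If step 4 reports failures, the matching entries in the Directory Service and DFS Replication logs are what the reply asks to be posted.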


Looks good, thanks for the help. I made a new GPO and it replicated to DC2 OK, with no gpupdate or event log errors.

Note to self: I used

netsh interface ip set dns "Ethernet" static 10.0.0.x

netsh interface ip add dns "Ethernet" 10.0.0.x index=2

to set the DNS in Server Core.
