This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] GPO Replication Problems

ChrisClemson
09/28/2007 10:07 AM
Hi everyone,
I have been trying to track down the source of a load of NTFRS 13562
errors in the event log on one of our DCs.
This has been happening since April :( and it seems to only have copied
200 out of around 400 GPOs into the Policies directory.
I've checked all I can think of (and seen on various web pages):

Disk Space - it has 11gb free on each of its 2 partitions!
DNS - normal and reverse lookups work on the DC itself, it can resolve our main DC and our main DC can resolve it
RPC - rpcping doesn't complain when I run it from this problem dc to our main DC
Restarted NTFRS
NETBIOS - I can browse our main DCs shares from the problem dc

Even though this hasn't been working for months, general AD replications
are working, as I can log in with my account, and this was only created
a few weeks ago (on a different DC).

netdiag reports quite a lot of "[WARNING] Failed to query SPN
registration on DC 'xxxx'" messages for various DCs, although our main
DCs aren't listed.

The only errors in dcdiag are:
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.

which is to be expected for this problem, and

Starting test: VerifyReferences
Some objects relating to the DC [problemdc] have problems:
[1] Problem: Missing Expected Value
Base Object:
CN=NTDS Settings,CN=[problemdc],CN=Servers,CN=[problemdclocalsite],CN=Sites,CN=Configuration,DC=Corp,DC=Local
Base Object Description: "DSA Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

In this article it mentions running ADSIEdit, which sounds a bit scary,
and I couldn't find anything missing in this area when comparing it
against other DCs that do replicate properly.

Running ntfrsutl creates a large amount of info (due to the number of DCs
we have) and I'm not really sure what to look for. There are a lot of
"WhenChanged" dates of both this month, and also back in March/April,
but I'm not sure if this is significant.

Disturbingly, running "ntfrsutl sets" results in an empty list:

ACTIVE REPLICA SETS

DELETED REPLICA SETS

Unfortunately, even though the event log goes back to 16th March for the
NTFRS log, there's nothing useful logged before the start of the daily
13562 events except the usual 13501 and 13565 events.

Do you clever chaps know what else I should be checking?
Thank you!

chris
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

amulnick
09/28/2007 1:41 AM
Understood. But before you take this one too far consider getting them involved. If needed or otherwise possible, you may just want to demote it and bring up a new one. I hesitate to go that route, but it's not like you're going to miss it or anything.

On 9/28/07, Clemson, Chris (IHG) wrote:
> > > netdiag reports quite a lot of "[WARNING] Failed to query SPN registration on DC 'xxxx'" messages for various DCs, although our main DCs aren't listed.
> > ? Can you restate that in a different way? Your main DC's don't have SPN's? Or ?
>
> No, I mean there were no warning messages listing the main DCs, so I'm guessing there isn't a problem with them.
>
> > If you're not comfortable with ADSIEDIT, you may want to consider an assist from product support at Microsoft. It may save you a lot of time and effort and help you to find the root cause so it won't happen to you again.
>
> True, although I've already got 2 open calls with them already (for different problems), so would like to resolve those first before I create any new ones!
>
> One thing I missed on my list was that I've checked the permissions on the profile directory under sysvol, and they look the same on both this problem DC and other DCs that are replicating properly.
> thanks,
>
> chris

amulnick
09/28/2007 11:34 AM
> netdiag reports quite a lot of "[WARNING] Failed to query SPN registration on DC 'xxxx'" messages for various DCs, although our main DCs aren't listed.

? Can you restate that in a different way? Your main DC's don't have SPN's? Or ?

If you're not comfortable with ADSIEDIT, you may want to consider an assist from product support at Microsoft. It may save you a lot of time and effort and help you to find the root cause so it won't happen to you again.

ChrisClemson
09/28/2007 11:46 AM
> > netdiag reports quite a lot of "[WARNING] Failed to query SPN registration on DC 'xxxx'" messages for various DCs, although our main DCs aren't listed.
> ? Can you restate that in a different way? Your main DC's don't have SPN's? Or ?

No, I mean there were no warning messages listing the main DCs, so I'm guessing there isn't a problem with them.

> If you're not comfortable with ADSIEDIT, you may want to consider an assist from product support at Microsoft. It may save you a lot of time and effort and help you to find the root cause so it won't happen to you again.

True, although I've already got 2 open calls with them already (for different problems), so would like to resolve those first before I create any new ones!

One thing I missed on my list was that I've checked the permissions on the profile directory under sysvol, and they look the same on both this problem DC and other DCs that are replicating properly.
thanks,

chris

m weerasinghe
09/29/2007 6:52 AM
Chris

It would help a lot if you had provided OS and Service Pack level details.
Please reply to group with these details.

I am sure you know this already but FRS uses AD to store a lot of
configuration information. The Q312862 article is merely providing details
for fixing FRS related attributes on objects that are missing them. If you
want to know how FRS uses these values, please read "How FRS Works"
http://technet2.microsoft.com/windowsserver/en/library/7636aede-a944-4765-8973-40dc1e1f2d561033.mspx

I recommend running something like sonar first to get the status of FRS
across the domain. Sonar is available here
http://www.microsoft.com/downloads/details.aspx?familyid=158CB0FB-FE09-477C-8148-25AE02CF15D8&displaylang=en . For a long term FRS monitoring solution,
please consider deploying Ultrasound.
http://www.microsoft.com/downloads/details.aspx?FamilyID=61acb9b9-c354-4f98-a823-24cc0da73b50&DisplayLang=en

For starters to check AD replication is working, please use "repadmin
/replsum /bysrc /bydest /sort:delta" to view the replication status.
Repadmin is a tool in the support tools package.

Rather than use ntfrsutl directly, I recommend using FRSDiag
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=43CB658E-8553-4DE7-811A-562563EB5EBF at the start. This uses ntfrsutl and then
summarises the info found in them. This is similar to the perl scripts
provided with the support tools. (connstat.cmd topchk.cmd and so forth)

SPN registration query failures of netdiag may be due to DCs being down, for
example. Are the DCs reported in the netdiag report up and running?

"Ntfrsutl sets" command is supposed to report the FRS replica set it belongs
to and the partners it replicates with. I *think* (i.e. I need to verify this) it
will not report anything in the command if it is not doing any FRS
replication at all.

ADSIEDIT is the LDAP tool that is the most user friendly in these scenarios
for viewing/editing attributes. While any tool can be used dangerously, if
you know what you are doing there is no reason to be scared. To get the
issue resolved quickly, I recommend getting Microsoft PSS involved. But you
can fix it yourself if you want and learn a lot in the process of doing so
;-)

Cheers

M@


ChrisClemson
10/01/2007 5:22 AM
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matheesha
> It would help a lot if you had provided OS and Service Pack level details.
> Please reply to group with these details.

Yes, that's a good point! Apologies.
It is Windows 2003 Std SP1

> SPN registration query failures of netdiag may be due to DCs being down, for
> example. Are the DCs reported in the netdiag report up and running?

Yes, all but a couple of them, which have tombstone errors (which we
know about and someone else is supposed to be fixing!).

> "Ntfrsutl sets" command is supposed to report the FRS replica set it belongs
> to and the partners it replicates with. I *think* (i.e. I need to verify this) it
> will not report anything in the command if it is not doing any FRS
> replication at all.

Ah ok.

> issue resolved quickly, I recommend getting Microsoft PSS involved. But you
> can fix it yourself if you want and learn a lot in the process of doing so
> ;-)

Yes. It would be nice to try and fix it myself, as you say, I will learn
a lot this way, but in the end I might have to contact Microsoft.
Thank you for the links, I will download the tools and check them out.
I'll also read the How FRS Works article, as I've only used it with
small domains before and never had any problems with it.

I have appreciated your (and others') replies on this.

Chris

amulnick
10/01/2007 9:27 AM
Tombstone errors? Can you elaborate?

ChrisClemson
10/01/2007 10:59 AM
> Tombstone errors? Can you elaborate?

It's just a machine that someone turned off and hasn't removed from the domain.
(it's in a different domain so they are supposed to be sorting it out)
All DCs show this, and there's enough other DCs around that they should be getting their updates off them instead.
Basically, I'm not concerned about this at the moment.
Thanks,

Chris

ChrisClemson
10/08/2007 4:50 AM
After logging the call with MS, we used ADSIEdit to recreate the
ServerReference entry (which was empty), similar to what the following
KB article says:

http://support.microsoft.com/kb/312862/en-us

After restarting the NTFRS service, the old partly-replicated SYSVOL
directory was renamed to NtFrs_PreExisting___See_EventLog, and
replication started from scratch.
It took around 10-20 minutes before I started seeing replication start
and the proper directories appearing.
This could be due to the amount of files that need to be replicated
(3.4gb - don't ask....).
During this time, the SYSVOL directory will not be shared.
By this morning, replication had finished. The scripts and policies
directories were complete, and the NtFrs_PreExisting___See_EventLog
directory was nearly empty (only 1 old test file has been left in there
for some reason).
MS said not to try and be clever and copy the files over from the
"PreExisting" directory manually or it will get in a mess.

Everything seems to be working ok now, which is cool.
Thanks,

Chris
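
The dcdiag VerifyReferences finding from the first post, parsed so the same check can be repeated across many DCs and the ones with a missing FRS back-link listed. This is an added example, not part of the original thread or of any Microsoft tool; the sample text, the function names and the 72-column wrap heuristic are assumptions.

```python
import re

# Constructed sample: dcdiag output modelled on the excerpt in the first post,
# as wrapped by the mail client. Bracketed names are the thread's placeholders.
SAMPLE = """\
Starting test: VerifyReferences
Some objects relating to the DC [problemdc] have problems:
[1] Problem: Missing Expected Value
Base Object:
CN=NTDS
Settings,CN=[problemdc],CN=Servers,CN=[problemdclocalsite],CN=Sites,CN=C
onfiguration,DC=Corp,DC=Local
Base Object Description: "DSA Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
"""

PROBLEM = re.compile(r"^\[(\d+)\] Problem: (.+)$")
FIELD = re.compile(r"^(Base Object Description|Base Object|Value Object Attribute Name"
                   r"|Value Object Description|Recommended Action):\s*(.*)$")
NTDS_DN = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.I)
END = re.compile(r"^(Starting test:|Some objects relating to|\.{5,})")


def parse_verify_references(text, wrap_width=72):
    """Return one dict per '[n] Problem:' block, with wrapped values rejoined.

    Assumption: a line that fills wrap_width was cut mid-token (join with no
    separator); a shorter line broke at a space (join with one space).
    """
    findings, current, field, prev_full = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m, f = PROBLEM.match(line), FIELD.match(line)
        if m:
            current, field = {"Problem": m.group(2)}, None
            findings.append(current)
        elif END.match(line):                 # next test or next DC starts
            current = field = None
        elif current is not None and f:
            field = f.group(1)
            current[field] = f.group(2).strip('"')
        elif current is not None and field and line:   # wrapped continuation
            sep = "" if prev_full or not current[field] else " "
            current[field] += sep + line
        prev_full = len(raw.rstrip()) >= wrap_width
    for item in findings:
        dn = NTDS_DN.match(item.get("Base Object", ""))
        item["DC"] = dn.group(1) if dn else None   # second RDN is the server
    return findings


def dcs_missing_frs_backlink(findings):
    """DCs whose NTDS Settings object lacks the serverReferenceBL back-link."""
    return sorted({f["DC"] for f in findings
                   if f["DC"] and f.get("Problem") == "Missing Expected Value"
                   and f.get("Value Object Attribute Name", "").lower() == "serverreferencebl"})


if __name__ == "__main__":
    for dc in dcs_missing_frs_backlink(parse_verify_references(SAMPLE)):
        print(f"{dc}: check serverReference on the SYSVOL FRS member object (Q312862)")
```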
