DFSR event ID 4004, Error 9075

Ulrik Sieverts 0 Reputation points
2023-01-28T13:28:47.3233333+00:00

I have two Windows 2012 servers, SVR1 and SVR2.

Initially SVR1 was PDC, and SVR2 DC.

Then due to NTDS database errors on SVR1 that caused Azure AD Sync to stall, SVR2 got promoted to PDC and SVR1 was demoted and removed from the AD.

When the problem with Azure AD Sync was identified as successfully solved, SRV1 was reinstalled as a DC, but its SYSVOL folder is remaining empty and is not being shared.

The SYSVOL share's DFSR replication state on SVR1 is 2 ('Initial Sync'), on SVR2 it is 5 ('In Error'), and the DFSR Replication event log on SVR2 shows this error:

The DFS Replication service stopped replication on the replicated folder at local path C:\Windows\SYSVOL\domain. 
 
Additional Information: 
Error: 9075 (The content set is read-only and can't be a primary) 
Additional context of the error:   
Replicated Folder Name: SYSVOL Share 
Replicated Folder ID: 90D03954-301C-4C2E-8BA9-96DBACF396CD 
Replication Group Name: Domain System Volume 
Replication Group ID: 6AF91133-D1E5-4767-8BC3-54CCC6CEF7D7 
Member ID: 6FCC89FE-3F11-4119-8EAF-B16F8A86F958

I have tried my best google-fu but have so far come up short.

At this point I am inclined to just remove SVR1 (again), and promote some new freshly installed 2016 server, but I hope there may be another solution, and I can keep the current servers running.

Regards

Ulrik


3 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2023-01-28T13:40:10.0433333+00:00

    You could try following along here.

    How to troubleshoot missing SYSVOL and Netlogon shares

    but I agree standing up a new one for replacement may be the simpler / safer method. After demotion just make sure domain health is 100% before adding new one again by checking dcdiag, repadmin, system and drs replication event logs are free of errors.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Ulrik Sieverts 0 Reputation points
    2023-02-01T10:48:42.6366667+00:00

    @Dave Patrick, thank you for the response.

    I had already followed that guide, and done a D4/D2 restore (How to force authoritative and non-authoritative synchronization for DFSR-replicated sysvol replication), but the 4004 event from my original post is logged when the DFSR service is started on the PDC (SVR2), and the SYSVOL isn't being synced to the DC (SVR1).

    I demoted the DC (SRV1), and removed it from the AD. A freshly installed 2019 server was then joined and promoted to DC.

    As I somewhat expected this hasn't changed anything. The new DC stalls DFSR replication with state 2 ('Initial sync'), and the PDC (SVR2) is remaining in state 5 ('In Error').

    When I open the DFS management console I see this:

    [Image: screenshot of the DFS Management console]

    This supports what the 4004 event tells me: Error: 9075 (The content set is read-only and can't be a primary).

    Any ideas how to solve this?


  3. Dave Patrick 426.1K Reputation points MVP
    2023-02-01T14:39:55.46+00:00

    I just reread this from the top and it may be that SRV2 was never confirmed healthy after the initial failure of SRV1. You may want to look for a recent known good backup.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
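
The health checks named in the first answer (dcdiag, repadmin, event logs) and the DFSR state numbers quoted in the thread can be collected in one read-only pass across all domain controllers. This is an added example, not code from any poster in the thread; it assumes Windows PowerShell with the ActiveDirectory module installed and an account allowed to query WMI and event logs on each DC.

```powershell
# Added example: read-only SYSVOL/DFSR health snapshot for every DC in the domain.
# Assumptions: Windows PowerShell 5.x, ActiveDirectory module (RSAT), remote WMI
# and event log access to each DC. Nothing here changes configuration.
Import-Module ActiveDirectory

# State values reported by the DfsrReplicatedFolderInfo WMI class.
$stateNames = @{
    0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
    3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error'
}

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName

    # DFSR state of the SYSVOL replicated folder on this DC.
    $rf = Get-WmiObject -ComputerName $name -Namespace 'root\MicrosoftDFS' `
        -Class DfsrReplicatedFolderInfo `
        -Filter "ReplicatedFolderName='SYSVOL Share'" -ErrorAction SilentlyContinue

    # A healthy DC shares both SYSVOL and NETLOGON.
    $shares = Get-WmiObject -ComputerName $name -Class Win32_Share `
        -Filter "Name='SYSVOL' OR Name='NETLOGON'" -ErrorAction SilentlyContinue

    # Event 4004 (replication stopped on a replicated folder) in the last 24 hours.
    $events = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4004
                            StartTime = (Get-Date).AddDays(-1) }

    # WMI returns State as UInt32; cast so the hashtable lookup matches its Int32 keys.
    $state = if ($rf) { $stateNames[[int]$rf.State] } else { 'no data' }

    [pscustomobject]@{
        DC          = $name
        SysvolState = $state
        Shares      = (@($shares | ForEach-Object { $_.Name }) -join ',')
        Event4004   = @($events).Count
        Last4004    = ($events | Select-Object -First 1).TimeCreated
    }
}
$report | Format-Table -AutoSize

# AD replication and DC diagnostics: both should come back without errors.
repadmin /replsummary
dcdiag /e /q
```

A DC is in the expected steady state when `SysvolState` is `Normal`, both shares are listed, and `Event4004` is 0.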