Hello,
Recently we have started the process of migrating our old domain controllers. I will try to explain the situation and the steps I have already taken.
Old DCs:
- DC1 (main1): Windows Server 2012
- DC2 (main2): Windows Server 2012 (FSMO roles)
Sysvol replication: DFSR
Newly added DCs:
- DC3 (ad1): Windows Server 2022
- DC4 (ad2): Windows Server 2022
Before promoting the new DCs I had only checked the synchronization status with repadmin /showrepl and dcdiag for DNS, not dcdiag against the old DCs.
Note: We have only two test group policies applied in our domain.
After I had added the new DCs, there were no SYSVOL and NETLOGON shares.
From dcdiag:
- Warning: DsGetDcName returned information for \\MAIN2..., when we were trying to reach AD2. SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
- There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
- Unable to connect to the NETLOGON share! (\\AD2\netlogon) [AD2] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
In the DFS Replication logs on both new DCs there was warning ID 5014:
- (The DFS Replication service is stopping communication with partner MAIN2/MAIN1 for replication group Domain System Volume due to an error).
So I have gone through this article: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-missing-sysvol-and-netlogon-shares
And forced a non-authoritative synchronization for DC3 and DC4. Unfortunately that did not help.
Then I realized that I had not read the previous article properly, and I found out that both old DCs, DC1 and DC2, had event ID 2213 in their DFS Replication logs.
This event had been there for a long period of time. Every time a backup with Windows Server Backup was made, it logged ID 2213.
So I proceeded with the recovery steps as stated in the log, first on DC2 (which holds the FSMO roles):
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" call ResumeReplication
Output returned value 0.
So I went to check the logs, and first there was warning Event ID 2212, followed by Event ID 4012:
- This server has been disconnected from other partners for 650 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60).
After that I tried to proceed with the recovery steps on DC1:
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" call ResumeReplication
I checked the logs and ID 2012 was followed by ID 2214 (The DFS Replication service successfully recovered from an unexpected shutdown on volume C:.)
So I thought at least one SYSVOL recovered.
One SYSVOL recovered (main1), one disconnected from its partner for too long (main2), and two new ones without SYSVOL and NETLOGON.
So I read through a couple of articles and thought I should now proceed again with a non-authoritative synchronization of the DFSR-replicated SYSVOL.
So at the same time I set msDFSR-Enabled=FALSE in ADSIEDIT on main2, ad1 and ad2.
Then forced replication on all three Domain Controllers with: repadmin /syncall /AeD
Then run: DFSRDIAG POLLAD
Change value back to msDFSR-Enabled=TRUE
Again forced on all three domain controllers replication: repadmin /syncall /AeD
Then run: DFSRDIAG POLLAD
On all three domain controllers I saw in the DFSR log: ID 4614 (The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication),
but after that, nothing happened. The article says it should be followed by ID 4604, but 4604 did not happen.
I have checked the DFSR Replication State and all 4 domain controllers are in state 2 = Initial Sync
I don't know what I can do now. Could someone please advise me what the next steps should be to make my new DCs have SYSVOL and NETLOGON, so I can then decommission the old DCs?
Thank you in advance for any advice.
Best Regards
JU
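An added diagnostic script (not from the post above, and not part of any Microsoft guidance) that gathers in one table the things the post checks by hand on each DC: the msDFSR-Enabled flag on the SYSVOL subscription object, the DFSR replicated-folder state (2 = Initial Sync), whether the SYSVOL and NETLOGON shares exist, and counts of the DFSR event IDs discussed above from the last 24 hours. It assumes the RSAT ActiveDirectory module is installed and that WinRM/WMI and remote event-log access to every DC are available.

```powershell
# Added example: snapshot SYSVOL/DFSR health on every DC in the domain.
# Assumes the ActiveDirectory RSAT module plus WinRM and event-log access to each DC.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dcs      = (Get-ADDomainController -Filter *).HostName
# DfsrReplicatedFolderInfo.State values as documented for the DFSR WMI provider.
$stateName = @{0='Uninitialized'; 1='Initialized'; 2='Initial Sync'; 3='Auto Recovery'; 4='Normal'; 5='In Error'}
# Event IDs from the post: 2213/2212/2214 (dirty shutdown and recovery), 4012 (MaxOfflineTimeInDays exceeded),
# 5014 (communication with partner stopped), 4614 (waiting for initial sync), 4604 (SYSVOL initialized).
$eventIds = 2212, 2213, 2214, 4012, 4604, 4614, 5014

foreach ($dc in $dcs) {
    $short = $dc.Split('.')[0]
    # msDFSR-Enabled is stored on the SYSVOL Subscription object beneath the DC's computer object.
    $subDN = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$short,OU=Domain Controllers,$domainDN"
    $sub   = Get-ADObject -Identity $subDN -Properties 'msDFSR-Enabled' -Server $dc -ErrorAction SilentlyContinue

    # Replicated-folder state for SYSVOL as reported by the DFSR service on that DC.
    $folder = Get-CimInstance -ComputerName $dc -Namespace 'root\MicrosoftDFS' -ClassName DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
              Where-Object ReplicatedFolderName -eq 'SYSVOL Share'

    # Count the relevant DFSR events from the last day, e.g. "4614x1, 5014x3".
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName='DFS Replication'; Id=$eventIds; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue |
              Group-Object Id | ForEach-Object { "$($_.Name)x$($_.Count)" }

    [pscustomobject]@{
        DC            = $short
        msDFSREnabled = $sub.'msDFSR-Enabled'
        DfsrState     = if ($folder) { "$($folder.State) ($($stateName[[int]$folder.State]))" } else { 'n/a' }
        SysvolShare   = Test-Path "\\$dc\SYSVOL"
        NetlogonShare = Test-Path "\\$dc\NETLOGON"
        DfsrEvents24h = ($events -join ', ')
    }
}
```

Run it from a domain-joined admin workstation; a DC stuck as in the post shows DfsrState "2 (Initial Sync)" with SysvolShare and NetlogonShare False, which makes it easy to see at a glance which DCs still have not left initial sync.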