Sysvol not propagating to other server and pcs looking to old server for scripts.

**edutech4schools** · 26th May 2012, 12:42 PM

Hi,

I recently added a new 2008r2 server to our 2003 domain and moved all rolls to the new server as the old one 2003 server will be dumped soon.

I ran dcpromo on the new server and all went ok. it has dns active directory and sysvol all populated. I then migrated dhcp and made the setings point to the new server so all computers logging on should and do point to the new server.

Odd thing is, if I make a change to the kix script in netlogon on the new server this does not get copied to the old server. The other odd thing is that all computers still look to the old server for the kix script in sysvol.

Any pointers as to why this might be happening.

**edutech4schools** · 26th May 2012, 12:53 PM

More info.
when I run netdom query fsmo on new server all roles are listed as running on the new server but when I look in AD\domain controllers the old server is listed as DC and the new as GC.

**edutech4schools** · 26th May 2012, 01:26 PM

More info:
Well the propagation issues might be down to DNS setting in network adapters on the old server was still pointing to itself rather than the new server. Will need to wait to see if that helps.

**FN-GM** · 26th May 2012, 01:40 PM

How long did you leave it to replicate? Have you had a look in the event logs?

**edutech4schools** · 26th May 2012, 01:59 PM

How long did you leave it to replicate?

its been about 20 mins since I pointed the old server dns at the new server.

Have you had a look in the event logs?

Had lots yesterday after I rebooted both servers but nothing since that jumps out at me as being an issue.

Just dumped a new text file in the netlogon folder and it replicated almost instantly. but if I make a change in the kix script it does not get replicated.

EDIT - Kix is replicating. I deleted the old file and created a new one. YAY.

**FN-GM** · 26th May 2012, 02:19 PM

I have known replication to take ages to decide to work. I would just leave it and see what happens. Are your other domain controllers looking healthy?

**ricki** · 27th May 2012, 08:38 PM

HI

Have you tried a repadmin /showrepl on both domain controllers. You need to be logged on as admin

Is the time on both servers the same otherwise kerberos will fail.

Have you tried forcing a replication and do you get an error in the event logs or on the screen. After holidays wil have to change a registry setting on devieny partners and allow them to replicate and them put them back as they have been off and have not replicated for a few days.
Event ID 2042: It has been too long since this machine replicated: Active Directory

Check the nic card settings and the ip addresses / subnet etc

Check dns is allowed to replicate to all servers.

I know this will be a silly question but you did to a adprep on the old domain controller before adding the windows 2008 server to prepare the schema Windows Server 2008 ADPREP

Richard

**ricki** · 27th May 2012, 08:40 PM

Sorry

I forget have you done a dcdiag and a netdiag on the windows 2003 server and a dc diag on the windows 2008 server.

Richard

**themightymrp** · 28th May 2012, 08:49 AM

Do you use any subfolders of the Netlogon share to hold software distributions or anything similar? I have a subfolder in mine which contains a few programs that I deploy via GPO. Recently, when I added a new DC, our Anti-Virus (sophos) accidentally identified one of the apps as suspicious and wouldn't let the replication take place. It therefore kept killing the Replication Service. I didn't realise until I went through the anti-virus logs! Once the app was authorized the replication took less than an hour to complete

**edutech4schools** · 28th May 2012, 10:51 AM

Thanks for all the info. It looks like all is ok, just seemed to take much longer to start replicating than normal.

**Geoff** · 28th May 2012, 10:59 AM

Originally Posted by themightymrp

Do you use any subfolders of the Netlogon share to hold software distributions or anything similar? I have a subfolder in mine which contains a few programs that I deploy via GPO. Recently, when I added a new DC, our Anti-Virus (sophos) accidentally identified one of the apps as suspicious and wouldn't let the replication take place. It therefore kept killing the Replication Service. I didn't realise until I went through the anti-virus logs! Once the app was authorized the replication took less than an hour to complete

I wouldn't recommend running on access AV scanning on servers.

**Michael** · 28th May 2012, 12:05 PM

Immediate things to check (as others have mentioned) are DNS settings. Make sure the DCs point to themselves first, then each other second, then any external DNS.

In Active Directory Sites and Services you can manually force the servers to replicate instead of hanging around. Typically it should take seconds unless there's a huge amount of data to replicate. There should be literally a handful of scripts or reg edits possibly, but you could argue you can do most of this using GPO in 2008 R2.

**edutech4schools** · 28th May 2012, 06:54 PM

Just one more question. Why does the old server (which I have not demoted yet) say its a DC and the New server say its a GC. Is this normal?

Notes:
repadmin /showrepl gives the other servers info, as expected.
Replication is working fine now.
All setting such as PDC, Op Master etc all have the new server name.
Yes adprep32 was done

netdom query fsmo = Looks good and lists new server for all roles

DCDIAG on old server = all pass
NETDIAG on old server = all pass

However DCDIAG on new server passes all except this one: (I have changed server and domain names)

Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=LAN
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=LAN
......................... server-SRV01 failed test NCSecDesc

Should I worry about this error and should I worry the the new server is listed as GC?

EDIT. Info about the failed test NCSecDesc

If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.

So back to my first question. Why does my new server which has all the roles say its a GC?

**Michael** · 28th May 2012, 08:15 PM

You need at least one GC (Global Catalog) server in your network and typically this can be on the same box as your 2008 R2 DC. Without the GC option enabled, processing logons would not be possible.

**edutech4schools** · 28th May 2012, 09:14 PM

Yep, I moved all roles and GC to the new server but the old one is still listed as DC in Acitve directory and the new one as GC. Is this correct until I demote the old server? I would have thought having all the roles on the new server and none on the old would make the new server the main DC.

LinkBack

Thread Tools

Search Thread

Sysvol not propagating to other server and pcs looking to old server for scripts.

Similar Threads

script to rename computer and join it to domain ...

Code for CMD file to copy folder and contents to other Drive

Script to rename Macs and join them to OD/AD

Spec for server to run Exchange and very little else

vb script to check filesize and copy file not eq...

Thread Information

Users Browsing this Thread

Posting Permissions