DomainController

From Piszczynski
Revision as of 14:55, 13 March 2023 by piszczynski>Aleks

Domain Controller Info

Find all domain controllers in the domain:

  • Resolve-DnsName -Type ALL -Name _ldap._tcp.dc._msdcs.$env:userdnsdomain

Replication between domain controllers can be tested with the "repadmin" command:

  • repadmin /replsummary (Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.)

Get detailed info on domain controller status:

  • dcdiag /v /c /e | out-file C:\temp\dctest.txt

Get FSMO Roles held by Domain Controllers

  • netdom query FSMO
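The four checks above can be run as one sweep. The script below is an added example, not from the original page: it discovers the domain controllers from the same SRV record the page queries (using -Type SRV rather than ALL so only the SRV answers are kept), compares that list with what Active Directory itself reports, and writes the repadmin and dcdiag output to a report directory. It assumes the RSAT ActiveDirectory module, repadmin.exe and dcdiag.exe are available in an elevated, domain-joined session; $ReportDir is an assumed output location.

```powershell
# Added example (not from the original page): DC discovery and health sweep.
param(
    [string]$ReportDir = 'C:\temp\dc-health'   # assumed output location
)

Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Discover DCs from DNS. Clients use this SRV record set to locate a DC, so a
#    DC missing here is invisible to logons even if it is otherwise healthy.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" -ErrorAction Stop
$dnsDcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
          Select-Object -ExpandProperty NameTarget -Unique

# Cross-check against what AD believes; a mismatch points at stale or missing
# DNS registrations, which is exactly the DNS issue the troubleshooting section warns about.
$adDcs = (Get-ADDomainController -Filter *).HostName
Compare-Object -ReferenceObject $adDcs -DifferenceObject $dnsDcs | ForEach-Object {
    $where = if ($_.SideIndicator -eq '<=') { 'in AD but has no SRV record' } else { 'in DNS but not a known DC' }
    Write-Warning "$($_.InputObject): $where"
}

# 2. Replication summary: non-zero Fails columns or a "largest delta" measured
#    in hours or days are the rows to chase.
repadmin /replsummary | Tee-Object -FilePath (Join-Path $ReportDir 'replsummary.txt')

# 3. DNS registration test per DC, then the full run from the page
#    (/c = all tests, /e = every DC in the enterprise, /v = verbose). The full
#    run is slow on large domains, so it goes to a file rather than the console.
dcdiag /test:DNS /e | Out-File (Join-Path $ReportDir 'dcdiag-dns.txt')
dcdiag /v /c /e     | Out-File (Join-Path $ReportDir 'dcdiag-full.txt')

# 4. Surface the failed tests without reading the whole verbose log.
Select-String -Path (Join-Path $ReportDir 'dcdiag-full.txt') -Pattern 'failed test' |
    ForEach-Object { $_.Line.Trim() }
```

Run it from a machine with RSAT rather than on a DC where possible; the report files are plain text and can be diffed between runs to see whether a replication failure is new or long-standing.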

Domain Controller Troubleshooting

If group policy objects cannot be created, the cause is often the SYSVOL directory: check for replication issues and for any changes to its permissions that might have occurred.

Check for any DNS issues for entries associated with the Domain Controllers.


Sysvol Replication Issues

If there are issues with domain replication use the following tools to diagnose:

  • dcdiag - provides full diagnostics on the domain controllers; use /c to run all tests (dcdiag /c)
  • repadmin - provides details on replication between domain controllers, e.g. repadmin /replsummary

Migrate from FRS to DFS Sysvol Replication

DFSR configuration Rebuild

Use this process to rebuild the SYSVOL replication group without demoting and promoting domain controllers.

To check whether this is required, look in ADSIedit.msc at the entries for the domain controllers: if a domain controller's AD object has no CN=DFSR-LocalSettings child, it is likely there is no DFSR configuration.

1: Take backups

2: Shut down DFSR services on all domain controllers

3: On the domain controller holding the PDC emulator FSMO role, enter the following registry keys:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols]
Information Is Committed=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols\<Yourdomain>]
Is Primary=dword:00000001
Command=DcPromo
Parent Computer=""    (entry is blank)
Replicated Folder Name=<yourdomain>
Replicated Folder Root=C:\Windows\SYSVOL\Domain
Replicated Folder Root Set=C:\Windows\SYSVOL\sysvol\<yourdomain>
Replicated Folder Stage=C:\Windows\SYSVOL\staging areas\<yourdomain>
Replication Group Name=<yourdomain>
Replication Group Type=Domain

Make sure "Is Primary" is set to 1 only on the PDC emulator DC.


4: Start DFSR on the PDC emulator domain controller.
  • CN=Domain System Volume will be recreated under CN=Dfsr-GlobalSettings,CN=System,DC=<DOMAIN>
  • All created registry keys and values will be deleted
  • DFSR Event 4602 will be written on the PDCE

5: Create the following registry keys on the other writable domain controllers (not RODCs):


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols]
Information Is Committed=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols\<Yourdomain>]
Is Primary=dword:00000000
Command=DcPromo
Parent Computer="DC01.yourdomain"    (point to the FQDN of the PDC emulator DC, i.e. the one configured in step 3)
Replicated Folder Name=<yourdomain>
Replicated Folder Root=C:\Windows\SYSVOL\Domain
Replicated Folder Root Set=C:\Windows\SYSVOL\sysvol\<yourdomain>
Replicated Folder Stage=C:\Windows\SYSVOL\staging areas\<yourdomain>
Replication Group Name=<yourdomain>
Replication Group Type=Domain

6: Start the DFSR service on the other domain controllers.
  • CN=Domain System Volume will be recreated under CN=Dfsr-GlobalSettings,CN=System,DC=<DOMAIN>
  • All created registry keys and values will be deleted
  • DFSR Events 4614, 6805 and 4804 will be written when the server is replicating SYSVOL successfully
  • Be patient, it might take a few minutes before replication starts
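The rebuild is bracketed by two checks: before, whether each DC actually lacks DFSR SYSVOL configuration (the ADSIedit.msc test above), and after, whether the expected DFSR events appear on each DC. The script below is an added example, not from the original page, that does both from PowerShell instead of ADSIedit.msc and Event Viewer. It assumes the RSAT ActiveDirectory module and admin rights on each DC for the remote event log reads; the object names follow the CN=Dfsr-GlobalSettings and CN=DFSR-LocalSettings entries the page refers to, and the event IDs are the ones listed in steps 4 and 6.

```powershell
# Added example (not from the original page): pre- and post-rebuild checks.
Import-Module ActiveDirectory

# Before the rebuild: does the global "Domain System Volume" group object exist,
# and which writable DCs (RODCs excluded, as in step 5) have a DFSR-LocalSettings
# child object? A DC without one has no DFSR SYSVOL configuration at all.
function Get-DfsrSysvolState {
    $domainDn = (Get-ADDomain).DistinguishedName
    $groupDn  = "CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn"
    try   { $null = Get-ADObject -Identity $groupDn -ErrorAction Stop; $groupExists = $true }
    catch { $groupExists = $false }

    Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly } | ForEach-Object {
        $local = Get-ADObject -SearchBase $_.ComputerObjectDN -SearchScope OneLevel `
                              -Filter 'objectClass -eq "msDFSR-LocalSettings"'
        [pscustomobject]@{
            DomainController  = $_.HostName
            IsPdcEmulator     = ($_.OperationMasterRoles -contains 'PDCEmulator')
            HasLocalSettings  = [bool]$local
            GlobalGroupExists = $groupExists
        }
    }
}

# After starting DFSR (steps 4 and 6): pull the events the page says to expect.
# 4602 should appear on the PDCe; 4614, 6805 and 4804 on every DC once it is
# replicating SYSVOL. No events after several minutes means that DC has not
# joined the replication group yet, so check its registry values before retrying.
function Get-DfsrSysvolEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly } | ForEach-Object {
        $dc = $_.HostName
        try {
            Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName   = 'DFS Replication'
                Id        = 4602, 4614, 6805, 4804
                StartTime = $Since
            } | Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id, Message
        } catch {
            # Get-WinEvent raises an error when no event matches; report that per DC.
            [pscustomobject]@{ DC = $dc; TimeCreated = $null; Id = $null
                               Message = "no matching DFSR SYSVOL events since $Since" }
        }
    }
}

Get-DfsrSysvolState  | Format-Table -AutoSize
Get-DfsrSysvolEvents | Format-Table -AutoSize -Wrap
```

Run Get-DfsrSysvolState before step 2 and keep its output with the backups from step 1; after step 6, re-run both functions until every writable DC shows HasLocalSettings = True and has logged the 4614/6805/4804 events.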


Restore Destroyed DFSR from backup

If SYSVOL is damaged but the replication group is still functioning, and the DFSR flags (dfsr=true) can be seen for the domain controllers in ADSIedit.msc, you may be able to restore SYSVOL from backup and restart replication from the known-good restored copy.

See the guide below:

https://gist.github.com/RavuAlHemio/00e51d3ea64731be9d43b01eda18734f


Time Service Configuration

All domain members should use NT5DS domain time.
Desktops and member servers sync with any domain controller.
Domain controllers sync with the PDC emulator (one per domain).
The PDC emulator in a child domain can sync with any domain controller in the parent domain.
The PDC emulator in the parent domain syncs with either a hardware clock or possibly an external source.
https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-direc...
This configuration for all domain members (aside from the PDCe) should have happened by default, but you can confirm by running:

w32tm /unregister
net stop w32time
w32tm /register
net start w32time
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time
Then check:
w32tm /query /source
w32tm /query /configuration
 -----------------------------------------------
For the PDCe:
w32tm /unregister
net stop w32time
w32tm /register
net start w32time
w32tm /config /manualpeerlist:<preferred ip address> /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
 
Then check:

w32tm /query /source
w32tm /query /configuration


https://docs.microsoft.com/en-gb/archive/blogs/nepapfe/its-simple-time-configuration-in-active-directory
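The two command sequences above differ only in the w32tm /config line, and which one applies depends on whether the local DC holds the PDC emulator role in the forest root domain. The script below is an added example, not from the original page: it makes that decision from Active Directory, runs the matching sequence, and returns the resulting source and sync type so the check at the end of each sequence is done automatically. It assumes an elevated session on a DC with the RSAT ActiveDirectory module; $UpstreamPeer is a constructed placeholder address, not a real time source. A child-domain PDCe is left on the domain hierarchy, which matches the page's rule that it syncs with a DC in the parent domain.

```powershell
# Added example (not from the original page): apply the page's w32tm sequences.
param(
    [string]$UpstreamPeer = '192.0.2.10'   # constructed placeholder (TEST-NET-1), replace with your source
)

Import-Module ActiveDirectory

function Reset-W32Time {
    # Unregister/register wipes any stale manual peer configuration before the
    # new settings are applied; the service is stopped first so the cycle is clean.
    Stop-Service w32time -ErrorAction SilentlyContinue
    w32tm /unregister | Out-Null
    w32tm /register   | Out-Null
    Start-Service w32time
}

function Set-DomainTimeSource {
    param([string]$Peer)
    $self       = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
    $domain     = Get-ADDomain
    $isPdce     = $domain.PDCEmulator -ieq $self
    $isRootPdce = $isPdce -and ($domain.DNSRoot -ieq (Get-ADForest).RootDomain)

    Reset-W32Time
    if ($isRootPdce) {
        # Top of the hierarchy: manual peer and advertise as a reliable source.
        w32tm /config "/manualpeerlist:$Peer" /syncfromflags:manual /reliable:yes /update
    } else {
        # Everyone else, including a child-domain PDCe, follows the domain hierarchy (NT5DS).
        w32tm /config /syncfromflags:domhier /update
    }
    Restart-Service w32time
    w32tm /resync /nowait | Out-Null

    # Return what the page tells you to check, so it can be logged or compared across DCs.
    [pscustomobject]@{
        Computer      = $self
        IsPdcEmulator = $isPdce
        ForestRoot    = $isRootPdce
        Source        = (w32tm /query /source)
        Type          = ((w32tm /query /configuration) -match '^\s*Type:' | Select-Object -First 1).Trim()
    }
}

Set-DomainTimeSource -Peer $UpstreamPeer
```

On a member or non-root DC the returned Type should read NT5DS and Source should be a domain controller; on the forest-root PDCe, Type should be NTP and Source the configured peer. Anything else (for example "Local CMOS Clock" on a DC) means the hierarchy is broken and Kerberos failures will follow once the skew exceeds five minutes.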


If some servers are on the wrong time zone and it cannot be changed from the GUI because the setting comes from group policy, open an admin PowerShell session and use the following cmdlet:

  • Set-TimeZone "GMT Standard Time"

Capture FSMO Roles from other domain controller

  • Move-ADDirectoryServerOperationMasterRole -Identity <domain controller hostname receiving roles> -OperationMasterRole schemamaster, domainnamingmaster, pdcemulator, ridmaster, infrastructuremaster -Force
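The cmdlet above transfers the roles when the current holder is online and seizes them when -Force is given. The script below is an added example, not from the original page: it records the current holders, only adds -Force when a current holder no longer answers on LDAP, and confirms afterwards that every role landed on the target. It assumes the RSAT ActiveDirectory module and Enterprise Admin rights; $TargetDc is the receiving DC's name and is supplied by the caller. A seized role holder that is later reconnected to the network produces two DCs claiming the same role, so a seized DC must be rebuilt rather than simply powered back on.

```powershell
# Added example (not from the original page): view, move and verify FSMO roles.
param(
    [Parameter(Mandatory)][string]$TargetDc   # e.g. DC02.yourdomain (assumed name)
)

Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$before = Get-FsmoHolders
$before | Format-List

# Transfer when every current holder still answers LDAP; seize only when one does not.
$holders     = @($before.PSObject.Properties.Value | Sort-Object -Unique)
$unreachable = @($holders | Where-Object {
    -not (Test-NetConnection -ComputerName $_ -Port 389 -InformationLevel Quiet)
})
$seize = $unreachable.Count -gt 0
if ($seize) {
    Write-Warning "Unreachable role holder(s): $($unreachable -join ', '); seizing instead of transferring."
}

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $roles `
    -Force:$seize -Confirm:$false

# Confirm every role now reports the target (holders are returned as FQDNs).
$after = Get-FsmoHolders
$after | Format-List
$notMoved = @($after.PSObject.Properties | Where-Object { $_.Value -notlike "$TargetDc*" })
if ($notMoved.Count -gt 0) {
    Write-Warning "Still held elsewhere: $($notMoved.Name -join ', ')"
}
```

Keep the "before" output with your change record: the cmdlet only exits non-zero on outright failure, so the before/after comparison is the evidence that all five roles moved.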