Leavii (Brass Contributor), Aug 28, 2023
SYSVOL Subscription Missing
Morning,
I had an issue with a GPO not updating on a client. Long story short, I tracked it back to a secondary DC not having a SYSVOL subscription in ADSI. I tried using LDIFDE as suggested here, but I would get an error about a security issue or something. So, I decided to just make it manually via ADSI and enter the hex keys, etc... Now it half works, kinda... On reboot it updates and it keeps files in sync from the PDCe for a bit, but then just stops working again, but if I restart that server it starts working again for a bit. Of course this is not ideal at all, as clients also aren't updating their GPO and gpupdate /force just hangs endlessly.
Circling back to it not being there. I have no idea how it happened, and no clue when it did. Last GP I know that was synced was over a month ago. I have backups up to 30 days but restoring to over a month ago doesn't seem viable. I am leaning more toward removing this one bad DC as I have a 3rd DC and DFSR is working just fine between it and the PDCe.
However, if someone more knowledgeable has any suggestions I am all ears.
Errors from the defective DC are 6404 in the event log.
`The DFS Replication service failed to replicate the replicated folder at local path because the local path is not the fully qualified path name of an existing, accessible local folder.`
I wouldn't spend any time trying to fix this. Much simpler / safer method is to stand up a new one for replacement.
- Leavii (Brass Contributor)
I have a monitor that watches changes in the domain, and it shows the system removed the objects...?
- Leavii (Brass Contributor)
Dave Patrick Agreed.
These hacks are very risky. How long has this been going on? If the tombstone has been exceeded then you'll need to move roles off, do cleanup to remove the remnants and rebuild the failed one from scratch.
- Leavii (Brass Contributor)
Dave Patrick completely forgot about tombstones, but I went through them and found someone deleted the objects on 7/19/23. I restored these and am going to do some checking/testing.
Thanks for the reply. I probably shouldn't have been working on this at midnight and then maybe I'd remember to check the basics 🤦
The tombstone lifetime refers to how long a domain controller can be in a disconnected state. Since the sysvol was never shared it is likely since this one was deployed.
- Leavii (Brass Contributor)
Dave Patrick not sure how long it has been gone. Last week I noticed a GP I created 2 weeks ago wasn't applied to a few PCs. Got around to checking it Thurs and found my issue Friday. Decided to wait till off hours to mess with it, Sunday, and did all this.
So, try and demote that server, and when it doesn't remove itself, delete the faulty DC from my PDCe, metadata cleanup, etc...? This is what I was thinking as well, but wanted to see if anyone else had any other ideas. FSMO roles are not on the server that I am having an issue with so no worries there.
Are you referring to the SYSVOL's Subscription Object's tombstone or?
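An added example, not posted by anyone in the thread: a read-only PowerShell audit for the condition discussed above, reporting which domain controllers lack the SYSVOL subscription object and listing DFSR settings objects that are still visible as deleted objects. It assumes the ActiveDirectory (RSAT) module and the default DFSR object layout under each DC's computer object; the function names are illustrative.

```powershell
# Added example: read-only audit of DFSR SYSVOL subscription objects.
# Assumes the ActiveDirectory (RSAT) module; function names are illustrative.
Import-Module ActiveDirectory

function Get-SysvolSubscriptionState {
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    foreach ($dc in Get-ADDomainController -Filter * -Server $Server) {
        # Default location of the subscription under the DC's computer object
        $dn = 'CN=SYSVOL Subscription,CN=Domain System Volume,' +
              'CN=DFSR-LocalSettings,' + $dc.ComputerObjectDN
        $row = [ordered]@{ DC = $dc.HostName; Present = $false
                           Enabled = $null; RootPath = $null }
        try {
            $sub = Get-ADObject -Identity $dn -Server $Server -ErrorAction Stop `
                       -Properties 'msDFSR-Enabled', 'msDFSR-RootPath'
            $row.Present  = $true
            $row.Enabled  = $sub.'msDFSR-Enabled'
            $row.RootPath = $sub.'msDFSR-RootPath'
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Object missing: this DC has no SYSVOL subscription in AD
        }
        [pscustomobject]$row
    }
}

function Get-DeletedDfsrObject {
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    # Tombstoned DFSR settings objects; whenChanged approximates deletion time
    $filter = '(&(isDeleted=TRUE)(|(objectClass=msDFSR-LocalSettings)' +
              '(objectClass=msDFSR-Subscriber)(objectClass=msDFSR-Subscription)))'
    Get-ADObject -Server $Server -IncludeDeletedObjects -LDAPFilter $filter `
                 -Properties whenChanged, lastKnownParent, 'msDS-LastKnownRDN' |
        Sort-Object whenChanged |
        Select-Object 'msDS-LastKnownRDN', lastKnownParent, whenChanged
}

Get-SysvolSubscriptionState | Format-Table -AutoSize
Get-DeletedDfsrObject       | Format-Table -AutoSize -Wrap
```

Each DC answers from its own copy of the directory, so pass `-Server` for more than one DC if AD replication itself is in doubt.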