Tag Archives: ad

Fix: Missing Sysvol and Netlogon after domain controller promotion

In many cases I have found that a newly promoted domain controller is missing the SYSVOL and NETLOGON shares. Most of the time it is also a new domain controller for a new forest. In most cases you need to update the registry flag as below.

Open Regedit
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Set SysVolReady from 0 to 1
Close Regedit

This will create the SYSVOL share. If the NETLOGON share is still not created, create a folder named scripts under C:\Windows\SYSVOL\domain\. When this is done, restart the NETLOGON service.
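The steps above as an added PowerShell example (not from the original post). It reads the SysVolReady flag, checks whether the two shares and the scripts folder exist, and only changes anything when run with -Apply; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the SysVolReady fix from the post and verify the shares.
# Report-only by default; pass -Apply to set the flag, create the scripts
# folder and restart the Netlogon service.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ScriptsFolder  = Join-Path $env:SystemRoot 'SYSVOL\domain\scripts'

function Get-SysvolShareStatus {
    # Current value of the registry flag plus whether SYSVOL/NETLOGON are shared.
    $ready  = (Get-ItemProperty -Path $NetlogonParams -Name SysVolReady -ErrorAction SilentlyContinue).SysVolReady
    $shares = Get-SmbShare -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in @('SYSVOL', 'NETLOGON') }
    [pscustomobject]@{
        SysVolReady    = $ready
        SysvolShared   = [bool]($shares | Where-Object { $_.Name -eq 'SYSVOL' })
        NetlogonShared = [bool]($shares | Where-Object { $_.Name -eq 'NETLOGON' })
        ScriptsFolder  = Test-Path $ScriptsFolder
    }
}

function Repair-SysvolShares {
    param([switch]$Apply)   # without -Apply the function only reports what it would do
    $before = Get-SysvolShareStatus
    if ($before.SysVolReady -ne 1) {
        Write-Host "SysVolReady is '$($before.SysVolReady)', should be 1"
        if ($Apply) { Set-ItemProperty -Path $NetlogonParams -Name SysVolReady -Value 1 -Type DWord }
    }
    if (-not $before.ScriptsFolder) {
        Write-Host "Missing $ScriptsFolder (needed for the NETLOGON share)"
        if ($Apply) { New-Item -Path $ScriptsFolder -ItemType Directory | Out-Null }
    }
    if ($Apply) {
        # Netlogon publishes the shares; restart it so the new settings take effect
        Restart-Service -Name Netlogon -Force
        Start-Sleep -Seconds 5
    }
    Get-SysvolShareStatus
}

Repair-SysvolShares            # report only
# Repair-SysvolShares -Apply   # make the changes and restart Netlogon
```

Run it once without -Apply to see which of the three conditions (flag, scripts folder, shares) is actually missing before changing anything on a production DC.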

This is the easy part. In some cases, although the NETLOGON and SYSVOL shares are working, no group policies or scripts are replicated by DFS Replication (DFSR).

We can verify the replication state on every domain controller by running the following command.

For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

The state values translate as below.

0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error

In my case, I noticed that the newly promoted server was showing 2 (Initial Sync) and the main domain controller was showing “No Instance(s) Available”, which is quite strange.

Here you need to look at the original Active Directory server for problems. You will see a warning in the DFS Replication log (under Applications and Services Logs) with Event ID 2213, as below.

It says that the DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled.

From the event, take note of the volume GUID, then run the command below, replacing GUID-NUMBER with your GUID.

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="GUID-NUMBER" call ResumeReplication

This restarts replication and recreates the database. You can confirm it with Event ID 2214: “The DFS Replication service successfully recovered from an unexpected shutdown on volume C:. This can occur if the service terminated abnormally (due to a power loss, for example) or an error occurred on the volume. No user action is required.”

If you run the state command again you will see that all servers show state 4 (Normal), and both SYSVOL and NETLOGON will be replicated.
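The whole DFSR procedure above (check state on every DC, find the Event ID 2213 volume, resume replication, check again) as an added PowerShell example; it is not from the original post. It assumes the ActiveDirectory module is available and that the DCs accept WinRM (CIM) connections, and it uses the same WMI classes and method the wmic commands above use; the function names are my own.

```powershell
# Added example: PowerShell equivalents of the two wmic commands in the post.
Import-Module ActiveDirectory

$DfsrNamespace = 'root\MicrosoftDFS'
# State codes as listed in the post
$DfsrState = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
                3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }

function Get-SysvolReplicationState {
    # One row per domain controller. A DC that returns no DfsrReplicatedFolderInfo
    # instance is reported as 'No instance' (wmic prints "No Instance(s) Available").
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $info = Get-CimInstance -ComputerName $dc.HostName -Namespace $DfsrNamespace `
            -ClassName DfsrReplicatedFolderInfo -Filter "ReplicatedFolderName='SYSVOL share'" `
            -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc.HostName
            ReplicationGroup = if ($info) { $info.ReplicationGroupName } else { $null }
            State            = if ($info) { "$($info.State) = $($DfsrState[[int]$info.State])" } else { 'No instance' }
        }
    }
}

function Get-DfsrVolumeInfo {
    # Volume GUIDs DFSR knows about on this host, so the GUID named in Event ID 2213
    # can be matched to a drive letter before resuming.
    Get-CimInstance -Namespace $DfsrNamespace -ClassName DfsrVolumeConfig |
        Select-Object VolumePath, VolumeGuid
}

function Get-DfsrStoppedVolumeEvents {
    # Most recent Event ID 2213 warnings from the DFS Replication log.
    Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2213 } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Resume-DfsrVolume {
    # Invokes the same ResumeReplication WMI method as the wmic "call" command above.
    param([Parameter(Mandatory)][string]$VolumeGuid)
    $vol = Get-CimInstance -Namespace $DfsrNamespace -ClassName DfsrVolumeConfig -Filter "VolumeGuid='$VolumeGuid'"
    if (-not $vol) { throw "No DfsrVolumeConfig instance with VolumeGuid '$VolumeGuid' on this host" }
    $result = Invoke-CimMethod -InputObject $vol -MethodName ResumeReplication
    [pscustomobject]@{ VolumePath = $vol.VolumePath; VolumeGuid = $vol.VolumeGuid; ReturnValue = $result.ReturnValue }
}

# Usage: check state on all DCs, locate the affected volume, resume, then re-check.
Get-SysvolReplicationState | Format-Table -AutoSize
# Get-DfsrStoppedVolumeEvents
# Get-DfsrVolumeInfo
# Resume-DfsrVolume -VolumeGuid 'GUID-NUMBER'   # placeholder: use the GUID from Event ID 2213
# Get-SysvolReplicationState | Format-Table -AutoSize
```

A ReturnValue of 0 from Resume-DfsrVolume means the method call succeeded; the Event ID 2214 message described above should then appear in the DFS Replication log, and the state query should move from 2 to 4 once the initial sync completes.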


Fix: Cannot demote server Access is denied

When demoting a server from an existing Active Directory you will be prompted for credentials and then get an error saying

The Operation failed because: The attempt at remote directory server to remove directory server was unsuccessful. “Access Denied”.

This issue is due to the object being set with Protect object from accidental deletion.

To fix this, open Active Directory Sites and Services. Find the server you are trying to demote and expand it. Right-click NTDS Settings and click Properties. On the Object tab, untick Protect object from accidental deletion.

Retry the demotion and it will work. If it doesn’t, open Active Directory Users and Computers and check whether the computer account also has Protect object from accidental deletion enabled. Make sure Advanced Features is enabled (View menu), otherwise the Object tab is not shown.
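The same check for both objects (NTDS Settings and the computer account) as an added PowerShell example, not from the original post. It assumes the ActiveDirectory module and rights to modify the Configuration partition; the DC name is a parameter you supply and the function names are my own.

```powershell
# Added example: audit, and only on request clear, the "Protect object from
# accidental deletion" flag on the two objects that block a demotion.
Import-Module ActiveDirectory

function Get-DcDeletionProtection {
    param([Parameter(Mandatory)][string]$DcName)   # e.g. 'DC02' (hypothetical name)
    $dc   = Get-ADDomainController -Identity $DcName
    # NTDSSettingsObjectDN is the object under Sites and Services; ComputerObjectDN is the
    # computer account under Users and Computers (the second place the post says to check).
    $ntds = Get-ADObject   -Identity $dc.NTDSSettingsObjectDN -Properties ProtectedFromAccidentalDeletion
    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN     -Properties ProtectedFromAccidentalDeletion
    foreach ($o in $ntds, $comp) {
        [pscustomobject]@{
            DistinguishedName = $o.DistinguishedName
            Protected         = [bool]$o.ProtectedFromAccidentalDeletion
        }
    }
}

function Unprotect-DcForDemotion {
    # Clears the flag only where it is set, and prints each object it touched.
    param([Parameter(Mandatory)][string]$DcName)
    Get-DcDeletionProtection -DcName $DcName | Where-Object { $_.Protected } | ForEach-Object {
        Set-ADObject -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $false
        Write-Host "Cleared accidental-deletion protection on $($_.DistinguishedName)"
    }
}

Get-DcDeletionProtection -DcName 'DC02'      # audit first
# Unprotect-DcForDemotion -DcName 'DC02'     # then clear, and retry the demotion
```

Running the audit first shows which of the two objects is actually protected, so you only remove the safeguard on the server being demoted and leave it in place on every other DC.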


Fix: AzureAD Sync not working Scheduler is already suspended

You will notice that the AzureAD Sync tool has stopped synchronizing, and in the Office 365 portal under Health > Directory Sync Status you will see the message Warning: no recent synchronization under Password Sync.

In PowerShell, when you run Start-ADSyncSyncCycle you will get the error below.

Warning: no recent synchronization 

Start-ADSyncSyncCycle : System.InvalidOperationException: Scheduler is already
suspended via global parameters.

To fix this, open PowerShell and run the command below.

Set-ADSyncScheduler -SchedulerSuspended $false

After it completes, re-run Start-ADSyncSyncCycle and it will work.
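The fix above wrapped in a check, as an added PowerShell example that is not from the original post: it only clears the suspension when Get-ADSyncScheduler reports it, then starts a delta cycle and shows the scheduler state. It assumes the ADSync module that ships with the sync tool; the function name is my own.

```powershell
# Added example: clear a suspended AAD sync scheduler only when it is actually
# suspended, then kick off a delta sync and show the resulting scheduler state.
Import-Module ADSync

function Resume-ADSyncIfSuspended {
    $sched = Get-ADSyncScheduler
    if ($sched.SchedulerSuspended) {
        Write-Host 'Scheduler is suspended via global parameters; clearing the flag'
        Set-ADSyncScheduler -SchedulerSuspended $false
    } else {
        Write-Host 'Scheduler is not suspended; nothing to clear'
    }
    # Delta cycle is the same thing the post runs after the fix
    Start-ADSyncSyncCycle -PolicyType Delta
    Get-ADSyncScheduler | Select-Object SchedulerSuspended, SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
}

Resume-ADSyncIfSuspended
```

If SyncCycleEnabled is also false in the output, the scheduler was disabled rather than suspended and Set-ADSyncScheduler -SyncCycleEnabled $true is the relevant switch instead.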


How To: Disable AD Autodiscover for Office 365 migration

When you have a local Exchange setup and want to migrate to Office 365 while leaving the local Exchange in place, you will have problems with Autodiscover still pointing users to the local Exchange. If you don’t do the below, Outlook will keep trying to connect to the old Exchange server.

To stop Autodiscover from using it, open ADSIEDIT.MSC on the Active Directory server and delete the entry below so that the local SCP is skipped.

Select the “Configuration” naming context
CN=Services\
CN=Microsoft Exchange\
CN=\
CN=Administrative Groups\
CN=Exchange Administrative Groups\
CN=Servers\
CN=\
CN=Protocols\
CN=Autodiscover\
And delete the CN= of class serviceConnectionPoint
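Locating the same serviceConnectionPoint objects from PowerShell instead of browsing ADSI Edit, as an added example that is not from the original post. It assumes the ActiveDirectory module; the server name passed to the removal function is yours to supply, and the function names are my own.

```powershell
# Added example: list the Exchange Autodiscover SCP objects in the Configuration
# partition, and remove the one for a named server only after a confirmation prompt.
Import-Module ActiveDirectory

function Get-ExchangeAutodiscoverScp {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    # Same container path the post walks: CN=Services ... CN=Protocols\CN=Autodiscover
    Get-ADObject -SearchBase "CN=Services,$cfg" -LDAPFilter '(objectClass=serviceConnectionPoint)' `
                 -Properties serviceBindingInformation |
        Where-Object { $_.DistinguishedName -match ',CN=Autodiscover,CN=Protocols,' } |
        Select-Object Name, DistinguishedName,
                      @{ Name = 'Url'; Expression = { $_.serviceBindingInformation -join ';' } }
}

function Remove-ExchangeAutodiscoverScp {
    param([Parameter(Mandatory)][string]$ServerName)   # the CN= of the Exchange server
    $pattern = ",CN=Autodiscover,CN=Protocols,CN=$([regex]::Escape($ServerName)),"
    Get-ExchangeAutodiscoverScp |
        Where-Object { $_.DistinguishedName -match $pattern } |
        ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -Confirm }
}

Get-ExchangeAutodiscoverScp | Format-List        # review the URLs each SCP publishes
# Remove-ExchangeAutodiscoverScp -ServerName 'EXCH01'   # hypothetical server name
```

The Url column shows the internal Autodiscover address each SCP hands to Outlook, which makes it clear which object is the one sending clients to the local Exchange.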

Since Outlook uses the SCP as well, you might also want to apply this registry update on the client machines.

(The version number varies depending on your Office version)
– Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover
– Create a new DWORD value named ExcludeScpLookup
– Set the DWORD to 1

After this, ping autodiscover.mydomain.com to ensure it resolves to Office 365.

Update:

You can also add the following values under the AutoDiscover key; they may help further.

"ExcludeScpLookup"=dword:00000001
"ExcludeHttpsAutodiscoverDomain"=dword:00000001
"ExcludeHttpsRootDomain"=dword:00000001
"ExcludeSrvLookup"=dword:00000001
"ExcludeHttpRedirect"=dword:00000000
"ExcludeSrvRecord"=dword:00000001
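The client-side registry update and the DNS check, as an added PowerShell example that is not from the original post. It uses the six values listed above, detects the installed Office version keys under HKCU instead of hard-coding 16.0, and only writes when run with -Apply; the domain name and function names are assumptions of mine.

```powershell
# Added example: apply the Outlook AutoDiscover exclusions from the post for every
# Office version present under HKCU, then check where autodiscover.<domain> resolves.

# Values exactly as listed in the post
$AutodiscoverValues = [ordered]@{
    ExcludeScpLookup               = 1
    ExcludeHttpsAutodiscoverDomain = 1
    ExcludeHttpsRootDomain         = 1
    ExcludeSrvLookup               = 1
    ExcludeHttpRedirect            = 0
    ExcludeSrvRecord               = 1
}

function Set-OutlookAutodiscoverExclusions {
    param([switch]$Apply)   # report current vs. desired by default; write only with -Apply
    # Office version keys look like 15.0, 16.0 ...; keep only those that have an Outlook subkey
    $versions = Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d$' -and
                       (Test-Path "HKCU:\Software\Microsoft\Office\$($_.PSChildName)\Outlook") }
    foreach ($v in $versions) {
        $key = "HKCU:\Software\Microsoft\Office\$($v.PSChildName)\Outlook\AutoDiscover"
        if ($Apply -and -not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $AutodiscoverValues.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{ Version = $v.PSChildName; Name = $name; Current = $current; Desired = $AutodiscoverValues[$name] }
            if ($Apply) {
                New-ItemProperty -Path $key -Name $name -Value $AutodiscoverValues[$name] -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

function Test-AutodiscoverDns {
    # Office 365 expects autodiscover.<domain> to be a CNAME to autodiscover.outlook.com;
    # anything else means clients may still be sent to the local Exchange.
    param([Parameter(Mandatory)][string]$Domain)   # e.g. 'mydomain.com' as in the post
    Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
        Select-Object Name, Type, NameHost
}

Set-OutlookAutodiscoverExclusions | Format-Table -AutoSize   # report only
# Set-OutlookAutodiscoverExclusions -Apply
Test-AutodiscoverDns -Domain 'mydomain.com'
```

Because the values live under HKCU, the function has to run in each user's session (or be deployed through Group Policy Preferences) rather than once per machine.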
