Issue after AD upgrade from 2000/2008

Post by scj6771 »

We just recently introduced a new Windows 2008 R2 DC into our Windows 2000 environment and promoted it using this method here. Since then we have had a few issues; the one that concerns me the most is that after creating a new policy on the new 2008 DC, I noticed that clients were getting the following error in Event Viewer:

“Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=xxxxxx,DC=com. The file must be present at the location <\\xxxxxx.com\sysvol\xxxxxx.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The network path was not found. ). Group Policy processing aborted.”

I then took a look at one of the 2000 DC's and noticed the following error in its Event Viewer under File Replication:

"The File Replication Service has detected that the replica root path has changed from "c:\winnt\sysvol\domain" to "c:\winnt\sysvol\domain". If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path.

This was detected for the following replica set:

"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

I have read much about clearing up this issue (including the creation of the NTFRS_CMD_FILE_MOVE_ROOT file) but have yet to make any changes.

My question is, why would the replication root still be "c:\winnt\sysvol\domain"? That path does not exist on 2008, would it not be "c:\Windows\sysvol\domain" at this point?

These Windows 2000 DC's have yet to be "demoted" but all primary functions have been changed to the new Windows 2008 DC.

Post by scj6771 »

Well, I was finally able to check the Event Viewer File Replication log on the new 2008 DC after some access denied issues and discovered that the error was the same, except sure enough this one has the "c:\windows\sysvol\domain" instead of "c:\winnt\sysvol\domain" message.

"The File Replication Service is having trouble enabling replication from "OLD_DC.DOMAIN.NET: to "NEW_DC" for c:\windows\sysvol\domain using the DNS name "OLD_DC.DOMAIN.NET. FRS will keep retrying.
Following are some of the reasons you would see this warning."

Post by YeOldeStonecat »

Download the gpotool from the 2003 resource kit.....
Also do some quick reading on how to use "sonar.exe" tool to check on sysvol 'n replication issues.
Manually been replicating via AD sites 'n services management?...and then check event viewer and each back 'n forth manual replication?
MORNING WOOD Lumber Company
Guinness for Strength!!!

Post by scj6771 »

After I used GPOTOOL I noticed (and this seems to be confirmed from reading the file replication error logs on the new DC) that it's not the old 2000 PDC but the other two that are having issues. For example, below is a Remote Assistance policy I set up before we introduced the new DC; it looks like the other two DC's are having issues.

    Policy {FC3AF2EC-4DCB-4E40-BCE3-E5EC048A2A9A}
    Friendly name: Remote Assistance
    Error: Cannot access  \\OLD_DC_1.DOMAIN.DOMAIN.net\sysvol\DOMAIN.DOMAIN.net\policies
    \{FC3AF2EC-4DCB-4E40-BCE3-E5EC048A2A9A}, error 2
    Error: Cannot access \\OLD_DC_2.DOMAIN.DOMAIN.net\sysvol\DOMAIN.DOMAIN.net\policies
    \{FC3AF2EC-4DCB-4E40-BCE3-E5EC048A2A9A}, error 2
    Details:

It seems like the new DC is having issues talking to the old DC's (except for the old PDC), which seems to make sense from these errors on the new DC.

    "The File Replication Service is having trouble enabling replication from "OLD_DC.DOMAIN.NET: to "NEW_DC" for c:\windows\sysvol\domain using the DNS name "OLD_DC.DOMAIN.NET. FRS will keep retrying.

Could this be a DNS issue?
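
Added example, not part of the original thread or of any poster's own tooling: a small Python parser that groups gpotool "Cannot access" errors by domain controller, so it is clear which DCs are missing their SYSVOL copy of a policy (Win32 error 2 is "file not found"). The sample input is constructed from the lines quoted in the post above, including the UNC path wrapped onto a second line; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the gpotool lines quoted in the post, with its placeholder names.
SAMPLE = r"""Policy {FC3AF2EC-4DCB-4E40-BCE3-E5EC048A2A9A}
Friendly name: Remote Assistance
Error: Cannot access  \\OLD_DC_1.DOMAIN.DOMAIN.net\sysvol\DOMAIN.DOMAIN.net\policies
\{FC3AF2EC-4DCB-4E40-BCE3-E5EC048A2A9A}, error 2
Error: Cannot access \\OLD_DC_2.DOMAIN.DOMAIN.net\sysvol\DOMAIN.DOMAIN.net\policies
\{FC3AF2EC-4DCB-4E40-BCE3-E5EC048A2A9A}, error 2
Details:
"""

# Win32 error codes commonly seen when a SYSVOL path cannot be read.
WIN32 = {2: "file not found", 5: "access denied", 53: "network path not found"}
POLICY_RE = re.compile(r"^Policy (\{[0-9A-Fa-f-]{36}\})")
NAME_RE = re.compile(r"^Friendly name:\s*(.+)$")
ERROR_RE = re.compile(r"^Error: Cannot access\s+\\\\([^\\]+)\\.*, error (\d+)$")

def unwrap(text):
    """Rejoin wrapped UNC paths: a line starting with one backslash continues the previous line."""
    lines = []
    for line in map(str.rstrip, text.splitlines()):
        if lines and line.startswith("\\") and not line.startswith("\\\\"):
            lines[-1] += line
        else:
            lines.append(line)
    return lines

def failures_by_dc(text):
    """Return {dc_host: [(policy_guid, friendly_name, win32_error), ...]}."""
    failures = defaultdict(list)
    guid = name = None
    for line in unwrap(text):
        if m := POLICY_RE.match(line):
            guid, name = m.group(1), None
        elif m := NAME_RE.match(line):
            name = m.group(1).strip()
        elif m := ERROR_RE.match(line):
            failures[m.group(1)].append((guid, name, int(m.group(2))))
    return dict(failures)

def report(text):
    """One summary line per DC whose SYSVOL copy of a policy is unreadable."""
    return [f"{dc}: {name} {guid} -> error {code} ({WIN32.get(code, 'unknown')})"
            for dc, items in sorted(failures_by_dc(text).items())
            for guid, name, code in items]

if __name__ == "__main__": print("\n".join(report(SAMPLE)))
```

A DC that never appears in the result served the policy folder without error, which is how the old PDC stands out from the other two DCs in this thread.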

Post by YeOldeStonecat »

Is the IP of the old DC set as a secondary DNS server in the new server's TCP/IP DNS?

Old DC went through all the "prep" stuff, right? adprep /domainprep /gpprep

What happens in event logs when you manually replicate in both directions from ad sites/services MMC?

How fast was all this done? I've done this stuff in 1/2 a day....with 1x old server to 1x new server networks..small networks. But if it's a larger network with many servers/clients, and multiple DCs....I'd spread it out over a few days. I like to have many hours pass between certain steps since server to server communication/replication and other AD related stuff takes more time on larger networks.
MORNING WOOD Lumber Company
Guinness for Strength!!!

Post by scj6771 »

I just realized after running nslookup for the two problem DC's on the new DC that the "Server" and "address" is giving the name of the only old DC I do not have an issue with. (old primary).

Post by scj6771 »

Disregard last post, it's doing so because that is our DNS server (old primary), and yes the DNS is entered correctly on the new DC.

Post by scj6771 »

After struggling with this for a couple of days, I finally decided to create the file NTFRS_CMD_FILE_MOVE_ROOT (no extension) in the C:\WINNT\SYSVOL\DOMAIN folder on each of the old DC's, restarted the File Replication Service on all DC's and it seems to be working now?

I read that the above method would work, but at what cost I am not sure at the moment. I am assuming that C:\WINDOWS\SYSVOL\DOMAIN is really where I want this? These old DC's will be demoted soon. I ran the GPO tool and it looks perfect now, but I am not calling this a success by any means. For me this was just a quick fix, but as I stated, I have no idea at the moment what (if any) issues this may have caused.

Post by scj6771 »

Not to get off topic, but do you have any advice on cleaning up old and lingering GPO's and policies? And many when running GPOTOOL of which have only the name "New Group Policy Object"?

Post by YeOldeStonecat »

On messy old existing servers or leftover stuff on networks I've taken over...I've documented what's in place...and then wiped them all out...removed/deleted. Re-created fresh new ones from the 2k8 DC with its better GP management. Start fresh, start clean.
MORNING WOOD Lumber Company
Guinness for Strength!!!