Accesscontrol primary backup domain controller search failed with error: remote API error


First published on TechNet on Dec 15, 2008

Hi all, Rob Newhouse again, and today I am talking about errors that you may see while running ADPREP.

Normally I do not like to create a laundry list of errors; however, I believe it should be beneficial and save you some time and (maybe) money to post these common errors. This is a follow-up to my previous post, So You Want to Upgrade to Windows 2008 Domain Controllers (ADPREP).

So you have run ADPREP and it has failed. The first thing that you need to do is open your C:\Windows\Debug\Adprep\Logs folder. There will be a separate file each time that you run ADPREP.

At the bottom of the file, you will see what the problem is. Common failures include:


Errors Running Adprep /Forestprep


Adprep Was Unable to Extend the Schema


Adprep was unable to extend the schema.

[Status/Consequence]

The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.

[User Action]

Verify that the schema master is connected to the network and can communicate with other Active Directory Domain Controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.


Solution

This error indicates that there are AD replication problems in the environment. In order to continue, the replication issue must be resolved.

To check what replication problems you are having, install your Windows Support Tools and run Repadmin /Showrepl or Repadmin /Showreps on the Schema Master. This should show you which DCs you are having problems with.

Once you have determined the DC(s) that has the problem, check to see if you can connect to \\server (servername) and \\FQDN(servername).

If both are unsuccessful then you may have a networking problem, a broken secure channel or a 5 minute time difference between the two machines.

If one is unsuccessful you have a networking problem involving DNS or NetBIOS name resolution.

If both are successful:

On both the DC that is not replicating with the Schema Master as well as the Schema Master:

  1. In the TCPNic properties point DNS to a single DNS server
  2. At a cmd prompt type Netdiag /fix

On the Schema Master

  1. Open Active Directory Sites and Services
  2. Expand the site that the Schema Master is in
  3. Right click on the NTDS settings under the Schema Master and choose All Tasks > Check Replication Topology.
  4. Refresh the view
  5. Right click on each replication object and attempt a replication

These are just some basic troubleshooting steps. If you get an error message, go to Support.Microsoft.com and in the search type in the error message in quotes.


User Not a Member of Required Groups

Adprep detected that the logon user is not a member of the following groups: Enterprise Admins Group, Schema Admins Group and Contoso.local\Domain Admins Group.

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Enterprise Admins group, Schema Admins group and Contoso.local\Domain Admins group.

— Or —

Adprep was unable to check the current User’s group membership

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Domain Admins Group, Enterprise Admins group and Schema Admins group if /forestprep is specified, or is a member of Domain Admins group if /domainprep is specified.

Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied


Solution

Check your group membership. If you are a member of many nested groups, you may experience the problem due to your token size. In this case, you may choose to create a new account in Active Directory Users and Computers, make the new account a member of the Domain Admins, Enterprise Admins, and Schema Admins groups only, log on to the Schema Master as that account and rerun the Adprep /ForestPrep command.

As an alternative to creating a new account you can

1. Increase MaxTokenSize in the registry

a) Open Regedit

b) Navigate to HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

c) Add a new DWORD

d) MaxTokenSize

e) Value 65535

or

2. Remove all unnecessary groups


ADPREP not Running on Schema Master

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]

If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.

C

Forest-wide information can only be updated on the Active Directory Domain Controller that holds the schema operations master role.

[Status/Consequence]

Adprep has stopped on this Active Directory Domain Controller and must be run on the current schema operations master, which is Rob731.Contoso.local.

[User Action]

Log on to the Rob731.Contoso.local Active Directory Domain Controller, change to the directory of adprep.exe on the installation media, and then type the following command at the command prompt to complete the forest update: adprep /forestprep


Solution

On rare occasions you may experience this message when you are on the schema master. In these cases transfer the schema master to another DC and then transfer it back to the original and run Adprep /Forestprep again. See also How to view and transfer FSMO roles in the graphical user interface.

If your schema master was on another machine that was removed from Active Directory then you will have to seize the schema master role using Ntdsutil. See also Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.


In your Adprep log you see “Error 0x80070020 (Error_sharing_Violation)”


Solution

This is normally caused by antivirus programs’ on-demand scanning. To resolve the issue, disable the antivirus software on-demand scanning feature.


Adprep /Forestprep Fails Due To OID Conflict On Any Schema Attribute


“OID will not be changed resulting in probable failure to add a new class.”


Solution

This error happens when custom schema changes have been made, or when a third-party software makes schema changes that conflict with Microsoft’s.

What you will see is “OID will not be changed resulting in probable failure to add a new class.”

To resolve this issue, open the ADPREP log to see what the failed object is. If you know the third-party software that is using the attribute, contact them and determine if there is a fix. Otherwise I would recommend opening a case with Microsoft for assistance resolving this issue.


Schema update failed: An attribute with the same link identifier already exists.

This error occurs when you are trying to update/add an object in the schema and the link identifier already exists for another attribute. Some third party apps will modify the schema with a link identifier set that is owned by the OS.

You will see the following in the CMD prompt window. The key here is the message about link identifier.

Connecting to «Machine»

Logging in as current user using SSPI

Importing directory from file «D:\Sources\adprep\schXX.ldf»

Loading entriesAdd error on line 249: Unwilling To Perform

The server side error is «Schema update failed: An attribute with the same link identifier already exists.»

15 entries modified successfully.

An error has occurred in the program

…………….

Opened Connection to Machine

SSPI Bind succeeded

Current Schema Version is 30

Upgrading schema to version 44

ERROR: Import from file D:\Sources\adprep\sch34.ldf failed. Error file is saved in ldif.err.34.

When you look in the ldif.err.XX log you will see the attribute we are trying to add:

Entry DN: CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=Contoso,DC=local

Add error on line 249: Unwilling To Perform The server side error is «Schema update failed: An attribute with the same link identifier already exists.»An error has occurred in the program.»


Solution


In this instance please contact Microsoft for a resolution. This error indicates that there is a link identifier that is already in use that shouldn’t be there.


Errors Running Adprep /Domainprep


Forestprep Not Run Or Not Recognized As Having Been Run

Running domainprep …

Forest-wide information needs to be updated before the domain-wide information can be updated.

[User Action]

Log on to the schema master Rob731.Contoso.local for this forest, run the following command from the installation media to complete the forest update first:  adprep.exe /forestprep and then rerun adprep.exe /domainprep on infrastructure master again.


Solution

This problem can happen if you haven’t run Adprep /Forestprep yet, or if replication is broken and you are running it on a different DC or Domain than you ran the Adprep /Forestprep on. To resolve this issue either run Adprep /Forestprep or resolve the replication issue depending on the situation.


Not In Windows 2000/2003 Native Mode

Adprep detected that the domain is not in native mode

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Configure the domain to run in native mode and re-run domainprep

Raise the domain functional level to 2000 Native mode

To raise Windows 2003 to native mode

1)    Open Active Directory Users and computers

2)    Right click on your domain name and select Raise Domain Functional Level

3)    Use the drop down to select Windows 2000 Native Mode

4)    Click Raise


Unable To Contact Infrastructure Master

Adprep was unable to check the domain update status.

[Status/Consequence]

Adprep queries the directory to see if the domain has already been prepared. If the information is unavailable or unknown, Adprep proceeds without attempting this operation.

[User Action]

Restart Adprep and check the ADPrep.log file. Verify in the log file that this domain has already been successfully prepared.

Adprep encountered a Win32 error.  Error code: 0x3a Error message: The specified server cannot perform the requested operation..

Check connectivity to the Infrastructure Master.


Errors Running Adprep /Domainprep /Gpprep

If you have already run Adprep /Domainprep, there is really only one error that you can get. When you run Adprep /Domainprep /Gpprep after you have done the normal Domainprep, you are only setting permissions on the policies folder. Below is the error that you will receive if they are inaccessible.


Group Policies Missing Or Inaccessible

Adprep was unable to complete because the call back function failed.

[Status/Consequence]

Error message: (null)

[User Action]

Check the log file ADPrep.log, in the C:\WINDOWS\debug\adprep\logs\20080806171216 directory for more information


Solution

Check to make sure that your sysvol\sysvol\policies\{6ac…………..} and {31b…………….} folders exist and are accessible. If either or both are missing and you have a backup of these folders, restore the folders. If you do not have a backup and the folders are not in an NTFRS_Policies folder, then contact Microsoft for assistance in recreating the folders.


Errors Running Adprep /Rodcprep


Adprep /Rodcprep Fails Due To Insufficient Permissions

Adprep connected to the domain FSMO: Rob731.Contoso.local.

Adprep found partition DC=ForestDnsZones,DC=Contoso,DC=local, and is about to update the permissions.

Adprep connected to a replica DC Rob731.Contoso.local that holds partition DC=ForestDnsZones,DC=Contoso,DC=local.

Adprep was unable to modify the security descriptor on object DC=ForestDnsZones,DC=Contoso,DC=local.

[Status/Consequence]

ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080813153240 directory for more information.

Adprep encountered an LDAP error.  Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151D54, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Adprep failed the operation on partition DC=ForestDnsZones,DC=Contoso,DC=local. Skipping to next partition.


Solution

You will see other partitions DC=domainDnsZones,DC=Contoso,DC=local as well. To fix this issue make sure you are in the Domain Admins and Enterprise Admins groups.


Adprep /Rodcprep Fails Because It Cannot Connect To Domain Naming Master

Adprep could not contact the Domain Naming FSMO to read the partitions. The Domain Naming FSMO must be reachable for this operation to proceed.

[Status/Consequence]

The Active Directory Domain Services DNS partitions are not prepared for Read Only DCs.

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080813175105 directory for possible cause of failure.

Adprep encountered a Win32 error.  Error code: 0x54b Error message: The specified domain either does not exist or could not be contacted..


Solution

This error indicates that there is a problem with the domain naming master. Verify that you can contact the Domain Naming Master for the forest. You can check the operations master role in Active Directory Users and Computers.


Adprep /Rodcprep Fails Because It Cannot Connect To Infrastructure Master

Adprep found partition DC=Contoso,DC=local, and is about to update the permissions.

Adprep could not contact the Infrastructure FSMO for domain DC=Contoso,DC=local. The Infrastructure FSMO must be reachable for this operation to proceed.

[Status/Consequence]

The Active Directory Domain Services DNS partitions are not prepared for Read Only DCs.

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080814090356 directory for possible cause of failure.

Adprep encountered a Win32 error.  Error code: 0x3a Error message: The specified server cannot perform the requested operation..

Adprep failed the operation on partition DC=Contoso,DC=local. Skipping to next partition.

Adprep completed with errors. Not all partitions are updated. See the ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080814090356 directory for more information. To successfully update all partititions, the current logged on user needs to be a member of Enterprise Admins group. If that is not the case, please correct the problem, and then restart Adprep.


Solution

On the Schema Master run the following command:

Netdom Query FSMO

You should see the five FSMO roles including the Infrastructure Master. Once you have determined who the Infrastructure master is, type \\Server name and \\FQDN(servername). Ensure that you can connect to the Infrastructure master.

If you need to transfer or seize the Infrastructure master for any reason follow:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

Or

How to view and transfer FSMO roles in the graphical user interface

This concludes this post on many of the errors that you may encounter while running ADPREP. For those reading this after running into an error, I hope that it helped to resolve the issue.

— Rob Newhouse
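
The triage step this post describes (open the newest ADPrep log and read the failure at the bottom), as an added PowerShell example that is not part of the original post. It goes beyond any single section by matching all of the error strings quoted above; the function name Get-AdprepFailure, the signature table and the sample lines are constructed for illustration.

```powershell
# Added example: classify the tail of an ADPrep.log against the failures covered in this post.
# Patterns are taken from the log excerpts quoted on this page; Cause/NextStep paraphrase
# its Solution sections. Matching is case-insensitive (-match).
$AdprepSignatures = @(
    @{ Pattern  = 'did not complete a replication cycle'
       Cause    = 'AD replication problem on the schema master'
       NextStep = 'Run Repadmin /Showrepl on the schema master and resolve replication' }
    @{ Pattern  = 'INSUFF_ACCESS_RIGHTS'
       Cause    = '/rodcprep could not update a partition security descriptor'
       NextStep = 'Confirm membership in Domain Admins and Enterprise Admins' }
    @{ Pattern  = 'not a member of the following groups|unable to check the current User.s group membership|Access is denied'
       Cause    = 'Missing group membership, or token too large from nested groups'
       NextStep = 'Use an account in only the required admin groups, or raise MaxTokenSize' }
    @{ Pattern  = 'must be run on the current schema operations master'
       Cause    = 'ADPREP is not running on the schema master'
       NextStep = 'Run it on the schema master; if already there, transfer the role away and back' }
    @{ Pattern  = '0x80070020'
       Cause    = 'Sharing violation, normally antivirus on-demand scanning'
       NextStep = 'Disable on-demand scanning while ADPREP runs' }
    @{ Pattern  = 'OID will not be changed'
       Cause    = 'OID conflict from custom or third-party schema changes'
       NextStep = 'Find the failed object in the log; contact the vendor or Microsoft' }
    @{ Pattern  = 'same link identifier already exists'
       Cause    = 'Link identifier already used by another attribute'
       NextStep = 'Check ldif.err.XX for the entry DN and contact Microsoft' }
    @{ Pattern  = 'Forest-wide information needs to be updated'
       Cause    = '/forestprep not run, or not yet replicated to this DC'
       NextStep = 'Run /forestprep or fix replication, then rerun /domainprep' }
    @{ Pattern  = 'domain is not in native mode'
       Cause    = 'Domain functional level is too low'
       NextStep = 'Raise the domain functional level, then rerun /domainprep' }
    @{ Pattern  = 'call back function failed'
       Cause    = 'Group Policy folders in SYSVOL missing or inaccessible'
       NextStep = 'Verify the default policy folders exist under SYSVOL' }
    @{ Pattern  = 'Error code: 0x54b|could not contact the Domain Naming FSMO'
       Cause    = 'Domain naming master unreachable'
       NextStep = 'Verify connectivity to the domain naming master' }
    @{ Pattern  = 'Error code: 0x3a|could not contact the Infrastructure FSMO'
       Cause    = 'Infrastructure master unreachable'
       NextStep = 'Run Netdom Query FSMO and test connectivity to the role holder' }
)

function Get-AdprepFailure {
    [CmdletBinding()]
    param(
        # Log lines; blank lines are expected in real logs, so allow them.
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$LogLine,
        # The post says the failure is at the bottom of the file, so only scan the tail.
        [int]$Tail = 60
    )
    $start = [Math]::Max(0, $LogLine.Count - $Tail)
    for ($i = $start; $i -lt $LogLine.Count; $i++) {
        foreach ($sig in $AdprepSignatures) {
            if ($LogLine[$i] -match $sig.Pattern) {
                [pscustomobject]@{
                    LineNumber = $i + 1
                    Cause      = $sig.Cause
                    NextStep   = $sig.NextStep
                    Text       = $LogLine[$i].Trim()
                }
                break   # first matching signature wins for this line
            }
        }
    }
}

# Constructed sample, assembled from the /rodcprep excerpts quoted in this post.
$sampleLog = @(
    'Adprep found partition DC=ForestDnsZones,DC=Contoso,DC=local, and is about to update the permissions.'
    'Adprep was unable to modify the security descriptor on object DC=ForestDnsZones,DC=Contoso,DC=local.'
    'Adprep encountered an LDAP error.  Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151D54, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0'
    ''
    'Adprep found partition DC=Contoso,DC=local, and is about to update the permissions.'
    'Adprep encountered a Win32 error.  Error code: 0x3a Error message: The specified server cannot perform the requested operation..'
)
Get-AdprepFailure -LogLine $sampleLog | Format-List LineNumber, Cause, NextStep

# On a domain controller, point it at the newest log under the folder named in the post:
# $log = Get-ChildItem 'C:\Windows\Debug\Adprep\Logs' -Recurse -Filter 'ADPrep.log' |
#        Sort-Object LastWriteTime | Select-Object -Last 1
# Get-AdprepFailure -LogLine (Get-Content -LiteralPath $log.FullName)
```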


Hi,

I have a Windows 2012 server running as Primary Domain Controller (PDC). A month ago I set up another Windows 2012 server as Backup Domain Controller (BDC) for redundancy purposes. After setting up the BDC I checked all the DNS replication and AD Users & Computers settings; all were working normally on both PDC and BDC. I even tried unlocking, disabling and enabling an AD user account through my BDC and everything worked fine, so I realized the replication was happening with no issues. Yesterday I was ghosting my PDC in Windows PE mode when one of the users complained that her user account got locked. When I tried to unlock the account through the BDC using AD Users & Computers, the console showed the attached error, and the event viewer showed an ADDS/DNS error: "The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error."

The replication between the PDC and BDC is happening fine. I even manually executed repadmin /syncall /Adep and also replicated under Active Directory Sites and Services. Still, when I temporarily disabled the NIC of my PDC domain controller, the BDC did not operate; it works as a normal domain client instead of a replicator.

When I check "NET SHARE" on the BDC, the sysvol and netlogon folders are both not listed as shared. I manually checked the sysvol folder on the BDC; there is no myserver.com\policies or script available.

Any help please.



    Mohammed…

    • Edited by

      Saturday, February 10, 2018 10:23 AM
      inclusion

Dear developers, good afternoon.

The program version is 5.0, installed as a service on Windows Server 2016. The user under which the service runs is a member of the local Administrators group. The Exiland Backup service starts.
The job does not run; the execution log is below:

Выполнение задания «УТ 2012»
Версия: Exiland Backup Professional 5.0
Задание выполняется под учетной записью «Domainbackup»
Способ запуска: Вручную

30.11.2019 15:07:31 Начало выполнения задания.
30.11.2019 15:07:31
30.11.2019 15:07:31 Тип резервной копии: Полный (Full)
30.11.2019 15:07:31
30.11.2019 15:07:31 Сканирование исходных файлов …
30.11.2019 15:07:31 Папка «D:1C_Bases8_2Torg 2012Bin», Объем данных: 2 662 722 байт
30.11.2019 15:07:31 Файл «D:1C_Bases8_2Torg 20121Cv8.1CD», Объем данных: 11 733 299 522 байт
30.11.2019 15:07:31 Сканирование завершено. Время операции: 0 сек.
30.11.2019 15:07:31 Исходных данных: 10,93 Гб (11 733 299 522 байт), файлов: 11
30.11.2019 15:07:31
30.11.2019 15:07:31 Создание временной теневой копии диска D ..
30.11.2019 15:07:31 Error: See details in «c:tempExiland Backupvshadow.txt».
30.11.2019 15:07:31 Error: Операция завершилась неудачей
30.11.2019 15:07:31
30.11.2019 15:07:31 Error: Резервная копия не была создана.

Contents of the file "c:\temp\Exiland Backup\vshadow.txt":

VSHADOW.EXE 3.0 — Volume Shadow Copy sample client.
Copyright (C) 2005 Microsoft Corporation. All rights reserved.

(Option: No-writers option detected)
(Option: Persistent shadow copy)
(Option: Generate SETVAR script ‘c:tempExiland Backupvars.cmd’)
(Option: Create shadow copy set)
— Setting the VSS context to: 0x00000019
Creating shadow set {c196c340-96d3-4a92-895d-3245d01d88bf} …
— Adding volume \?Volume{2f40ba71-0000-0000-0000-103e49000000} [D:] to the shadow set…

ERROR: COM call «m_pVssObject->AddToSnapshotSet((LPWSTR)volume.c_str(), GUID_NULL, &SnapshotID)» failed.
— Returned HRESULT = 0x8004230f
— Error text: VSS_E_UNEXPECTED_PROVIDER_ERROR
— Please re-run VSHADOW.EXE with the /tracing option to get more details

Please advise what to do to get the backup working.

Mikhail

Exiland Backup technical support

Look at the list of providers on your system.
To do this, open a Command Prompt as Administrator and run the command:

vssadmin list providers

Let us know what it outputs.

Is there by any chance anything else besides the Microsoft Software Shadow Copy provider?
If there is, that is the problem.

Hello.
Output of the command "vssadmin list providers":

C:Exiland Backup ProfessionalBackupServicevss7x64>vssadmin list providers
vssadmin 1.1 — Программа командной строки для администрирования службы теневого копирования томов
(C) Корпорация Майкрософт (Microsoft Corportion), 2001-2013.

Имя поставщика: «Hyper-V IC Software Shadow Copy Provider»
Тип поставщика: Программное обеспечение
Id поставщика: {74600e39-7dc5-4567-a03b-f091d6c7b092}
Версия: 1.0.0.0

Имя поставщика: «Microsoft File Share Shadow Copy provider»
Тип поставщика: Общая папка
Id поставщика: {89300202-3cec-4981-9171-19f59559e0f2}
Версия: 1.0.0.1

Имя поставщика: «Microsoft Software Shadow Copy provider 1.0»
Тип поставщика: Системный
Id поставщика: {b5946137-7b9f-4925-af80-51abd60b20d5}
Версия: 1.0.0.7

Mikhail

Exiland Backup technical support

Exiland Backup uses the vshadow.exe utility from the /vss subfolder, and that utility uses the "Microsoft Software Shadow Copy provider 1.0" shadow copy provider.
If several providers are installed on the system (your case), the utility conflicts with them.

The most reliable, and so far the only, solution is to remove these providers from your system:
Hyper-V IC Software Shadow Copy Provider
Microsoft File Share Shadow Copy provider
leaving only
Microsoft Software Shadow Copy provider 1.0

The danger, though, is that something may stop working if you use services tied to the providers you remove.

So, open the Windows registry (the regedit command).
Then go to HKEY_LOCAL_MACHINE –> SYSTEM –> CurrentControlSet –> services –> VSS –> Providers

Expanding the "Providers" branch, you will probably have 3 subkeys with names like {b5946137-7b9f-4925-af80-51abd60b20d5}

Right-click "Providers" -> Export … and specify where to save, for example C:\Temp\Providers.reg
This will be a backup of the branch, so that it can be restored if there are problems simply by running Providers.reg

Next, in the registry, delete from Providers the 2 subkeys that contain the providers "Hyper-V IC Software Shadow Copy Provider" and "Microsoft File Share Shadow Copy provider".
Restart the PC.

Try Exiland Backup. The problem should go away.

I don't want to go that way; it isn't right. I read up on the internet, restarted the service under the LocalSystem account, and tried running the backup again.
I got a different error:

02.12.2019 09:50:25 Начало выполнения задания.
02.12.2019 09:50:25
02.12.2019 09:50:25 Тип резервной копии: Полный (Full)
02.12.2019 09:50:25
02.12.2019 09:50:25 Сканирование исходных файлов …
02.12.2019 09:50:25 Папка «D:1C_Bases8_2Torg 2012Bin», Объем данных: 2 662 722 байт
02.12.2019 09:50:25 Файл «D:1C_Bases8_2Torg 20121Cv8.1CD», Объем данных: 11 733 299 522 байт
02.12.2019 09:50:25 Сканирование завершено. Время операции: 0 сек.
02.12.2019 09:50:25 Исходных данных: 10,93 Гб (11 733 299 522 байт), файлов: 11
02.12.2019 09:50:25
02.12.2019 09:50:25 Создание временной теневой копии диска D ..
02.12.2019 09:50:26 Error: Temporary shadow disk «Z:» not connected. See details in «c:tempExiland Backupel.txt». Операция завершилась неудачей, Command=»C:Exiland Backup ProfessionalBackupServicevss7x64vshadow.exe» -el={98923da4-8204-4608-87b2-6df396f5a00e},Z:
02.12.2019 09:50:26
02.12.2019 09:50:26 Error: Резервная копия не была создана.
02.12.2019 09:50:26
02.12.2019 09:50:26 Удаление временных файлов …
02.12.2019 09:50:26 Удалено: Временная теневая копия диска D, ID={98923da4-8204-4608-87b2-6df396f5a00e}
02.12.2019 09:50:26 Операция завершена.

A file el.txt appeared in the folder "C:\temp\Exiland Backup" with the following contents:

VSHADOW.EXE 3.0 — Volume Shadow Copy sample client.
Copyright (C) 2005 Microsoft Corporation. All rights reserved.

(Option: Expose a shadow copy)
— Setting the VSS context to: 0xffffffff
— Exposing shadow copy {98923da4-8204-4608-87b2-6df396f5a00e} under the path ‘Z:’
— Checking if ‘Z:’ is a valid drive letter …

ERROR: the second parameter to -el [Z:] is a drive letter already in use!

Since the program needs the letter "Z" specifically, I moved the CD to another letter and freed up "Z".

After that, the backup using VSS, without editing the registry, completed successfully.
But without access to the local network.

As I understand it, the account that has access to network resources (the one that is not LocalSystem) lacks some specific rights (besides membership in the local Administrators group).

Question: which rights need to be added to the account, and how?

Mikhail

Exiland Backup technical support

We have fixed the "[Z:] is a drive letter already in use!" error in the upcoming version 5.1. The program incorrectly determined the first free drive letter from the end.

As for the account: you wrote that if there are several VSS providers on the system and the service starts as LocalSystem, there are no problems; vshadow.exe selects the correct provider, "Microsoft Software Shadow Copy provider 1.0", and successfully creates the shadow copy, but unfortunately the LocalSystem account has no access to the local network. It is not yet clear how to make the vshadow.exe utility select the required provider. If you have a domain network, you can try granting LocalSystem access to the local network by allowing the PC with the program installed to connect to other PCs (grant the access right to the computer, not to the account).

Good afternoon.

I will check the computer's rights and report back. For now I have worked around it by setting up an FTP server on the remote machine; in that setup there are no access problems.

Mikhail

Exiland Backup technical support

Good.
Indeed, for FTP access it does not matter which account the service starts under. It can be LocalSystem. And to give the LocalSystem account network access rights, on the remote PC you need to grant rights on the shared folder not to any user, but to the PC from which access is made
https://qastack.ru/server/135867/how-to … em-account

DFSR Event ID 5014 Error 9036 with a new Domain Controller



23 June 2022, 00:16

First of all some stats:

  • I stood up my Domain Controller on Fri Sep 13 2013 22:53:26 UTC+0200 (Central European Summer Time). It was a 2012R2 Essentials at first, now it's a 2019 Essentials. On the same hardware that still sits next to me.
  • 2 HDDs and 1 SSD that had the OS on them have died during that time – the backup was what saved me each time.

But right now, it keeps on slowly dying – on the inside. I recently bought new hardware and finally P2Ved the machine and now it seems to bug out more and more. With an Essentials SKU there were many roles installed on this one machine. Standing up more servers wasn’t an option due to costs attached. The issue is that I can no longer install updates. KB5014692 keeps failing with an error that is very unknown, and my google-fu isn’t strong enough. So it is clearly time to set up a new one.

Moving the FSMO roles wasn’t even that much of an issue (shoutout to Argonsys, who keep updating their article for that). However, I ran into the issue of not being able to sync group policy objects. A question mark let me know that the Sysvol folder could not be synchronised (for some objects).

The DFS Replication service is stopping communication with partner <DC Hostname> for replication group Domain System Volume due to an error. The service will retry the connection periodically.
Additional Information:
Error: 9036 (Paused for backup or restore)
Connection ID: A GUID
Replication Group ID: Another GUID

Source: DFSR Event

The solution in PowerShell form

After some digging I found this old technet post and the answer to that is actually the answer to the problem! So I sat down and wrote a quick and dirty PowerShell script to fix it. It needs to be run on the old (hopefully still running) domain controller. Do not create new GPOs on the old domain controller after that, because the issue will appear again. Please make sure you have a valid backup of your server or at least of that folder.

# Source thread: https://social.technet.microsoft.com/Forums/ie/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016
######### CHANGE THE DOMAIN ADMINS GROUP NAME DEPENDING ON THE LANGUAGE OF YOUR FIRST DC ###########
$DomAdminsName = "Domänen-Admins"
# NTAccount identity of the group (PurgeAccessRules accepts any IdentityReference)
$SID = New-Object System.Security.Principal.NTAccount($DomAdminsName)
$DomName = (Get-ADDomain).Forest
# Every GPO folder under SYSVOL, skipping the PolicyDefinitions central store wherever it sorts
$GPOs = Get-ChildItem "C:\Windows\SYSVOL\sysvol\$DomName\Policies" -Directory |
    Where-Object { $_.Name -ne "PolicyDefinitions" }
$AccessRuleAllow = New-Object System.Security.AccessControl.FileSystemAccessRule($DomAdminsName, "FullControl", "Allow")

foreach ($Gpo in $GPOs) {
    # Remove every ACE for the group first
    $FolderACL = Get-Acl $Gpo.FullName
    $FolderACL.PurgeAccessRules($SID)
    Set-Acl -Path $Gpo.FullName -AclObject $FolderACL
    Start-Sleep 1
    # Re-add Full Control afterwards
    $FolderACL = Get-Acl $Gpo.FullName
    $FolderACL.SetAccessRule($AccessRuleAllow)
    Set-Acl -Path $Gpo.FullName -AclObject $FolderACL
}

Don’t forget to re-sync with:
repadmin /syncall
repadmin /syncall /AdePq
After that, you should see the following event.

The DFS Replication service successfully established an inbound connection with partner <DC Hostname> for replication group Domain System Volume.
Additional Information:
Connection Address Used: <FQDN of the original DC>
Connection ID: A GUID
Replication Group ID: Another GUID

Source: DFSR Event
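
Before running an ACL rewrite like the script above, a read-only snapshot shows what one group currently has on each GPO folder and records every folder's SDDL as a rollback record. This is an added example, not the author's code: Get-GpoFolderAclSnapshot and the temp demo folder are hypothetical, and the commented lines show the assumed use on a domain controller.

```powershell
# Added example: snapshot one identity's access on every GPO folder under a Policies directory.
# Read-only: it never calls Set-Acl.
function Get-GpoFolderAclSnapshot {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PoliciesPath,
        [Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Compare by SID string so the result does not depend on a localized group name.
    $sid  = $Identity.Translate($sidType).Value
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ChildItem -LiteralPath $PoliciesPath -Directory |
        Where-Object { $_.Name -ne 'PolicyDefinitions' } |   # central store, not a GPO
        ForEach-Object {
            $dir  = $_
            $acl  = Get-Acl -LiteralPath $dir.FullName
            # All explicit and inherited ACEs that name the identity.
            $aces = @($acl.GetAccessRules($true, $true, $sidType) |
                      Where-Object { $_.IdentityReference.Value -eq $sid })
            # Of those, the Allow ACEs that grant every bit of FullControl.
            $allowFull = @($aces | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights) -band $full) -eq $full })
            [pscustomobject]@{
                Folder        = $dir.Name
                AceCount      = $aces.Count
                ExplicitFull  = [bool]($allowFull | Where-Object { -not $_.IsInherited })
                InheritedFull = [bool]($allowFull | Where-Object { $_.IsInherited })
                Sddl          = $acl.Sddl   # full security descriptor, kept for rollback
            }
        }
}

# Constructed demo so the function runs on any Windows machine: a temp folder shaped like
# ...\Policies, checked against the current user instead of Domain Admins.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('PoliciesDemo-' + [guid]::NewGuid())
'{11111111-1111-1111-1111-111111111111}',
'{22222222-2222-2222-2222-222222222222}',
'PolicyDefinitions' | ForEach-Object {
    New-Item -ItemType Directory -Path (Join-Path $demo $_) -Force | Out-Null
}
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$snapshot = Get-GpoFolderAclSnapshot -PoliciesPath $demo -Identity $me
$snapshot | Format-Table Folder, AceCount, ExplicitFull, InheritedFull -AutoSize
$snapshot | Export-Csv -Path (Join-Path $demo 'acl-before.csv') -NoTypeInformation

# Assumed use on the old domain controller: resolve Domain Admins by its well-known SID type
# rather than by a localized name, and point at the SYSVOL path used in the script above.
# $da = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList `
#         ([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid), ((Get-ADDomain).DomainSID)
# Get-GpoFolderAclSnapshot -PoliciesPath "C:\Windows\SYSVOL\sysvol\$((Get-ADDomain).Forest)\Policies" -Identity $da
```

Running the same snapshot on both domain controllers after the fix and comparing the two CSV files shows whether any GPO folder still differs.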

When first adding a local Hyper-V server to Veeam Backup&Replication, after entering the user name and password for access to the server, the following error occurs:

Access is denied.
—tr:Error code: 0x00000005
—tr:Failed to create persistent connection to ADMIN$ shared folder on host [192.168.13.2].
—tr:Failed to install service [VeeamDeploySvc] was not installed on the host [192.168.13.2]

The error occurred because the user specified for access to the server, although a member of the Administrators group, is not the built-in administrator account that is created in the system by default.

Possible solutions:

  • Specify the built-in administrator account
  • Disable UAC. This can be done through msconfig, or by launching UserAccountControlSettings directly.
  • Manually install the required packages VeeamHvIntegration.msi and VeeamTransport.msi on the server. They are located in the folder C:\Program Files\Veeam\Backup and Replication\Backup\Packages.
  • Add a key to the registry (regedt32)

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "LocalAccountTokenFilterPolicy"=dword:00000001
