Forum Discussion
nikitamobile855
Apr 14, 2022 | Brass Contributor
DFS replication issues
Hello everyone, We are running Windows Server 2016 as a Primary Domain Controller. We don't have DFS management tool installed however I'm getting 6002 errors in event viewer. Please advise on h...
- Apr 20, 2022
Thanks, Nikita. That helped a great deal and saved a lot of time.
I'll start at the end and work backwards.
You want to run these commands to clean up what is a very broken DFS-R configuration. I'll provide an in-depth explanation after the commands.
    Remove-ADObject -Identity "CN=45d9316b-1098-408e-a65d-8ce8449f0aaa,CN=DFSR-LocalSettings,CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local" -Recursive -Confirm:$false;
    Remove-ADObject -Identity "CN=a7297769-fdcd-4490-ae1c-c80808f44d36,CN=DFSR-LocalSettings,CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local" -Recursive -Confirm:$false;
    Remove-ADObject -Identity "CN=DFS,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local" -Recursive -Confirm:$false;
    Remove-ADObject -Identity "CN=DFS_IT,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local" -Recursive -Confirm:$false;
    Remove-ADObject -Identity "CN=UZTASSVR02,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local" -Recursive -Confirm:$false;
Overview
What the JSON output you provided showed is:
- There are no DFS namespaces configured;
- The DFS replication group definitions are badly broken in places;
- The "built-in" SYSVOL DFS-R definition is fine but contains an orphaned reference to a domain controller no longer in existence (UZTASSVR02);
- Three DFS replication groups are defined:
  - DFS;
  - DFS_IT;
  - Domain System Volume.
Approach
There were two options I could have pursued:
- Add the missing "MemberReference" values onto the existing "msDFSR-Subscriber" objects; or
- Delete the DFS and DFS_IT DFS replication groups.
I have chosen option 2 since:
- There is no associated DFS namespace;
- The replication groups would only have a single member, which is pointless;
- It provides you with the cleanest outcome, since you can always create new DFS namespaces and replication groups if you decide to later on, and you won't have to worry about old, corrupt data lingering around.
Explanation of each command
Line  Comment
1     Removes the orphaned subscription to the "DFS" replication group from UZTASSRV01.
2     Removes the orphaned subscription to the "DFS_IT" replication group from UZTASSRV01.
3     Removes the "DFS" replication group.
4     Removes the "DFS_IT" replication group.
5     Removes the orphaned UZTASSVR02 reference from the "Domain System Volume" replication group.

Once you have removed these objects, it will take DFS-R a little while to recognise the changes.
If you want to hurry the process up, you can do any one of the following:
- Restart UZTASSRV01 (since it's the only remaining host); or
- Restart the "DFSR" service on UZTASSRV01; or
- Run the following command on UZTASSRV01 (it may not be installed though, which is fine):
dfsdiag pollad
Anyhow, once you've either waited a bit or hurried things up, you should find the Event Viewer errors stop.
Cheers,
Lain
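A dry run of the clean-up above, as an added example that is not part of the original post: it checks that each of the five distinguished names resolves to one of the DFS-R object classes seen in the script output, lists the subtree that -Recursive would delete, and calls Remove-ADObject with -WhatIf so nothing is changed. It assumes the ActiveDirectory PowerShell module is available; the $ExpectedClasses guard is an addition of this example.

```powershell
#Requires -Modules ActiveDirectory

# The five distinguished names from the clean-up commands in the post above.
$Targets = @(
    "CN=45d9316b-1098-408e-a65d-8ce8449f0aaa,CN=DFSR-LocalSettings,CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local",
    "CN=a7297769-fdcd-4490-ae1c-c80808f44d36,CN=DFSR-LocalSettings,CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local",
    "CN=DFS,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local",
    "CN=DFS_IT,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local",
    "CN=UZTASSVR02,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local"
)

# Assumption of this example: only these classes should ever be deleted here.
# Anything else means a DN was mistyped and points at an unrelated object.
$ExpectedClasses = "msDFSR-Subscriber", "msDFSR-ReplicationGroup", "msDFSR-Member"

foreach ($Dn in $Targets) {
    try {
        $Object = Get-ADObject -Identity $Dn -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Warning "Not found (already removed or mistyped): $Dn"
        continue
    }

    if ($Object.ObjectClass -notin $ExpectedClasses) {
        Write-Warning "Skipping unexpected class '$($Object.ObjectClass)': $Dn"
        continue
    }

    # -Recursive deletes the whole subtree, so list every object under the DN first.
    Get-ADObject -SearchBase $Dn -SearchScope Subtree -Filter * |
        Select-Object ObjectClass, DistinguishedName |
        Format-Table -AutoSize -Wrap

    # -WhatIf reports what would be deleted without performing the deletion.
    Remove-ADObject -Identity $Dn -Recursive -WhatIf
}
```

Once the listed subtrees match expectations, the commands from the post can be run as given.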
nikitamobile855
Apr 15, 2022 | Brass Contributor
Thanks a lot for your detailed response!
I have tried to run the PowerShell script and it doesn't return any values. And I didn't clearly understand how I can delete it now?
LainRobertson
Apr 16, 2022 | Silver Contributor
Okay, given you didn't get any values returned from that command, just delete the object listed in the Event Viewer error.
In other words, delete the following object from AD (make sure you check I haven't typed the GUID incorrectly - you can copy-and-paste it from the Event Viewer error if you like):
CN=c3b24e94-239f-4621-b82b-b356d6cc9bed,CN=Topology,CN=DFS,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local
Cheers,
Lain
- nikitamobile855 | Apr 19, 2022 | Brass Contributor
I still don't understand how I can delete the object if it doesn't appear either in AD or ADSI editor.
CN=c3b24e94-239f-4621-b82b-b356d6cc9bed,CN=Topology,CN=DFS,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local
- LainRobertson | Apr 19, 2022 | Silver Contributor
If you can't see it then the error doesn't make any sense, either.
Rather than trying to work through checking each object individually, I've written a quick script (inserted at the bottom of this post) to pull some of the DFS (-N and -R) configuration information from Active Directory.
If you can save it as "Get-DfsConfiguration.ps1", then run it as shown below and upload the JSON, that would help with the cross-referencing.
You can direct-message me the results if you'd prefer not to post them here, but there's nothing confidential about it, meaning others here may be able to offer insight if you choose to paste the results in here.
.\Get-DfsConfiguration.ps1 | ConvertTo-Json -Depth 3
If the script throws an error, let me know and I'll fix it as I didn't spend much time quality assuring it. But if it behaves, the output will help with both of your TechCommunity threads.
It does not need any special rights and can (and should) be run as a normal, unprivileged user.
Also, can you check that the DFS service is running on your domain controller? (i.e. "Get-Service -Name Dfs")
Cheers,
Lain
    [cmdletbinding()]
    Param()

    #region Class definitions.
    class DfsrSubscriber {
        [string] $Status;
        [guid] $ObjectGUID;
        [string] $ObjectClass;
        [string] $Name;
        [string] $DistinguishedName;
        [string] $MemberReference;

        DfsrSubscriber([guid] $ObjectGUID, [string] $Name, [string] $DistinguishedName, [System.DirectoryServices.PropertyValueCollection] $MemberReference) {
            $this.ObjectGUID = $ObjectGUID;
            $this.ObjectClass = "msDFSR-Subscriber";
            $this.Name = $Name;
            $this.DistinguishedName = $DistinguishedName;

            if (($MemberReference.Count -gt 0) -and ([adsi]::Exists("$($Script:AdsPrefix)/CN=SYSVOL Subscription,$DistinguishedName"))) {
                $this.Status = "Okay";
                $this.MemberReference = $MemberReference[0];
            }
            else {
                $this.Status = "Unhealthy";
                $this.MemberReference = $null;
            }
        }
    }

    class DfsrSubscription {
        [string] $Status;
        [guid] $ObjectGUID;
        [string] $ObjectClass;
        [string] $Name;
        [string] $DistinguishedName;

        DfsrSubscription([guid] $ObjectGUID, [string] $Name, [string] $DistinguishedName) {
            $this.Status = "Okay";
            $this.ObjectGUID = $ObjectGUID;
            $this.ObjectClass = "msDFSR-Subscription";
            $this.Name = $Name;
            $this.DistinguishedName = $DistinguishedName;
        }
    }

    class DfsrReplicationGroup {
        [string] $Status;
        [guid] $ObjectGUID;
        [string] $ObjectClass;
        [string] $Name;
        [string] $DistinguishedName;

        DfsrReplicationGroup([guid] $ObjectGUID, [string] $Name, [string] $DistinguishedName) {
            $this.ObjectGUID = $ObjectGUID;
            $this.ObjectClass = "msDFSR-ReplicationGroup";
            $this.Name = $Name;
            $this.DistinguishedName = $DistinguishedName;

            if ([adsi]::Exists("$($Script:AdsPrefix)/CN=Topology,$DistinguishedName")) {
                $this.Status = "Okay";
            }
            else {
                $this.Status = "Unhealthy";
            }
        }
    }

    class DfsrMember {
        [string] $Status;
        [guid] $ObjectGUID;
        [string] $ObjectClass;
        [string] $Name;
        [string] $DistinguishedName;
        [string] $ComputerReference;
        [string] $ServerReference;
        [string] $MembershipBL;

        DfsrMember([guid] $ObjectGUID, [string] $Name, [string] $DistinguishedName, [System.DirectoryServices.PropertyValueCollection] $ComputerReference, [System.DirectoryServices.PropertyValueCollection] $ServerReference, [System.DirectoryServices.PropertyValueCollection] $MembershipBL) {
            $this.ObjectGUID = $ObjectGUID;
            $this.ObjectClass = "msDFSR-Member";
            $this.Name = $Name;
            $this.DistinguishedName = $DistinguishedName;
            $this.Status = "Okay";
            $this.MembershipBL = $MembershipBL;

            #region Validate ComputerReference.
            if ($ComputerReference.Count -gt 0) {
                $this.ComputerReference = $ComputerReference[0];
            }
            else {
                $this.Status = "Unhealthy";
                $this.ComputerReference = $null;
            }
            #endregion

            #region Validate ServerReference.
            if ($ServerReference.Count -gt 0) {
                $this.ServerReference = $ServerReference[0];
            }
            else {
                $this.Status = "Unhealthy";
                $this.ServerReference = $null;
            }
            #endregion

            #region Validate MembershipBL.
            if ($MembershipBL.Count -gt 0) {
                $this.MembershipBL = $MembershipBL[0];
            }
            else {
                $this.Status = "Unhealthy";
                $this.MembershipBL = $null;
            }
            #endregion
        }
    }

    class DfsNamespaceV2 {
        [string] $Status;
        [guid] $ObjectGUID;
        [string] $ObjectClass;
        [string] $Name;
        [string] $DistinguishedName;
        [System.Collections.Generic.List[DfsNamespaceV2Target]] $Targets;

        DfsNamespaceV2([guid] $ObjectGUID, [string] $Name, [string] $DistinguishedName, [System.DirectoryServices.PropertyValueCollection] $Targets) {
            $this.ObjectGUID = $ObjectGUID;
            $this.ObjectClass = "msDFS-Namespacev2";
            $this.Name = $Name;
            $this.DistinguishedName = $DistinguishedName;
            $this.Targets = Get-DfsV2Target -TargetListV2 $Targets;

            if ($this.Targets.Count -gt 0) {
                $this.Status = "Okay";
            }
            else {
                $this.Status = "Unhealthy";
            }
        }
    }

    class DfsNamespaceV2Target {
        [bool] $Online;
        [string] $Target;

        DfsNamespaceV2Target([string] $Status, [string] $Target) {
            $this.Online = $Status -eq "online";
            $this.Target = $Target;
        }
    }
    #endregion

    #region Function definitions.
    function Get-DfsV2Target([System.DirectoryServices.PropertyValueCollection] $TargetListV2) {
        $Targets = [System.Collections.Generic.List[DfsNamespaceV2Target]]::new();

        if ($TargetListV2.Count -gt 0) {
            $Xml = [xml]::new();
            $Xml.LoadXml(([System.Text.Encoding]::Unicode.GetString($TargetListV2[0])).SubString(1));

            foreach ($Entry in $Xml.DocumentElement.target) {
                $Targets.Add([DfsNamespaceV2Target]::new($Entry.state, $Entry.InnerText));
            }
        }

        return($Targets);
    }
    #endregion

    #region Preamble.
    $RootDSE = [adsi]"LDAP://RootDSE";
    $Server = $RootDSe.dNSHostName[0].ToLowerInvariant();
    $DefaultNamingContext = $RootDSE.defaultNamingContext[0];
    $AdsPrefix = "LDAP://$Server";

    Write-Verbose "Connected to domain controller: $Server";
    Write-Verbose "Default naming context: $DefaultNamingContext";
    #endregion

    #region Enumerate domain controllers for SYSVOL DFS-R memberships. These represent the forward references pointing to the replication groups.
    Write-Warning "Enumerating domain controller SYSVOL DFS-R memberships:";

    $SysvolTopology = [adsi]"$AdsPrefix/OU=Domain Controllers,$DefaultNamingContext";

    foreach ($DomainController in $SysvolTopology.Children) {
        if (-not [adsi]::Exists("$AdsPrefix/CN=DFSR-LocalSettings,$($DomainController.distinguishedName)")) {
            continue;
        }

        foreach ($DfsrSubscriber in $DomainController.Children.Find("CN=DFSR-LocalSettings").Children) {
            $DfsrSubscriberSummary = [DfsrSubscriber]::new($DfsrSubscriber.objectGUID[0], $DfsrSubscriber.Name[0], $DfsrSubscriber.distinguishedName[0], $DfsrSubscriber.Properties['msDFSR-MemberReference']);
            $DfsrSubscriberSummary;

            if ($DfsrSubscriberSummary.Status.Equals("Okay", [System.StringComparison]::Ordinal)) {
                foreach ($DfsrSubscription in $DfsrSubscriber.Children) {
                    # Arguably, this could be left out as it currently doesn't add much to the SYSVOL discussion. Only red flag would be if it were missing (given the subscriber implicitly exists.)
                    [DfsrSubscription]::new($DfsrSubscription.objectGUID[0], $DfsrSubscription.Name[0], $DfsrSubscription.distinguishedName[0]);
                }
            }
        }
    }

    $SysvolTopology.Dispose();
    #endregion

    #region Enumerate DFS-R replication groups. These contain the topology definitions, which in turn contain back-link references to the server objects' membership definitions.
    Write-Warning "Enumerating DFS-R replication group topologies:";

    $DfsrGroups = [adsi]"$AdsPrefix/CN=DFSR-GlobalSettings,CN=System,$DefaultNamingContext";

    foreach ($DfsrGroup in $DfsrGroups.Children) {
        $DfsrGroupSummary = [DfsrReplicationGroup]::new($DfsrGroup.objectGUID[0], $DfsrGroup.Name[0], $DfsrGroup.distinguishedName[0]);
        $DfsrGroupSummary;

        if ($DfsrGroupSummary.Status.Equals("Okay", [System.StringComparison]::Ordinal)) {
            foreach ($DfsrMember in $DfsrGroup.Children.Find("CN=Topology").Children) {
                [DfsrMember]::new($DfsrMember.objectGUID[0], $DfsrMember.Name[0], $DfsrMember.distinguishedName[0], $DfsrMember.'msDFSR-ComputerReference', $DfsrMember.serverReference, $DfsrMember.'msDFSR-MemberReferenceBL');
            }
        }
    }

    $DfsrGroups.Dispose();
    #endregion

    #region Enumerate DFS-N namespaces. Note: SYSVOL isn't defined here as that's handled differently.
    Write-Warning "Enumerating DFS-N namespaces:";

    $DfsNamespaces = [adsi]"$AdsPrefix/CN=Dfs-Configuration,CN=System,$DefaultNamingContext";

    foreach ($DfsNamespaceAnchor in $DfsNamespaces.Children) {
        if ($DfsNamespaceAnchor.Children.Count -eq 0) {
            continue;
        }

        foreach ($DfsNamespace in $DfsNamespaceAnchor.Children) {
            [DfsNamespaceV2]::new($DfsNamespace.objectGUID[0], $DfsNamespace.Name[0], $DfsNamespace.distinguishedName[0], $DfsNamespace.'msDFS-TargetListv2');
        }
    }

    $DfsNamespaces.Dispose();
    #endregion

    $RootDSE.Dispose();
Edited: 2022-06-11 to include a serverReference check on msDFSR-Member objects.
- nikitamobile855 | Apr 20, 2022 | Brass Contributor
Good morning! Please see the script outcome below
    WARNING: Enumerating domain controller SYSVOL DFS-R memberships:
    WARNING: Enumerating DFS-R replication group topologies:
    WARNING: Enumerating DFS-N namespaces:
    [
        {
            "Status": "Unhealthy",
            "ObjectGUID": "4510c737-8c38-495d-aa7b-e1f3ce92fa3b",
            "ObjectClass": "msDFSR-Subscriber",
            "Name": "45d9316b-1098-408e-a65d-8ce8449f0aaa",
            "DistinguishedName": "CN=45d9316b-1098-408e-a65d-8ce8449f0aaa,CN=DFSR-LocalSettings,CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local",
            "MemberReference": ""
        },
        {
            "Status": "Unhealthy",
            "ObjectGUID": "ea36c86a-ab6b-4648-ad76-16c5f2a21b32",
            "ObjectClass": "msDFSR-Subscriber",
            "Name": "a7297769-fdcd-4490-ae1c-c80808f44d36",
            "DistinguishedName": "CN=a7297769-fdcd-4490-ae1c-c80808f44d36,CN=DFSR-LocalSettings,CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local",
            "MemberReference": ""
        },
        {
            "Status": "Okay",
            "ObjectGUID": "43d626f7-7496-496a-8cf1-fefa0467c173",
            "ObjectClass": "msDFSR-Subscriber",
            "Name": "Domain System Volume",
            "DistinguishedName": "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local",
            "MemberReference": "CN=UZTASSRV01,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local"
        },
        {
            "Status": "Okay",
            "ObjectGUID": "43d626f7-7496-496a-8cf1-fefa0467c173",
            "ObjectClass": "msDFSR-Subscription",
            "Name": "Domain System Volume",
            "DistinguishedName": "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local"
        },
        {
            "Status": "Okay",
            "ObjectGUID": "3d74223e-5f1f-40c2-bf42-3255fd57227e",
            "ObjectClass": "msDFSR-ReplicationGroup",
            "Name": "DFS",
            "DistinguishedName": "CN=DFS,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local"
        },
        {
            "Status": "Okay",
            "ObjectGUID": "331bda39-781e-4bb9-ab31-b8432cc2f5ce",
            "ObjectClass": "msDFSR-Member",
            "Name": "45d9316b-1098-408e-a65d-8ce8449f0aaa",
            "DistinguishedName": "CN=45d9316b-1098-408e-a65d-8ce8449f0aaa,CN=Topology,CN=DFS,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local",
            "ComputerReference": "CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local",
            "MembershipBL": "CN=45d9316b-1098-408e-a65d-8ce8449f0aaa,CN=DFSR-LocalSettings,CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local"
        },
        {
            "Status": "Unhealthy",
            "ObjectGUID": "66a0d320-8b34-4f9e-8dd1-3a93c5c4b7a1",
            "ObjectClass": "msDFSR-Member",
            "Name": "c3b24e94-239f-4621-b82b-b356d6cc9bed",
            "DistinguishedName": "CN=c3b24e94-239f-4621-b82b-b356d6cc9bed,CN=Topology,CN=DFS,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local",
            "ComputerReference": "",
            "MembershipBL": ""
        },
        {
            "Status": "Okay",
            "ObjectGUID": "cbc3347c-ee38-4d15-9737-34a0b9cafa84",
            "ObjectClass": "msDFSR-ReplicationGroup",
            "Name": "DFS_IT",
            "DistinguishedName": "CN=DFS_IT,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local"
        },
        {
            "Status": "Unhealthy",
            "ObjectGUID": "837b0736-bf19-41ff-a3bd-29c43c0c8c49",
            "ObjectClass": "msDFSR-Member",
            "Name": "6819feb2-58e2-4400-a2b0-db0a3c442183",
            "DistinguishedName": "CN=6819feb2-58e2-4400-a2b0-db0a3c442183,CN=Topology,CN=DFS_IT,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local",
            "ComputerReference": "",
            "MembershipBL": ""
        },
        {
            "Status": "Okay",
            "ObjectGUID": "fbeded44-7272-44d8-bea3-f2e700d68d3f",
            "ObjectClass": "msDFSR-Member",
            "Name": "a7297769-fdcd-4490-ae1c-c80808f44d36",
            "DistinguishedName": "CN=a7297769-fdcd-4490-ae1c-c80808f44d36,CN=Topology,CN=DFS_IT,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local",
            "ComputerReference": "CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local",
            "MembershipBL": "CN=a7297769-fdcd-4490-ae1c-c80808f44d36,CN=DFSR-LocalSettings,CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local"
        },
        {
            "Status": "Okay",
            "ObjectGUID": "3a3d05c2-7738-4b40-b14c-03af84841594",
            "ObjectClass": "msDFSR-ReplicationGroup",
            "Name": "Domain System Volume",
            "DistinguishedName": "CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local"
        },
        {
            "Status": "Okay",
            "ObjectGUID": "88883960-839e-40b5-962c-f3020f49250d",
            "ObjectClass": "msDFSR-Member",
            "Name": "UZTASSRV01",
            "DistinguishedName": "CN=UZTASSRV01,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local",
            "ComputerReference": "CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local",
            "MembershipBL": "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=UZTASSRV01,OU=Domain Controllers,DC=sm,DC=local"
        },
        {
            "Status": "Unhealthy",
            "ObjectGUID": "5eb07891-a762-4aab-a04d-9ddefd9c318f",
            "ObjectClass": "msDFSR-Member",
            "Name": "UZTASSVR02",
            "DistinguishedName": "CN=UZTASSVR02,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=sm,DC=local",
            "ComputerReference": "",
            "MembershipBL": ""
        }
    ]