Journal Wrap Error on Single DC Domain

  • Thread starter Thread starter Dwight
  • Start date Start date
D

Dwight

I am trying to replicate AD info from an old Windows 2000 Server (SP4) to a
newer Windows Server 2003 machine (to start as backup DC but plan to migrate
to the Win2k3 as Operations Master soon) but it fails -- evidently because of
Journal Wrap Error on the Win2k box (13568).

Documentation all states that a non-authoritative restore is required to
clear the Journal Wrap Error but doesn't that require another DC to restore
from? We have a small network with only a single DC and are trying to
migrate to the newer Win2k3 box.

Evidently, I can't create a backup DC because of the journal wrap error, but
it seems to me I can't correct the error without a backup DC. Can anyone
help with a solution to this circular problem? Is there another way to clear
the Journal Wrap Error condition?
 
Dwight said:
I am trying to replicate AD info from an old Windows 2000 Server (SP4) to a
newer Windows Server 2003 machine (to start as backup DC but plan to
migrate
to the Win2k3 as Operations Master soon) but it fails -- evidently because
of
Journal Wrap Error on the Win2k box (13568).

Documentation all states that a non-authoritative restore is required to
clear the Journal Wrap Error but doesn't that require another DC to
restore
from? We have a small network with only a single DC and are trying to
migrate to the newer Win2k3 box.

Evidently, I can't create a backup DC because of the journal wrap error,
but
it seems to me I can't correct the error without a backup DC. Can anyone
help with a solution to this circular problem? Is there another way to
clear
the Journal Wrap Error condition?


Dwight,

In a generalized summary, a Journal Wrap indicates it's trying to replicate
to another DC and the DC with the error's FRS service may have been shut off
for some reason. The Wrap error is based on the USN log or known as the USN
Journal. Everything and anything that gets replicated has a USN, or Update
Serial Number. Each DC has it's own, and other DCs keep track of them so
they know whether they have the other DCs' latest changes and are up to date
on their own end. So generally, the USN Journal keeps track of changes made
to any NTFR drive, whether for DFS, DC replication of SYSVOL, etc. If
changes are made while the FRS service is shut down, it may get to a point
where the last time something was changed, and when the FRS service is
started, the last USN it's aware of no longer exists (because that much time
has passed by).

A System State restore means to restore the System State on a specific
machine from it's most recent backup, not from another machine. The System
State contains the operating system's, as well as if it is a DC, specifics.
That in conjunction with a full C: drive restore (or whatever drives the
system and the AD database exist on), will restore a machine to it's state
at time of the backup.

Where there ever additional DCs in the source domain you are trying to
replicate, or did this issue just come up after you promoted (assuming
that's what you performed) the machine to a DC?

Also, I'm trying to understand your terminology. I assume you mean you
promoted a Windows 2003 machine into a replica DC in the current Windows
2000 domain. Is my assumption correct? If my assumption is incorrect, please
correct me and elaborate on exactly what you did. Please provide specific
steps, mouse clicks, etc, to get a better understanding.

In addition, please post an unedited ipconfig /all from both machines, as
well as any Event log errors that exist on each machine, please. This
information, in conjunction with your explanation, will help to gain a
better understanding, as well as a possible diagnosis.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
 
Hello Dwight,

Please give some more infos about the existing environment, amount of DCs
in total, OS version SP/patch level and how they are located.

How do you add the 2003 DC to the domain, please describe in detail.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
First of all, thank you for the prompt responses. I appreciate the advice.
I’ll attempt to answer both of your questions to give you the bigger picture
of how I arrived at the dilemma.

Existing/current environment was a single domain with Windows 2000 (Win2k)
SP4 as Operations Master, the one & only DC for the domain. I inherited this
network and I wasn’t around when it was originally set up. The desire is to
migrate to the Win2k3 box and demote the legacy Win2k DC / move the FSMO
Roles after we verify that we can authenticate with the Win2k3 server. We
believe the Win2k box will still need to stay around as a backup for another
year or so due to legacy tools installed on it.

I ran ADPREP/FORESTPREP and ADPREP/DOMAINPREP on the Win2k DC before adding
the Windows 2003 (Win2k3) box. The newer server is Windows 2003 R2 Standard
Edition SP2. I did a clean install of Win2k3 R2, installed SP2, set up the
DNS role by having it replicate DNS from the existing DC (Secondary Zone
option), pointed it to itself for DNS, and used DCPROMO to set it up as
backup DC. Connecting it to a test network (the server & a client PC on a
hub), the client PC was unable to authenticate and event log indicated it
could not locate a DC (event ID 5719. I verified the SVR records were in DNS
on Win2k3 and while on the network, I pointed to the Win2k3 box as my only
DNS server on my client workstation and ran for several days with no problems
so basic DNS was working on the Win2k3 box. The DNS was set up to NOT
forward requests so I know it was correctly returning the resource records.

At this point, I could login interactively on the Win2k3 box using any of
the domain accounts whether or not it’s connected to the network but a client
PC could not authenticate using it (as described above). I ran NETDIAG
/TEST:DSGETDC and all passed and I ran a couple of other similar NETDIAG
tests and they passed. Then I ran NETDIAG /TEST:DNS with all OK EXCEPT the
Domain Membership Test FAILED. It said “WARNING: The system volume has not
been completely replicated to the local machine. This machine is not working
properly as a DC.†That’s where I went to the Win2k server to examine event
logs looking for a possible reason. I observed periodic Event ID 13568
entries dating all the way back to 2006 (I assume they correspond to reboots
of the server which the admins would do when certain tools stopped working).

With NETDIAG telling me the system volume had not been “completely
replicated†and the Event ID 13568 entries on the Primary Win2k server, and
documentation that suggested replication would not work while in the Journal
Wrap Error state, I arrived at the conclusion that this was at least one of
the main problems.

Among possible relevant security details, security policies require us to
rename the built-in Administrator account and to always run Antivirus (AV).
I did read to exclude AV from scanning %sysvol% as it can cause problems with
Ntfrs. Would you suggest I do that or check to see if it’s already being
done? Do you think there’s another problem I should look into or some other
diagnostic I should run?

--
Thanks,

-Dwight
 
Dwight said:
First of all, thank you for the prompt responses. I appreciate the
advice.
I’ll attempt to answer both of your questions to give you the bigger
picture
of how I arrived at the dilemma.

Existing/current environment was a single domain with Windows 2000 (Win2k)
SP4 as Operations Master, the one & only DC for the domain. I inherited
this
network and I wasn’t around when it was originally set up. The desire
is to
migrate to the Win2k3 box and demote the legacy Win2k DC / move the FSMO
Roles after we verify that we can authenticate with the Win2k3 server.
We
believe the Win2k box will still need to stay around as a backup for
another
year or so due to legacy tools installed on it.

I ran ADPREP/FORESTPREP and ADPREP/DOMAINPREP on the Win2k DC before
adding
the Windows 2003 (Win2k3) box. The newer server is Windows 2003 R2
Standard
Edition SP2. I did a clean install of Win2k3 R2, installed SP2, set up
the
DNS role by having it replicate DNS from the existing DC (Secondary Zone
option), pointed it to itself for DNS, and used DCPROMO to set it up as
backup DC. Connecting it to a test network (the server & a client PC on a
hub), the client PC was unable to authenticate and event log indicated it
could not locate a DC (event ID 5719. I verified the SVR records were in
DNS
on Win2k3 and while on the network, I pointed to the Win2k3 box as my only
DNS server on my client workstation and ran for several days with no
problems
so basic DNS was working on the Win2k3 box. The DNS was set up to NOT
forward requests so I know it was correctly returning the resource
records.

At this point, I could login interactively on the Win2k3 box using any of
the domain accounts whether or not it’s connected to the network but a
client
PC could not authenticate using it (as described above). I ran NETDIAG
/TEST:DSGETDC and all passed and I ran a couple of other similar NETDIAG
tests and they passed. Then I ran NETDIAG /TEST:DNS with all OK EXCEPT
the
Domain Membership Test FAILED. It said “WARNING: The system volume has
not
been completely replicated to the local machine. This machine is not
working
properly as a DC.†That’s where I went to the Win2k server to examine
event
logs looking for a possible reason. I observed periodic Event ID 13568
entries dating all the way back to 2006 (I assume they correspond to
reboots
of the server which the admins would do when certain tools stopped
working).

With NETDIAG telling me the system volume had not been “completely
replicated†and the Event ID 13568 entries on the Primary Win2k server,
and
documentation that suggested replication would not work while in the
Journal
Wrap Error state, I arrived at the conclusion that this was at least one
of
the main problems.

Among possible relevant security details, security policies require us to
rename the built-in Administrator account and to always run Antivirus
(AV).
I did read to exclude AV from scanning %sysvol% as it can cause problems
with
Ntfrs. Would you suggest I do that or check to see if it’s already
being
done? Do you think there’s another problem I should look into or some
other
diagnostic I should run?

Parts of this is confusing. You stated you chose a Secondary zone option
before promoting the 2003 machine? This option doesn't work with
replication, rather it works with a zone transfer. Nonetheless, once
promoted, it should have changed over automatically to an AD Integrated
zone. When you look at the zone properties, is it AD integrated now?

I would also exclude the c:\windows\NTDS folder.

I would suggets to point both machines to the Windows 2000 machine for DNS
for now, then restart the 2003 DC. Check the logs again. Let us know what
you find.

Otherwise, I'm starting to think there may be a duplicate zone in AD,
depending if the scope was changed.

Ace
 
Oh, not sure if you forgot or not, but we need to see an unedited ipconfig
/all from both machines. That will help us, as well for us to take a closer
look at the configuration of both DCs. Believe it or not, the ipconfigs tell
us numerous things. What we're looking for is:

DNS relationship
ISP's DNS
Possible Single Label Name
Possible Multihomed DCs and/or RRAS on a DC
Disjointed Namespace

Are there any services disabled, such as the DHCP CLIENT Service (not the
Server service)?

You'll also want to run the following and post them, please.
repadmin /showrepl
netdiag /v /fix
dcdiag /v /fix

I hope you will provide this info to better help you.

More info below, but keep in mind, if any of the conditions exist that I
mentioned above, it may still not work.
---
One way to overcome a Journal Wrap, that is if the ipconfigs confirm
'normal' parameters, is to physically copy the Sysvol

How to rebuild the SYSVOL tree and its content in a domain.
If you set Burflags to D4 on a single domain controller and set Burflags to
D2 on all other domain controllers in that domain, you can rebuild the
SYSVOL ... I've

also seen folks copy over the Sysvol folder, then set the Burflag options as
mentioned, it worked.
http://support.microsoft.com/kb/315457

How to Troubleshoot the File Replication Service
Check FRS event logs on both computers.
If Event ID 13508 is present, there may be a problem with the RPC service on
either computer
http://support.microsoft.com/kb/272279

Troubleshooting journal_wrap errors on Sysvol and DFS replica sets
http://support.microsoft.com/?id=292438

Ace
 
Let me clarify a couple of things. I will run the diagnostics and report
what I can later today.

First, this is a closed, internal network so there is no ISP involved, etc.
Secondly, and unfortunately, this network was set up with a single label
domain name (e.g., "company" instead of "company.com" or "company.local")
long before I inherited it.

And to answer your question about the DNS, I did later change it on the new
Win2k3 AD to Primary and yes, it currently says it's AD Integrated.

I plan to try to exclude SYSVOL and Windows\NTDS from AV scanning and then
(per MS documentation) try the "Enable Journal Wrap Automatic Restore"
registry option, stop ntfrs, start ntfrs, change registry entry back, wait,
and then examine the event logs. I will report what I find along with
results from some or all of the requested diagnostics later.

I appreciate your continued help in resolving this problem.

--
Thanks,

-Dwight
 
Additionally, here are the relevant results from ipconfig /all on the current
Operations Master AD. Remember, this is a closed, internal network. We also
use static IP addresses (no DHCP).

Windows 2000 IP Configuration

Host name : <name_of_server>
Primary DNS Suffix : ABC (not exactly but it's a 3 letter, single label
domain name)
Node Type : Broadcast
IP Routing Enabled : No
WINS Proxy Enabled : No
DNS Suffix Search List : ABC

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix :
Description : Linksys blah blah blah
Physical Address : <MAC_Address>
DHCP Enabled : No
IP Address : 100.100.100.202
Subnet Mask : 255.255.255.0
Default Gateway :
DNS Servers : 100.100.100.202
 
I excluded %sysvol% and C:\winnt\ntds from AV. Let M=Legacy Windows 2000
server and Q=Newer Windows 2003 server. I used the "Enable Journal Wrap
Automatic Restore" to try and clear the journal wrap error per MS
documentation. As I had suspected, it's trying to replicate from Q but Q is
NOT a healthy AD. Recall that NETDIAG /TEST:DNS on Q said "WARNING: The
system volume has not been completely replicated to the local machine. This
machine is not working properly as a DC." This is that circular problem I
spoke of originally.

Q is currently disconnected from the network. The question now is, will it
be detrimental to M, our legacy server, if I reconnect Q and let NTFRS on M
try to replicate SYSVOL? Since Q isn't working properly as an AD, will that
spread to M and thus, M would stop working correctly as the DC? We can't
afford any down time. Thanks for your advice on this.

If I can be sure it won't harm functioning of M, I will connect Q back to
the network and run repadmin, netdiag, and dcdiag per your request.
Otherwise, is there a way I can cancel the FRS attempts to replicate from Q
to M?
--
Thanks,

-Dwight
 
Dwight said:
I excluded %sysvol% and C:\winnt\ntds from AV. Let M=Legacy Windows 2000
server and Q=Newer Windows 2003 server. I used the "Enable Journal Wrap
Automatic Restore" to try and clear the journal wrap error per MS
documentation. As I had suspected, it's trying to replicate from Q but Q
is
NOT a healthy AD. Recall that NETDIAG /TEST:DNS on Q said "WARNING: The
system volume has not been completely replicated to the local machine.
This
machine is not working properly as a DC." This is that circular problem I
spoke of originally.

Q is currently disconnected from the network. The question now is, will
it
be detrimental to M, our legacy server, if I reconnect Q and let NTFRS on
M
try to replicate SYSVOL? Since Q isn't working properly as an AD, will
that
spread to M and thus, M would stop working correctly as the DC? We can't
afford any down time. Thanks for your advice on this.

If I can be sure it won't harm functioning of M, I will connect Q back to
the network and run repadmin, netdiag, and dcdiag per your request.
Otherwise, is there a way I can cancel the FRS attempts to replicate from
Q
to M?


It appears from the ipconfig, that you have a Single Label name. That may be
the root of the whole issue. Read teh following for what this condition
really means, and how it affects everything. You've just never noticed it
until trying to add an additional DC.

And I wouldn't simply shutting down or unplug one a DC. The other DC will be
looking for it, because it is aware of it. Never turn off a DC. If you don't
want a DC, demote it. If it won't demote, run the dcpromo /forcedemote
switch. If that doesn't work, then unplug it, wipe it out and rebuild it
from scratch, then perform a Metadata Cleanup procedure on the AD database
from the current DC that you want to keep, to remove references to the old
DC so it won't keep trying to replicate and communicate to it.

But the single label name is the cause of this.

I assume there is only one interface (NIC) on this machine. It appears that
way in the ipconfig, but it seems you typed it in, and not copied/pasted it.
Just making sure you didn;t leave anything out. If more than one NIC, IP or
RRAS on it, it will complicate the whole scenario.

Let us know what you think, and how you plan on addressing it.

Ace

==================================================================
Single label names:
By Ace Fekay, MCT, MCTS Exchange 2007, MCSE & MCSA 2000 & 2003, MCSA
Messaging
Compiled 3/2005
---

What is an FQDN?
It stands for "Fully Qualified Domain Name." It is multi-level, or
hierarchal, such as:

domain.com
domain.net
domain.local
childdomainname.domain.local
etc

What is a Single Label DNS Domain name?
They are like the old style NT4 domain NetBIOS domain names, such as:

DOMAIN
CORP
COMPANYNAME
etc

DNS is a hierarchal database. Some call it a "tree" with a root (the 'com'
or 'net', etc, name), then the trunk (the 'domain' portion of it), and the
branches (such as www, servername, etc). The Root domain name, such as com,
edu, net, etc, is also known as the TLD (Tope Level Domain name).

Basically you can look at a DNS domain name as having multiple levels
separated by periods. The minimal requirment for an FQDN domain name, such
as microsoft.com, is two levels. Then of course are your resource names,
such as www, servername, or even child domain names under it.

Notice with a single label name there is only one name for the domain, or
one level? Don't get this confused with the NetBIOS domain name, that we
were familiar with in the NT4 days. AD supports the NetBIOS domain name as
well, but only as a NetBIOS domain name. It's one of the domain names chosen
when a machine is promoted into a domain controller for a brand new domain
in a brand new forest. NT4 wasn't reliant nor did it use DNS for NT4
domains. However, AD is reliant, therefore it must follow DNS naming rules.

Unfortunately tHe old NT4 style names are not hierachal because there is
only one level.

Since AD requires and relies on DNS, and DNS is a hierarchal database, a
single lable name does not follow any sort of hierarchy. DNS fails with
single label names. Windows 2008, Windows 2003, XP and Vista have problems
resolving single label names because it does not follow the proper format
for a DNS domain name, such as domain.com, etc.

Also, Windows 2000 SP4 and all newer machines have problems querying single
label names. It's explained below by Alan Woods. Because clients query DNS
for AD resources (domain controller locations and other services), they may
have difficulty finding resources.

How did it happen? Most cases it's due to lack of research on AD's DNS
requirements, or how it works, or it could have been a simple typo, yet
costly typo, when originally upgrading from NT4 or promoting your new AD
domain.

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
Domain (or any AD upgrade or installation):
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

---
How to fix it? Good question. Glad you've asked.
---

1. The preferred "fix" (in a one line summary), is to install a fresh new
domain properly named and use ADMT to migrate user, group and computer
accounts into the new domain from the current domain.

2. An alternative is to perform a domain rename, (difficulty depends on the
operating system and which version of Exchange is installed).

3. As a temporary resort, you can use the patch/bandaid registry entry to
force resolution and registration that is mentioned in the following link.
This must be applied to every machine. Unfortunately it must be done on
every machine in the domain, including the DCs, member servers, workstations
and laptops.

300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names:
http://support.microsoft.com/?id=300684

---

Please read Microsoft's stance on Single Label Names:

---

Single label names, from Alan Woods, MS:

"We really would preffer to use FQDN over Single label name. There are
alot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for first for Host.Child2.child1.domainA, then it
next try HOST.Child1.domainA at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON'T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this. We will support you but
it the end results could be limiting as an end results depending on the
services you are using.

Thank you,

Alan Wood[MSFT]"

---

More Info:

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
Domain
http://support.microsoft.com/?id=555040

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003:
http://support.microsoft.com/?id=825036

DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/?id=291382

Naming conventions in Active Directory for computers, domains, sites, and
OUs (Good article on DNS and other names)
http://support.microsoft.com/kb/909264
============================================

Ace
 
use BURFLAGS=D2
see:
http://blogs.dirteam.com/blogs/jorg...ting-after-SYSVOL-non_2D00_auth.-restore.aspx
includes the link to KB explaining the use of burflags

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

Dwight said:
I am trying to replicate AD info from an old Windows 2000 Server (SP4) to
a
newer Windows Server 2003 machine (to start as backup DC but plan to
migrate
to the Win2k3 as Operations Master soon) but it fails -- evidently because
of
Journal Wrap Error on the Win2k box (13568).

Documentation all states that a non-authoritative restore is required to
clear the Journal Wrap Error but doesn't that require another DC to
restore
from? We have a small network with only a single DC and are trying to
migrate to the newer Win2k3 box.

Evidently, I can't create a backup DC because of the journal wrap error,
but
it seems to me I can't correct the error without a backup DC. Can anyone
help with a solution to this circular problem? Is there another way to
clear
the Journal Wrap Error condition?

--
Thanks,

-Dwight

__________ Information from ESET Smart Security, version of virus
signature database 4507 (20091014) __________

The message was checked by ESET Smart Security.

http://www.eset.com

__________ Information from ESET Smart Security, version of virus signature database 4507 (20091014) __________

The message was checked by ESET Smart Security.

http://www.eset.com
 
Back
Top