Tags: Missing Host/Glue Registrations | Event ID 13568, NtFrs, FRS in Journal Wrap | Password Policy Allows Blank Passwords | FRS is Stopped or Disabled | SYSVOL Replication Partners Failing to Replicate | Event ID 24, W32Time, Failed to Synchronize Time | Password Policy Allows Simple Passwords | Password Complexity is not applying on users | Invalid FSMO Role Owner for Application Partition
I'm sure most of you will like this article, as it covers the majority of the most common issues around Active Directory Domain Services infrastructure. Over time, I have seen people ignore the importance of their Active Directory health until a Domain Controller either crashes or goes into a journal wrap state. As a best practice, it is always recommended to monitor Active Directory health for every partition and for replication among all the DCs.
In this article, we will discuss solutions for the Active Directory health related issues listed above, which I recently applied at one of my sites. These solutions might not work for you if the root cause of your problem is not the same as mine.
OK, so let's start discussing each of the above tagged issues and their solutions.
1. Missing Host/Glue Registrations
Problem / Cause:
It happens when the DNS name resolution settings are not configured correctly on the server and in the DNS zone settings.
Solution:
To fix the missing Host/Glue registration problem for DCs within your DNS infrastructure, follow the steps below:
a) Correct the DNS server address order on each DC/DNS server in your Active Directory infrastructure. A DNS server should always point to itself first, and then to the second available DNS server in its own AD domain.
b) Ensure that the DCs/DNS servers of the same domain are the ones added to each DC's DNS server address list.
c) Forwarders should be configured on each child domain for its respective parent domain.
d) There should not be a single forwarder configured for a domain; redundant forwarders should be configured instead.
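To check points a) to d) across a whole forest, here is an added PowerShell example (it is not from the original post). It assumes the ActiveDirectory and DnsServer modules are installed where you run it and that WinRM access to every DC is available.

```powershell
# Added example: audit each DC's DNS client order and forwarders against steps a) to d).
# Assumes the ActiveDirectory and DnsServer modules plus WinRM access to every DC.
Import-Module ActiveDirectory
Import-Module DnsServer

$forest = Get-ADForest
foreach ($dom in $forest.Domains) {
    $dcs   = Get-ADDomainController -Filter * -Server $dom
    $dcIPs = @($dcs.IPv4Address)      # the only resolvers a DC of this domain should list

    foreach ($dc in $dcs) {
        $issues = @()

        # Resolver list of the first IPv4 interface that has one (steps a and b)
        $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 } |
                Select-Object -First 1).ServerAddresses
        })
        if ($servers.Count -eq 0 -or $servers[0] -ne $dc.IPv4Address) {
            $issues += "first resolver should be itself ($($dc.IPv4Address))"
        }
        if ($servers.Count -lt 2) {
            $issues += "only one resolver; add a second DC of $dom"
        }
        $foreign = @($servers | Where-Object { $dcIPs -notcontains $_ })
        if ($foreign.Count -gt 0) {
            $issues += "resolvers outside $dom : $($foreign -join ', ')"
        }

        # Child domains must forward to the parent, with more than one forwarder (steps c and d)
        if ($dom -ne $forest.RootDomain) {
            $fwd = @((Get-DnsServerForwarder -ComputerName $dc.HostName).IPAddress)
            if ($fwd.Count -lt 2) {
                $issues += "child domain DC has $($fwd.Count) forwarder(s); configure at least two"
            }
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Domain           = $dom
            DnsServers       = ($servers -join ', ')
            Status           = if ($issues.Count -eq 0) { 'OK' } else { $issues -join '; ' }
        }
    }
}
```

The forwarder check only verifies redundancy; whether the forwarders are the parent domain's DNS servers still has to be confirmed by hand against your design.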
2. Event ID 13568, NtFrs, FRS in Journal Wrap | FRS is Stopped or Disabled | SYSVOL Replication Partners Failing to Replicate
Problem / Cause:
FRS journal wrap is a state in which a domain controller marks itself as holding a restricted copy of the Active Directory database. While in this state, the DC plays no part in AD replication, neither receiving nor sending data changes. This problem is sometimes also caused by a few common conditions, such as frequent power failures, using DFS for non-SYSVOL related folders, and other general server OS health issues, after which your File Replication Service may not start.
Solution:
To fix this problem, we need to set a registry entry that makes FRS re-copy its replicated AD data (SYSVOL) from a running domain controller. Follow the steps below to overcome this situation:
a) Stop the File Replication Service on the DC.
b) Open Registry Editor.
c) Go to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup]
d) Set the value of "BurFlags" to "d2".
e) Start the File Replication Service, and wait for the time the DC takes to fully sync its AD database.
Note: You may also have a few other keys under the same registry path; you may try to set or create the "BurFlags" entry there as well, with the value "d2", to see if it solves your problem.
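Steps a) to e) as a PowerShell script, added here as an example (not from the original post). It is meant to be run in an elevated session on the affected DC, which is assumed to still replicate SYSVOL with FRS rather than DFS-R.

```powershell
# Added example: the non-authoritative FRS restore from steps a) to e), scripted.
# Run elevated on the affected DC (one that still uses FRS for SYSVOL).
$frsLog = 'File Replication Service'

# Symptom check: Event ID 13568 from NtFrs is the journal-wrap notification
$wrap = Get-WinEvent -FilterHashtable @{ LogName = $frsLog; ProviderName = 'NtFrs'; Id = 13568 } `
            -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $wrap) { Write-Host 'No journal-wrap event (13568) in the FRS log; nothing to do.'; return }
Write-Host "Journal wrap reported at $($wrap.TimeCreated); starting a non-authoritative restore."

# a) Stop FRS
Stop-Service -Name NtFrs -Force

# b) to d) BurFlags = 0xD2 (non-authoritative restore; 0xD4 would make this DC the authoritative source).
# The key name contains a forward slash, which the HKLM: provider would read as a path separator,
# so the .NET registry API is used instead of Set-ItemProperty.
$keyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
if (-not $key) { throw "Registry key not found: HKLM\$keyPath" }
$key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()

# e) Start FRS and wait for Event ID 13516, which FRS logs once SYSVOL is re-synced and shared again
$started = Get-Date
Start-Service -Name NtFrs
$deadline = $started.AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $done = Get-WinEvent -FilterHashtable @{ LogName = $frsLog; ProviderName = 'NtFrs'; Id = 13516; StartTime = $started } `
                -MaxEvents 1 -ErrorAction SilentlyContinue
} until ($done -or (Get-Date) -gt $deadline)

if ($done) { Write-Host "SYSVOL is shared again (Event 13516 at $($done.TimeCreated))." }
else       { Write-Warning 'No Event 13516 within 30 minutes; check the FRS log and run dcdiag /test:frssysvol.' }
```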
3. Event ID 24, W32Time, Time Synchronization and Replication Problem on Domain Controller
Problem / Cause:
If the domain controller holding the PDC Emulator FSMO role is not set to "NTP" in its W32Time parameters, you might face this problem.
Solution:
a) Go to your PDC Emulator FSMO role holder DC, and open Registry Editor to verify and, if necessary, change the value under the registry path below:
b) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
c) Check the registry entry "Type"; if it is set to "NT5DS", change it to "NTP".
d) On all other FSMO role holders and DCs, make sure "Type" is set to "NT5DS".
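An added PowerShell example (not from the original post) that checks the layout from steps a) to d) on every DC of the domain, and can optionally correct the PDC emulator. It assumes the ActiveDirectory module and WinRM access to the DCs; the w32tm remediation is the supported way of writing the same Type setting the section edits by hand, and the time source is a placeholder to replace.

```powershell
# Added example: verify W32Time Type = NTP on the PDC emulator and NT5DS everywhere else.
# Assumes the ActiveDirectory module and WinRM access to the DCs.
$Remediate  = $false               # set to $true to fix the PDC emulator via w32tm
$timeSource = 'time.windows.com'   # placeholder: use your organisation's external NTP source

Import-Module ActiveDirectory
$pdc     = (Get-ADDomain).PDCEmulator   # FQDN of the PDC emulator FSMO role holder
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

foreach ($dc in Get-ADDomainController -Filter *) {
    $isPdc    = $dc.HostName -ieq $pdc
    $expected = if ($isPdc) { 'NTP' } else { 'NT5DS' }

    # Read the "Type" value from step c) on the remote DC
    $actual = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        param($p) (Get-ItemProperty -Path $p -Name Type).Type
    } -ArgumentList $regPath

    if ($isPdc -and $actual -ne 'NTP' -and $Remediate) {
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            param($src)
            # External manual peer => Type becomes NTP; /reliable:yes advertises it as a good time source
            w32tm /config "/manualpeerlist:$src" /syncfromflags:manual /reliable:yes /update | Out-Null
            w32tm /resync | Out-Null
        } -ArgumentList $timeSource
        $actual = 'NTP (remediated)'
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        IsPdcEmulator    = $isPdc
        Type             = $actual
        Status           = if ($actual -like "$expected*") { 'OK' } else { "expected $expected, found $actual" }
    }
}
```

Any non-PDC DC reporting NTP is worth a closer look too: such a DC will not follow the domain hierarchy and can drift from the rest, which is what Event ID 24 ends up reporting.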
4. Invalid FSMO Role Owner for Application Partition
Problem / Cause:
During a schema extension or an Active Directory upgrade, the FSMO role owner for an application partition sometimes gets a corrupted value.
Solution:
To learn more about this problem, you can read this KB article.
a) Run the script provided in the KB article, as shown in the steps below, from a command prompt on a Domain Controller, with Enterprise Admins and Schema Admins rights.
b) cscript "fixfsmo.vbs" DC=ForestDnsZones,DC=domain,DC=com
c) cscript "fixfsmo.vbs" DC=DomainDnsZones,DC=domain,DC=com
d) cscript "fixfsmo.vbs" DC=DomainDnsZones,DC=child-domain,DC=domain,DC=com
Note: Make sure you keep the script name as "fixfsmo.vbs", as it is hard-coded in the script itself.
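Before running the KB script, it helps to confirm the symptom on each DNS application partition. The following PowerShell check is an added example (not the KB script and not from the original post); it assumes the ActiveDirectory module, and it treats a role owner DN carrying the "\0ADEL:" deleted-object marker as the broken case.

```powershell
# Added example: report the fSMORoleOwner of every DNS application partition. The attribute on
# CN=Infrastructure must name the NTDS Settings object of a DC that still exists.
# Assumes the ActiveDirectory module; run as a forest administrator.
Import-Module ActiveDirectory
$forest = Get-ADForest

# Every DC in the forest, with the partitions it hosts and its NTDS Settings DN
$allDcs   = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$liveNtds = @($allDcs.NTDSSettingsObjectDN)

foreach ($partition in ($forest.ApplicationPartitions | Where-Object { $_ -like 'DC=*DnsZones,*' })) {
    # Read the attribute from a DC that actually hosts this partition
    $hostDc = ($allDcs | Where-Object { $_.Partitions -contains $partition } |
                   Select-Object -First 1).HostName
    if (-not $hostDc) { Write-Warning "No DC found hosting $partition"; continue }

    $owner = (Get-ADObject -Identity "CN=Infrastructure,$partition" -Server $hostDc `
                  -Properties fSMORoleOwner).fSMORoleOwner

    # Assumption: a deleted-object DN contains the "\0ADEL:" marker (the demoted-DC case)
    $status = if ($owner -match '0ADEL:') {
        'BROKEN: owner is a deleted object; run fixfsmo.vbs against this partition'
    } elseif ($liveNtds -contains $owner) {
        'OK'
    } else {
        'CHECK: owner is not the NTDS Settings object of any current DC'
    }

    [pscustomobject]@{ Partition = $partition; Owner = $owner; Status = $status }
}
```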
5. Password Policy Allows Simple Passwords | Default Domain Policy Filtering: Not Applied (Unknown Reason) | Active Directory Password Complexity is not working | AD Password policy is not applying correctly
Problem / Cause:
First of all, let me describe an environment without Fine-Grained Password Policies, where you have tried to take the password policy settings out of the Default Domain Policy and set them up in a new custom GPO. You might then run into a problem where Active Directory allows simple passwords and does not correctly apply the policy to users.
Active Directory password policies are hard-coded in such a way that Domain Controllers and systems expect the password policy to be in the Default Domain Policy. If for any reason you take the password policy out of the Default Domain Policy, or block inheritance so that the Default Domain Policy is not applied to the Domain Controllers OU, the password policy will not be applied, especially the policy that enables password complexity.
Solution:
a) First of all, ensure that your password policy is included in, and part of, the Default Domain Policy.
b) The Default Domain Policy should never be restricted or blocked by inheritance on any OU, especially the Default Domain Controllers OU.
c) Also verify on the Domain Controllers that they see the password policy from the Default Domain Policy. You can verify this with RSOP.MSC run on the DCs.
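Points a) and b) and the effective result can be checked from a DC with the following PowerShell, added here as an example (not from the original post). It assumes the ActiveDirectory and GroupPolicy modules, and it uses a plain text search over the Default Domain Policy XML report to see whether the password settings are still in that GPO.

```powershell
# Added example: confirm the password policy lives in the Default Domain Policy, that the policy is
# linked and enabled at the domain root, and that no OU blocks inheritance (steps a and b).
# Assumes the ActiveDirectory and GroupPolicy modules; run on a DC as a Domain Admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$findings = @()

# Effective domain policy as the PDC emulator sees it (the DC that writes domain-wide password settings)
$policy = Get-ADDefaultDomainPasswordPolicy -Server $domain.PDCEmulator
if (-not $policy.ComplexityEnabled) { $findings += 'Password complexity is NOT enabled in the effective domain policy' }
if ($policy.MinPasswordLength -lt 1) { $findings += 'Blank passwords are allowed (MinPasswordLength = 0)' }

# a) The password settings should still be inside the Default Domain Policy itself
#    (simple text search over the GPO's XML report; the setting names are the ones the report uses)
$report = Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml
if ($report -notmatch 'PasswordComplexity' -or $report -notmatch 'MinimumPasswordLength') {
    $findings += 'Default Domain Policy does not contain the password policy settings'
}

# a) ... and the GPO must be linked and enabled at the domain root
$rootLink = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
                Where-Object { $_.DisplayName -eq 'Default Domain Policy' }
if (-not $rootLink)             { $findings += 'Default Domain Policy is not linked at the domain root' }
elseif (-not $rootLink.Enabled) { $findings += 'Default Domain Policy link at the domain root is disabled' }

# b) No OU may block inheritance; the Domain Controllers OU is the critical one
foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    if ((Get-GPInheritance -Target $ou.DistinguishedName).GpoInheritanceBlocked) {
        $tag = if ($ou.DistinguishedName -eq $domain.DomainControllersContainer) { ' <-- Domain Controllers OU' } else { '' }
        $findings += "Inheritance blocked on $($ou.DistinguishedName)$tag"
    }
}

if ($findings.Count -eq 0) { 'OK: password policy is in the Default Domain Policy and nothing blocks it' }
else                       { $findings | ForEach-Object { Write-Warning $_ } }
```

Step c) is still best confirmed with RSOP.MSC on the DC, which shows the winning GPO for each password setting.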
Also, as mentioned earlier in this article, we would talk about monitoring tools for Active Directory health and replication; the tool recommended below can be used for this.
SONAR – Read more about SONAR here.
After covering all of the above, we have now reached the end of this blog post. I hope this article helps with a few of the common Active Directory health related problems I shared here, and I wish you all the best.
Cheers