Posted: 07-June-2010 at 11:43 | IP Logged

Fix JRNL_WRAP_ERROR single DC

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

This is the procedure I generated:
Perform and SYSTEMSTATE backup to file on the domain controller

1. Set the relevant Netlogon key to 1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\P arameters\Enable Journal Wrap Automatic Restore = 1
(DWORD)

2. Restart FRS service

3. NAvigate to your SYSVOL (C:\WINDOWS\SYSVOL) and copy the entire sysvol folder to a different location (you will need some the content later)

4. Upon restarting the FRS service, you will find that the sysvol and netlogon are empty. Stop FRS service. Set BURRFLAGS to D4 (authorative restore) as per http://support.microsoft.com/kb/290762/en-us
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\P arameters\Backup/Restore\Process at Startup\BurFlags = D4
(Dword value, in hex)

5. Copy the content from the previously backed up file as follows:
from the backed up location of sysvol, copy \SYSVOL\domain\NtFrs_PreExisting___See_EventLog\Scripts and \SYSVOL\domain\NtFrs_PreExisting___See_EventLog\Policies to your live SYSVOL (ie, C:\WINDOWS\SYSVOL\DOMAIN), as well as SYSVOL\sysvol\<yourdomain>\NtFrs_PreExisting___See_Eve ntLog\Policies and SYSVOL\sysvol\<yourdomain>\NtFrs_PreExisting___See_Eve ntLog\scripts to your live SYSVOL (i.e. C:\WINDOWS\SYSVOL\sysvol\<yourdomain>\). ENsure that the folder SCRIPTS exists under your live SYSVOL, i.e C:\WINDOWS\SYSVOL\SYSVOL\<yourdomain>\scripts.

6.Start FRS and restart Netlogon. FRS should report OK and you should see sysvol shared when you issue net share command. HOwever, netlogon will present an error <The Netlogon service could not create server share C:\WINDOWS\SYSVOL\sysvol\yourdomain\SCRIPTS> . Also, your member computers will fail seeing the group policy objects.

7. Let's restore the security on SYSVOL. Open MMC/Security Configuration and analysis wizard, open a new DB, load DC Security.inf. CONFIGURE the security on the DC. As you will see, ONE of the steps is to apply File System configuration, which includes SYSVOL.

8. At the end of the process, we've restarted the DC. Verify using both methods bellow:
a) using GPMC, ensure you can see and edit groop policies
b) on the DC , and member servers/workstations, issue gpupdate /force.

If you still get errors (Windows cannot querry a list of group policies), make sure that the following folders exist (or copy them from the SYSLOG backup you have previously made):
C:\WINDOWS\SYSVOL\domain\Policies
C:\WINDOWS\SYSVOL\domain\Scripts
C:\WINDOWS\SYSVOL\sysvol\<yourdomain>\Policies
C:\WINDOWS\SYSVOL\sysvol\<yourdomain>\Scripts.
You might need to re-run Secedit as per step 7.

PS- You can always do an authorative restore using the NTBACKUP SYSTEMSTATE we've recommended you take prior to step1

Hope this helps.