Subscribe Feed (RSS)SBS2008 Migration: Active Directory replication is taking longer than expected.
December 25th, 2008 by Paul Sterley | Filed under Migration, Not in the Windows Box, Windows Server.Scenario: You are doing an SBS 2008 Migration from an SBS 2003 domain. You’ve created your answer file, you’ve gotten partway through setup, but it seems to sit forever at this screen:
Eventually, you get this pop-up dialog telling you at it is taking longer than expected, and asking if you want to keep waiting.
What now? Maybe you’ve clicked the yes button once or twice already and waited another 20 minutes with no positive results.
Well, this is what happened to me, and I’ll tell you what I found out about it. Your situation may be different, but check out what I found out, and look for it in yours. If it matches, you might want to give it a try. Hopefully you have a good backup.
After sitting at this screen for way too long, I decided to do some digging. I sent a ctrl-alt-del to the SBS 2008 server and brought up the Task Manager. From there, I opened a CMD prompt, and found my way to C:\Program Files\Windows Small Business Server\Logs. I copied the file to a UNC share on the source SBS server to read it (but you can just use the “type” command in the CMD window and read the last few lines if you want).
The last few lines looked like this:
[3212] 081225.202335.1592: Task: There are 0 pending replication operations. [3212] 081225.202335.2530: Setup: Attempting LDAP bind. [3212] 081225.202335.2530: Setup: Bind failed with: A local error occurred. [3212] 081225.202335.2530: Task: Waiting for replication to finish
That sequence repeated a few times. Definitely the choking point. I googled the hell out of that, and only found one item that looked remotely relevant. That guy was having the same symptom. He solved his problem by throwing away his SBS2003 domain and starting from scratch.
After MUCH digging, rebooting, retrying, and other things that I will spare you the pain of, I typed “eventvwr” at the CMD prompt, and looked through the event logs. I found, among other things, this event:
Source; GroupPolicy
Event ID: 1006
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller (LDAP Bind function call failed).
Now we’re getting somewhere. I found numerous search results for that one, including a forum where some guys had this error, received a hotfix from Microsoft, and the problem went away. Apparently the problem is caused if you have ever done an authoritative restore on your 2003 domain. When that happens, the msDS-KeyVersionNumber property from the user object “krbtgt” is increased. Windows Server 2008 is not expecting this. Any 2008 DCs that are added to this domain have trouble binding to LDAP and authenticating to AD because of this.
There is a Microsoft KB article about a seemingly completely unrelated topic, with a hotfix link available for download. Microsoft PSS sent these guys this hotfix, and it made that problem go away. It needs to be installed on all Windows 2003 DCs.
I am doing this upgrade on a virtual server, I have a snapshot, so I figured “What the heck, let’s try it!” and downloaded the hotfix. I ran it on my SBS 2003 server, and said No to the reboot. Lo and Behold, my SBS 2008 migration is proceeding past the error point! It’s looking good!
Use this fix with caution. Your mileage may vary. Make sure you have backups and/or a snapshot before you do it. Best of luck!
Tags: Group Policy, Hotfix, LDAP, Migration, SBS 2008
You sir, are the man. I was having exactly the same problem, but during the install my AD was trashed and I had to restore the system state.
Tried again, same problem. Installed the fix linked to in your post and BAM, the installer continued past the point it had been stopping at.
Now I just have to find out why Exchange 2007 wouldn’t install.
Once again, thanks for your help!
Shane:
You’re most welcome. Thanks for leaving feedback! It’s good to know others are getting some benefit from my struggles.
Hi Paul
Thank you very much! I was having the same problem with the dialog popping up saying that replication is taking too long!
My solution to the problem was for different reasons (problems with File Replication Services) and slightly more complex, however your idea about looking at the entries in Event Viewer and SBSSetup.log helped me resolve the problems!
Scary that even though I had followed the Microsoft SBS Migration guide right down to every last step I encountered countless problems!
Thank you very much once again!
Ivan
You’re most welcome! Any time you join a new DC, especially one with a different OS, there are bound to be some systems that have replication problems. It’s understandable that MS wants this process to appear streamlined, but they really should have supplied some links in the “is taking longer than expected” page to help people with troubleshooting.
Tried this, didn’t work for me. Still would hang at the same point.
To Ivan: I have some errors about FRS not being able to replicate properly – was this what you were getting? Also, if it was, can you post your solution? Thanks!
Hi bbq
Well, my problem was that FRS was disabled and stopped on my 2003 box (don’t ask me why, certainly not something I did). Upon enabling it I found it was throwing some errors, which I picked up in Event Viewer. I read the KB article on how to fix those errors, restarted FRS and everything worked fine after that.
I doubt you are experiencing the same problem. The idea here is to hit CTRL+ALT+DEL on the 2008 box start task manager, event viewer and cmd. After which you can look at SBSSetup.log and Event Viewer and see what errors are being reported and act upon them.
Paul, I agree, I am just so glad I was patient and I kept clicking yes on the replication is taking longer than expected, do you want to wait box.
Had the same issues but the hotfix didnt work I changed the DNS on the SBS2008 box by hitting ctrl alt del and starting explorer and changing the dns on the nic to itself. went through fine after that.
thank you. You saved me alot of Googling!
[...] Yes. I was also facing the same problem. So, I followed the method which is explained in the below article. It worked for me. So, you also give a try. Hope, it may help you also. SBS2008 Migration: Active Directory replication is taking longer than expected. [...]
I was having the same issue- turned out to be a much simpler fix- The dual nic system had the static from the answer file on the nic that was not plugged in. (we had a 50/50 chance getting it right) swapped cables with the NIC and it worked. I then disabled the other NIC. Strange thing is – the first NIC got a DHCP address and set the DHCP address as secondary DNS and primary was the existing SBS 2003 server- so it worked fine at first.
Hey, that’s a good one. I’ll have to remember that.
We’ve had the same problem today whilst using the Swing Migration route and found that the problem to be that we had our TEMPDC (SBS 2003 box) to be pointing to the router for it’s DNS. Once we changed this back to 127.0.0.1 the installation progresses!
I ran into another scenario like this today.
I suspect that the issue was caused by the servers being out of time sync. Once I got them in sync, I did get them to replicate, but SBS 2008 was still not happy.
The SBS setup logs indicated that it was unhappy because the “nltest /dsgetdc:dzns.local” command returned the SBS 2003 server name instead of the SBS 2008 server name. In short, it was unhappy because SBS08 was not being recognized as the primary domain controller yet.
The reason it was not being recognized as a DC is because NTFRS (File Replication Service) had not yet made a replica of the SYSVOL folder and created the SYSVOL share. It had tried, and it had gotten an “Access is denied” error (Kerberos failure) because the clocks were out of sync. I suspect it would have gotten there eventually once I fixed the clock, but I jump-started that process by using a “net stop ntfrs & net start ntfrs” command on SBS08, whereupon it replicated the SYSVOL folder, and created the share.
Then the SBS migration proceeded smoothly.
Paul thank you so much for posting this, and thanks to the others that have contributed to this discussion!
Same symptom and like others it was NTFRS error on the source server that were the issue. I corrected those using the instructions in event viewer (wow! they actually worked) for the NTRFS error. I had to manually add the registry value for the NTRFS rebuild.
Guys, thanks a million! I am stuck out at a client’s shop right now and this saved the day!
Great article. It helped me track down the follwoing error:
The File Replication Service had a “Journal Wrap Error” on my source DC. To my surprise, the error in the event log gave precise instuctions on how to set a registry key to add/remove the source DC for replication and after having cleaned up the error, the migration continued on! It also mentioned some issue with SYSVOL…
I had already installed the hotfix so I am not sure if that also was part of the problem, but bottom line is check the SBSSetup.log on the destination DC and check the Event Logs on the source DC.
Thanks again!
My problem was that File Replication Service was turned off. Once turning on I had the same issue Salomon describes. Again following the instructions provided by the event viewer proved to solve my issues.
I did NOT install the hotfix before restarting the replication service so I can say it may not be required in all instances.
I would have been clicking Yes for days had it not been for this post!
Thanks!
Yes, the hotfix is only necessary for the specific scenario where an authoritative restore was done at some point on the 2003 server. It seems there are a number of problems which can cause this symptom, and we’re building a good respository of them here. Thanks to everyone who has posted their results. It’s very helpful!
This page saved the day for me, my very poorly SBS2003 system is on it’s last legs and the migration had got stuck at the Active Directory point. I had to apply both the hotfix and the replication registry key and all is good. Many thanks to the OP and those who discovered the replication fault.
Thank you Paul and Co. This is the only useful information I found relating to this issue. The Microsoft patch helped mye in my migration from Server 2003 to SBS 2008 after a bodged upgrade by the previous IT guy from SBS 2003. Thanks again
I found that I hade to disable all NIC’s but the One I wanted to Use. Then I noticed the dns was incorrect set all to dhcp and all is good.
Thanks everyone. I had the same problem, just sitting there waiting for the replication to complete. Checking the NTFRS logs on the source server showed a journal wrap error. I created new registry DWORD HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Enable Journal Wrap Automatic Restore and set value to 1. Restarted NTFRS service on source and waited about 10 minutes. The SBS Migration continued without any intervention on the destination server. Happy Days!
Thanks Paul the hotfix worked for us!
To anyone wondering, we only had to install the hotfix on our old 2003 sbs while the 2008 setup was still running.
We didn’t reboot the 2003 or the 2008 sbs. It simply started trucking on after the hotfix had been installed on 2003.
Also if you want to see the log files you should be able to use the UNC path to access the C$ share of your new 2008 SBS even while it’s still setting up. No need to ctrl+alt+del.
UGH I am having this problem but the log file is point to it being a CA issue…NO clue on this one…anyone?
I had the same problem with NTFRS replication “Journal Wrap Error”. The information in this site will put you on the right track for troubleshooting. Great insight guys – thanks!
All I did was go to the source server and change the DNS to point to the destination server and all went through without a problem.
Thank u guyz…. save my day…
1. I did install the hotfix to the source server (SBS 2003)
2. Edit the registy on SBS 2003 (thanks ZIPPY)
3. Stopped and started the service on SBS 2008 (net stop ntfrs & net start ntfrs” command on SBS08)
4. Change the Network cable to the 2nd.
Prgress Bar is moving…. Thanks Paul Sterley & Ur Valuable Team…
Worked for me too! Thanks
Your the best!
I had to do the following.
1. install hotfix
2. Add NTFRS_CMD_FILE_MOVE_ROOT to the SYSVol
3. restart ntfrs on 2003
4. restart ntfrs on 2008
the it worked!
links
http://www.petri.co.il/forums/showthread.php?t=21679
DUDE, THANK YOU!!!!!
I had the NTFRS replication “Journal Wrap Error”. I added the suggested registry key on the source 2003 server then restarted the ntfrs service on both servers. Now i am back on my way to making progress.
Cheers,
John
You. Guys. Are. Legends.
I owe you guys lunch…
I had exactly similar issues. The logs looked the same. You will notice that when you check the operation masters on 2003 SBS server they will show and ERROR on operation master and in AD sites and services the replication link will be missing on the 2008 server.
Out of frustration I rebooted the 2008 server during the setup and hell crashed on me. The source server was in the middle of migration and schema had been changed to a no comming back stage. I did a restore on the source server once when it crashed and started setup again with image on the source server.
I tried to do the install manaully without the answerfile but the same issue. The server is happy until I promote it to a Domain Controller. Then I get the following error message regarding Group Policy:
“The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.”
I started the setup again and got stuck at excatly the same spot. I pressed ctrl+alt+del on 2008 and started eventvwr from task manager. It showed the following errors.
Source; GroupPolicy
Event ID: 1006
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller (LDAP Bind function call failed).
I then installed the hotfix from MS as mentioned in the article and everything was fine.
Thanks guys.
This is what I have learnt.
1. Check clocks are in sync.
2. Check FRS, DNS and DHCP on Source Server ( Some idiot had DNS set it to manual on my server).
3. I was prompted for 2003 SP1 not installed where as I had SP2 on it. ( I added the reg key manually on the 2003 ! Setup is dumb.
HKLM\SOFTWARE\Microsoft\SmallBusinessServer\ServicePackNumber ( = 1) )
4. Check Sysvol permissions.
5. Install the hotfix FIX 226580
http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=939820&kbln=en-us
6. Always take an image backup of source before you start anything. There are things that can go terribly wrong as they went worng with me.
Cheers
Riddhim
Had the same issue with active directory replication taking longer than expected. LDAP bind ok but would keep saying it was trying to finish replication.
To cut a long story short this is what I had to do:
Aborted migration, restored sbs2003 box from backup and started again.
File replication service on sbs 2003 box had been set to manual: Set to automatic and started service. This created a journal wrap error condition because FRS had been disabled for so long. Implemented registry fix as specified in the event log.
Also installed MS hotfix with regards to problem being caused by previous authoritive restore. I have no idea if one had been done in the past but as MS say that it will stop the condition from occuring as well as fix the issue I thought better safe than sorry.
Restarted migration and locked up at same location but this time GP couldn’t be processed because of authentication issus (LDAP bind failed). I found a comment above where someone changed the DNS address on the sbs2008 box and thought I’d give it a try.
According to the network settings on the SBS2008 box the primary dns was the sbs2003 server and the secondary was the sbs 2008, I swapped these around making the SBS2008 box the primary for itself and hey presto off we go.
Please note though the progress bar didn’t just start moving immediatley afetr making this change, it actually took a good 10mins or more but if you watch the system event logs you should see an entry stating that Group Policy was successful and then a whole bunch of events will follow as things start to progress, so have a little patience after making these changes.
Thanks that helped me out a lot. I had to do the registry hack with SP1 as well because it wouldn’t let me past it. I was so frusterated I was about to reboot the SBS2008 server, glad I didn’t. Thanks again.
Did the hotfix and didn’t reboot the SBS2003 server and it kept going. What a hassle.
Karl
The hotfix and, the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Enable Journal Wrap Automatic Restore registry entry did the trick for me!
Thanks all!
thank you so much guys, i tried the hotfix but finaly it was my dns that i set to 127.0.0.1
i’m installing for about ~24h now..customers are back and ..
anyways i’m just tired xD
THANK YOU !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
DUDE!
You just saved my butt. After 2+ hours at a client site struggling with this exact same scenario I found this page and all of these suggestions. Not sure which one worked (I did em all, lol), but something worked and the progress meter came to life. THANK YOU!
Yup….Journal Wrap Errors struck again. Glad I found this though. Otherwise it would have been sleeping bag and cozy up to google.
Thanks!
All I can say is thank God for Google…without which I wouldn’t have found your article and saved myself from years of headaches…
We had restored our server last year after a RAID array problem lost our drive, so this was the exact problem you had described. The progress bar is moving again, although I wait with baited breath to see how far it moves before stopping again.
Cheers
Hello,
The regitry key “enable Journal Wrap Automatic Restore” only (without apply hotfix) worked for me. after restarting ntfrs service on both servers, SBS 2K8 migration continues.
Many thanks to all of you, guys. you were really helpful.
Bye.
Hello again Guys,
ANOTHER MIGRATION ANOTHER ERROR
In addition to following I had set DNS for both servers to IP address of new server!
I have just copied the following from a website: ( Credits to them)
Replication Issues.
AD replication is taking longer than normal, do you want to wait for replication
This one happens sometimes. You will install, the AnswerFile gets picked up, and after a few reboots you get a message stating that the AD replication is taking longer than normal, do you want to wait for replication? You have two problems now. First, the Source isn’t replicating properly and you need to fix that problem, and secondly, many times the Destination server has stopped trying to replicate because of the failure.
Source server:
Check that these services are running, this is the most common cause of failure to replicate:
Computer Browser
File Replication Service
Remote Procedure Call (RPC) (and I always start the Locator too, don’t know if it helps but I do)
Server
Workstation
Disable Firewall! If you don’t make a habit of doing so already, the Firewall can really muck up a migration. You probably have a better firewall in your AV program already anyway.
So now you have the problem figured out, let’s get the two to start talking again. There is one registry key on the Source, and two on the Destination which need to be fixed.
Source:
HK_LM\System\CurrentControlSet\Services\NTFrs\Parameters\Backup/Restore\Process at Startup
Change the BurFlags key to D4 on the old server
Dest:
Obviously there is no run, so you need to bring up either Task Manager or a command prompt. I know there is another hotkey for CMD but I don’t remember what it is most of the time, so I just use CTRL+SHIFT+ESC, which brings up Task Manager. File>New Task will get you a run so you can open up the registry. Now change the same BurFlags key to D2 on the new server
Also go find the key HK_LM\System\CurrentControlSet\Services\Netlogon\Parameters and make sure the SysvolReady key says 1, if not change it.
Now stop the NTFrs service on both servers, and start the Source first, then the Destination, and on the Destination server click Yes to wait for the AD replication. If it worked, you should see almost immediate results.
OK, gonna echo all the happy sysadmins here and say… THANKS!!! This saved my bacon, not from the client, but my wife!! I may actually get home tonight..
Thank you so much Riddhim Dhawan for the step by step. Good god after wasting 2 hours and almost pulling the plug this fixed it and progress has continued! Thanks!
This article was so good, all I had to do was read it. When I glanced back to the console (I had already said “YES” wait) the progress bar had come to life.
I think this counts toward my score of things I’ve fixed by simply walking into the room.