This guy lays it all out:
http://adfordummiez.com/?p=61
And here is a copy/paste in case he ever takes it down:
Environment:
- Windows 2000/2003/2008 domain controllers using FRS (not DFSR).
- More than one Domain Controller
- Atleast one DC with a healthy SYSVOL
Why do Journal Wraps occur?
Instan at the AD Troubleshooting blog made an excellent blog entry about:
You should give it a read to understand what is going on under the hood.
Symptoms that might occur:
- Event ID 13568 is logged in the NtFrs event log
- A generic Event ID 1058 may be logged
- You make changes to a logon script but not all users got the change
- Changing a GPO or creating a new GPO is not applied to all users or computers
- Missing SYSVOL share
- A RSoP or gpresult report that data or policy object is missing or corrupt
If you take a look at the 13568 event you’ll see that there is a “solution” to this problem:
Set the “Enable Journal Wrap Automatic Restore” registry parameter to 1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters”
Restart ntfrs service.
This is not a good solution for post-Server 2000 SP3.
I don’t know why Microsoft still have this “how-to-fix” in event 13568, but they say in KB 290762:
Important: Microsoft does not recommend that you use this registry setting, and it should not be used post-Windows 2000 SP3. Appropriate options to reduce journal wrap errors include…
Update: I had to ask around about this since it was nagging me:
The event was never changed because the product group didn’t want to pay for the localization cost, nor admit that this registry setting caused more problems than it fixed. It actually came down to ego – the developer of FRS was a real piece of work. So instead the public docs were updated to state not to use that autorecovery registry setting.
Instead you should go for the Burflags method. This will kick start your SYSVOL up and running. Most often a “non-authoritative” (D2) approach will fix you up.
The “D2″ key can be set two places in registry:
Global re-initialization:
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
or
Replica set specific re-initialization:
HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID
If you’re using DFS replica sets that holds a large amount of data that is healthy, go for the “Replica set specific re-initialization”. If you set the Global Burflags, FRS will re-initialize all replica sets, including the DFS namespace the member holds. If they hold a large amount of data… that might take some time.
To find the GUID of SYSVOL, look for the “Replica Set Name” named “Domain System Volume (SYSVOL SHARE)” under the subkey “HKLM\..\..\Replica Sets”:
This screenshot have only one GUID since I don’t use DFS in my lab.
Change the value of Burflags to D2 (hex).
If you don’t uses DFS you could just set the Global Burflags to D2. It will not make any difference under what subkey you set it. This will re-initialize all replica sets the member holds (in this case the SYSVOL).
After you have set the Burflags key to D2, you have to restart the NTFRS service on the affected DC.
Overview of what happens:
1. The Burflags is set to 0
2. Event ID 13565 is logged. non-authoritative restore has started
3. The content of SYSVOL are moved to the pre-existing folder
4. Event ID 13520 is logged
5. The local FRS database is rebuilt
6. It re-join (vvjoin) the replica set
7. The “bad DC” will compare all files (file ID and MD5 sum) it has in the Pre-existing folder with the files from an upstream partner.
8. If a match is found, it will copy the file from the Pre-Existing folder to the original location. If they don’t match, it will pull the file from the upstream partner.
9. Event ID 13553 is logged
10. FRS notifies (SysvolReady reg.key = 1) the Netlogon service that SYSVOL is ready and can be shared.
11. The Netlogon service will share SYSVOL and Netlogon.
12. Event ID 13516 is logged (finished)
When you have verified that SYSVOL is shared and in sync, you can delete the content in the Pre-Existing folder to free up space.
Authoritative restore (D4):
If your SYSVOL is all messed up on every DC’s, you might have to do an “authoritative restore” using both the D4 and D2 values.
By the way you should never, ever use the D4 flag on more than one DC as you will have a lot of collisions and morphed folders. The D4 flag should only be set like Microsoft says, as a last resort.
Quick overview:
1. Stop the NtFrs service on every DC
2. Set the D4 flag on one DC that will be authoritative for the replica set(s). The SYSVOL content will not be moved to the pre-existing folder on the authoritative member.
3. Set the D2 flag on the other DC’s (non-authoritative)
4. Start the NtFrs service on the “D4″ DC.
5. Check that Event ID 13553 and 13516 is logged.
6. If step 5 is ok, start NtFrs on the “D2″ DC’s.
For detailed steps, see “How to rebuild the SYSVOL tree and its content in a domain”
References:
