Event ID 13508 source NtFrs on newly added DC Windows 2012 R2

July 30, 2018

I have been moving my environment to Windows 2012 R2 from Windows 2003 network recently. One of server roles I was moving was domain controllers. I had two of them, both running Windows 2003 SP2. After a fresh installation of Windows 2012 and adding 2 new VMs to domain I installed Adtive Directory Domain Services and promoted them to be domain controllers. All forest and domain preparations are made by the wizard, so only thing you do is to raise forest and domain functional level to be equal to 2003. Then I waited a bit (1 hour?) and moved all FSMO roles to new servers.  And that was the time I saw these warnings coming up on both Win 2012 machines:

Warning 13508 with NtFrs source on Windows 2012 R2

So I did some digging and I found out there is neither SYSVOL nor NETLOGON share on these servers, so they weren’t actually acting as domain controllers.. Further more dcdiag /q showed me a couple of failed tests on new machines and on old ones!

So after a day of research I found the solution, so here is what you need to do in this kind of situation:

  1. Perform a backup of your SYSVOL and NETLOGON shares.
  2. Get you PDC emulator back to old machine (in my case: Windows 2003 SP2). Open Active Directory Users and Computers console on your old PDC emulator, right-cklick on your domain and choose operations masters, then switch to PDC tab and click change. Check if it is propagated to all your DCs by typing netdom query fsmo on each of your DCs.
  3. Stop File Replication Service on all of your DCs. Use services.msc or type net stop ntfrs in a console.
  4. Go to your current PDC emulator (should be old machine now), open regedit and go to registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Paramaters\Backup/Restore\Process at Startup
  5. Change BurFlags value to “D4” using hex format.
  6. On all other controllers change the same value to “D2”. Please don’t make a mistake by typing wrong values on wrong DCs.. D4 on PDC, D2 on other DCs.
  7. Now start File Replication Service on your PDC emulator machine by typing net start ntfrs or through services.msc. Do it on all other DCs of your environment.
  8. Now you should get Warning 13565 which means your DC is trying to establish FRS connections. After a while check if there are NETLOGON and SYSVOL shares on DCs by typing net share. It should be now fine,

Remember that you are doing it on your own risk. And if you are not completely sure what you are doing I suggest to do some more reading:



ALL CREDIT GOES TO http://przemekflorek.pl/