Els's blog

Wednesday, December 13, 2006

File Replication Service Problems

Situation:
Your Active Directory environment seems to be working fine, yet you discover that group policies are not always being applied: sometimes they are, sometimes they are not.
When you check AD replication everything is OK and new objects are replicated to all of the domain controllers. But when you check Sysvol, one of your DCs seems to be out of date.
After testing Sysvol replication (by adding a file to the Sysvol share on a healthy DC and forcing replication to the outdated DC) you discover that this domain controller never receives group policy updates. The two symptoms are consistent: directory objects travel via AD replication, but the contents of Sysvol (policy templates and scripts) travel via the File Replication Service, which is a separate mechanism with its own failure modes.

Problem:
When you check the Event Viewer on the problem DC, you see the following error message:

Event Id 13561: The File Replication Service has detected that the replica set "Sysvol" is in JRNL_WRAP_ERROR.

A replica set hits JRNL_WRAP_ERROR when the record FRS is trying to read from the NTFS USN change journal is no longer there, so FRS can no longer tell which files changed while it was not looking. This can occur because of one of the following reasons: ...

Solution:
You will have to remove the server from the replica set and then add it again. This is a non-authoritative restore: the DC discards its own copy and replicates the entire Sysvol again from a partner. To accomplish this, do the following:

1. Start Registry Editor.

2. Find the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters

3. Add a new DWORD value named: Enable Journal Wrap Automatic Restore

4. Set the value to 1.

5. Wait for Sysvol to get replicated (if FRS does not react, restart the File Replication Service so it picks up the new value). During this time you will see the following events, in this order, in the File Replication Service log of the Event Viewer:

13560: FRS is deleting the computer from the replica set.
13553: FRS has added the computer to the replica set.
13516: FRS is no longer preventing the computer from becoming a DC.

At that moment everything should be fine again!

Remark:
Do not forget to change the Enable Journal Wrap Automatic Restore value back to 0 afterwards! Left at 1, FRS will silently re-initialise Sysvol on every future journal wrap, and you will never find out why the journal keeps wrapping.
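The whole procedure above as one script, an added example that is not part of the original post. It assumes you run it elevated on the affected DC, that PowerShell (1.0 or later) is installed there, and that the FRS event log is named "File Replication Service" and the service "NtFrs", as on Windows Server 2003; the 60-minute ceiling is an assumed value, a large Sysvol can take longer.

```powershell
# Added example: automate the journal-wrap recovery and verify the event sequence.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$name = 'Enable Journal Wrap Automatic Restore'

# Steps 1-4: create the DWORD if it does not exist yet, otherwise just set it to 1.
if ((Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) -eq $null) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null
} else {
    Set-ItemProperty -Path $key -Name $name -Value 1
}

# Restarting FRS makes it re-read the value now instead of at its next poll.
$start = Get-Date
Restart-Service -Name NtFrs

# Step 5: wait for 13560 (removed from replica set), 13553 (added again)
# and 13516 (DC may advertise again) to appear in the FRS log.
$wanted   = @(13560, 13553, 13516)
$seen     = @()
$deadline = (Get-Date).AddMinutes(60)     # assumed ceiling
while ($seen.Count -lt $wanted.Count -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    $seen = @(Get-EventLog -LogName 'File Replication Service' -After $start |
              Where-Object { $wanted -contains $_.EventID } |
              ForEach-Object { $_.EventID } |
              Select-Object -Unique)
}

# Remark: whatever happened, put the value back to 0 so FRS does not
# silently rebuild Sysvol the next time the USN journal wraps.
Set-ItemProperty -Path $key -Name $name -Value 0

if ($seen -contains 13516) {
    Write-Host "Sysvol re-initialised; FRS no longer blocks this DC."
    # Quick check that the share is populated again: the test file you
    # placed on the healthy DC should now be present here.
    Get-ChildItem "\\$env:COMPUTERNAME\SYSVOL"
} else {
    Write-Host "Timed out waiting for event 13516; events seen so far: $seen"
    Write-Host "Inspect the File Replication Service log before retrying."
}
```

The value is reset to 0 unconditionally, even on timeout, so a failed run does not leave the DC in the self-rebuilding state the remark warns about.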

Monday, December 04, 2006

Bitlocker for Data Partitions

Vista does not support encrypting data partitions with BDE through the BitLocker Control Panel, which only offers the OS volume. (Longhorn Server will have full support for this feature.)

But if you really want to protect your data with BitLocker, there is a way! You have to use the same method as described in my previous post: the manage-bde.wsf command-line script.

And what about unlocking this encrypted data drive?
That will not happen automatically. If you reboot your machine after the encryption process, the data volume comes up locked and you will no longer be able to access your files until you unlock it.

Your unlocking options (the volume stays encrypted either way; only the lock is removed):

  1. Manually
    cscript manage-bde.wsf -unlock E: -rk "path to encryption key (.bek file)"
    You will have to run this command after every reboot, so keep the .bek file somewhere you can reach before the volume is unlocked (a USB stick, not the data volume itself).
  2. Automatically
    cscript manage-bde.wsf -autounlock -enable E:
    This command creates an external key protector on the data volume and stores the associated external key on the BitLocker-protected OS volume. For this to work, your OS volume has to be encrypted with BDE too: the data volume is then exactly as well protected as the OS volume that holds its key.
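Both options, together with the check that makes option 2 safe, as an added example that is not part of the original post. It assumes Vista with manage-bde.wsf in %WinDir%\System32, a data volume E:, the external key (.bek) saved earlier on a USB stick mounted as F:\, and that the "Protection Status" line in the -status output reads "Protection On" for a protected OS volume; that wording is an assumption about the output format, not something the post states.

```powershell
# Added example: unlock a BitLocker data volume after a reboot and, only when
# the OS volume is itself protected, switch the data volume to auto-unlock.
$dataVolume = 'E:'
$keyDir     = 'F:\'                                    # assumed: USB stick holding the .bek
$mbde       = Join-Path $env:WinDir 'System32\manage-bde.wsf'

function Invoke-ManageBde {
    param([string[]]$Arguments)
    # cscript returns the script's exit code; manage-bde.wsf exits non-zero on failure.
    $out = & cscript.exe //nologo $mbde $Arguments
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $Arguments failed:`n$($out -join "`n")" }
    return $out
}

# Option 1: manual unlock with the external key. The .bek file name is whatever
# manage-bde generated when the volume was encrypted, so pick it up by extension.
$bek = Get-ChildItem -Path $keyDir -Filter '*.bek' | Select-Object -First 1
if ($bek -eq $null) { throw "No .bek file found in $keyDir; cannot unlock $dataVolume" }
Invoke-ManageBde -Arguments @('-unlock', $dataVolume, '-rk', $bek.FullName)

# Option 2: auto-unlock stores the external key on the OS volume, so it is only
# worth enabling if that volume is BitLocker-protected. Check before enabling.
$osStatus = Invoke-ManageBde -Arguments @('-status', $env:SystemDrive)
if ($osStatus -match 'Protection Status:\s+Protection On') {   # assumed output wording
    Invoke-ManageBde -Arguments @('-autounlock', '-enable', $dataVolume)
    Write-Host "$dataVolume will unlock automatically at boot; key held on $env:SystemDrive."
} else {
    Write-Warning "$env:SystemDrive is not BitLocker-protected; keep unlocking $dataVolume manually with the .bek file."
}
```

Keeping the manual unlock in the same script means the data volume is usable in the current session whichever branch the check takes; enabling auto-unlock only changes what happens at the next boot.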

Happy encrypting!