Sunday, 30 March 2014

How to rectify Journal wrap errors, Event id 13568 sournce NtFrs

Understanding Journal wrapper

Journal wrap errors occur if a sufficient number of changes that occur while FRS is turned off in such a way that the last USN(Update sequence number counter) change that FRS recorded during shutdown no longer exists in the USN journal during startup. The risk is that changes to files and folders for FRS(File replication service) replicated trees may have occurred while the service was turned off, and no record of the change exists in the USN journal. To guard against data inconsistency, FRS asserts into a journal wrap state. Let me simplify the statement, FRS has an internal database that contains all the files and folders it is replicating and each of these has a unique global ID (GUID).  The database also contains a pointer to the last NTFS disk operation (in the USN Journal/NTFS Journal) that the FRS service processed.
If a user changes a file or folder on a disk, the following happens:
  1. the operation is picked up by NTFS and an entry is made in the NTFS Journal
  1. FRS monitors the NTFS Journal for changes and notes that a change has been made to that file
  1. FRS keeps a record of the last NTFS Journal event that it processed and checks if it has processed it already
  1. If it hasn’t processed it already, it looks at whether it is a file that it should replicate
  1. If it should be replicated, the file goes into the normal process of staging, replicating, etc.
  2. FRS increments the entry in its database about the NTFS Journal event that it has processed so it won’t consider it again

If there is a situation that the replication files has got few changes and the DC's doesn't communicate with each other because replications partners was shutdown for a long time, FRS was not running or because of a communication failure in the network. When the communication is reestablished, FRS still knows the last NTFS Journal entry that it processed and it will compare this with the current NTFS Journal the next time it restarts.
The next time the FRS service starts, it sees that it has missed NTFS operations on the disk(It compares the its last processed NTFS operation and current NTFS journal database). This is when FRS complains it has reached a Journal Wrap state, the NTFS Journal log has wrapped around and it doesn’t know the current state of things on the disk.

Identifying the replication errors

1)As discussed above when there is a replication failure you will see the journal wrapper errors in the event logs.

2)There is one more method which you can confirm the replication is failed by using the native windows component 'replmon'. In order to check this follow these steps,(Remember that you do not have 'replmon' in Windows server 2008. However you can install it by following the link 

  1. Start->Run->type 'replmon' ENTER, This will open the replication monitor window.
  1. Now add the servers one by one to observe the status of replication. Once it is added right click on each server and select the option 'show group policy object status'.
  1. It will show you a windows that indicates the status of GPO replication for the particular server.
  1. Here you can find out the servers that has the good SysVol and corrupted as well. When the replication is success on a server it will have a blank 'Synch Status' Column, in addition the 'Version' and 'SysVol Version' columns will have identical numerical values.

  1. When there are issues in replication you may find the group policy object status as below.

In my case I have three GPOs that are failed to replicate to second server(Serer-2). Namely that are 'Clients', 'serverlabs test' and 'new group policy object'.  A good copy of sysvol will have a blank 'Synch Status' Column, in addition the 'Version and 'SysVol Version' columns will have identical numerical values. Here on the corrupted policies you can see the Synch status with a cross mark and its Version and SysVol versions are different or ERROR.

Restoring FRS replicas

Please make sure that you have a full backup of all your domain controllers before continuing with this process, this will help us to restore from backup if we do not have a good copy of SysVol in any of the servers. Generally there are two methods which you can consider to resolve the replication errors.
  1. Non-authoritative mode restore
  2. Authoritative mode restore

Let us consider these one by one.

Non-authoritative mode restore
This method is used when individual members of FRS replica sets that are having difficulty like assertions in the FRS service, corruption of the local jet database, journal wrap errors  or FRS replication failures. It is recommended to perform a non-authoritative restore before you consider the authoritative restore. Note: Performing the below steps will reinitiate the replication again from its replication partner. So make sure that the replication partner of affected server has a good copy of SysVol. Perform the below step on the server which is affected with replication issues.

  • Click Start, and then click Run.
  • In the Open box, type cmd and then press ENTER.
  • In the Command box, type 'net stop ntfrs'.

  • Click Start, and then click Run.
  • In the Open box, type regedit and then press ENTER.
  • Locate the directory 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'.
  • In the right pane, double-click 'BurFlags'.
  • In the Edit DWORD Value dialog box, type D2 and then click OK.

  • Quit Registry Editor, and then switch to the Command box, type net start ntfrs and close it.

              The above steps performs the below actions.

  • The value for BurFlags registry key returns to 0.
  • An event 13565 is logged to signal that a nonauthoritative restore is started.
  • The FRS database is rebuilt.
  • The member performs an initial join of the replica set from an upstream partner or from the computer that is specified in the Replica Set Parent registry key if a parent has been specified for SYSVOL replica sets.
  • The reinitialized computer runs a full replication of the affected replica sets when the relevant replication schedule begins.
  • When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.

Authoritative FRS restore

This is recommended on if the above steps does not resolve the issue. The following list of requirements must be met when before you perform an authoritative FRS restore:
  • The FRS service must be disabled on all downstream partners (direct and transitive) for the reinitialized replica sets before you restart the FRS service when the authoritative restore has been configured to occur. So on all affected server and stop FRS service by following the steps:
                       Open command prompt and type 'net stop ntfrs' which will stop the services.
  • Events 13553 and 13516 have been logged in the FRS event log. These events indicate that the membership to the replica set has been established on the computer that is configured for the authoritative restore.
  • The computer that is configured for the authoritative restore is configured to be authoritative for all the data that you want to replicate to replica set members.

Perform these steps to start authoritative restore on the server which has good copy of SysVol

  • Click Start, and then click Run.
  • In the Open box, type cmd and then press ENTER.
  • In the Command box, type 'net stop ntfrs'.

  • Click Start, and then click Run.
  • In the Open box, type regedit and then press ENTER.
  • Locate the directory 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'.
  • In the right pane, double-click 'BurFlags'.
  • In the Edit DWORD Value dialog box, type D4 and then click OK.

  • Quit Registry Editor, and then switch to the Command box, type net start ntfrs and close it.

  • Start the FRS service on all other servers that where having bad copies of SysVol and it will start replication.

              Performing the above will make changes as listed below:

  • The value for the BurFlags registry key is set back to 0.
  • An event 13566 is logged to signal that an authoritative restore is started.
  • Files in the reinitialized FRS replicated directories remain unchanged and become authoritative on direct replication. Additionally, the files become indirect replication partners through transitive replication.
  • The FRS database is rebuilt based on current file inventory.
  • When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.

             Now add the servers to replication monitor and make sure that there is no replication issues.
             Below article will help you with troubleshooting Journal wrap errors

Saturday, 29 March 2014

How to integrate SEPM with Active directory

Understanding the concept

There are few cases that we need to integrate our SEPM with active directory which may help us to :

1) You can import  your Organizational unit(OU) structure which helps you to get all your predefined groups so that its easy for you to create policies and assign to necessary OU. In a normal scenario we will have all your computers under the OU. So apart from applying Active directory policies you can attach the SEP policies easily to the same group.
2) You can set up AD authentication for SEPM- You can create a new user under SEPM and use the AD password authentication.

Integrating AD with SEPM

1.Open SEPM console and locate the tab 'Clients'.
2.Create a group under clients with a specific name, Clients-> Right click 'My company'-> 'Add a group'.

3.Now select the tab 'Admin'-> 'servers'-> You can see the servers are listed in the left hand side. Select the server name and click on 'Edit the server properties'.

4.On the appearing prompt select the tab 'Directory servers'. Here you need to add your AD server and its details.

Click on 'Add' button and specify your active directory primary server details and click 'OK'. Please make sure that the user that you have specified is having proper privilege to fetch the data from Active directory. If you wish to make the communication as secure you can put a tick mark on 'Use secure connection'. It is mainly require when your AD server and SEPM servers are at different networks. In the Replication Servers tab add the replicating Domain Controllers if any(The redundant DC's will allow automatic fail over in case a primary DC becomes unavailable).

5.You can specify the synchronize  details as manual or automatic. If you would like to set it to automatic put a tick mark on 'Synchronize with directory servers' and mention the details as required. If you wish to synchronize manually you can do it after adding the OU under clients tab.

Performing the above steps will help you to add directory server details in SEPM console, once it is added you can import the users from AD and add the organizational unit as a group. You can perform the below actions as required.

Perform the below steps if you would like to import the AD users to SEPM

1.Now click on 'Clients' tab and select the option 'Import active directory or LDAP users'.

2.On the next window it will be listed under 'Directory server'. Select it from the drop down box and it will automatically list the server details.
It uses the port 389/636 to communicate between server based on the none-secure/secure communication that you specify. Hence make sure that the particular port is open in your network. You can confirm the same by performing the telnet to directory server. Open command prompt and type 'telnet <directory server name/IP><space>389/636'. if that gets connected that indicates the port is open and you can continue with the below operations else make sure that you have you open this port wherever it is blocked(Firewall/proxy).

If this is the first time that you are doing the AD integration you can tick or un-tick the option 'Only show users that are not added to any group'. If it was already done you can tick this option so that it will list out all the users that are not even added to SEPM previously. Click on 'List users' to see the users as per your selection. Select the group where you would like to add the users. Here I have selected 'AD' and you can either select the individual users or all the users by the buttons 'Add' or 'Add All'. Please note that upon adding the users to group it will disappear from the 'users list'. Perform as you require and click close.

3.Now expand the group that you have added and make sure that the users are listed as expected.

Perform the below steps if you would like to import the Organizational Unit or container

  1. Make sure that you have added the directory server details in SEPM as described in the first section.
  1. As initial step from the Clients tab select the particular clients group that you would like to add the OU and select 'Import organizational unit or containers'
  2. Since we have already added the directory server in SEPM console if you click on the 'Domain' drop down box you can select the server.
  3. It will list out all the OU that is present in the Active directory, you can select the required OU and click on 'OK'.

  1. Based on the objects in the particular OU it will take few second and once it is added you can see the OU and its contents computers in this list.

                         When we have added the directory server we have set it to synchronize the groups every 24 hours. If you would                                 like to do it manually you can right click and select the option 'Sync Now'.

                         In case of issues with AD Sync check following logs in 'C:\Program Files\Symantec\Symantec Endpoint Protection                              Manager\Tomcat\logs\ADSITask-0.log' (for a 64 bit machine the location would be C:\Program Files(x86)\Symantec\Symantec Endpoint Protection Manager\Tomcat\logs\ADSITask-0.log). Search for "Error Code" and next few lines for the reason.

Troubleshoot WSUS clients and server

When you consider the issues of WSUS there are multiple thing to refer. These two parts are mainly the communication of WSUS server and communication of client computers. Let us consider the parts one by one.

Communication of WSUS server

1. When you have an issue with WSUS it is really necessary to make sure that WSUS server is working correctly, then only the clients will get the updates properly. In order to make sure that the WSUS is working correctly we have the in built MS utility called as 'wsusutil' which will help you to manage the server using command line. Since we need to make sure that WSUS is working correctly we can check the health of WSUS and make sure that it is working as expected.

a) Open command prompt and redirect to the below directory using the command 'cd C:\Program Files\Update Services\Tools'
b) Now type the command 'wsusutil.exe checkhealth' and ENTER. It will take few seconds to complete and once it is completed open the application event viewer and make sure that it has generated 'Event id 10000, source: Windows server update' which indicates that WSUS is working correctly. Search for any error messages in the Microsoft Knowledge Base for more troubleshooting information or post a comment on this article.

Note: You may fail to perform check health by the error message update service is not running. In this case open 'services.msc' from 'run' and make sure that the service 'update service' is running and startup type as 'automatic'. If you would like to more details about using 'wsusutil' follow the below link to get it.
2. If the initial step is success you can continue with remaining steps. WSUS server and its details are specified through GPO hence it is really necessary to make sure that there are no GPO errors reported in server. Review the application and system logs to make sure that there are no Active directory or GPO related errors. If you found anything resolve the same and continue with the investigation.
3. Check whether the server can reach the WSUS client by pingWSUSClient and make sure that the client is listed under 'Computers' in WSUS server console.
If you are unable to ping the clients make sure that the firewall or proxy servers does not prevent the communication. And make use of the 'telnet' command to trace the route.

         Communication of client computers

When we consider the WSUS clients there are multiple thing , perform the below steps to confirm the clients have got proper details of WSUS.

1. Make sure that there are no AD and GPO related errors in your domain controllers and affected clients(Check through System and application logs of event viewer). It is really necessary to do this since the clients are pulling the WSUS server details through group policy and any errors related to this may not allow those to get correct details.
2. Run a rsop and make sure that under Microsoft update service WSUS settings are defined properly.
Open Run-> Type 'rsop.msc' and ENTER. It will generate the group policy result which indicates the policies that are applied to this computer.
Expand Computer configurations->Administrative tools->Windows components and locate the policy 'specify intranet Microsoft  update service  location' is pointed to WSUS server.
That is the WSUS server will be specified as 'http://WSUSservername:8530 '. If the settings are incorrect make the necessary changes in server GPO and make sure that it receives in clients.

 3. If the clients are receiving GPO correctly those details will be listed in registry as well. Make sure the server details are present on the registry as well.
Open run command and type 'reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' which should return the value with your server details and looks like this:

WUServer    REG_SZ  http://WSUSServerName
WUStatusServer      REG_SZ  http://WSUSServerName

Note: You will have the above output only if your clients are configured to get updates  from WSUS server.
Else you can manually locate the registry directory and view the information are correct.
Open registry editor and locate 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' and see the WSUS server details are correct.

 4. Verify that clients can reach the WSUS server by performing the below steps:
Open the web browser and type' http://<WSUSServerName>/' if the results prompt you for downloading a file named as '' you can safely cancel it and it shows the client is able to communicate with WSUS server and there is no connectivity issue. If the webpage fails to respond and does not ask for the file to download it indicates that may be a communication issue, name resolution or WSUS server is not configured properly. One of the useful link in this situation is(self update issues)
5. Determine the last time that the clients has updated. This can be done in two ways either through report of WSUS administration console or from the registry values present in clients. It is more convenient to use the second option if you have the direct access to affected clients.
a) If you want to get the details using report viewer follow these steps:
Open the Update Services console on the WSUS server. Click the Reports icon and then click Computer Detailed Status. Browse the computers to find the problematic computer and examine the updates that have been successfully installed, as well as those that have not yet been installed.
b) To get the details directly from the client computer open the registry editor and locate the directory,  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results now each folders determine the status of WSUS updates like 'Detect' shows the last time the client detected on server and checked for updates. 'Download' will show the last date and time the updates installed and 'Install' says the last date and time that it has successfully installed the updates.

6. Download and install the  windows update troubleshooter which can fix most of the common issues.
7. When clients are not receiving the updates, determine whether its because of a problem that is affected the entire functionalities of Windows updates on clients or because of WSUS. So manually locate the 'Windows Updates' and click on 'Check for updates' to make sure that it is reporting that there are updates to install. If it is listed as there are updates pending to install do not initiate to install because by these steps we are checking whether there is any cryptographic service provider errors or a file Windows Update requires (named catalog store) is corrupted.
If there are error reported for this follow the below links to find the solution for some of the error codes.
8. All the client windows updates action details are stored locally named as 'WindowsUpdate.log'. Verify these logs and check whether there is any issue reported in logs. Follow these methods to get the latest logs.
The below link will help you to read the windows logs:
For server 2003\XP the - C:\winnt\WindowsUpdate.log
For 2008\Windows 7- C:\windows\WindowsUpdate.log
Else on Run command you can simply type 'WindowsUpdate.log' to open it.
9. Allow the affected client to reestablish the connection once again with WSUS . In order to achieve that, locate the affected client in the 'Computers' list of WSUS console  and delete it(Right click->Delete). Now on affected client open command prompt and type 'wuauclt /detectnow' wait for 30 minutes and check the logs that is available in client. Check the windows update logs from the time of doing these steps and see whether it reported any errors.
Search for any error messages in the Microsoft Knowledge Base for more troubleshooting information.
10. I have seen in may cases deleting  and regenerating the SUS client ID on affected clients will provide a solution for update errors.
On the affected client open command prompt and type the below commands,
net stop wuauserv
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIdValidation /f
net start wuauserv
The first and last command will stop and start the Windows update service on this computer. The other two will delete the SUS client ID. Now wait for another 15 minutes and observe the status.
11. There are many WSUS troubleshooting tools available through MS. Please follow the below link to get those and check whether it help you to resolve the issue.

Sunday, 23 March 2014

How to install and configure WSUS in windows server 2008

Understanding the concept

Windows server update service(WSUS) is one of the server roles which allows IT administrators to deploy  latest Microsoft product updates to computers that are running the Windows operating system. Using this service will allow administrators to fully manage the updates that are released by Microsoft by setting up hierarchies of wsus service and wsus client computers group. They can  Let us consider the scenario,

  1. In an organization it may not be important to have internet on all the clients and it is necessary to keep the       clients secured with windows update as well. WSUS will help you to control this ie, you can download all the windows updates to the centralized server and push the updates automatically/manually to the clients.
  2. When there are customized applications developed for your organization, it is necessary to check windows updates before installing on all clients and make sure that it will not affect our internal applications. In this case you can manually install each updates on a test clients and observe the status. If the updates are compatible with your network you can allow only the relevant applications to install and remaining updates to decline.
  3. You can schedule the update to install at the convenient time to install, create the reports for updates installation and receive the e-mail notifications about the newly downloaded the updates and installation status.

Installing and configuring WSUS

  1. Either you can install it from server roles or download the latest standalone version. When you initiate the installation from server roles it requires internet connection to complete since it will automatically search for updates. If the server does not have the internet at the moment you can mention download the standalone version from MS download center(KB972455).

From step 2 to 7 shows when you install WSUS using server manager. It is recommended to install using server manger since it will automatically detect the additional roles that are required for WSUS and will install by below steps. If you choose to download and install from MS download center you may fail to install it with the error message that required services are not installed(IIS and its dependent components). So make sure that you have installed these components from server manager before downloading and installing it.

  • Microsoft Internet Information Services (IIS) 7.0. Ensure that the following components are installed:
Windows Authentication, ASP.NET, 6.0 Management Compatibility, IIS Metabase Compatibility
  • Microsoft Report Viewer Redistributable 2005

Follow below steps to install WSUS using server manager

  1. Start->Administrative tools-> Server manager->Select 'Roles'->'Add role'
  2. Select 'Windows server update service'->Upon selecting this you may prompt with other services that are relevant for WSUS to run. Select 'Add required role services'(If you have those services already installed you will not have this prompt)and click 'Next'.

  1. Click 'Next' on IIS introduction window.

  1. Now you will have the list of role services to install for IIS. It will have a list of default features that are required for WSUS to work correctly hence you can simply click 'Next' without making any changes to selected roles.

  1. Now you will have an introductions to WSUS and click on 'Next' to start the installation.

  1. Confirm the installation selections and click on 'Install' which will initialize the installation.

  1. Once the installation is succeeded you will have the success message and you can locate it from Start->Administrative tools-> Windows server update service.

Steps to follow when you have downloaded the latest version directly from MS download center

  1. Double click on the file downloaded which will get you to the below screens, click 'Next'.

  1. Now you need to specify the role of the server, since this is my WSUS server and I need all the services to be installed on this server I have selected the option 'Full server installation including administration console'.
If you need to install only the administration console which will help you to connect with WSUS service installed on a server  and manage it you can use 'Administration console only'(It can be installed on a client or server OS as well).

  1. Accept the license agreement and click 'Next'.

  1. It is necessary to install 'Microsoft report viewer 2008 redistributable' when you want to generate the reports. It can be either installed before installing  WSUS or after installing WSUS. You can download it from the below MS link:

 I will install it after this process so click 'Next' to continue.

  1. You can specify either your updates to store locally or in Microsoft updates itself. It is recommended save the updates locally to improve the client download faster so you can leave the default option and click 'Next'(Note: Your updates will download locally only if the updates are approved else you will have only the names listed in your WSUS console) .

  1. Now you will be asked for the data store which requires to save the details of WSUS server and its clients. You can either specify the windows internal database or SQL database which is installed on this server or remote. We will continue with the default option and click 'Next'.

  1. You need to specify the website that is used for WSUS service. It can be either 'default website' or create another website. I would recommend you to create another website to avoid future port conflicts(Since this service also uses port 80(self update)), Click 'Next'.

  1. Now you will have a summary window and on next step it will install WSUS in your server. Since I don’t have windows internal database installed it will install this feature also, Click 'Next'.

  1. Click 'Finish' to close the window.

  1. Now it will automatically open a window to configure WSUS. Click 'Next' to start configuration(You can complete the below operations later as well).

  1. You can specify to fetch the updates directly from Microsoft or from another WSUS server. Since I dot have another WSUS server and I wish to get the updates directly from MS I have selected the first option 'Synchronize from Microsoft Update'. Click 'Next'.

  1. If you have a proxy server in your network specify the details and click 'Next'.

  1. Now you need to connect to the internet you need to apply your upstream server, proxy server settings and synchronize information about available updates so click on 'Start connecting' and wait for the process to start and click 'Next' once it is completed.

  1. Specify the languages that you want to download the updates. I would recommend you to select the least number of languages since it will increase the disk space utilization. Click 'Next'.

  1. Now you need to specify the updates that are required in your network. Verify each MS products that you have in your network and put a tick mark on the updates that are required.

  1. Select the update classifications that you require either it can be only critical updates and updates or entire classification. Select only the required classification to decrease the disk space utilization. Click 'Next'.

  1. Specify the synchronization details either it can be manual or automatic as per your needs. It will be useful to schedule automatic and synchronize after working hours of your organization which will help you to utilize the bandwidth effectively and without manual synchronization.

  1. You will have success message. Click 'Next' to launch the WSUS console and begin the initial synchronization.

  1. Click 'Finish' on next window. And you can open WSUS from 'Administrative tools'->'Windows server update service'