Authoritative SYSVOL restore (DFS-R)

In my previous article “Non-authoritative SYSVOL restore (DFS-R)” I showed how to do a non-authoritative restore of SYSVOL based on DFS Replication. Today it is time for an authoritative SYSVOL restore, which you need when your domain is in a bigger mess, or when you have to restore SYSVOL from backup and replicate it to the other Domain Controllers.

This action affects all Domain Controllers in the entire domain. In the first case (non-authoritative) you only touch SYSVOL on one DC at a time; the rest of your Domain Controllers keep running and sharing SYSVOL to users.

The second case (authoritative) is much more visible to users. While the restore is in progress, none of the Domain Controllers shares SYSVOL, where Group Policies and logon scripts are located. When you decide to do an authoritative SYSVOL restore, you need to inform all administrators not to create or modify Group Policies during that time. All other domain services keep running; only access to SYSVOL is unavailable. So, this action should be performed outside business hours.

How to start authoritative SYSVOL restore? What do you need to do first?

You should identify which Domain Controller holds the PDC Emulator operations master role. As you know, one of its functions is to manage and maintain GPOs: when you create or modify a GPO, the change is written directly on this Domain Controller.

If you need to restore SYSVOL from backup, that should also be done directly on the PDC Emulator role holder, because that is the DC from which you will initiate the authoritative SYSVOL restore.

So, let’s see how we can do that.

Log on to the PDC Emulator FSMO role holder. If you do not know which Domain Controller holds this role, run the following in an elevated command prompt on any of your DCs

netdom query fsmo

[Figure: Finding PDC Emulator role holder]

or type in PowerShell (Windows Server 2012/2012R2)

Import-Module ActiveDirectory
Get-ADDomain | Select PDCEmulator

[Figure: Finding PDC Emulator role holder]

and you’ll see which DC holds this role.

When you are logged on to this Domain Controller, you need to find out how many DCs are in your domain. The simplest way to check is with the Microsoft DS tools on a DC. Type in the command prompt

dsquery server -name * -limit 0 | dsget server -dnsname | find /v "dnsname" | find /v "dsget" >c:\dcslist.txt

[Figure: Collecting all Domain Controllers in a domain]

or type in PowerShell (Windows Server 2012/2012R2)

Import-Module ActiveDirectory
Get-ADDomainController -Filter * | Select Name | Out-File c:\dcslist.txt

[Figure: Collecting all Domain Controllers in a domain]

After you run this command, you should find a text file named dcslist.txt on your DC’s C: drive. Check its content: it lists all Domain Controllers in your domain.

[Figure: Full list of Domain Controllers]

On all of those Domain Controllers except the PDC Emulator holder, you have to perform a non-authoritative SYSVOL restore. But let’s go step by step.

You should initiate the authoritative SYSVOL restore from the DC holding the PDC Emulator role. If you need to restore SYSVOL from backup, do it before you initiate the restore.

First of all, stop the DFS Replication service. Type in an elevated command prompt

net stop DFSR

[Figure: Stopping DFS Replication service]

or in PowerShell

Stop-Service DFSR

or

Stop-Service "DFS Replication"

[Figure: Stopping DFS Replication service]

Important! All services relying on the DFS Replication service will be affected!

Now, run ADSI Editor (adsiedit.msc) on the Domain Controller from which you want to initiate the authoritative SYSVOL restore. Type in the Run box

adsiedit.msc

[Figure: Running ADSI Editor]

Connect to the domain partition (Default Naming Context). Right-click (RMB) the root node in the console and select “Connect to…”

[Figure: Connecting to Default Naming Context]

select a well known Naming Context and choose “Default Naming Context”

[Figure: Selecting Naming Context]

Expand the location below by clicking on each node within the console

Default Naming Context -> DC=domain,DC=local -> OU=Domain Controllers -> CN=Domain Controller name -> CN=DFSR-LocalSettings -> Domain System Volume

where DC=domain,DC=local is the distinguished name of your domain and CN=Domain Controller name is the name of the PDC Emulator role holder on which you want to initiate the authoritative SYSVOL restore.

[Figure: Searching SYSVOL subscription node]

then right-click the “CN=SYSVOL Subscription” entry in the right pane and choose “Properties”

[Figure: Editing SYSVOL subscription entry]

This time you need to change the values of two attributes

  • msDFSR-Enabled
  • msDFSR-Options

Find them on the list and edit them

[Figure: msDFSR-Enabled attribute edition]

Change its value from TRUE to FALSE and accept the change

[Figure: Modification of msDFSR-Enabled attribute]

and accept the changes so that they are applied

[Figure: Accept attributes changes]

Now, find the second attribute, msDFSR-Options, and edit it

[Figure: msDFSR-Options attribute edition]

Change its value from <not set> to 1 and accept the change

[Figure: Modification of msDFSR-Options attribute]

and accept the changes so that they are applied (do not close the window, you will use it later)

[Figure: Accept attributes changes]

REPETITIVE TASK

Now, on each of the remaining Domain Controllers you need to change the msDFSR-Enabled attribute from TRUE to FALSE, so that they will replicate SYSVOL from the authoritative Domain Controller. This does not need to be done directly on each Domain Controller; you can use ADSI Editor on the same DC on which you changed the previous attributes. But it is important to do this for every remaining DC!

Below you can find all required steps. You need to repeat them for the rest of the Domain Controllers

In ADSI Editor on the Domain Controller where you changed the previous attributes, close the “Attribute Editor” window and go back to the console. Expand each DC to set its msDFSR-Enabled attribute

[Figure: Changing SYSVOL subscription of the rest of Domain Controllers]

Find the attribute

[Figure: msDFSR-Enabled attribute edition]

and edit it, changing TRUE to FALSE

[Figure: Modification of msDFSR-Enabled attribute]

and click OK to accept the changes

[Figure: Modify attribute and accept changes]

and stop the DFS Replication service on that remote DC. Repeat these steps for EVERY remaining Domain Controller.

END OF REPETITIVE TASK
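The whole preparation phase above (stop DFSR on the PDC, set msDFSR-Enabled=FALSE and msDFSR-Options=1 on its SYSVOL Subscription object, set msDFSR-Enabled=FALSE on every other DC and stop DFSR there) can be scripted instead of clicked through in ADSI Editor. This is an added example, not the article’s own code; it assumes the ActiveDirectory RSAT module, Windows PowerShell 5.1 (for Get-Service -ComputerName) and a Domain Admin session on the PDC Emulator, to which every write is sent.

```powershell
# Added example (not the article's code). Assumes the ActiveDirectory RSAT
# module, Windows PowerShell 5.1 (Get-Service -ComputerName) and a Domain
# Admin session on the PDC Emulator, where all directory writes are sent.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
$dcs = Get-ADDomainController -Filter *

function Get-SysvolSubscriptionDN {
    # The object the article edits in ADSI Editor, below the DC's computer object
    param($DC)
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($DC.ComputerObjectDN)"
}

# 1. Stop DFSR on the PDC first, as in the article (dependent services are affected)
Get-Service -Name DFSR -ComputerName $pdc | Stop-Service

# 2. PDC: msDFSR-Enabled FALSE plus msDFSR-Options 1 marks it as the authoritative copy
$pdcDn = Get-SysvolSubscriptionDN -DC (Get-ADDomainController -Identity $pdc)
Set-ADObject -Identity $pdcDn -Server $pdc -Replace @{ 'msDFSR-Enabled' = $false; 'msDFSR-Options' = 1 }

# 3. Every other DC: msDFSR-Enabled FALSE only (non-authoritative), then stop DFSR there
foreach ($dc in $dcs | Where-Object { $_.HostName -ine $pdc }) {
    Set-ADObject -Identity (Get-SysvolSubscriptionDN -DC $dc) -Server $pdc -Replace @{ 'msDFSR-Enabled' = $false }
    Get-Service -Name DFSR -ComputerName $dc.HostName | Stop-Service
    Write-Host "Disabled SYSVOL subscription and stopped DFSR on $($dc.HostName)"
}

# 4. Read everything back before continuing: no DC may still show TRUE
foreach ($dc in $dcs) {
    $o = Get-ADObject -Identity (Get-SysvolSubscriptionDN -DC $dc) -Server $pdc -Properties 'msDFSR-Enabled', 'msDFSR-Options'
    '{0,-30} msDFSR-Enabled={1,-5} msDFSR-Options={2}' -f $dc.HostName, $o.'msDFSR-Enabled', $o.'msDFSR-Options'
}
```

The final read-back is the check you would otherwise do by eye in ADSI Editor: if any DC still reports TRUE, do not start DFSR until it is fixed.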

Now, on your PDC Emulator role holder start the DFS Replication service; type in an elevated command prompt

net start DFSR

[Figure: Starting DFS Replication service on PDC Emulator role holder DC]

or type in PowerShell

Start-Service DFSR

or

Start-Service "DFS Replication"

[Figure: Starting DFS Replication service on PDC Emulator holder Domain Controller]

In the DFS Replication event log you should see event ID 4114

[Figure: Event log review]

Modify the msDFSR-Enabled attribute back to TRUE

[Figure: Changing msDFSR-Enabled attribute back to TRUE state]

and accept the changes

[Figure: Accepting attribute changes]

Start Active Directory replication on all of your Domain Controllers. Type in an elevated command prompt

repadmin /syncall /AdP

[Figure: Replicating Active Directory]

On your PDC Emulator Domain Controller, in an elevated command prompt type

dfsrdiag PollAD

[Figure: Sync with the global information store]

Note! If the dfsrdiag command is not recognized when you run it, you need to install the DFS Management Tools feature!

[Figure: Adding DFS Management Tools feature]

In the DFS Replication event log, you should see event ID 4602. That means your authoritative SYSVOL restore has been initiated

[Figure: Event ID 4602]

REPETITIVE TASK

Before you start the DFS Replication service on a remaining DC, I suggest removing all content from these two folders

  • %WINDIR%\SYSVOL\domain\Policies
  • %WINDIR%\SYSVOL\domain\Scripts

Note! (these are the default locations; if you changed the SYSVOL location during DC promotion, refer to your own location)

Go to the next Domain Controller to which you want to replicate SYSVOL and start the DFS Replication service; type in an elevated command prompt

net start DFSR

[Figure: Starting DFS Replication service on PDC Emulator role holder DC]

or in PowerShell

Start-Service DFSR

or

Start-Service "DFS Replication"

[Figure: Starting DFS Replication service on PDC Emulator holder Domain Controller]

review the DFS Replication event log and check that event ID 4114 is there

[Figure: Event log review]

Change the msDFSR-Enabled attribute back to TRUE

[Figure: Changing msDFSR-Enabled attribute back to TRUE state]

accept the changes by clicking the “OK” button

[Figure: Accepting attribute changes]

and run the dfsrdiag command to synchronize with the global information store

dfsrdiag PollAD

[Figure: Sync with the global information store]

SYSVOL should now be replicated to this Domain Controller. Go to %WINDIR%\SYSVOL\domain\Policies and check that the data was replicated. You should see all Group Policies there

[Figure: All Group Policies on DC with PDC Emulator role]

and go to one more location, %WINDIR%\SYSVOL\domain\Scripts, to check that scripts and other files from the NETLOGON share were replicated

[Figure: All scripts on DC where non-authoritative SYSVOL restore has been done]

END OF REPETITIVE TASK
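The second half of the procedure, both the PDC Emulator part (start DFSR, wait for event 4114, set msDFSR-Enabled back to TRUE, repadmin /syncall /AdP, dfsrdiag PollAD, wait for event 4602) and the repeated part for every remaining DC (empty Policies and Scripts, start DFSR, 4114, TRUE, PollAD, check the Policies folder), is the same sequence with one switch. Below is an added example, not the article’s own code, that runs it for one DC at a time; it assumes the ActiveDirectory RSAT module and DFS Management Tools (dfsrdiag.exe) on the DC you run it from, Windows PowerShell 5.1, and the default SYSVOL path reached through the admin$ share. For the non-authoritative DCs it waits for event 4604 (SYSVOL initialized), which the article does not mention but which DFSR logs when initial sync from the authoritative member is done.

```powershell
# Added example (not the article's code). Assumes the ActiveDirectory RSAT
# module plus DFS Management Tools (dfsrdiag.exe) on the DC you run it from,
# Windows PowerShell 5.1, and the default SYSVOL path (%WINDIR%\SYSVOL = admin$).
Import-Module ActiveDirectory

function Wait-DfsrEvent {
    # Poll the DFS Replication log of $Computer for $EventId logged after $Since
    param([string]$Computer, [int]$EventId, [datetime]$Since, [int]$TimeoutSec = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $ev = Get-WinEvent -ComputerName $Computer -MaxEvents 1 -ErrorAction SilentlyContinue `
              -FilterHashtable @{ LogName = 'DFS Replication'; Id = $EventId; StartTime = $Since }
        if ($ev) { return $ev }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFS Replication event $EventId on $Computer"
}

function Resume-SysvolReplication {
    # The article's start / 4114 / TRUE / PollAD sequence for one DC.
    # Use -Authoritative for the PDC (expects 4602); omit it for every other DC.
    param([string]$DcName, [switch]$Authoritative)
    $pdc   = (Get-ADDomain).PDCEmulator
    $dc    = Get-ADDomainController -Identity $DcName
    $dn    = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"
    $since = Get-Date

    if (-not $Authoritative) {
        # Article's advice: empty Policies and Scripts before DFSR starts on a non-authoritative DC
        foreach ($sub in 'Policies', 'Scripts') {
            Remove-Item "\\$($dc.HostName)\admin$\SYSVOL\domain\$sub\*" -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
    Get-Service -Name DFSR -ComputerName $dc.HostName | Start-Service
    Wait-DfsrEvent -Computer $dc.HostName -EventId 4114 -Since $since | Out-Null   # "SYSVOL disabled" logged

    Set-ADObject -Identity $dn -Server $pdc -Replace @{ 'msDFSR-Enabled' = $true }
    repadmin /syncall /AdP | Out-Null
    dfsrdiag PollAD "/Member:$($dc.HostName)" | Out-Null

    # 4602 = authoritative restore initiated on the PDC; 4604 = SYSVOL initialized from it on a member
    $expected = if ($Authoritative) { 4602 } else { 4604 }
    Wait-DfsrEvent -Computer $dc.HostName -EventId $expected -Since $since | Out-Null
    $gpos = Get-ChildItem "\\$($dc.HostName)\admin$\SYSVOL\domain\Policies" -Directory
    '{0}: event {1} logged, {2} GPO folders present' -f $dc.HostName, $expected, $gpos.Count
}

# Usage: the PDC first, then each remaining DC (DC names are constructed placeholders)
# Resume-SysvolReplication -DcName 'DC1' -Authoritative
# Resume-SysvolReplication -DcName 'DC2'
```

Run it for the PDC Emulator first and only move on to the other DCs once event 4602 has been logged there, exactly as the article orders the steps.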

That’s all!


Author: Krzysztof Pytko


31 responses to “Authoritative SYSVOL restore (DFS-R)”

  1. Slint says :

    I’ve searched the net the whole day and bazinga! I found your post! All my troubles are gone. Thanks for a very good post! You are a hero!
    • Henrik says :

      Same goes for me! Thank you kindly Krzysztof, I can now demote my temporary primary DC with a clear conscience.

  2. El Chipo says :

    Hey, I did as you asked above but on my PDC I don’t get Event ID 4602, instead I always get 2213. Any clues?
  3. Joe Smith says :

    Great article. Was trying to piece together info from multiple sources; this explained it all. Fixed my problem.
  4. Karl says :

    You’ve effectively just saved my ass. THANK YOU!

  5. Drakes says :

    Thank you very much for this easy step-by-step instruction. Got my 2 Domain Controllers working again. You really saved me a lot of time and trouble.
  6. David Harris says :

    After weeks of trying to fix this issue in my domain, your steps worked perfectly !!!! Thank you so much for posting this information !!!!!!

    I will definitely never forget it !!!!!!!!!

  7. David M says :

    Holy crap!! You Rock! I have been searching for a solution all day and you explained it in fantastic detail! Thank you sooo much!
  8. Tom says :

    Thank you very much !
    After ca. 6 months of replication issues, finally my problems are gone!
    Policies started working as they should on my 2 AD controllers.
    Great job.
  9. vinodkumar MC says :

    Really fantastic super

  10. Jon Spigs says :

    Been banging my head against my desk for the last 2 weeks trying to get policy to replicate in my lab. You are awesome!!!
  11. Sean says :

    Thanks! Came to a new job and the DC’s were not communicating for… OVER 600 DAYS. Did a bunch of troubleshooting and finally ended up on DFS event logs and then found your site! This post is 1000 times better than the one on technet.

  12. Bismarckg says :

    You have no idea how much I appreciate your post. Very easy to follow and detailed. MS should hire you to write their documentation which, by the way, sucks big time. Thanks!!!!

  13. Curt says :

    This worked great. My Sysvol is now happy again; I think it was a permission issue.

    Thank you again
  14. Mario Brenes says :

    Wow!!! Amazing document! Thank you a lot!
    Twice better than https://support.microsoft.com/en-us/kb/2218556
  15. Mario Brenes says :

    Wow! Amazing document! Thanks a lot!
    Twice better than https://support.microsoft.com/en-us/kb/2218556
  16. Nirmal says :

    Awesome document!!

    Far better than https://support.microsoft.com/en-us/kb/2218556
  17. Kusanagi1984 says :

    Good day,
    Dear Isiek,

    Many thanks from Colombia, you saved my life. I spent more than a week looking for solutions, supposedly on TechNet, but you were the one who had the solution. Blessings.
  18. Sean K. says :

    Excellent. I found old versions of this tip, but yours was right on the money for my 2012 issues. Thanks for such a detailed and easy to follow guide!

  19. Enrique Rivera says :

    I could kiss you right now. I’ve been working on this replication problem on and off for months now! I tried using the MS version of these procedures and they leave out way too many steps. They mention things like “after this step, force replication”, yet they give no commands or directions, so it was very confusing. You are my hero, thanks.
  20. Alexandre Nogueira says :

    Great job, thanks!!!! You are amazing!!!!!