Authoritative SYSVOL restore (DFS-R)
In my previous article, “Non-authoritative SYSVOL restore (DFS-R)”, I showed you how to do a non-authoritative restore of SYSVOL based on DFS Replication. Today it is time to do an authoritative SYSVOL restore. This is the procedure to use if you have a bigger mess in your domain, or if you need to restore SYSVOL from backup and replicate it to the other Domain Controllers.
This action affects all of your Domain Controllers in the entire domain. In the first case (non-authoritative), you only touch SYSVOL on one DC at a time; the rest of your Domain Controllers keep running and sharing SYSVOL to users.
The second case (authoritative) is much more visible to users. While it runs, none of the Domain Controllers share SYSVOL, where Group Policies and logon scripts are located. When you decide to do an authoritative SYSVOL restore, you need to inform all administrators not to create or modify Group Policies during that time. All other domain services keep running; only access to SYSVOL is unavailable. So, this action should be performed outside of business hours.
How to start authoritative SYSVOL restore? What do you need to do first?
You should identify which Domain Controller holds the PDC Emulator operations master role. As you know, one of its functions is to manage and maintain GPOs: when you create or modify a GPO, it is done directly on this Domain Controller.
If you need to restore SYSVOL from backup, it should also be done directly on the PDC Emulator role holder, from which you will initiate the authoritative SYSVOL restore.
So, let’s see how we can do that.
Log on to the PDC Emulator FSMO role holder. If you do not know which Domain Controller holds this role, run the following in an elevated command prompt on any of your DCs
netdom query fsmo
or type in PowerShell (Windows Server 2012/2012 R2)
Import-Module ActiveDirectory
Get-ADDomain | Select PDCEmulator
and you’ll see which DC holds this role.
When you are logged on to this Domain Controller, you need to determine how many DCs are in your domain. The simplest way to check is to use the Microsoft DS tools on a DC. Type in the command prompt
dsquery server -name * -limit 0 | dsget server -dnsname | find /v "dnsname" | find /v "dsget" >c:\dcslist.txt
- Collecting all Domain Controllers in a domain
or type in PowerShell (Windows Server 2012/2012 R2)
Import-Module ActiveDirectory
Get-ADDomainController -Filter * | Select Name | Out-File c:\dcslist.txt
After you run this command, you should find a text file named dcslist.txt on your DC’s C: drive. Check its content; it lists all Domain Controllers in your domain.
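As an added example (not part of the original article), the following PowerShell report combines the two checks above and goes one step further: for every Domain Controller it shows whether it holds the PDC Emulator role, the state of its DFS Replication service, and the current values of the msDFSR-Enabled and msDFSR-Options attributes on its SYSVOL Subscription object, which are exactly the attributes edited in ADSI Edit later in this procedure. It is useful both before you start and after you finish, to confirm every DC is back to msDFSR-Enabled = TRUE. It assumes the ActiveDirectory module is installed and that WinRM is reachable on each DC; the function name Get-SysvolDfsrState is my own.

```powershell
# Added example (not from the original article): read-only pre-flight report of the
# objects this procedure edits. Run on any DC as a Domain Admin. Assumes the
# ActiveDirectory module (RSAT-AD-PowerShell) and WinRM access to every DC.
Import-Module ActiveDirectory

function Get-SysvolDfsrState {
    $pdce = (Get-ADDomain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        # The "SYSVOL Subscription" object edited in ADSI Edit; its DN always hangs
        # off the DC's computer object under OU=Domain Controllers.
        $dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"
        try {
            $sub     = Get-ADObject -Identity $dn -Properties 'msDFSR-Enabled', 'msDFSR-Options' -ErrorAction Stop
            $enabled = $sub.'msDFSR-Enabled'
            $options = $sub.'msDFSR-Options'        # $null when the attribute is <not set>
        } catch {
            # No DFSR-LocalSettings/subscription object: this DC's SYSVOL is not
            # replicated by DFS-R, so the steps in this article do not apply to it.
            $enabled = 'NO SUBSCRIPTION OBJECT'
            $options = $null
        }
        # Service status is read over WinRM (enabled by default on Windows Server).
        $svc = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
                              -ScriptBlock { (Get-Service -Name DFSR).Status }
        if (-not $svc)           { $svc = 'unreachable' }
        if ($null -eq $options)  { $options = '<not set>' }

        [pscustomobject]@{
            DC               = $dc.HostName
            IsPDCEmulator    = ($dc.HostName -eq $pdce)
            DfsrService      = $svc
            'msDFSR-Enabled' = $enabled
            'msDFSR-Options' = $options
        }
    }
}

Get-SysvolDfsrState | Format-Table -AutoSize
```

During the procedure the expected picture is: every DC with DfsrService Stopped and msDFSR-Enabled False, and only the PDC Emulator row with msDFSR-Options 1; at the end, every DC should be Running and True again.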
On all of those Domain Controllers except the PDC Emulator holder, you have to perform a non-authoritative SYSVOL restore. But let’s go step by step.
You should initiate the authoritative SYSVOL restore from the DC holding the PDC Emulator role. If you need to restore SYSVOL from backup, do it before you initiate the restore.
First of all, stop the DFS Replication service. Type in an elevated command prompt
net stop DFSR
or in PowerShell
Stop-Service DFSR
or
Stop-Service "DFS Replication"
Important! All services relying on the DFS Replication service will be affected!
Now, run ADSI Edit (adsiedit.msc) on the Domain Controller from which you want to initiate the authoritative SYSVOL restore. Type in the Run box
adsiedit.msc
Connect to the domain partition (Default Naming Context): right-click (RMB) the root node in the console and select “Connect to“,
select a well known Naming Context and choose “Default Naming Context“.
Expand the location below by clicking on each node within the console
Default Naming Context -> DC=domain,DC=local -> OU=Domain Controllers -> CN=Domain Controller name -> CN=DFSR-LocalSettings -> Domain System Volume
where DC=domain,DC=local is the distinguished name of your domain and CN=Domain Controller name is the name of the PDC Emulator role holder on which you want to initiate the authoritative SYSVOL restore.
Right-click the “CN=SYSVOL Subscription” entry in the right pane and choose “Properties“.
This time you need to change the values of two attributes
- msDFSR-Enabled
- msDFSR-Options
Find them on the list and edit them.
msDFSR-Enabled: change its state from TRUE to FALSE and accept the change,
then click OK to apply the changes.
Now, find the second attribute, msDFSR-Options, and edit it.
Change its state from <not set> to 1 and accept the change,
then click OK to apply the changes (do not close the window, you will use it later).
REPETITIVE TASK
Now, on each of the remaining Domain Controllers you need to change the msDFSR-Enabled attribute from TRUE to FALSE, so that they will receive SYSVOL from the authoritative Domain Controller. This does not need to be done directly on each Domain Controller; you can use ADSI Edit on the same DC on which you changed the previous attributes. But it is important to do it for every remaining DC!
Below you can find all required steps. You need to repeat them for the rest of the Domain Controllers.
In ADSI Edit on the Domain Controller where you changed the previous attributes, close the “Attribute Editor” window and go back to the console. Expand each DC to set its msDFSR-Enabled attribute.
Find the attribute
and edit it, changing TRUE to FALSE,
and click OK to accept the changes,
then stop the DFS Replication service on that remote DC. Repeat these steps for EVERY remaining Domain Controller.
END OF REPETITIVE TASK
Now, on your PDC Emulator role holder, start the DFS Replication service. Type in an elevated command prompt
net start DFSR
or type in PowerShell
Start-Service DFSR
or
Start-Service "DFS Replication"
In the DFS Replication event log you should see event ID 4114.
Modify the msDFSR-Enabled attribute back to TRUE
and accept the changes.
Start Active Directory replication on all of your Domain Controllers. Type in an elevated command prompt
repadmin /syncall /AdP
On your PDC Emulator Domain Controller, in an elevated command prompt, type
dfsrdiag PollAD
Note! If the dfsrdiag command is not recognized, you need to install the DFS Management Tools from Features!
In the DFS Replication event log, you should see event ID 4602. That means your authoritative SYSVOL restore is initiated.
REPETITIVE TASK
Before you start the DFS Replication service, I would suggest removing all content from these two folders
- %WINDIR%\SYSVOL\domain\Policies
- %WINDIR%\SYSVOL\domain\Scripts
Note! These are the default locations; if you changed the SYSVOL location during DC promotion, use your own location instead.
Go to another Domain Controller to which you want to replicate SYSVOL and start the DFS Replication service. Type in an elevated command prompt
net start DFSR
or in PowerShell
Start-Service DFSR
or
Start-Service "DFS Replication"
Review the DFS Replication event log and check for event ID 4114.
Change the msDFSR-Enabled attribute back to TRUE,
accept the changes by clicking the “OK” button,
and run the dfsrdiag command to synchronize with the global information store
dfsrdiag PollAD
SYSVOL should now replicate to this Domain Controller. Go to %WINDIR%\SYSVOL\domain\Policies and check whether the data was replicated; you should see all Group Policies and scripts there,
then go to one more location, %WINDIR%\SYSVOL\domain\Scripts, to check whether the scripts and other files from the NETLOGON share were replicated.
END OF REPETITIVE TASK
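For administrators who prefer to script the whole procedure rather than click through ADSI Edit for each DC, here is an added example (not from the original article) that performs the same steps in the same order with the ActiveDirectory module, repadmin and dfsrdiag: it stops DFSR on the PDC Emulator and sets msDFSR-Enabled to FALSE and msDFSR-Options to 1 on its SYSVOL Subscription, disables the subscription and stops DFSR on every other DC, brings the PDC Emulator back and waits for events 4114 and 4602, and then, DC by DC, clears the default Policies and Scripts folders, restarts DFSR, sets msDFSR-Enabled back to TRUE and polls AD. It assumes you run it on the PDC Emulator as a Domain Admin, that the DFS Management Tools (dfsrdiag) are installed on every DC, that WinRM is enabled (the default on Windows Server) and that SYSVOL is at its default location; the function names Get-SysvolSubscriptionDN and Wait-DfsrEvent are my own. The extra repadmin /syncall before each remote PollAD is my addition, so that the TRUE value has reached that DC before its DFSR service re-reads its configuration.

```powershell
# Added example (not from the original article): scripted equivalent of the
# authoritative SYSVOL restore steps above. Run on the PDC Emulator as a Domain
# Admin. Assumes: ActiveDirectory module here, DFS Management Tools (dfsrdiag)
# on every DC, WinRM enabled on every DC, SYSVOL at its default location.
Import-Module ActiveDirectory

# DN of the "SYSVOL Subscription" object edited in ADSI Edit; it always hangs off
# the DC's computer object under OU=Domain Controllers.
function Get-SysvolSubscriptionDN {
    param([string]$DcHostName)
    $dc = Get-ADDomainController -Identity $DcHostName
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"
}

# Poll a DC's "DFS Replication" event log until the given event ID appears after $Since.
function Wait-DfsrEvent {
    param([string]$DcHostName, [int]$EventId, [datetime]$Since, [int]$TimeoutSec = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $ev = Invoke-Command -ComputerName $DcHostName -ArgumentList $EventId, $Since -ScriptBlock {
            param($Id, $Start)
            Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = $Id; StartTime = $Start } `
                         -MaxEvents 1 -ErrorAction SilentlyContinue
        }
        if ($ev) { return $ev }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFS Replication event $EventId on $DcHostName"
}

$pdce   = (Get-ADDomain).PDCEmulator
$others = (Get-ADDomainController -Filter *).HostName | Where-Object { $_ -ne $pdce }
$start  = Get-Date
if ((Read-Host "Authoritative SYSVOL restore from $pdce will interrupt SYSVOL on all DCs. Type YES to continue") -ne 'YES') { return }

# --- Step 1: the PDC Emulator becomes the authoritative source ------------------
Stop-Service -Name DFSR
Set-ADObject -Server $pdce -Identity (Get-SysvolSubscriptionDN $pdce) `
             -Replace @{ 'msDFSR-Enabled' = $false; 'msDFSR-Options' = 1 }

# --- Step 2 (repetitive task): disable every other subscription, stop its DFSR ---
foreach ($dc in $others) {
    Set-ADObject -Server $pdce -Identity (Get-SysvolSubscriptionDN $dc) -Replace @{ 'msDFSR-Enabled' = $false }
    Invoke-Command -ComputerName $dc -ScriptBlock { Stop-Service -Name DFSR }
}

# --- Step 3: bring the PDC Emulator back ------------------------------------------
Start-Service -Name DFSR
Wait-DfsrEvent -DcHostName $pdce -EventId 4114 -Since $start | Out-Null
Set-ADObject -Server $pdce -Identity (Get-SysvolSubscriptionDN $pdce) -Replace @{ 'msDFSR-Enabled' = $true }
repadmin /syncall /AdP | Out-Null      # replicate the attribute changes to all DCs
dfsrdiag PollAD | Out-Null             # make the local DFSR service re-read its AD configuration
Wait-DfsrEvent -DcHostName $pdce -EventId 4602 -Since $start | Out-Null   # authoritative restore initiated

# --- Step 4 (repetitive task): re-seed every remaining DC -------------------------
foreach ($dc in $others) {
    $t = Get-Date
    Invoke-Command -ComputerName $dc -ScriptBlock {
        # Default SYSVOL path; adjust if SYSVOL was relocated during promotion.
        Remove-Item -Path "$env:WINDIR\SYSVOL\domain\Policies\*", "$env:WINDIR\SYSVOL\domain\Scripts\*" -Recurse -Force
        Start-Service -Name DFSR
    }
    Wait-DfsrEvent -DcHostName $dc -EventId 4114 -Since $t | Out-Null
    Set-ADObject -Server $pdce -Identity (Get-SysvolSubscriptionDN $dc) -Replace @{ 'msDFSR-Enabled' = $true }
    repadmin /syncall /AdP | Out-Null  # my addition: ensure the TRUE value has reached $dc before it polls AD
    Invoke-Command -ComputerName $dc -ScriptBlock { dfsrdiag PollAD } | Out-Null
    Write-Host "SYSVOL re-seeding initiated on $dc"
}
```

All writes go through -Server $pdce so that the attribute changes originate on the PDC Emulator and repadmin /syncall /AdP pushes them outward from there, matching the order of the manual procedure. Remove-Item will fail if a Group Policy Management console still has the Policies folder open on that DC, so close GPMC everywhere before running it.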
That’s all!
Author: Krzysztof Pytko
51 responses to “Authoritative SYSVOL restore (DFS-R)”
I’ve searched the net the whole day and bazinga! I found your post! All my troubles are gone. Thanks for a very good post! You are a hero!
Same goes for me! Thank you kindly Krzysztof, I can now demote my temporary primary DC with a clear conscience.
Hey, I did as you asked above but on my PDC I won’t get Event ID 4602, instead I always get 2213. Any clues?
Looks like some step is missing in between. Could you check it once again, please?
Great article, Was trying to piece together info from multiple sources. this explained it all. Fixed my problem
You’ve effectively just saved my ass. THANK YOU!
I’m glad I could help you
Thank you very much for this easy step-by-step instruction. Got my 2 Domain Controllers working again. You really saved me a lot of time and Trouble.
Great! I’m glad I could help you to solve the issue.
Thank you for reading my blog
After weeks of trying to fix this issue in my domain, your steps worked perfectly !!!! Thank you so much for posting this information !!!!!!
I will definitely never forget it !!!!!!!!!
Great! I’m glad that this article could help you solving the issue in your environment!
Holy crap!! You Rock! I have been searching for a solution all day and you explained it fantastic detail! Thank you sooo much!
Thank you! I’m glad I could help you
Regards,
Krzysztof
Thank you very much !
After c.a. 6 months of getting replication issues finally my problems are gone !
Policies started working as they should on my 2 AD controllers.
Great job.
You’re welcome. I’m glad you could find this article useful for you
Regards,
Krzysztof
Really fantastic super
Been banging my head against my desk for the last 2 weeks trying to get policy to replicate in my Lab. you are awesome!!!
Thank you!
Thanks! Came to a new job and the DC’s were not communicating for… OVER 600 DAYS. Did a bunch of troubleshooting and finally ended up on DFS event logs and then found your site! This post is 1000 times better than the one on technet.
Thank you!
You have no idea how much I appreciate your post. Very easy to follow and detailed. MS should hire you to write their documentation which, by the way, sucks big time. Thanks!!!!
Thank you 🙂
This worked great, My Sysvol is now happy again, I think it was a permission issue.
Thank you again
when I get to ou=domain controllers\cn=server under that is cn=ntfrs Subscriptions and cn=routeridentity. Nowhere is cn=dfsr-localsettings. How badly messed up is my system?
Wau!!! Amazing document! Thank you a lot!
twice much better than https://support.microsoft.com/en-us/kb/2218556
Wau! Amazing document! Thanks a lot!
Twice much better than https://support.microsoft.com/en-us/kb/2218556
Awesome document!!
Far better than https://support.microsoft.com/en-us/kb/2218556
Good day,
Dear Isiek,
Many thanks from Colombia, you saved my life. I spent more than a week looking for solutions supposedly on TechNet, but you had the solution. Blessings.
Excellent. I found old versions of this tip, but yours was right on the money for my 2012 issues. Thanks for such a detailed and easy to follow guide!
I can kiss you right now. I’ve been working on this replication problem on and off for months now! I tried using the MS version of these procedures and they leave out way too many steps. They mention things like “after this step force replication”, yet they give me no commands or directions, so it was very confusing. You are my hero, thanks.
Great job Thks!!!! you are amazing !!!!!
Many thanks for this excellent guide.
Helped me to restore out of sync SYSVOL folder and issues related with that…
I had to run a manual recovery of a dirty dfsr first tho. The PDC (w2k12) wasn’t allowing other dc’s to get data until this was fixed.
Howto: https://blogs.technet.microsoft.com/filecab/2012/07/23/understanding-dfsr-dirty-unexpected-shutdown-recovery/
Thanks, this helps a lot
You rock! Your post solved my issue where as a dozen TechNet articles couldn’t.
This is the answer i have been looking for for the last 2 weeks!! Many thanks!!!
Hey,
I have tried the non-authoritative restore but it doesn’t work, so I will try the authoritative restore, but the problem is the FSMO roles, because I moved them to a new DC which does not get SYSVOL replication. What is your suggestion?
Anyway, I took the FSMO roles back and I did it ….SOLVED!
Thank you much.
I really appreciated your posts on both authoritative and non-authoritative DFSR restores. It’s helped me out a bunch. I wanted to post to mention to other readers that for me I had an issue with deleting the contents of the SYSVOL directories during the correct step. It turned out I had Group Policy Management open on one of the domain controllers and it was denying access. Just for anyone else that comes across it: make sure it’s closed.
Hello
It works
Great job
Thank You so much
REALLY GREAT POST! Saved my life. Wish I’d have seen it earlier.
Very good step by step solution for my problem. One of a few who seems to know what he talks about.
Thanks a lot!
Thank you. Great write up. Saved the day. 😀
Saved my bacon, thank you! Just wondering though, do we set on the PDCe the msDFSR-Options back to 0? Or can it stay at 1?
Thanks again!
No, you do not need to change it to 0. When you start DFS-R service it will be reverted automatically to 0.
Regards,
Krzysztof
Thank you. Great write up
What does this mean? “If you need to restore SYSVOL from backup, it should also be done directly on PDC Emulator operation master role holder, from which you will initiate authoritative SYSVOL restore.” Can you explain it more please???
It worked like a treat. I firstly performed the non-authoritative restore, but it didn’t work, then I tried authoritative, the initialization was able to complete. Thanks so much.
Thank you for the excellent write-up. It really helps.
Thanks for this excellent post! Saved me so much time and worked a charm