Non-authoritative SYSVOL restore (DFS-R)
Last time, I wrote an article about non-authoritative SYSVOL restore (FRS), which covered SYSVOL replicated by the File Replication Service. Now I will show you the procedure for a non-authoritative SYSVOL restore when SYSVOL is replicated by DFS Replication (DFS-R).
So, let’s look at the procedure for DFS-R.
When you work in an Active Directory environment you may run into this problem, especially when you have many Domain Controllers: sooner or later you find that one or more Domain Controllers are out of date with SYSVOL replication.
Each Domain Controller has its own folder where GPOs and scripts are stored. By default this folder is %WINDIR%\SYSVOL\domain (if you changed the location during DC promotion, refer to your own location).
There are 2 folders:
- Policies, where Group Policies are stored (%WINDIR%\SYSVOL\domain\Policies)
- Scripts, where logon scripts and other files are stored (%WINDIR%\SYSVOL\domain\Scripts, shared as NETLOGON)
If a DC does not replicate SYSVOL you will see that some Group Policies (GPOs) or scripts are missing from the SYSVOL\domain folder on that particular DC. Another symptom is that all GPO folders are in place but their content is not up to date (the version in GPT.INI lags behind the GPO version stored in Active Directory).
When you notice either of these behaviours, you need to do a non-authoritative SYSVOL restore, which re-initialises SYSVOL on the faulty DC from a healthy replication partner. In practice you compare against the DC holding the PDC Emulator operations master role, because that is where the Group Policy Management Console edits GPOs by default.
How can you be sure that you need a non-authoritative SYSVOL restore? There is no simple answer, because it depends on the size of your Active Directory and the number of Domain Controllers.
When can we decide to start this kind of restore?
- one DC out of a couple does not replicate SYSVOL
- a few DCs out of many do not replicate SYSVOL
- more than a few, but less than 50% of them, do not replicate SYSVOL
The examples above are the typical scenarios for a non-authoritative SYSVOL restore. If the majority of DCs are out of date you do not know which copy is correct, and that is an authoritative restore scenario, not this one.
Let’s see how to do that.
First of all, you need to find out which DC or DCs do not replicate SYSVOL. Then you start the SYSVOL restore on each of them.
When you see an empty SYSVOL, this usually means that Domain Controller initialisation did not finish after the server was promoted: the Active Directory database was replicated but SYSVOL was not. In this case you can simply perform a non-authoritative restore and SYSVOL will be replicated.
Another case is a DC that is not up to date with SYSVOL: some policies are missing, and again a non-authoritative SYSVOL restore is the fix.
When you log on to the Domain Controller holding the PDC Emulator operations master role, you should see more policies there than on the faulty Domain Controllers.
So, you can see that those Domain Controllers need a SYSVOL restore to bring all their data up to date.
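Checking SYSVOL on every DC by eye does not scale, so here is an added example (my own script, not part of the original article) that automates the comparison described above. For every DC it reads \\DC\SYSVOL\<domain>\Policies and reports GPOs that are either missing on disk or stale (the Version value in GPT.INI does not match the versionNumber attribute of the GPO in Active Directory). It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that your account can read the SYSVOL share on each DC.

```powershell
# Added example, not the article's own code: find DCs whose SYSVOL is
# missing GPOs or holds stale copies of them.
# Assumes: ActiveDirectory module (RSAT) and read access to \\<DC>\SYSVOL.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = (Get-ADDomainController -Filter *).HostName

# What AD says should exist: every groupPolicyContainer and its versionNumber.
# The folder under Policies is named after the GPO GUID, e.g.
# {31B2F340-016D-11D2-945F-00C04FB984F9} is the Default Domain Policy.
$gpos = Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
          -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
          -Properties Name, versionNumber, displayName

function Get-GptVersion([string]$GptIni) {
    # GPT.INI carries "Version=<n>"; a DC in sync has the same number that
    # AD stores in the GPO's versionNumber attribute.
    foreach ($line in Get-Content -LiteralPath $GptIni) {
        if ($line -match '^Version=(\d+)') { return [int]$Matches[1] }
    }
    return -1
}

$report = foreach ($dc in $dcs) {
    $root = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies"
    if (-not (Test-Path -LiteralPath $root)) {
        # Unreachable DC or an empty/unshared SYSVOL: report it, do not
        # silently count every GPO as missing.
        [pscustomobject]@{ DC = $dc; GPO = '*'; Guid = '*'; State = "UNREACHABLE ($root)" }
        continue
    }
    foreach ($gpo in $gpos) {
        $ini   = Join-Path $root "$($gpo.Name)\GPT.INI"
        $state = if (-not (Test-Path -LiteralPath $ini)) {
                     'MISSING'
                 } else {
                     $v = Get-GptVersion $ini
                     if ($v -eq [int]$gpo.versionNumber) { 'OK' }
                     else { "STALE (sysvol=$v ad=$($gpo.versionNumber))" }
                 }
        if ($state -ne 'OK') {
            [pscustomobject]@{ DC = $dc; GPO = $gpo.displayName; Guid = $gpo.Name; State = $state }
        }
    }
}

if ($report) { $report | Sort-Object DC, GPO | Format-Table -AutoSize }
else         { Write-Host "Every DC holds every GPO at the version stored in AD." }
```

Any DC that appears with MISSING or STALE entries (and nothing else is wrong with the share itself) is a candidate for the non-authoritative restore below; a DC that shows UNREACHABLE needs its SYSVOL share and connectivity checked first. Because the script compares the AD-side version with what each DC has on disk, it also catches the second symptom above, where every GPO folder exists but the content is old.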
OK, let’s start the non-authoritative restore of SYSVOL. This procedure is a little different from the FRS one: you do not set anything in the registry. All changes (the equivalent of the D2 BurFlags value) are made with the ADSI Edit console. You need to run adsiedit.msc on the Domain Controller on which you want to initiate the non-authoritative SYSVOL restore. Type adsiedit.msc in the Run box.
Connect to domain partition (Default Naming Context). Click right mouse button (RMB) on root node in the console and select “Connect to“
select a well known Naming Context and choose “Default Naming Context“
Expand the location below by clicking on each node in the console
Default Naming Context -> DC=domain,DC=local -> OU=Domain Controllers -> CN=Domain Controller name -> CN=DFSR-LocalSettings -> CN=Domain System Volume
where DC=domain,DC=local is the distinguished name of your domain and CN=Domain Controller name is the DC on which you want to initiate the non-authoritative SYSVOL restore.
Then right-click the “CN=SYSVOL Subscription” entry in the right pane and choose “Properties“.
In the “Attribute Editor” tab, find the msDFSR-Enabled attribute and edit it.
Change its value from TRUE to FALSE and accept the change.
Click Apply so the change is written to the directory (do not close the window, you will use it again later).
I would suggest removing all content from the SYSVOL folders (Policies and Scripts) before starting the non-authoritative restore, so that only freshly replicated data remains. DFS-R does not merge whatever is left on a non-authoritative member: files that conflict with the partner’s copy are moved aside into the PreExisting folder under the SYSVOL DfsrPrivate folder, so nothing you leave in place will overwrite the healthy DCs.
Note! These are the default locations; if you changed the SYSVOL location during DC promotion, refer to your own location.
Now you need to start Active Directory replication in the domain so that the attribute change reaches the other DCs. Start an elevated command prompt
and type the command below to initiate AD replication (you need at least Domain Admin privileges) and wait for it to finish
repadmin /syncall /AdP
then run dfsrdiag pollad so that the local DFS Replication service re-reads its configuration from Active Directory
Note! When you ran dfsrdiag command and it was not recognized, you need to install DFS Management Tools from features!
Please check DFS Replication event log, if you can see event ID 4114 which indicates that SYSVOL is no longer replicated
OK, now set the msDFSR-Enabled attribute back to TRUE (use the window you left open earlier)
and click OK to apply the change
again, start Active Directory replication
repadmin /syncall /AdP
run dfsrdiag pollad one more time so that the DFS Replication service picks up the re-enabled subscription
go back to the DFS Replication event log and check that you can see the two event IDs that mark initial synchronisation: 4614 (the service initialised SYSVOL and is waiting to perform initial replication) followed by 4604 (SYSVOL initialised successfully and in sync with its partner). Initial sync can take a while on a large SYSVOL; until 4604 appears the DC does not advertise SYSVOL and NETLOGON.
Then go to %WINDIR%\SYSVOL\domain\Policies and check that the data was replicated. You should see all the Group Policies there,
and go to one more location, %WINDIR%\SYSVOL\domain\Scripts, to check that the scripts and other files from the NETLOGON share were replicated.
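The whole procedure above, from disabling the SYSVOL subscription to checking the event log and the folders, as an added PowerShell example (my own script, not the article’s, which uses ADSI Edit by hand). It edits the same CN=SYSVOL Subscription object the article edits in ADSI Edit, runs the same repadmin and dfsrdiag commands, and waits for the same events. It must be run in an elevated session on the faulty DC itself, with Domain Admin rights, and assumes the ActiveDirectory module (RSAT) and DFS Management Tools (dfsrdiag.exe) are installed. The timeouts and the default SYSVOL path are assumptions; adjust them to your environment.

```powershell
# Added example, not the article's own script: non-authoritative SYSVOL
# restore for DFS-R, run ON the DC that is out of date.
# Assumes: elevated session, Domain Admin, ActiveDirectory module (RSAT),
# DFS Management Tools (dfsrdiag.exe), SYSVOL in the default location.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$dc   = $env:COMPUTERNAME
$dcDN = (Get-ADDomainController -Identity $dc).ComputerObjectDN
# Same object the article edits in ADSI Edit:
# CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,<DC computer DN>
$subscription = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDN"

function Wait-DfsrEvent {
    # Poll the DFS Replication log for one of the given event IDs logged after $Since.
    param([int[]]$Id, [datetime]$Since, [int]$TimeoutSec = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = $Id; StartTime = $Since } `
                -ErrorAction SilentlyContinue | Sort-Object TimeCreated | Select-Object -Last 1
        if ($ev) { return $ev }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after ${TimeoutSec}s waiting for DFS Replication event(s) $($Id -join ',')"
}

function Sync-DfsrConfig {
    # The two commands the article runs after each attribute change:
    # push the AD change to partners, then make local DFSR re-read its config.
    repadmin /syncall /AdP | Out-Null
    dfsrdiag pollad        | Out-Null
}

# 1. Disable the SYSVOL subscription (the DFS-R equivalent of FRS BurFlags D2).
$start = Get-Date
Set-ADObject -Identity $subscription -Replace @{ 'msDFSR-Enabled' = $false }
Sync-DfsrConfig
# 2. Event 4114: the DFS Replication service stopped replicating SYSVOL here.
$null = Wait-DfsrEvent -Id 4114 -Since $start
Write-Host "SYSVOL replication disabled on $dc"

# 3. Re-enable it. DFSR now re-initialises SYSVOL from a partner; any local
#    files that conflict are moved to the PreExisting folder, not merged.
$start = Get-Date
Set-ADObject -Identity $subscription -Replace @{ 'msDFSR-Enabled' = $true }
Sync-DfsrConfig
# 4. 4614 = SYSVOL initialised, waiting for initial sync; 4604 = in sync.
#    Initial sync of a large SYSVOL can take long, hence the longer timeout.
$null = Wait-DfsrEvent -Id 4614 -Since $start
$null = Wait-DfsrEvent -Id 4604 -Since $start -TimeoutSec 3600
Write-Host "SYSVOL initial sync complete on $dc"

# 5. Compare the result with the PDC Emulator, as the article does by eye.
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
foreach ($folder in 'Policies', 'Scripts') {
    $local = "$env:WINDIR\SYSVOL\domain\$folder"          # default location (assumption)
    $ref   = "\\$pdc\SYSVOL\$($domain.DNSRoot)\$folder"
    $diff  = Compare-Object -ReferenceObject @(Get-ChildItem $ref -Recurse | ForEach-Object { $_.FullName.Substring($ref.Length) }) `
                            -DifferenceObject @(Get-ChildItem $local -Recurse | ForEach-Object { $_.FullName.Substring($local.Length) })
    if ($diff) { Write-Warning "$folder differs from $pdc"; $diff | Format-Table -AutoSize }
    else       { Write-Host "$folder matches $pdc" }
}
```

Run it once per faulty DC; it stops with an error rather than continuing if event 4114 or 4604 never shows up, which is the point at which you would look at the DFS Replication log by hand. Setting msDFSR-Enabled to FALSE and back to TRUE through Set-ADObject is exactly the ADSI Edit change described above, only scripted, so the DC is still non-authoritative: it takes the partner’s copy of SYSVOL, and nothing on this DC is pushed out to the others.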
That’s all! All you need to do now is repeat these steps on each Domain Controller that does not replicate SYSVOL.
Author: Krzysztof Pytko