Non-authoritative SYSVOL restore (FRS)


When you work in an Active Directory environment you may run into this problem, especially when you have many Domain Controllers: sometimes you discover that one or more Domain Controllers are out of date with SYSVOL replication.

Each Domain Controller has its own folder where GPOs and scripts are stored. By default this folder is located under %WINDIR%\SYSVOL\domain (if you changed that location during DC promotion, refer to your own location).

There are 2 folders:

  • Policies, where Group Policies are stored (%WINDIR%\SYSVOL\domain\Policies)
  • Scripts, where logon scripts and other files are stored (%WINDIR%\SYSVOL\domain\Scripts, shared as NETLOGON)

If a DC does not replicate SYSVOL, some Group Policies (GPOs) or scripts are missing from the SYSVOL\domain folder on that particular DC. Another symptom is that all GPOs are in place but they are not updated (the GPO version on the faulty DC lags behind the other DCs).

When you notice one of these behaviours, you need to do a non-authoritative SYSVOL restore, which re-initialises SYSVOL on the faulty DC from a healthy replication partner; in this article the Domain Controller holding the PDC Emulator operations master role is used as the reference copy.

How can you be sure that a non-authoritative SYSVOL restore is what you need? There is no simple answer, because that depends on the size of your Active Directory and the number of Domain Controllers.

When can we decide to start this kind of restore?

  • one DC out of a couple does not replicate SYSVOL
  • a few DCs out of many do not replicate SYSVOL
  • more than a few, but fewer than 50% of them, do not replicate SYSVOL

The examples above are typical scenarios for a non-authoritative SYSVOL restore. In each of them the majority of DCs still hold a good copy, so the faulty ones can simply be re-initialised from a healthy partner; when most or all DCs are affected, an authoritative restore from one known-good copy is a different procedure.

Let’s see how to do that.

First of all, you need to find out which DC or DCs do not replicate SYSVOL. Then you have to start the SYSVOL restore on each of them.
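An added example (not part of the original article) of how to find the out-of-date DCs from a management workstation instead of clicking through each SYSVOL folder: it compares the GPO folders under every DC's SYSVOL share with the DC holding the PDC Emulator role, which is the reference copy used above. It assumes the RSAT ActiveDirectory module is installed, that SYSVOL is at its default location so the share is \\<DC>\SYSVOL\<domain>, and that the account running it can read the SYSVOL share on every DC; the function name Get-SysvolPolicyState is chosen for this example.

```powershell
# Added example, not code from the original article. Read-only: it only
# reports which DCs are candidates for a non-authoritative SYSVOL restore.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$pdc       = $domain.PDCEmulator          # reference DC, as in the article
$dnsDomain = $domain.DNSRoot

function Get-SysvolPolicyState {
    # Returns one object per GPO folder (GUID name) with the version from
    # GPT.INI, or $null when the SYSVOL share is not reachable on that DC.
    param([string]$DC)
    $path = "\\$DC\SYSVOL\$dnsDomain\Policies"   # assumes default SYSVOL location
    if (-not (Test-Path -Path $path)) { return $null }
    Get-ChildItem -Path $path -Directory | ForEach-Object {
        $gpt = Join-Path -Path $_.FullName -ChildPath 'GPT.INI'
        $ver = -1                                  # -1 = GPT.INI missing or unreadable
        if (Test-Path -Path $gpt) {
            $m = Select-String -Path $gpt -Pattern '^Version=(\d+)' | Select-Object -First 1
            if ($m) { $ver = [int]$m.Matches[0].Groups[1].Value }
        }
        [pscustomobject]@{ Guid = $_.Name; Version = $ver }
    }
}

$reference = Get-SysvolPolicyState -DC $pdc
if (-not $reference) { throw "Cannot read \\$pdc\SYSVOL\$dnsDomain\Policies; fix the reference DC first" }
"$pdc (PDC Emulator): $(@($reference).Count) policies"

foreach ($dc in (Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $pdc })) {
    $state = Get-SysvolPolicyState -DC $dc.HostName
    if (-not $state) {
        # matches the "empty SYSVOL" case: the share or the Policies folder is not there
        Write-Warning "$($dc.HostName): SYSVOL share unreachable or Policies folder empty (SYSVOL never initialised?)"
        continue
    }
    # Comparing on Guid AND Version: a '<=' row is a GPO that exists only on the
    # PDC (missing here) or whose version differs (stale here).
    $diff = Compare-Object -ReferenceObject @($reference) -DifferenceObject @($state) -Property Guid, Version |
            Where-Object { $_.SideIndicator -eq '<=' }
    if ($diff) {
        Write-Warning "$($dc.HostName): $(@($diff).Count) policies missing or stale, restore candidate"
        $diff | ForEach-Object { "    $($_.Guid) (PDC version $($_.Version))" }
    } else {
        "$($dc.HostName): Policies match the PDC Emulator"
    }
}
```

Because it reads the Version entry of each GPO's GPT.INI, this also catches the second symptom described above, where every GPO folder is present but some are not updated; an unreachable share is reported separately because that matches the empty-SYSVOL case. GPOs that exist only on a non-PDC DC are not listed, since a non-authoritative restore of that DC would drop them anyway.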

When you see an empty SYSVOL, this may mean that Domain Controller initialisation was not finished after the server was promoted: the Active Directory database was replicated but SYSVOL was not. In this case you can simply perform a non-authoritative restore and SYSVOL should be replicated.

Empty SYSVOL folder

Another case is a DC that is not up to date with SYSVOL. Some policies are missing, and a non-authoritative SYSVOL restore would be helpful.

Missing Group Policies under SYSVOL

When you log on to the Domain Controller holding the PDC Emulator operations master role, you should see that there are more policies than on the faulty Domain Controllers.

All Group Policies on DC with PDC Emulator role

So you can see that those Domain Controllers need a SYSVOL restore to have all data up to date.

Now it’s time to perform the non-authoritative SYSVOL restore. Log on to the DC that is out of SYSVOL replication and stop the File Replication Service (NtFrs) from an elevated command prompt. Type

net stop ntfrs
Stopping File Replication Service

Now you need to change a setting in the Windows registry.

Warning! Be careful, do not change any entries other than those shown in this article; you may destroy your server!

You need to open the registry editor (regedit) from the Run box.

Executing registry editor

Now find the key below:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
BurFlags value location

and change the BurFlags value from 0 to D2 (hexadecimal) by editing it. D2 requests a non-authoritative restore; do not use D4 here, because D4 is the authoritative restore and would make this DC's stale copy the master for the whole domain.

Changing BurFlags value

Before you start the FRS service, I would suggest removing all content from these 2 folders:

  • %WINDIR%\SYSVOL\domain\Policies
  • %WINDIR%\SYSVOL\domain\Scripts

Note! (these are the default locations; if you changed the SYSVOL location during DC promotion, refer to your own location)

Warning! When you set the BurFlags value to D2, be aware that during the restore your DC is prevented from acting as a Domain Controller (it is not advertised again until the FRS event log reports that SYSVOL is ready)! So be careful in locations/sites where you have only a single DC, or clients will authenticate over the WAN link!

Now it’s time to start the File Replication Service. Type in the command line

net start ntfrs
Running File Replication Service

When you refresh (F5 key) the registry editor, you should see that the BurFlags value has changed back to 0,

BurFlags value reset

and you should also check the “File Replication Service” event log. Check whether event ID 13565 appeared; it means the server has initiated SYSVOL replication and you need to wait a while (one reader reports about 75 minutes for their domain; see the comments). Refresh the event log from time to time and check whether these event IDs appear:

  • 13553
  • 13516

When you can see them, SYSVOL replication is over and your Domain Controller is up to date.

SYSVOL re-initialized

Verify that the SYSVOL share is available on your Domain Controller; type in the command line

net share
SYSVOL share verification

then go to %WINDIR%\SYSVOL\domain\Policies and check that the data has been replicated.

SYSVOL content verification

That’s all! All you need to do now is to repeat these steps on each Domain Controller that does not replicate SYSVOL.
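The same procedure as an added example in PowerShell (not code from the original article), so that it can be repeated identically on every faulty DC and the wait for the FRS events is not done by refreshing the event log by hand. It is run in an elevated PowerShell on the DC that is out of sync, never on the reference DC, and assumes the default SYSVOL location ($sysvolRoot must be changed otherwise); the timeouts and the function name Wait-FrsEvent are choices made for this example.

```powershell
# Added example, not code from the original article. Run ONLY on the DC that
# does not replicate SYSVOL, from an elevated PowerShell.
$sysvolRoot = Join-Path -Path $env:WINDIR -ChildPath 'SYSVOL\domain'   # default location assumed
$keyPath    = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

# 1. Stop FRS (the article's "net stop ntfrs").
Stop-Service -Name NtFrs -Force

# 2. BurFlags = D2 (non-authoritative). D4 would be an authoritative restore
#    and must NOT be used on a stale DC. The key name contains a forward slash,
#    which the PowerShell registry provider can misread as a path separator,
#    so the .NET registry API is used instead of Set-ItemProperty.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
if ($null -eq $key) { throw 'FRS BurFlags key not found; is this DC still using FRS for SYSVOL?' }
$key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()

# 3. Clear Policies and Scripts so stale data does not linger (article's suggestion).
foreach ($sub in 'Policies', 'Scripts') {
    $dir = Join-Path -Path $sysvolRoot -ChildPath $sub
    if (Test-Path -Path $dir) { Get-ChildItem -Path $dir -Force | Remove-Item -Recurse -Force }
}

# 4. Start FRS; FRS resets BurFlags to 0 once it has read it.
$since = Get-Date
Start-Service -Name NtFrs

# 5. Poll the FRS event log for the events the article says to wait for:
#    13565 = SYSVOL initialisation from a partner started (DC not advertising),
#    13516 = SYSVOL initialised and shared, DC may advertise again.
function Wait-FrsEvent {
    param([int[]]$Id, [datetime]$After, [int]$TimeoutMinutes)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Get-WinEvent reports "no events found" as an error, hence SilentlyContinue
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = $Id; StartTime = $After } `
                           -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($ev) { return $ev }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $null
}

if (-not (Wait-FrsEvent -Id 13565 -After $since -TimeoutMinutes 10)) {
    throw 'FRS did not log event 13565; check the File Replication Service log before going further'
}
'13565 seen: SYSVOL re-initialisation started; waiting for 13516 (can take an hour or more)'

if (Wait-FrsEvent -Id 13516 -After $since -TimeoutMinutes 180) {
    '13516 seen: SYSVOL is initialised and the DC is advertising again'
    net share | Select-String -Pattern 'SYSVOL|NETLOGON'          # article's share check
    $count = @(Get-ChildItem -Path (Join-Path $sysvolRoot 'Policies') -Directory).Count
    "Policies replicated: $count GPO folders"
} else {
    Write-Warning 'Timed out waiting for 13516; keep watching the FRS event log and do not rely on this DC yet'
}
```

The BurFlags value is written with the .NET registry class rather than Set-ItemProperty purely because of the "Backup/Restore" key name; regedit, as in the article, is just as valid. The 13565-before-13516 check matters because until 13516 is logged the DC is not advertising, which is the single-DC-site warning given above.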

Done!


Author: Krzysztof Pytko


9 responses to “Non-authoritative SYSVOL restore (FRS)”

  1. leonardo says :

    Great info, thanks for sharing

  2. Leo says :

    Thank you for the great article! I wanted to note that “wait a while” after Event 13565 meant about 75 minutes for our domain. I was starting to think something was wrong, but that’s how long it took for the SYSVOL folder to replicate from the good DC to the bad DC.

    • kpytko says :

      You’re welcome 🙂 I’m glad it could help you.
      Yes, of course, in a complex environment and where SYSVOL contains a lot of data, that might take some more time 🙂

      Finally, it was replicated and I hope everything is working fine, now

      Thank you for reading my blog.

      Regards,
      Krzysztof

  3. Tomasz says :

    Awesome post, saved me tons of time 🙂 I was pulling my hair out trying to resolve an issue with inconsistent SYSVOL on our controllers with various scripts and programs (ntdsutil, repadmin, frsdiag) without any luck. This is a nice and effective solution and does not require a visit to the server room or restarting computers 🙂

    ps. Thanks again, Krzysiek 🙂

  4. Joselo Flores says :

    Your article is very helpful, I applied it step by step and it worked.
    Now my environment is fine again

    Many thanks

  5. freng says :

    Great! It works!
