SYSVOL Replication Error on Windows 2012 R2
November 5, 2017 at 12:19 pm 4 comments
Hi Guys
Recently we migrated one of our customer’s active directory domain controllers to a virtualized environment. During the DC migration my colleague noticed that the SYSVOL and NETLOGON folders are not replicating it’s contents from the existing domain controller. Thus he copied the contents manually. But after some time client started reporting error like;
- The Group Policy is not getting updated or Propagated to all the workstations / users.
- Logon Scripts stopped working.
Thus when we digged in to the problem we were able to track down the issue to DFSR based sysvol replication, Most importantly the old DC was not replicating for almost 1300 days approximately(Figure.1) The below event ID’s helped us to track down the issue:
So when we started troubleshoot we tried to ran the commands stated in the Eventviewer(refer attached file) but no avail.
Also we ran the below command
For /f %i IN (‘dsquery server -o rdn’) do @echo %i && @wmic /node:”%i” /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername=’SYSVOL share’ get replicationgroupname,replicatedfoldername,state
(In case if you ran in to an error when running the above command it could be due to the ‘ is get changed to ` when copying and pasting it. Thus change it manually)
Strangely the status on all the server showing 2 which is Initial Sync. (One of the reason for the problem) .Also in our MaxOfflineTimeInDays more than 1000 days. But
By default in Windows the is set to 60 Days. In our case we need to extend it upto 1800 days where there was an offset of more than 1000. so we ran the command to force the servers to allow the content freshness for more than 1000 days.
wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=1800
(Do not forget to bring it back the original value of 60 Days)
But sill no avail. Then we decided to Authoritative restore of the SYSVOL folders. We ran the below command set which were extracted from the MS KB:https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo)
Do this step on the PDC Emulator Role
Stop the DFSR Service
#net stop dfsr
Open the ADSIEDIT.MSC tool, connect to the “Default Naming Context” and move to OU=Domain Controllers” and select the PDC Emulator –> CN=SYSVOL Subscription,. Right click on CN=Domain System Volume and go to Properties(preferably the PDC Emulator, which is usually the most up to date for SYSVOL contents): and modify the following DN and two attributes
msDFSR-Enabled=FALSE
msDFSR-options=1
Modify the following DN and single attribute on all other domain controllers in that domain:(Using the same path as mentioned above)
msDFSR-Enabled=FALSE
Stop the DFSR service on all the remaining controllers
#net stop dfsr
Force Active Directory replication throughout the domain and validate its success on all DCs.
#repadmin /syncall /AdP
Start the DFSR service set as authoritative:(On the PDC emulator)
#net start dfsr
You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated.
On the same DN from Step 1, set:
msDFSR-Enabled=TRUE
Run the below command to force Active Directory replication throughout the domain and validate its success on all DCs.
#repadmin /syncall /AdP
Run the following command from an elevated command prompt on the same server that you set as authoritative:(In order to run the below command you need to install the “DFS Management Feature” on the servers , not the DFS Role)
DFSRDIAG POLLAD
You will see Event ID 4602 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a “D4” of SYSVOL.
Start the DFSR service on the other non-authoritative DCs.
#net start dfsr
You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them.
Revert the the following DN attribute as it was , on all other domain controllers in that domain.
msDFSR-Enabled=TRUE
Run the following command from an elevated command prompt on all non-authoritative DCs (i.e. all but the formerly authoritative one):
DFSRDIAG POLLAD
————————————————————————————-
Voila we could see the replication started working and when we checked the replication status via the command
For /f %i IN (‘dsquery server -o rdn’) do @echo %i && @wmic /node:”%i” /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername=’SYSVOL share’ get replicationgroupname,replicatedfoldername,state
(In case if you ran in to an error when running the above command it could be due to the ‘ is get changed to ` when copying and pasting it. Thus change it manually)
OR
dfsrmig /getglobalstate
it shows the status 4 (which is all synced)
I am listing the below articles which helped me in the initial troubleshooting.
http://www.itprotoday.com/windows-8/fixing-broken-sysvol-replication
http://kpytko.pl/active-directory-domain-services/non-authoritative-sysvol-restore-dfs-r
http://kpytko.pl/active-directory-domain-services/authoritative-sysvol-restore-dfs-r/
Good Luck
Muralee
Update 1 (29/01/2018) :
- Added the start and stop DFSR commands.
Entry filed under: Windows, Windows 2012. Tags: DFSRDIAG, MaxOfflineTimeInDays, msDFSR-Enabled=TRUE, netlogon, POLLAD, replication, sysvol.
4 Comments Add your own
Leave a Reply to Muralee Cancel reply
Trackback this post | Subscribe to the comments via RSS Feed
Hope you like it.. 
1.
Dale Haeck | August 1, 2018 at 4:16 pm
nice blog!useful information
2.
Muralee | August 11, 2018 at 10:59 am
Thankyou Dale.
3.
Julian Louw | January 29, 2019 at 1:36 pm
Where is the step where you stopped this DFSR service on PDC and other DCs “Start the DFSR service set as authoritative:”????
4.
Muralee | January 29, 2019 at 2:48 pm
Hi Julian
Thankyou for pointing out the missing notes . You got a good eye. 🙂
I have updated the article.