Today I deployed a new domain controller in Azure after the site-to-site VPN was built. The replication status looked fine, but when I checked the SYSVOL and NETLOGON shares I noticed that the new domain controller had no shared folders at all.
In my case, DC01 is the PDC domain controller at the on-premises site, DC02 is a second on-premises domain controller and AZDC01 is the new domain controller at the Azure site. I am going to show you how I troubleshot them and fixed the issue.
1. Log in to AZDC01.
2. Right-click the Windows Start button and select Run.
3. Type regedit and click OK.
4. On the User Account Control prompt, click Yes.
5. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, change the SysVolReady value data from 0 to 1, click OK and then close Regedit.
6. This creates the SYSVOL share. In my case, however, the NETLOGON share was still not created.
7. Open File Explorer; you will find that there is no folder at all under C:\Windows\SYSVOL\domain\.
8. Create a new folder and name it scripts.
9. Restart the Netlogon service.
10. Run \\azdc01\ to verify the share status again; you will now see the NETLOGON and SYSVOL shared folders.
11. In my case, although the NETLOGON and SYSVOL shares were now working, no group policies or scripts were being replicated by DFS Replication (DFSR).
12. Run the command below to verify SYSVOL share replication.
For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state
The states should translate as below
0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error
In my case, I noticed that the newly promoted server and the other domain controllers were all showing state 2 (Initial Sync).
When I checked the event logs, there was Event ID 5014: the DFS Replication service is stopping communication with partner XXXX for replication group Domain System Volume due to an error. Error 9033 (The request was cancelled by a shutdown).
13. To fix this issue, we need to do a non-authoritative or an authoritative SYSVOL restore.
Non-Authoritative Restore
If only one or a few domain controllers (less than 50%) have replication issues at a time, we can do a non-authoritative restore on them. In that scenario, the system replicates SYSVOL from the PDC.
Authoritative Restore
If more than 50% of the domain controllers have SYSVOL replication issues, it is possible that the entire SYSVOL is corrupted. In that scenario, we need to go for an authoritative restore. In this process, we first restore SYSVOL from backup to the PDC and then replicate out, or force all the other domain controllers to update their SYSVOL copy from the copy on the PDC.
In my case, I needed to do an authoritative restore of SYSVOL on DC01 (the PDC domain controller) and a non-authoritative restore on DC02 and AZDC01.
14. Back up the existing SYSVOL. This can be done by copying the SYSVOL folder from the domain controllers that have DFS Replication issues to a secure location.
15. Log in to the domain controller as a Domain Administrator or Enterprise Administrator.
16. Stop the DFS Replication service (it is recommended to do this on all domain controllers).
17. Open Server Manager, select Tools and then click ADSI Edit.
18. Right-click ADSI Edit and select Connect to...
19. On the Connection Settings page, use the following settings and click OK.
- Name: Default naming context.
- Select a well known Naming Context.
- Default (Domain or server that you logged in to).
20. Browse to DC=corp,DC=com > OU=Domain Controllers > CN=DC01 > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription.
21. In the Attribute Editor, click msDFSR-Enabled, change the value from True to False and click OK.
22. In the Attribute Editor, click msDFSR-Options, change the value from 0 to 1 and click OK.
23. Click OK to apply the settings and close the Attribute Editor.
24. Browse to DC=corp,DC=com > OU=Domain Controllers > CN=DC02 > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription.
25. In the Attribute Editor, click msDFSR-Enabled, change the value from True to False and click OK.
26. Click OK to apply the settings and close the Attribute Editor.
27. Browse to DC=corp,DC=com > OU=Domain Controllers > CN=AZDC01 > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription.
28. In the Attribute Editor, click msDFSR-Enabled, change the value from True to False and click OK.
29. Click OK to apply the settings and close the Attribute Editor.
30. Run the following PowerShell commands to force AD replication.
$DCs = 'DC01', 'DC02', 'AZDC01'
Invoke-Command -ComputerName $DCs -ScriptBlock {
    repadmin /kcc
    repadmin /syncall /e
    repadmin /syncall /e /P
    net stop Netlogon
    net start Netlogon
    ipconfig /registerdns
}
31. Start the DFS Replication service on DC01 (the PDC domain controller).
32. You will see Event ID 4114 in the DFS Replication event log, indicating that SYSVOL is no longer being replicated.
33. Open Server Manager, select Tools and then click ADSI Edit.
34. Right-click ADSI Edit and select Connect to...
35. On the Connection Settings page, use the following settings and click OK.
- Name: Default naming context.
- Select a well known Naming Context.
- Default (Domain or server that you logged in to).
36. Browse to DC=corp,DC=com > OU=Domain Controllers > CN=DC01 > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription.
37. In the Attribute Editor, click msDFSR-Enabled, change the value from False to True and click OK.
38. Click OK to apply the settings and close the Attribute Editor.
39. Run the following PowerShell commands to force AD replication.
$DCs = 'DC01', 'DC02', 'AZDC01'
Invoke-Command -ComputerName $DCs -ScriptBlock {
    repadmin /kcc
    repadmin /syncall /e
    repadmin /syncall /e /P
    net stop Netlogon
    net start Netlogon
    ipconfig /registerdns
}
40. Run the following command from an elevated command prompt to update the DFSR global state.
dfsrdiag PollAD
41. If it says 'dfsrdiag' is not recognized as an internal or external command, run the following PowerShell cmdlet to install the DFS Management tools before running dfsrdiag PollAD again.
Add-WindowsFeature RSAT-DFS-Mgmt-Con
42. You will see Event ID 4602 in the DFS Replication event log, indicating that SYSVOL has been initialized.
43. Start the DFS Replication service on the other, non-authoritative domain controllers (DC02 and AZDC01).
44. You will see Event ID 4114 in the DFS Replication event log on each of them, indicating that SYSVOL is no longer being replicated.
45. Open Server Manager, select Tools and then click ADSI Edit.
46. Right-click ADSI Edit and select Connect to...
47. On the Connection Settings page, use the following settings and click OK.
- Name: Default naming context.
- Select a well known Naming Context.
- Default (Domain or server that you logged in to).
48. Browse to DC=corp,DC=com > OU=Domain Controllers > CN=DC02 > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription.
49. In the Attribute Editor, click msDFSR-Enabled, change the value from False to True and click OK.
50. Click OK to apply the settings and close the Attribute Editor.
51. Browse to DC=corp,DC=com > OU=Domain Controllers > CN=AZDC01 > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription.
52. In the Attribute Editor, click msDFSR-Enabled, change the value from False to True and click OK.
53. Click OK to apply the settings and close the Attribute Editor.
54. Run the following PowerShell commands to force AD replication.
$DCs = 'DC01', 'DC02', 'AZDC01'
Invoke-Command -ComputerName $DCs -ScriptBlock {
    repadmin /kcc
    repadmin /syncall /e
    repadmin /syncall /e /P
    net stop Netlogon
    net start Netlogon
    ipconfig /registerdns
}
55. Run the following command from an elevated command prompt on DC02 and AZDC01 to update the DFSR global state.
dfsrdiag PollAD
56. You will see Event IDs 4614 and 4604 in the DFS Replication event log, indicating that SYSVOL has been initialized.
57. Log in to the new domain controller (AZDC01) and check the SYSVOL share status again; you will now see the Policies folder in the share.
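Steps 14 through 56 above, done with ADSI Edit, the Services console and repadmin by hand, can be driven from one PowerShell script. The following is an added example of mine, not code from the original post: it assumes the ActiveDirectory RSAT module on the machine you run it from, WinRM access to every domain controller, a Domain Admin session, the post's names DC01 (PDC), DC02 and AZDC01, and a hypothetical backup share \\backup01\sysvol-backup for step 14. Each Wait-DfsrEvent call blocks until DFSR logs the event the post tells you to look for (4114, 4602, 4604), so a subscription is never re-enabled before DFSR has acted on the previous change.

```powershell
# Added example, not code from the original post: steps 14-56 as one PowerShell script.
# Assumptions: ActiveDirectory RSAT module where this runs, WinRM to every DC, run as a
# Domain Admin, the post's DC names, and a hypothetical backup share \\backup01\sysvol-backup.
Import-Module ActiveDirectory

$Pdc       = 'DC01'                 # authoritative copy (the PDC), as in the post
$Others    = 'DC02', 'AZDC01'       # non-authoritative DCs
$AllDCs    = @($Pdc) + $Others
$DomainDN  = (Get-ADDomain).DistinguishedName    # DC=corp,DC=com in the post
$BackupDir = '\\backup01\sysvol-backup'          # hypothetical secure location (step 14)

# DN of the object edited by hand in ADSI Edit (steps 20-29, 36-38 and 48-53).
function Get-SysvolSubscriptionDN ([string]$Dc) {
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$Dc,OU=Domain Controllers,$DomainDN"
}

# Step 14: copy each DC's SYSVOL away before touching anything. /XJ skips the junctions
# under SYSVOL so the copy does not recurse into its own targets.
function Backup-Sysvol ([string]$Dc) {
    $dst = Join-Path $BackupDir "$Dc-SYSVOL-$(Get-Date -Format 'yyyyMMdd-HHmm')"
    robocopy "\\$Dc\C$\Windows\SYSVOL" $dst /E /COPYALL /XJ /R:1 /W:1 | Out-Null
    return $dst
}

# Steps 30, 39 and 54: force AD replication and refresh Netlogon/DNS on every DC.
function Sync-AllDCs {
    Invoke-Command -ComputerName $AllDCs -ScriptBlock {
        repadmin /kcc | Out-Null
        repadmin /syncall /e | Out-Null
        repadmin /syncall /e /P | Out-Null
        Restart-Service -Name Netlogon
        ipconfig /registerdns | Out-Null
    }
}

# Block until DFSR on $Dc logs the event id the post says to expect (4114, 4602, 4604),
# so the next step never runs before DFSR has acted on the previous AD change.
function Wait-DfsrEvent ([string]$Dc, [int]$EventId, [datetime]$Since, [int]$TimeoutSec = 900) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $ev = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'DFS Replication'; Id = $EventId; StartTime = $Since }
        if ($ev) { return }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFSR event $EventId on $Dc"
}

# Same edit ADSI Edit makes on the Attribute Editor tab, but through Set-ADObject.
function Set-SysvolSubscription ([string]$Dc, [hashtable]$Attributes) {
    Set-ADObject -Identity (Get-SysvolSubscriptionDN $Dc) -Replace $Attributes
}

$start = Get-Date
foreach ($dc in $AllDCs) { Backup-Sysvol $dc }

# Steps 16-30: stop DFSR everywhere, disable every subscription, mark the PDC authoritative.
Invoke-Command -ComputerName $AllDCs -ScriptBlock { Stop-Service -Name DFSR }
foreach ($dc in $AllDCs) { Set-SysvolSubscription $dc @{ 'msDFSR-Enabled' = $false } }
Set-SysvolSubscription $Pdc @{ 'msDFSR-Options' = 1 }
Sync-AllDCs

# Steps 31-42: bring the PDC back as the authoritative copy.
Invoke-Command -ComputerName $Pdc -ScriptBlock { Start-Service -Name DFSR }
Wait-DfsrEvent $Pdc 4114 $start
Set-SysvolSubscription $Pdc @{ 'msDFSR-Enabled' = $true }
Sync-AllDCs
Invoke-Command -ComputerName $Pdc -ScriptBlock { dfsrdiag PollAD }
Wait-DfsrEvent $Pdc 4602 $start

# Steps 43-56: the other DCs re-initialize non-authoritatively from the PDC.
Invoke-Command -ComputerName $Others -ScriptBlock { Start-Service -Name DFSR }
foreach ($dc in $Others) {
    Wait-DfsrEvent $dc 4114 $start
    Set-SysvolSubscription $dc @{ 'msDFSR-Enabled' = $true }
}
Sync-AllDCs
Invoke-Command -ComputerName $Others -ScriptBlock { dfsrdiag PollAD }
foreach ($dc in $Others) { Wait-DfsrEvent $dc 4604 $start }
```

The order matters: the PDC must reach the initialized state (Event ID 4602) before DFSR is started on DC02 and AZDC01, otherwise they have nothing authoritative to sync from, which is why the script throws rather than continuing when an expected event does not arrive within the timeout.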
58. Verify SYSVOL share replication by running the following command.
For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state
The states translate as listed under step 12.
59. Run the following command to check for the SYSVOL share on every domain controller.
For /f %i IN ('dsquery server -o rdn') do @echo %i && @(net view \\%i | find "SYSVOL") & echo.
60. If the SYSVOL share is still not being replicated, double-check the Inter-Site Transports site links between the domain controllers of each site, and make sure there is a site link between the PDC domain controller (DC01) and the other domain controllers (DC02 and AZDC01).
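The same health checks the post runs by hand with wmic, net view and the event log (step 12 and the verification steps at the end, including the site-link check) can be collected in one PowerShell report. This is an added example of mine, not the original post's code: it assumes the ActiveDirectory RSAT module, CIM/WinRM access to each domain controller and a Domain Admin session, and it discovers the DC list from AD instead of hard-coding the names.

```powershell
# Added example, not from the original post: one report covering the SYSVOL/NETLOGON share
# check, the DFSR replicated-folder state, Event ID 5014 and the inter-site link check.
# Assumptions: ActiveDirectory RSAT module, CIM/WinRM access to every DC, Domain Admin session.
Import-Module ActiveDirectory

# Meaning of DfsrReplicatedFolderInfo.State, as listed in the post.
$DfsrState = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync';
                3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }

function Test-SysvolHealth {
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $name = $dc.HostName

        # Are SYSVOL and NETLOGON actually shared? (what net view \\dc | find "SYSVOL" checks)
        $shares = Get-SmbShare -CimSession $name -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue
        $hasSysvol   = [bool]($shares | Where-Object Name -eq 'SYSVOL')
        $hasNetlogon = [bool]($shares | Where-Object Name -eq 'NETLOGON')

        # DFSR state of the SYSVOL replicated folder, from the same WMI class wmic queries.
        $info = Get-CimInstance -ComputerName $name -Namespace 'root\MicrosoftDFS' `
                    -ClassName DfsrReplicatedFolderInfo `
                    -Filter "ReplicatedFolderName='SYSVOL Share'" -ErrorAction SilentlyContinue
        $state = if ($info) { $DfsrState[[int]$info.State] } else { 'n/a' }

        # Event ID 5014 (DFSR stopped talking to a partner) logged in the last 24 hours.
        $errs = @(Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
                    LogName = 'DFS Replication'; Id = 5014; StartTime = (Get-Date).AddDays(-1) })

        [pscustomobject]@{
            DC        = $name
            Site      = $dc.Site
            SYSVOL    = $hasSysvol
            NETLOGON  = $hasNetlogon
            DfsrState = $state
            Event5014 = $errs.Count
            Healthy   = $hasSysvol -and $hasNetlogon -and ($state -eq 'Normal') -and ($errs.Count -eq 0)
        }
    }
}

# Every site that hosts a DC must be included in at least one Inter-Site Transports site link,
# otherwise the KCC never builds a replication path between the sites.
function Test-SiteLinks {
    $links = Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded
    $linkedSites = $links.SitesIncluded |
        ForEach-Object { (Get-ADReplicationSite -Identity $_).Name } | Sort-Object -Unique
    Get-ADDomainController -Filter * | Select-Object -ExpandProperty Site -Unique | ForEach-Object {
        [pscustomobject]@{ Site = $_; InSiteLink = ($linkedSites -contains $_) }
    }
}

Test-SysvolHealth | Format-Table -AutoSize
Test-SiteLinks    | Format-Table -AutoSize
```

A DC that shows DfsrState 'Initial Sync' with a non-zero Event5014 count is the situation described under step 12; a site with InSiteLink False is the condition the last step tells you to look for.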
Hope you enjoy this post.
Cary Sun
Twitter: @SifuSun
Web Site: carysun.com
Blog Site: checkyourlogs.net
Blog Site: gooddealmart.com