Force synchronization for DFSR-replicated SYSVOL
One of my clients had a problem with processing GPO on client computers. Different computers applied different settings from the same GPO but from different domain controllers. All tests related to replication was successful, all GPOs are applied, but replication between domain controllers was a problem, and because of that most clients had a different GPO configuration.
I had a similar problem with a newly promoted domain controller which I previously blogged about here.
Scenarios where this problem typically occurs:
- Replication was moved from FRS to DFSR
- Demoting an old domain controller in the environment
- When there is a problem with the DFS replication of the SYSVOL folder
To solve this problem, I had to manually perform an authoritative synchronization between the domain controllers.
I am including steps for authoritative and non-authoritative synchronization, but before we get started we need to see the state of the replication.
Steps:
- Find the state of the replication state. Typically the problem DCs will be at 0 or 2. The goal is to get to state 4.
- Get to State 2
- Get to State 4
Find the state of the replication of all DCs
Wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo get replicationgroupname,replicatedfoldername,state
0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error
Non-authoritative synchronization of DFSR-replicated SYSVOL
- Stop the DFS Replication service ( net stop dfsr).
- In the ADSIEDIT.MSC tool modify the following distinguished name (DN) value and attribute on each of the domain controllers that you want to make non-authoritative:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
-
Tip : Easiest is to adsiedit.msc connect to DC=***s,DC=nl , and then upwards
- Force Active Directory replication throughout the domain ( repadmin /syncall primary_dc_name /APed )
- Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
DFSRDIAG POLLAD - You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated (Open up event viewer and navigate to Applications and Services Logs -> DFS Replication).
- On the same DN from Step 1, set:
msDFSR-Enabled=TRUE
- Force Active Directory replication throughout the domain ( repadmin /syncall primary_dc_name /APed).
- Start the DFS Replication service ( net start dfsr).
- Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
1DFSRDIAG POLLAD
- You will see Event ID 4614 and 4604 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done non-authoritative sync of SYSVOL.
- Run Wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo get replicationgroupname,replicatedfoldername,stat and make sure the state is at 4. If it is at 2, it may take some time to reach state 4. Wait a few minutes and try again until all DCs are at state 4.
Authoritative synchronization of DFSR-replicated SYSVOL
- Find the PDC Emulator (Elevated Command Prompt: netdom query fsmo ) – which is usually the most up to date for SYSVOL contents. Or the server holding all the policies and scripts. Consider this the primary server.
- Stop the DFS Replication service ( net stop dfsr) on the primary server.
- On the primary server, In the ADSIEDIT.MSC tool, modify the following DN and two attributes to make authoritative:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
msDFSR-options=1
- Modify the following DN and single attribute on all other domain controllers in that domain:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
- Force Active Directory replication throughout the domain and validate its success on all DCs ( repadmin /syncall primary_dc_name /APed). Probably need to run the same command 3-4 times.
- Start the DFSR service set as authoritative ( net start dfsr) on the primary DC.
- You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated (Open up event viewer and navigate to Applications and Services Logs -> DFS Replication).
- On the same DN from Step 1, set:
msDFSR-Enabled=TRUE
- Force Active Directory replication throughout the domain and validate its success on all DCs ( repadmin /syncall primary_dc_name /APed ). Probably need to run the same command 3-4 times.
- Run the following command from an elevated command prompt on the same server that you set as authoritative (primary server):
DFSRDIAG POLLAD - Wait a few minutes you will see Event ID 4602 in the DFSR event log (Open up event viewer and navigate to Applications and Services Logs -> DFS Replication) indicating SYSVOL has been initialized. That domain controller has now done an authoritative sync of SYSVOL.
- Start the DFSR service on the other non-authoritative DCs ( net start dfsr). You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them.
- Modify the following DN and single attribute on all other domain controllers in that domain:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=TRUE
- Run the following command from an elevated command prompt on all non-authoritative DCs (i.e. all but the formerly authoritative one):
1DFSRDIAG POLLAD
- Verify you see Event ID 2002 and 4602 on all other domain controllers.
- Run Wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo get replicationgroupname,replicatedfoldername,stat and make sure the state is at 4. If it is at 2, it may take some time to reach state 4. Wait a few minutes and try again until all DCs are at state 4.
After these actions, all problems with GPO processing and SYSVOL replication disappeared. 🙂
same solution in my own words : see below
SYSVOL Replication Error on Windows 2012 R2
November 5, 2017 at 12:19 pm 4 comments
Hi Guys
Recently we migrated one of our customer’s active directory domain controllers to a virtualized environment. During the DC migration my colleague noticed that the SYSVOL and NETLOGON folders are not replicating it’s contents from the existing domain controller. Thus he copied the contents manually. But after some time client started reporting error like;
- The Group Policy is not getting updated or Propagated to all the workstations / users.
- Logon Scripts stopped working.
Thus when we digged in to the problem we were able to track down the issue to DFSR based sysvol replication, Most importantly the old DC was not replicating for almost 1300 days approximately(Figure.1) The below event ID’s helped us to track down the issue:
So when we started troubleshoot we tried to ran the commands stated in the Eventviewer(refer attached file) but no avail.
Also we ran the below command
For /f %i IN (‘dsquery server -o rdn’) do @echo %i && @wmic /node:”%i” /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername=’SYSVOL share’ get replicationgroupname,replicatedfoldername,state
Strangely the status on all the server showing 2 which is Initial Sync. (One of the reason for the problem) .Also in our MaxOfflineTimeInDays more than 1000 days. But
By default in Windows the is set to 60 Days. In our case we need to extend it upto 1800 days where there was an offset of more than 1000. so we ran the command to force the servers to allow the content freshness for more than 1000 days.
wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=1800
(Do not forget to bring it back the original value of 60 Days)
But sill no avail. Then we decided to Authoritative restore of the SYSVOL folders. We ran the below command set which were extracted from the MS KB:https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo)
Do this step on the PDC Emulator Role
Stop the DFSR Service
#net stop dfsr
Open the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative (preferably the PDC Emulator, which is usually the most up to date for SYSVOL contents):
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
msDFSR-options=1
Modify the following DN and single attribute on all other domain controllers in that domain:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
Stop the DFSR service on all the remaining controllers
#net stop dfsr
Force Active Directory replication throughout the domain and validate its success on all DCs.
Start the DFSR service set as authoritative:(On the PDC emulator)
#net start dfsr
You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated.
On the same DN from Step 1, set:
msDFSR-Enabled=TRUE
Run the below command to force Active Directory replication throughout the domain and validate its success on all DCs.
#repadmin /syncall /AdP
Run the following command from an elevated command prompt on the same server that you set as authoritative:
DFSRDIAG POLLAD
You will see Event ID 4602 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a “D4” of SYSVOL.
Start the DFSR service on the other non-authoritative DCs.
#net start dfsr
You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them.
Modify the following DN and single attribute on all other domain controllers in that domain:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=TRUE
Run the following command from an elevated command prompt on all non-authoritative DCs (i.e. all but the formerly authoritative one):
DFSRDIAG POLLAD
————————————————————————————-
Voila we could see the replication started working and when we checked the replication status via the command
For /f %i IN (‘dsquery server -o rdn’) do @echo %i && @wmic /node:”%i” /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername=’SYSVOL share’ get replicationgroupname,replicatedfoldername,state
it shows the status 4 (which is all synced)
I am listing the below articles which helped me in the initial troubleshooting.
http://www.itprotoday.com/windows-8/fixing-broken-sysvol-replication
http://kpytko.pl/active-directory-domain-services/non-authoritative-sysvol-restore-dfs-r
http://kpytko.pl/active-directory-domain-services/authoritative-sysvol-restore-dfs-r/
Good Luck
Jacco Straathof