Active Directory DFSR Sysvol - Authoritative and Non Authoritative Restore Sequence

This article explains the DFSR Sysvol restoration process. The process was originally explained in the Microsoft KB article https://support.microsoft.com/en-in/help/2218556.
However, Microsoft made it very confusing, so I am laying it out here accurately to give a clear understanding of the DFSR restoration process.

Active Directory DFSR Sysvol is a very robust Sysvol replication engine.

It has a number of benefits over conventional FRS Sysvol.

Check the article below for more information:

http://blogs.technet.com/b/askds/archive/2010/04/22/the-case-for-migrating-sysvol-to-dfsr.aspx


The major benefit is that DFSR has a self-healing system for problems like database corruption or journal wraps. However, sometimes due to DNS problems, replication latencies or network problems, Sysvol might stop replicating on a specific domain controller. You might then see event ID 4012 in the DFSR event log on that domain controller.


DFSR0.jpg


In that case, you need to restore or refresh the Sysvol folder contents authoritatively or non-authoritatively, depending on the situation.
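Before deciding which restore is needed, it helps to see the state every domain controller is actually in. The following read-only health check is an added example, not code from the original article: for each DC it reports the DFSR service state, the msDFSR-Enabled and msDFSR-Options values on that DC's own copy of the SYSVOL Subscription object (the object edited in ADSIEDIT in the steps below), and the most recent DFSR event the procedure keys on. It assumes Windows PowerShell 5.1 with the ActiveDirectory RSAT module, Domain Admin rights and remote event-log access to every DC; the function names are my own.

```powershell
# Added example, not from the original article: read-only DFSR Sysvol health check.
# Assumes Windows PowerShell 5.1, the ActiveDirectory RSAT module, Domain Admin rights
# and that the "DFS Replication" event log is readable remotely on every DC.
Import-Module ActiveDirectory

function Get-SysvolSubscriptionDN {
    param([Parameter(Mandatory)] $DomainController)
    # The per-DC object the article edits in ADSIEDIT; ComputerObjectDN supplies the
    # "CN=<DC>,OU=Domain Controllers,DC=domain,DC=com" part.
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($DomainController.ComputerObjectDN)"
}

function Get-DfsrSysvolState {
    param(
        # Event IDs used in the article: 4012 (replication stopped), 4114 (replication
        # disabled), 4602 (authoritative init done), 4614/4604 (non-authoritative init done).
        [int[]] $EventId = @(4012, 4114, 4602, 4604, 4614),
        [int]   $Hours   = 24
    )
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Query each DC itself (-Server) so the output shows what that DC has actually
        # received through AD replication, not the copy held by the DC you are logged on to.
        $sub = Get-ADObject -Identity (Get-SysvolSubscriptionDN $dc) -Server $dc.HostName `
                   -Properties 'msDFSR-Enabled', 'msDFSR-Options' -ErrorAction SilentlyContinue
        $svc = Get-Service -Name DFSR -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        $evt = Get-WinEvent -ComputerName $dc.HostName -MaxEvents 1 -ErrorAction SilentlyContinue `
                   -FilterHashtable @{ LogName = 'DFS Replication'; Id = $EventId; StartTime = (Get-Date).AddHours(-$Hours) }
        [pscustomobject]@{
            DC          = $dc.HostName
            IsPDC       = ($dc.HostName -eq $pdc)
            DfsrService = if ($svc) { $svc.Status } else { 'unreachable' }
            Enabled     = $sub.'msDFSR-Enabled'
            # 1 = marked authoritative, 0 = authoritative restore attempted, blank = never set
            Options     = $sub.'msDFSR-Options'
            LastEvent   = if ($evt) { "$($evt.Id) at $($evt.TimeCreated)" } else { 'none' }
        }
    }
}

Get-DfsrSysvolState | Format-Table -AutoSize
```

Run it once before starting and again after each "force Active Directory replication" step: an attribute that has not yet reached a DC's own copy is exactly the situation the forced replication and DFSRDIAG POLLAD steps exist to avoid, and the Options column lets you confirm the reset from 1 to 0 that the authoritative restore produces on the PDC.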


I have seen many Active Directory Distributed File System Replication (DFSR) Sysvol restoration articles, but most of them do not give the correct sequence of restoration steps, especially for a DFSR Sysvol authoritative restore. This process is explained in http://support.microsoft.com/kb/2218556.


However, the Microsoft article is not clear about when to stop and start the DFSR service, and on which server. This can lead to confusion, misunderstanding and even doing it incorrectly.


Hence I set up a test lab, tried various sequences and found the correct sequence.


From the Windows Server 2008 domain functional level onwards, you can have the Active Directory Sysvol replicated with DFSR, which is more robust and reliable than the FRS replication technology.


There are TWO types of DFSR Sysvol restore available:

  1. DFSR Sysvol Authoritative Restore
  2. DFSR Sysvol Non-Authoritative Restore


DFSR Sysvol Authoritative restore

If your DFSR-replicated Sysvol is not replicating on any domain controller in the entire domain, that is, it is broken and corrupted on all domain controllers (a very rare situation), you need a DFSR Sysvol authoritative restore.

This restore should be done on the primary domain controller (PDC) master server, because the PDC is the server where the most recent Sysvol data resides.

 

High-level approach for this restore:


  1. Disable DFSR Sysvol replication on all DCs, including the PDC master server
  2. Then initiate the DFSR Sysvol authoritative restore on the PDC
  3. Once the authoritative restore completes successfully, initiate a non-authoritative restore of DFSR Sysvol on the other ADC servers one by one.


Steps to perform an authoritative restore of DFSR SYSVOL (like "D4" for FRS)


Step 1

On the PDC master server (which is considered to have the most up-to-date Sysvol copy), open the ADSIEDIT.MSC tool, load the domain directory partition, open the properties of the following DN and edit the two attributes mentioned below:


CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=PDC,OU=Domain Controllers,DC=domain,DC=com
(Replace PDC with the name of your primary DC server)



msDFSR-Enabled= FALSE
msDFSR-options= 1


DFSR1.jpg


Setting msDFSR-Options to 1 makes that server authoritative for the DFSR Sysvol replicated folder (Primary Copy).


Step 2

Navigate to the following DN and edit a single attribute on all other domain controllers in that domain, one by one:


CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=ADC,OU=Domain Controllers,DC=domain,DC=com
(Replace ADC with other additional DCs one by one)

msDFSR-Enabled= FALSE


DFSR2.jpg


Step 3

Force Active Directory replication throughout the domain. You can run the repadmin /syncall command on all DCs, OR you can go through all of your DCs manually in Active Directory Sites and Services.


Step 4

Run the following command from an elevated command prompt on the PDC (the same server that you set as authoritative) and on all other ADC servers:


DFSRDIAG POLLAD


This command polls AD immediately for configuration changes relating to DFSR on that DC.

Note - the "DFSRDIAG" utility is installed by default when you promote 2008 / 2008 R2 / 2012 servers to domain controllers. If you have 2012 R2 / 2016 domain controllers, the "Dfsrdiag" tool is not installed by default when you promote them to domain controllers. You need to install the DFS Management Tools from Server Manager or with the PowerShell cmdlet (Install-WindowsFeature RSAT-DFS-Mgmt-Con).


Step 5

Stop the DFSR service on all domain controllers, including the PDC (the server where you want to restore DFSR Sysvol authoritatively). This step is required so that each DC stops communicating with the DFSR Sysvol database and cannot make changes or modifications to the DFSR configuration. This step is not given in the original MS KB article.


Step 6

Start the DFSR service on the PDC (the server where you want to restore DFSR Sysvol authoritatively) ONLY.


On the same server, you will see Event ID 4114 in the DFSR event log, indicating SYSVOL is no longer being replicated on the PDC because the msDFSR-Enabled value is still set to FALSE.


DFSR3.jpg


Step 7

On the PDC, go to the properties of the same DN as in Step 1 and set:


msDFSR-Enabled= TRUE


This ensures that the PDC server is the primary member for the DFSR replicated folder. It also resumes DFSR replication on the PDC server only; DFSR replication on the other DCs is still disabled.


This step also resets msDFSR-Options from 1 to 0 automatically (we set it to 1 in Step 1 on the PDC), which means a DFSR Sysvol authoritative restore has been attempted on this DC (the PDC).


Note that while you will have enabled DFSR replication authoritatively on this DC (the PDC), you must ensure that the DFSR service is stopped on the other DCs and that their DFSR replication is in the disabled state. Otherwise, it leads to DFSR database conflicts and issues. I have seen many DFSR restoration articles, but they did not mention this precaution.


DFSR4.jpg


Step 8

Force Active Directory replication throughout the domain. You can run the repadmin /syncall command on all DCs, OR you can do it manually for all DCs through Active Directory Sites and Services.


Step 9

Run the following command from an elevated command prompt on the PDC:


DFSRDIAG POLLAD


This command polls AD immediately for configuration changes relating to DFSR on that DC. On the same server, you will see Event ID 4602 in the DFSR event log, indicating SYSVOL has been initialized. That domain controller (the PDC) has now done a "D4" of SYSVOL successfully.


DFSR5.jpg


Step 10

Start the DFSR service on the other, non-authoritative ADC servers one by one. On those servers, you will see Event ID 4114 in the DFSR event log, indicating SYSVOL is no longer being replicated on each of them. Starting the DFSR service lets these DCs start accessing the DFSR configuration database; however, DFSR replication is still not enabled.


DFSR3.jpg


Step 11

From Adsiedit.msc, go to the properties of the same DN as in Step 2 and edit a single attribute on all other domain controllers in that domain, one by one:



msDFSR-Enabled= TRUE
 


This step enables DFSR replication across the domain controllers, and they start non-authoritatively restoring DFSR Sysvol.


DFSR6.jpg


Step 12

Force Active Directory replication throughout the domain. You can run the repadmin /syncall command on all DCs, OR you can do it manually for all DCs through Active Directory Sites and Services.


Step 13

Run the following command from an elevated command prompt on all ADC Servers (non-authoritative DCs) one by one:


DFSRDIAG POLLAD 


On the ADC servers, you will see Event ID 4604 in the DFSR event log indicating SYSVOL is now initialized and replicating correctly on each of them. These domain controllers have now done a “D2” of SYSVOL successfully.


DFSR7.jpg 

DFSR Sysvol Non Authoritative restore


If your DFSR-replicated Sysvol is not replicating on a specific domain controller other than the PDC master server, you need a DFSR Sysvol non-authoritative restore.


This restore should be done on the problematic ADC server where you want to refresh the Sysvol data from another healthy DC (probably the PDC) where Sysvol is healthy and replicating correctly.

High-level approach for this restore:


  1. Disable DFSR Sysvol replication on the problematic ADC
  2. Then initiate the DFSR Sysvol non-authoritative restore on that ADC


Steps to perform a non-authoritative restore of DFSR SYSVOL (like "D2" for FRS)


Step 1

On the problematic ADC, open the ADSIEDIT.MSC tool, go to the following distinguished name (DN) and edit the attribute below:

 

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=ADC,OU=Domain Controllers,DC=domain,DC=com
(Replace ADC with your server hostname)

msDFSR-Enabled= FALSE


DFSR2.jpg


Step 2

Force Active Directory replication throughout the domain.


Step 3

Run the following command from an elevated command prompt on the same server that you set as non-authoritative:

DFSRDIAG POLLAD

On the same server, you will see Event ID 4114 in the DFSR event log, indicating SYSVOL is no longer being replicated.


DFSR3.jpg


Step 4

Restart the DFSR service on the same server from an elevated command prompt or from the Services console.


Step 5

On the same DN from Step 1, set:

 

msDFSR-Enabled= TRUE


DFSR6.jpg


Step 6

Force Active Directory replication throughout the domain.


Step 7

Run the following command from an elevated command prompt on the same server that you set as non-authoritative:

DFSRDIAG POLLAD

On the same server, you will see Event ID 4614 followed by 4604 in the DFSR event log, indicating SYSVOL has been initialized successfully. That domain controller has now done a "D2" of SYSVOL.


DFSR8.jpg


DFSR7.jpg
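The two procedures above share the same building blocks: edit one attribute on the DC's SYSVOL Subscription object, force AD replication, run DFSRDIAG POLLAD, control the DFSR service, and wait for the event ID that marks the phase as done. The following is an added example, not the article's or Microsoft's code, that writes those blocks once as PowerShell functions and then runs the authoritative sequence (Steps 1 to 13) and the non-authoritative sequence (Steps 1 to 7) in the order the article gives, refusing to continue when the expected event does not appear. It assumes an elevated Windows PowerShell 5.1 session on the PDC emulator as a Domain Admin, the ActiveDirectory RSAT module, PowerShell remoting to every DC, and repadmin.exe and dfsrdiag.exe on the DCs (see the note under Step 4); all function names are my own.

```powershell
# Added example, not code from the original article or from Microsoft.
# Assumes: elevated Windows PowerShell 5.1 on the PDC emulator, Domain Admin rights,
# ActiveDirectory RSAT module, PowerShell remoting enabled on all DCs, and
# repadmin.exe / dfsrdiag.exe present on the DCs.
Import-Module ActiveDirectory

function Get-SysvolSubscriptionDN($Dc) {
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($Dc.ComputerObjectDN)"
}

function Set-SysvolReplication {
    # Steps 1/2/7/11 (and 1/5 of the non-authoritative restore): msDFSR-Enabled, plus msDFSR-Options=1 on the PDC.
    param($Dc, [bool]$Enabled, [switch]$Authoritative)
    $attrs = @{ 'msDFSR-Enabled' = $Enabled }
    if ($Authoritative) { $attrs['msDFSR-Options'] = 1 }
    Set-ADObject -Identity (Get-SysvolSubscriptionDN $Dc) -Replace $attrs
}

function Sync-AndPoll {
    # "Force AD replication" followed by DFSRDIAG POLLAD on each listed DC.
    param([object[]]$Dcs)
    repadmin.exe /syncall /AdeP | Out-Null
    foreach ($dc in $Dcs) {
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock { dfsrdiag.exe pollad | Out-Null }
    }
}

function Set-DfsrService {
    param($Dc, [ValidateSet('Start', 'Stop', 'Restart')][string]$Action)
    Invoke-Command -ComputerName $Dc.HostName -ArgumentList $Action -ScriptBlock {
        param($a); & "$a-Service" -Name DFSR    # Start-Service / Stop-Service / Restart-Service
    }
}

function Wait-DfsrEvent {
    # Block until the DC logs the event the article names for this phase; fail loudly otherwise
    # so the operator does not continue with DFSR in an undefined state.
    param($Dc, [int]$Id, [datetime]$Since, [int]$TimeoutSec = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $e = Get-WinEvent -ComputerName $Dc.HostName -MaxEvents 1 -ErrorAction SilentlyContinue `
                 -FilterHashtable @{ LogName = 'DFS Replication'; Id = $Id; StartTime = $Since }
        if ($e) { return }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "$($Dc.HostName): DFSR event $Id not logged within $TimeoutSec s; investigate before continuing"
}

function Invoke-SysvolAuthoritativeRestore {
    # Only when Sysvol is broken on every DC; the PDC becomes the primary copy ("D4").
    $start   = Get-Date
    $all     = Get-ADDomainController -Filter *
    $pdcFqdn = (Get-ADDomain).PDCEmulator
    $pdc     = $all | Where-Object HostName -eq $pdcFqdn
    $others  = $all | Where-Object HostName -ne $pdcFqdn

    Set-SysvolReplication $pdc -Enabled:$false -Authoritative              # Step 1
    foreach ($dc in $others) { Set-SysvolReplication $dc -Enabled:$false } # Step 2
    Sync-AndPoll $all                                                      # Steps 3-4
    foreach ($dc in $all) { Set-DfsrService $dc Stop }                     # Step 5: DFSR stopped everywhere
    Set-DfsrService $pdc Start                                             # Step 6: PDC only
    Wait-DfsrEvent $pdc 4114 $start
    Set-SysvolReplication $pdc -Enabled:$true                              # Step 7: DFSR resets msDFSR-Options to 0 itself
    Sync-AndPoll @($pdc)                                                   # Steps 8-9
    Wait-DfsrEvent $pdc 4602 $start                                        # PDC has done its "D4"
    foreach ($dc in $others) { Set-DfsrService $dc Start; Wait-DfsrEvent $dc 4114 $start }  # Step 10
    foreach ($dc in $others) { Set-SysvolReplication $dc -Enabled:$true }  # Step 11
    Sync-AndPoll $others                                                   # Steps 12-13
    foreach ($dc in $others) { Wait-DfsrEvent $dc 4604 $start }            # each ADC has done its "D2"
}

function Invoke-SysvolNonAuthoritativeRestore {
    # Only the one problematic ADC; it re-seeds Sysvol from a healthy partner ("D2").
    param([Parameter(Mandatory)][string]$DcHostName)
    $start = Get-Date
    $dc    = Get-ADDomainController -Identity $DcHostName
    Set-SysvolReplication $dc -Enabled:$false     # Step 1
    Sync-AndPoll @($dc)                           # Steps 2-3
    Wait-DfsrEvent $dc 4114 $start
    Set-DfsrService $dc Restart                   # Step 4
    Set-SysvolReplication $dc -Enabled:$true      # Step 5
    Sync-AndPoll @($dc)                           # Steps 6-7
    Wait-DfsrEvent $dc 4604 $start                # preceded by 4614 on the same DC
}
```

The Wait-DfsrEvent calls are the point of the example: each one corresponds to an event ID the article tells you to look for, and stopping there rather than pressing on is what keeps the other DCs from touching the DFSR database while the PDC is being made authoritative (the precaution under Step 7).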


I have tested the above process in a test lab on two Windows 2008 R2 domain controllers with the Windows 2008 domain and forest functional levels.

The process remains unchanged for Windows Server 2012 / 2012 R2 and 2016 editions.


Any comments are welcome.

Please endorse if you like the Article

Author: Mahesh
17 Comments

Expert Comment by: Shamil Mohamed
Hi,

I have a comment here.

In the non-authoritative restore, while doing Step 3, DFSRDIAG POLLAD is not executing because the DFSR service is down.

In Step 4 it only asks to restart the server.

Kindly clarify the doubt. Thank you.

Shamil

Expert Comment by: Shamil Mohamed
After all this non-authoritative restore was done on a newly created domain controller, I am still receiving this error:

Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... NDC01 failed test DFSREvent

What should I do to resolve this?

Thank you.
Shamil

Expert Comment by: Karatestahl
Very good article, solved my problems.
I read the Microsoft one at first, and it wasn't helping me due to the poorly described order of what to do on which server.

Regards
/Peter

Expert Comment by: zohre aghaei
Hi,
I tested a non-authoritative restore in a test lab with a DC.
I deleted the contents of the Policies folder of Sysvol and did all the steps in this article, and at the end of that I received event 4602, not 4604 and 4614, and the policies that I had did not come back.
What can I do?
Untitled.jpg

Author Comment by: Mahesh
If you want to delete Sysvol contents, it should be done after Step 4.

Expert Comment by: zohre aghaei
I want to get back the Sysvol contents that I deleted at first. All steps from 1 to 7 were done, but they did not come back. Do you have any other help?

Author Comment by: Mahesh
I believe the Sysvol contents got deleted from all DCs because of AD Sysvol replication?

The only way to restore them is to restore from backup.

Expert Comment by: zohre aghaei
Ok, you are right.
But I don't know how to restore them from backup.

Would you please guide me?

Author Comment by: Mahesh
Check the article below:
https://msdn.microsoft.com/en-us/library/bb727048.aspx

Look for Sysvol authoritative restore.

Expert Comment by: zohre aghaei
Thank you

Expert Comment by: Jhony Trujillo
This article, like many others related to this problem, is very brief; it is missing a lot of information.

For example, when using adsiedit.msc, they do not specify which DC you should connect to, whether the DC with the problems or the PDC emulator.

If the tests are done in a virtualized environment with 2 DCs, then it is easy. Things change when the problem is in a production environment with at least 30 DCs and only one of the DCs is failing. Even the new DCs that join the domain are not replicating Sysvol.

Author Comment by: Mahesh
Can you please write in English? I am unable to understand.

Expert Comment by: Andrew Grant
Thank you! This is by far the clearest article I've seen on this subject.

Expert Comment by: Oleg Zolotarenko
Excellent article. Very good article! I'll mention your article as a reference here. Thanks. The clue is event 4602 at the end on all DCs.
LVL 45

Author Comment by: Mahesh
Thanks @Oleg Zolotarenko and @Andrew Grant

I honor your comments

If you could please endorse the article...

Mahesh.

Expert Comment by: sara2000
This is a nice article. I was reading MS's KBs time and time again. They were not clear.
I have a couple of questions. If we are unsure that the PDC has the clean copy of Sysvol, what is the procedure in the authoritative restore?
Restore it from backup on all DCs / at the PDC and perform the authoritative restore as in the steps above?
My other question is on Step 1. You set msDFSR-Options= 1 and have not done anything with it after that. Is it staying as it is?

Author Comment by: Mahesh
I have a couple of questions. If we are unsure that the PDC has the clean copy of Sysvol, what is the procedure in the authoritative restore?
1. If you are unable to replicate DFSR Sysvol to / from the PDC, or if you are unable to open the GPMC console etc., it means some corruption has occurred with Sysvol. You need to check whether Sysvol on the PDC is working correctly by creating a new GPO on the PDC and on another DC and checking whether it replicates; you also need to check the event logs pertaining to DFSR on the PDC.
2. Ideally you should look first at the Sysvol contents (including policy folders) to see whether they are the same across domain controllers and the same number of GPOs exists.
If you are certain that the current PDC does not have all the contents of Sysvol but another DC might have them, then you should promote that other DC to PDC, replicate the changes to all other DCs, and initiate the Sysvol authoritative restore on that DC.
If Sysvol contents are missing on all domain controllers, then doing an authoritative restore will not restore them.
In that case you need to restore the Sysvol contents from backup on the PDC server only, and then attempt a Sysvol authoritative restore on the PDC followed by a non-authoritative restore on the other DCs.

You set msDFSR-Options= 1 and have not done anything with it after that. Is it staying as it is?

This is a good point; thanks for highlighting it, and I will highlight it in the article...
When you do a Sysvol authoritative restore, this bit is set to 0, which means a Sysvol authoritative restore has been attempted on that DC.
For other DCs this value remains <Not Set>.

Thanks
Mahesh.