Netlogon missing - but sysvol present on SBS 2003 - tried burflag with D4

I have an SBS 2003 box with a missing netlogon share.  I caused this somehow in the last 4 hours, but I'm not sure how exactly.  I have a system state backup from before I made any changes (system state backup is about 36 hours old at this point), though I'm nervous about using it - as it says I need to start in directory restore mode.  I can do it, but I'm hoping someone with more experience can either guide me to another solution or allay my fears about that system state restore.

I'm doing a swing migration from SBS 2003 to SBS 2008.  There was a journal wrap error in my SBS 2003 file replication log so I took the steps to get rid of that.  In addition, I had two additional domain controllers (Server 2003 R2).  I did a dcpromo to remove them from being domain controllers (required by the swing migration method).

I noticed this after I removed the other two domain controllers.

Somewhere along that path, I lost the netlogon share.  I lost sysvol, too.  I know for a fact that I set the burflag to d2 at first on the SBS box (which was not correct because that's the non-authoritative reset).  I rebooted and got sysvol back.  Then after reading more, I set the burflag for ntfrs rebuild to d4 as per this article:

I'm at a loss.  I've been googling and googling.  I don't have any old domain controllers in HKLM\Software\CurrentControlSet\Services\Ntfrs\Sysvol Seeding.  I have set d4 in both HKLM\Software\CurrentControlSet\Services\Ntfrs\Parameters\backup/restore\Processes at startup and in HKLM\Software\CurrentControlSet\Services\Ntfrs\Parameters\Cumulative Replica Sets\GUID.

My users CAN log in - so it's not as bad as the typical situation where the SYSVOL and netlogon are missing.  But from my understanding the lack of a netlogon folder is a problem with your domain controller.

When I start up the server, here is what I see in the File Replication Service event log:

Event ID 13501 - The File Replication Service is starting.
and then 30 to 45 seconds later
Event ID 13516 - The File Replication Service is no longer preventing the computer SERVER2 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
Type "net share" to check for the SYSVOL share.

For more information, see Help and Support Center at

Below are screen shots of "net share" the shares area of computer management, the File Replication Service Event Log.

As usual, any help is appreciated.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Shreedhar EtteCommented:
After setting the burflag have you restarted the File replication, Netlogon and DNS services.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dmessmanAuthor Commented:
I actually rebooted after each time I changed the burflag.  Each time you see event id 13566 in the event log (above), that's what happens after I have changed the burflag and then rebooted.

After rebooting the burflag value becomes 0.
The Five Tenets of the Most Secure Backup

Data loss can hit a business in any number of ways. In reality, companies should expect to lose data at some point. The challenge is having a plan to recover from such an event.

dmessmanAuthor Commented:
I'll be pissed if that previous EE question is the answer.  I searched for hours.  Completely unrelated, I'm running an offline defrag right now - so I'll be able to test in the morning.
Justin MaloneSystem AdministratorCommented:
since you had other DC's up were they managing any of your FSMO roles? if so have they been reconfigured to be operating on the only remaining DC?

how to change FSMO roles
dmessmanAuthor Commented:
@squallkill99 - I never moved any of the FSMO roles from my SBS box, so that would be the issue.  Theoretically, it wouldn't hurt to try to seize those roles bc the SBS box should have them anyway - so I'll look at that as well.  Still waiting for the offline defrag to finish to look at simply manually recreating the netlogon folder.
dmessmanAuthor Commented:
I had a variety of issues related to a corrupt sysvol, but regarding the actual issue of missing netlogon share, I just needed to recreate the scripts folder.  

In the end, I had to restore my sysvol from backup and run a burflags=d4.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.