Server 2012 R2 missing sysvol and netlogon since promoted to PDC?

Posted on 2014-10-26
Last Modified: 2016-06-22
Hi All,

I've encountered a problem that many users seem to have experienced previously on experts exchange, but I'm after a bit of clarification.

This was the question and answer I found, but the resolution is a bit brief and I'm after a little clarification.
I am trying to retire my first Domain controller machine and created a new DC to hold all FSMO roles in a windows 2012 server environment. I created my new DC, successfully transferred all FSMO and started using it as my DNS as well.  My exchange server is also acting as a Global catalog server but no FSMO roles. I turned off the old DC and things are running. However, when I went in to modify GPO, it failed.  Seems the SYSVOL and Netlogon folders did not replicate to the new DC.  All three servers show up in NTDS settings (I turned the original DC back on) but I can't get it to replicate.  I've told it to replicate from selected DC.  
 What did I miss and what should my next troubleshooting steps be please?

RESOLUTION suggested:
Ok, Got it figured out.
 DFS replication will only work if the two folders, policies and sysvol for a domain exist.  Since neither the policies or sysvol were created, for whatever reason, the tech threads to do a non-authoritative restore or ANY replication mechanism fails.  There are no errors generated but you never get a 4602 log or 4604 log entry.  
 Ergo, if you don't have sysvol and policies folders AND/OR their corresponding shares:
 - stop dfsr service on all domains
 - run start sysvol
 - Create the policies folder and sysvol folder manually under the appropriate domain
 - restart dfsr service on all domains
 - follow steps
 Hopefully, within 10-15 minutes, you'll get the 4604 and data will have replicated to your new DC.

 Thanks for all the suggestions.

My Query:
Hi Guys, i know this has been correctly answered, but one thing i've noticed on all articles with this problem is that it doesn't state where I run the commands from. In my situation I'm having the identical issue as above, existing 2012 DC, new 2012 DC added, no sysvol folder etc.I've looked at the D2 restore documentation, but where do i run the fix?

 Do i run it on the domain controller which is missing the sysvol folders etc? (note my dc which looks broken holds all my FSMO roles at this time)

 Or is it a mixture of editing both existing DC and New DC, all documents are unclear, unless it's my frustration getting the better of me. A clear answer would be appreciated.

 Many Thanks

Some pointers on this matter would be great.
Question by:danddnetworks
LVL 37

Accepted Solution

Mahesh earned 500 total points
ID: 40405838
How about your old DC?
Is the old DC is wiped out or you can bring it online?
How many days it is offline? more than 180 days?
If recently you made him offline without decommissioning, you can bring old DC online, simply make it online and demote \ promote new 2012  DC again
Because in order to restore sysvol with twicks, it needs to be in good condition at least on one domain controller from where you can replicate authoritatively
OR you need to restore it authoritatively from last healthy backup

Now moving to your question:
In order to get sysvol authoritative restore followed by non-authoritative restore sequence should be:
Disable sysvol dfsr (msDFSR-Enabled=FALSE) on all domain controllers including PDC
Then stop dfsr replication service on all domain controllers including PDC
Then set "msDFSR-options=1" and set "msDFSR-Enabled=TRUE" on PDC server only
Start dfsr service on PDC server only, this will initiate PDC server authoritative restore
Once operation completed successfully, you should be able to get sysvol and netlogon shares on PDC by running "Net Share" command
Now go to all domain controllers one by one and run "msDFSR-Enabled=TRUE" followed by start dfsr service
This should initiate non authoritative restore of sysvol on other domain controllers

If you just wanted to initiate non-authoritative restore of sysvol-dfsr on single or multiple DCs, follow below steps
Go to DC where you wanted to initiate non-authoritative restore and set "msDFSR-Enabled=FALSE" followed by stop dfsr service
Now again set "msDFSR-Enabled=TRUE" and start dfsr service
This will initiate non-authoritative restore for that particular DC

The above options can be set through adsiedit.msc or PowerShell
Check below blog post for location and PowerShell commands


Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question