Solved

Server 2012 R2 missing sysvol and netlogon since promoted to PDC?

Posted on 2014-10-26
2
212 Views
Last Modified: 2016-06-22
Hi All,

I've encountered a problem that many users seem to have experienced previously on experts exchange, but I'm after a bit of clarification.

This was the question and answer I found, but the resolution is a bit brief and I'm after a little clarification.
I am trying to retire my first Domain controller machine and created a new DC to hold all FSMO roles in a windows 2012 server environment. I created my new DC, successfully transferred all FSMO and started using it as my DNS as well.  My exchange server is also acting as a Global catalog server but no FSMO roles. I turned off the old DC and things are running. However, when I went in to modify GPO, it failed.  Seems the SYSVOL and Netlogon folders did not replicate to the new DC.  All three servers show up in NTDS settings (I turned the original DC back on) but I can't get it to replicate.  I've told it to replicate from selected DC.  
 What did I miss and what should my next troubleshooting steps be please?

RESOLUTION suggested:
Ok, Got it figured out.
 DFS replication will only work if the two folders, policies and sysvol for a domain exist.  Since neither the policies or sysvol were created, for whatever reason, the tech threads to do a non-authoritative restore or ANY replication mechanism fails.  There are no errors generated but you never get a 4602 log or 4604 log entry.  
 Ergo, if you don't have sysvol and policies folders AND/OR their corresponding shares:
 - stop dfsr service on all domains
 - run start sysvol
 - Create the policies folder and sysvol folder manually under the appropriate domain
 - restart dfsr service on all domains
 - follow http://support.microsoft.com/kb/2218556 steps
 Hopefully, within 10-15 minutes, you'll get the 4604 and data will have replicated to your new DC.

 Thanks for all the suggestions.

My Query:
Hi Guys, i know this has been correctly answered, but one thing i've noticed on all articles with this problem is that it doesn't state where I run the commands from. In my situation I'm having the identical issue as above, existing 2012 DC, new 2012 DC added, no sysvol folder etc.I've looked at the D2 restore documentation, but where do i run the fix?

 Do i run it on the domain controller which is missing the sysvol folders etc? (note my dc which looks broken holds all my FSMO roles at this time)

 Or is it a mixture of editing both existing DC and New DC, all documents are unclear, unless it's my frustration getting the better of me. A clear answer would be appreciated.

 Many Thanks

Some pointers on this matter would be great.
0
Comment
Question by:danddnetworks
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40405838
How about your old DC?
Is the old DC is wiped out or you can bring it online?
How many days it is offline? more than 180 days?
If recently you made him offline without decommissioning, you can bring old DC online, simply make it online and demote \ promote new 2012  DC again
Because in order to restore sysvol with twicks, it needs to be in good condition at least on one domain controller from where you can replicate authoritatively
OR you need to restore it authoritatively from last healthy backup

Now moving to your question:
In order to get sysvol authoritative restore followed by non-authoritative restore sequence should be:
Disable sysvol dfsr (msDFSR-Enabled=FALSE) on all domain controllers including PDC
Then stop dfsr replication service on all domain controllers including PDC
Then set "msDFSR-options=1" and set "msDFSR-Enabled=TRUE" on PDC server only
Start dfsr service on PDC server only, this will initiate PDC server authoritative restore
Once operation completed successfully, you should be able to get sysvol and netlogon shares on PDC by running "Net Share" command
Now go to all domain controllers one by one and run "msDFSR-Enabled=TRUE" followed by start dfsr service
This should initiate non authoritative restore of sysvol on other domain controllers

If you just wanted to initiate non-authoritative restore of sysvol-dfsr on single or multiple DCs, follow below steps
Go to DC where you wanted to initiate non-authoritative restore and set "msDFSR-Enabled=FALSE" followed by stop dfsr service
Now again set "msDFSR-Enabled=TRUE" and start dfsr service
This will initiate non-authoritative restore for that particular DC

The above options can be set through adsiedit.msc or PowerShell
Check below blog post for location and PowerShell commands
http://jorgequestforknowledge.wordpress.com/2011/06/22/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-4/

Mahesh
0

Featured Post

Office 365 Advanced Training for Admins

Special Offer:  Buy 1 course, get 2nd free!  Buy the 'Managing Office 365 Identities & Requirements' course w/ Accelerated TestPrep, and automatically receive the 'Enabling Office 365 Services' course FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ADFS trust for Skype 4 18
CTIOS error on Windows 10 3 58
ADFS: AADSTS50107: Requested federation realm object 8 86
Active Directory permissions 5 34
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question