Solved

Server 2012 R2 missing sysvol and netlogon since promoted to PDC?

Posted on 2014-10-26
2
178 Views
Last Modified: 2016-06-22
Hi All,

I've encountered a problem that many users seem to have experienced previously on experts exchange, but I'm after a bit of clarification.

This was the question and answer I found, but the resolution is a bit brief and I'm after a little clarification.
I am trying to retire my first Domain controller machine and created a new DC to hold all FSMO roles in a windows 2012 server environment. I created my new DC, successfully transferred all FSMO and started using it as my DNS as well.  My exchange server is also acting as a Global catalog server but no FSMO roles. I turned off the old DC and things are running. However, when I went in to modify GPO, it failed.  Seems the SYSVOL and Netlogon folders did not replicate to the new DC.  All three servers show up in NTDS settings (I turned the original DC back on) but I can't get it to replicate.  I've told it to replicate from selected DC.  
 What did I miss and what should my next troubleshooting steps be please?

RESOLUTION suggested:
Ok, Got it figured out.
 DFS replication will only work if the two folders, policies and sysvol for a domain exist.  Since neither the policies or sysvol were created, for whatever reason, the tech threads to do a non-authoritative restore or ANY replication mechanism fails.  There are no errors generated but you never get a 4602 log or 4604 log entry.  
 Ergo, if you don't have sysvol and policies folders AND/OR their corresponding shares:
 - stop dfsr service on all domains
 - run start sysvol
 - Create the policies folder and sysvol folder manually under the appropriate domain
 - restart dfsr service on all domains
 - follow http://support.microsoft.com/kb/2218556 steps
 Hopefully, within 10-15 minutes, you'll get the 4604 and data will have replicated to your new DC.

 Thanks for all the suggestions.

My Query:
Hi Guys, i know this has been correctly answered, but one thing i've noticed on all articles with this problem is that it doesn't state where I run the commands from. In my situation I'm having the identical issue as above, existing 2012 DC, new 2012 DC added, no sysvol folder etc.I've looked at the D2 restore documentation, but where do i run the fix?

 Do i run it on the domain controller which is missing the sysvol folders etc? (note my dc which looks broken holds all my FSMO roles at this time)

 Or is it a mixture of editing both existing DC and New DC, all documents are unclear, unless it's my frustration getting the better of me. A clear answer would be appreciated.

 Many Thanks

Some pointers on this matter would be great.
0
Comment
Question by:danddnetworks
2 Comments
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40405838
How about your old DC?
Is the old DC is wiped out or you can bring it online?
How many days it is offline? more than 180 days?
If recently you made him offline without decommissioning, you can bring old DC online, simply make it online and demote \ promote new 2012  DC again
Because in order to restore sysvol with twicks, it needs to be in good condition at least on one domain controller from where you can replicate authoritatively
OR you need to restore it authoritatively from last healthy backup

Now moving to your question:
In order to get sysvol authoritative restore followed by non-authoritative restore sequence should be:
Disable sysvol dfsr (msDFSR-Enabled=FALSE) on all domain controllers including PDC
Then stop dfsr replication service on all domain controllers including PDC
Then set "msDFSR-options=1" and set "msDFSR-Enabled=TRUE" on PDC server only
Start dfsr service on PDC server only, this will initiate PDC server authoritative restore
Once operation completed successfully, you should be able to get sysvol and netlogon shares on PDC by running "Net Share" command
Now go to all domain controllers one by one and run "msDFSR-Enabled=TRUE" followed by start dfsr service
This should initiate non authoritative restore of sysvol on other domain controllers

If you just wanted to initiate non-authoritative restore of sysvol-dfsr on single or multiple DCs, follow below steps
Go to DC where you wanted to initiate non-authoritative restore and set "msDFSR-Enabled=FALSE" followed by stop dfsr service
Now again set "msDFSR-Enabled=TRUE" and start dfsr service
This will initiate non-authoritative restore for that particular DC

The above options can be set through adsiedit.msc or PowerShell
Check below blog post for location and PowerShell commands
http://jorgequestforknowledge.wordpress.com/2011/06/22/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-4/

Mahesh
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question