Server 2012 R2 missing sysvol and netlogon since promoted to PDC?

Posted on 2014-10-26
Last Modified: 2016-06-22
Hi All,

I've encountered a problem that many users seem to have experienced previously on experts exchange, but I'm after a bit of clarification.

This was the question and answer I found, but the resolution is a bit brief and I'm after a little clarification.
I am trying to retire my first Domain controller machine and created a new DC to hold all FSMO roles in a windows 2012 server environment. I created my new DC, successfully transferred all FSMO and started using it as my DNS as well.  My exchange server is also acting as a Global catalog server but no FSMO roles. I turned off the old DC and things are running. However, when I went in to modify GPO, it failed.  Seems the SYSVOL and Netlogon folders did not replicate to the new DC.  All three servers show up in NTDS settings (I turned the original DC back on) but I can't get it to replicate.  I've told it to replicate from selected DC.  
 What did I miss and what should my next troubleshooting steps be please?

RESOLUTION suggested:
Ok, Got it figured out.
 DFS replication will only work if the two folders, policies and sysvol for a domain exist.  Since neither the policies or sysvol were created, for whatever reason, the tech threads to do a non-authoritative restore or ANY replication mechanism fails.  There are no errors generated but you never get a 4602 log or 4604 log entry.  
 Ergo, if you don't have sysvol and policies folders AND/OR their corresponding shares:
 - stop dfsr service on all domains
 - run start sysvol
 - Create the policies folder and sysvol folder manually under the appropriate domain
 - restart dfsr service on all domains
 - follow steps
 Hopefully, within 10-15 minutes, you'll get the 4604 and data will have replicated to your new DC.

 Thanks for all the suggestions.

My Query:
Hi Guys, i know this has been correctly answered, but one thing i've noticed on all articles with this problem is that it doesn't state where I run the commands from. In my situation I'm having the identical issue as above, existing 2012 DC, new 2012 DC added, no sysvol folder etc.I've looked at the D2 restore documentation, but where do i run the fix?

 Do i run it on the domain controller which is missing the sysvol folders etc? (note my dc which looks broken holds all my FSMO roles at this time)

 Or is it a mixture of editing both existing DC and New DC, all documents are unclear, unless it's my frustration getting the better of me. A clear answer would be appreciated.

 Many Thanks

Some pointers on this matter would be great.
Question by:danddnetworks
LVL 36

Accepted Solution

Mahesh earned 500 total points
ID: 40405838
How about your old DC?
Is the old DC is wiped out or you can bring it online?
How many days it is offline? more than 180 days?
If recently you made him offline without decommissioning, you can bring old DC online, simply make it online and demote \ promote new 2012  DC again
Because in order to restore sysvol with twicks, it needs to be in good condition at least on one domain controller from where you can replicate authoritatively
OR you need to restore it authoritatively from last healthy backup

Now moving to your question:
In order to get sysvol authoritative restore followed by non-authoritative restore sequence should be:
Disable sysvol dfsr (msDFSR-Enabled=FALSE) on all domain controllers including PDC
Then stop dfsr replication service on all domain controllers including PDC
Then set "msDFSR-options=1" and set "msDFSR-Enabled=TRUE" on PDC server only
Start dfsr service on PDC server only, this will initiate PDC server authoritative restore
Once operation completed successfully, you should be able to get sysvol and netlogon shares on PDC by running "Net Share" command
Now go to all domain controllers one by one and run "msDFSR-Enabled=TRUE" followed by start dfsr service
This should initiate non authoritative restore of sysvol on other domain controllers

If you just wanted to initiate non-authoritative restore of sysvol-dfsr on single or multiple DCs, follow below steps
Go to DC where you wanted to initiate non-authoritative restore and set "msDFSR-Enabled=FALSE" followed by stop dfsr service
Now again set "msDFSR-Enabled=TRUE" and start dfsr service
This will initiate non-authoritative restore for that particular DC

The above options can be set through adsiedit.msc or PowerShell
Check below blog post for location and PowerShell commands


Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question