
Group Policy Not Replicating - NTFRS Service Won't Start

We have two domain controllers. DC1 is working fine. DC2 is not receiving replicated GPOs.

Both DCs are Server 2012 Datacenter (not R2) with all current updates. They both have AD, DNS and DHCP.

DC1 is RID, PDC and Operations Master.

DC2 is getting AD and DNS updates but NO Group Policy replication is taking place. Users who end up with DC1 in their gpresult get the GPOs and no problems. Users who end up with DC2 "kind of" get GPOs but with a lot of missing settings. The records show that DC2's GPOs are over 100 days older than DC1's, so they haven't synced/replicated in that long.

The problem DC is getting some errors.

- Error 1053
- Event ID 4012
- Deleted all of the domain policies out of SYSVOL. They were over 100 days old, anyway (per event ID 4012).
- The NTFRS (File Replication) service will NOT start from the GUI or command line.
- I noticed that NTFRS won't start on the "working" DC

Any thoughts?

This doesn't work because ntfrs isn't "missing". I see it there but it just won't start.

I can follow this up to the point where it wants me to start the ntfrs service which results in error 1053.

The article did not address this specific issue.

I did a non-authoritative restore, got Event ID 4614 in the DFS Replication log but still no replication in Group Policy.

Mark Bill, Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1

Can you post the output of command DCDIAG /ALL from DC2?
Mohammed Khawaja, Manager - Infrastructure: Information Technology
Been there and it might be easier and quicker to demote the server and promote as a DC again. Last time I had an issue like this, we got it resolved but after almost 2 days and that was PFEs from Microsoft who assisted us.
Paul Wagner, Principal Consultant


@mark bill
There is no "/ALL" command for dcdiag. Are you looking for "/a"?

@Mohammed Khawaja
Won't I create problems across the enterprise by taking a domain controller out of play? i.e., other services will fail like Exchange, Citrix, etc.?
Mohammed Khawaja, Manager - Infrastructure: Information Technology
Your DC is not fully functioning anyways and also note that if you remove the DC by doing a metadata cleanup, Exchange and everything else should work fine (ensure that there is a DC in each site). Citrix does not rely on a single particular DC and neither should Exchange (check Exchange configuration to ensure there are other DCs/GCs included in the configuration).
Paul Wagner, Principal Consultant


@mohammed khawaja
I am reading up on dcpromo and will perform the task in Remove Roles and Features. Where do I perform the metadata cleanup?
Paul Wagner, Principal Consultant


I've demoted and promoted DC2. Same problem. Group Policy is not replicating. On both servers in the GPMC, I am seeing DC2 "with replication in progress". It never gets to "replication in sync".

DC2 IS connecting via DFSR to DC1 but I am not seeing any policies copied over to the c:\windows\SYSVOL\domain folder on DC2.
Paul Wagner, Principal Consultant


... The replication in progress shows "Inaccessible" under the Active Directory column as a hyperlink. When I click that, it says "Active Directory or SYSVOL is inaccessible on this domain controller or an object is missing." It has a link that takes me to a general article about Group Policy.
I was having a similar issue with 4012 on my 2012 DC. I found tons of articles.
First I cleared out blocked and conflicting folders following Ned Pyle's blog at:
Lots of helpful stuff here, Ned is the DFSR guru and was happy to help.
Then I followed this one:
My replication had not taken place for over 90 days so I used 144 for the <insert number> to give me plenty of time.
Then I removed the PreExisting from the hidden folder DfsrPrivate in the sysvol\sysvol\domain folder under C:\windows.
My PreExisting was older than the domain, so was from the setup before I joined.
Paul Wagner, Principal Consultant


I've discovered that the problem lies in that the SYSVOL and NETLOGON folders aren't even there on DC2. I manually created the shares and then repadmin'd and the servers seemed to sync.

I rebooted DC2 for good measure and the shared folder disappeared. Back to the drawing board.

Any article I look at about this particular issue (folders missing) says to do a non-authoritative or authoritative restore. I've done that already...

@mark bill
I know you asked for dcdiag /all but that command doesn't work.
I ran a simple dcdiag and I get two issues reported:
Warning: DsGetDcName returned information for \\DC1.domain.local, when we were trying to reach DC2.
......................................DC2 failed test Advertising

Also, I get this:
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\DC2\netlogon)
[DC2] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
.......................................DC2 failed test NetLogons

All other tests pass

I don't get the "replication hasn't taken place in xx days" anymore since I demoted and then promoted DC2. Now, it seems like the DFS share is just hosed. The DFSRPrivate folder has recent folders created a few days ago but no data in them.
Have you checked your networking to make sure everything is ok? NICs, switches etc.... Stupid question but have to ask..

In DFS Management console have you tried to run a diagnostic report?

Paul Wagner, Principal Consultant



Yes, all networking is solid. (i.e., NIC, switch, ping tests, DNS, etc.)
I ran the diagnostic but already discovered something new. The old/new (not sure) DC2 share is showing as Disabled because the old/new one is already there. I'm guessing since there are two DC2s then it won't let the newly promoted DC2 get activated.

DFS Management Diagnostic will run but won't show the Disabled DC.
(I've read articles about removing one server and adding it back but there is no option for that in my DFS Management.)

I clicked Yes to run the report
Error - DC2 - The DFS Replication service is restarting frequently.

Warning - DC1 - This member is waiting for initial replication for replicated folder SYSVOL Share.
Warning - DC2 - This member is waiting for initial replication for replicated folder SYSVOL Share.
Paul Wagner, Principal Consultant


Also, I think it is odd that the File Replication (ntfrs) is constantly starting/stopping stating that the DFSR is taking over for it. The File Replication service is disabled so it seems odd that it would be trying to start.

This isn't normal, is it?

File Replication (ntfrs) keeps trying to start

File Replication Service should be disabled. It is no longer used on the DC since it now uses DFS Replication, or DFSR.
Not sure when it stopped, possibly after 2003.
gotta love all those confusing acronyms
Paul Wagner, Principal Consultant


That's what I figured.

Any solutions/thoughts on how to proceed? I'm working through the SYSVOL folders not being shared on DC2 right now until a better method of troubleshooting presents itself. (At this point, should I just make a new server?)

If this is virtual, that may be quickest. I see you have at least two DCs.
Paul Wagner, Principal Consultant


OK, everyone... duhn duhn duuuuhhhnnnn!!!

I fixed it. Say whhaaaattt? I have no idea why it started working this time.

I did an authoritative synchronization using this article.

My thoughts:
After demotion/promotion of DC2, I did an authoritative sync, but it still didn't work.
What might have made the difference:
- Playing around with creating a sysvol/netlogon share folder on DC2 and rebooting
- Deleting contents of DC2's sysvol\domain folder and cutting contents of DC1's sysvol\domain folder to a temp folder. I then removed the replication group from DFS Management, moved the files back to DC1's sysvol\domain folder and then added the replication group back in DFS Management.
- Meticulously went through the authoritative sync instructions. (Perhaps I clicked the wrong server when entering the TRUE/FALSE commands?) I also restarted the DFSR service each time. I wasn't doing that before since other "guru" articles said that it wasn't necessary or didn't help.

After doing those things, I did the authoritative sync and it worked.
The only anomaly DCDIAG now shows is a DFSR Event in the last 24 hours but that should clear out by tomorrow.

Thank you to all who helped. I'll split up the points as best I can based on who helped the most.
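Added example, not code from the thread or from any of the participants: a read-only PowerShell health check that pulls together the symptoms this thread turned on, the NTFRS/DFSR service state, the missing SYSVOL and NETLOGON shares behind the failed NetLogons test (error 67), DFSR events 4012 and 4614, and the dcdiag Advertising/NetLogons tests. It also reads the msDFSR-Enabled and msDFSR-Options attributes on this DC's SYSVOL Subscription object, which are the values Microsoft's DFSR authoritative/non-authoritative SYSVOL sync procedure toggles (I am assuming that is the "TRUE/FALSE" article referred to above). The function name Test-SysvolReplicationHealth and the LookbackHours parameter are my own; it assumes it is run elevated on the DC being checked with the RSAT ActiveDirectory module installed, and that SYSVOL is already DFSR-replicated, as it was on these Server 2012 DCs.

```powershell
# Added example, not code from the thread. Read-only SYSVOL/DFSR health check for one
# domain controller. Run elevated on that DC with the RSAT ActiveDirectory module.
# Assumes SYSVOL is already DFSR-replicated (true for the Server 2012 DCs above).
Import-Module ActiveDirectory -ErrorAction Stop

function Test-SysvolReplicationHealth {
    [CmdletBinding()]
    param(
        # How far back to look for DFSR events 4012 and 4614 (both seen in the thread)
        [int]$LookbackHours = 24
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Service state. On a DFSR-migrated DC the old NTFRS service should be
    #    Disabled and DFSR should be Running. Win32_Service exposes StartMode on
    #    PowerShell 3.0 (Server 2012), where Get-Service has no StartType property.
    $ntfrs = Get-CimInstance Win32_Service -Filter "Name='NtFrs'"
    $dfsr  = Get-CimInstance Win32_Service -Filter "Name='DFSR'"
    if ($ntfrs -and $ntfrs.StartMode -ne 'Disabled') {
        $findings.Add("NTFRS start mode is '$($ntfrs.StartMode)'; expected Disabled after the DFSR migration.")
    }
    if (-not $dfsr -or $dfsr.State -ne 'Running') {
        $state = if ($dfsr) { $dfsr.State } else { 'not installed' }
        $findings.Add("DFSR service is not running (state: $state).")
    }

    # 2. Shares. dcdiag's NetLogons test fails with error 67 when these are absent.
    #    DFSR only publishes them once initial SYSVOL sync has completed.
    $shareNames = @(Get-SmbShare | Select-Object -ExpandProperty Name)
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        if ($shareNames -notcontains $name) {
            $findings.Add("$name share is not present on this DC.")
        }
    }

    # 3. This DC's SYSVOL subscription object in AD. msDFSR-Enabled = FALSE is the
    #    state the sync procedure leaves a member in until it is set back to TRUE;
    #    msDFSR-Options = 1 marks the copy chosen as authoritative.
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME
    $subscriptionDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"
    $sub = Get-ADObject -Identity $subscriptionDn -Properties 'msDFSR-Enabled', 'msDFSR-Options' -ErrorAction SilentlyContinue
    if (-not $sub) {
        $findings.Add("No SYSVOL Subscription object at $subscriptionDn; DFSR cannot replicate SYSVOL without it.")
    } elseif ($sub.'msDFSR-Enabled' -eq $false) {
        $findings.Add("msDFSR-Enabled is FALSE on the SYSVOL subscription; replication stays off until it is set back to TRUE.")
    }

    # 4. Recent DFSR events. 4012 = content frozen because replication stopped for
    #    longer than MaxOfflineTimeInDays; 4614 = initialized, waiting on initial sync.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4012, 4614; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`r?`n")[0]
        $findings.Add("Event $($e.Id) at $($e.TimeCreated): $firstLine")
    }

    # 5. The two dcdiag tests quoted in the thread, scoped to this DC.
    $dcdiag = & dcdiag.exe /s:$env:COMPUTERNAME /test:Advertising /test:NetLogons 2>&1
    foreach ($line in ($dcdiag | Where-Object { "$_" -match 'failed test' })) {
        $findings.Add(("$line" -replace '^\s*\.*', '').Trim())
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

# Usage: prints one object with a Healthy flag and the list of findings.
Test-SysvolReplicationHealth | Format-List
```

On a DC in the state described above (no SYSVOL/NETLOGON shares, DFSR waiting for initial replication) the Findings list would carry the missing-share entries, the 4614 event and the two failed dcdiag tests; once the sync completes and the shares appear, Healthy flips to True. The script changes nothing, so it is safe to run on both DCs before and after a sync to confirm which side is actually stuck.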
Paul Wagner, Principal Consultant


Everyone's help led to the solution I stumbled upon. Great team effort. Thanks! You saved me from having to rebuild or pay for a Microsoft ticket. Your help was worth a whole year's cost of subscription to EE.

Yes, that article was to be my final attack, as daunting as it looked. Luckily I got mine working without it, since I share the main DC with other sites.