Prevent Active Directory SYSVOL Replication

Globally we have around 8 AD servers. Last week, all of a sudden, one of our ABC Domain Controllers got a drive issue on the drive where SYSVOL is stored. The problem is that after several hours all the scripts and GPO folders were missing on the other 7 Domain Controllers, but the ABC DC still had all the folders. We also noticed a lot of DFS errors and "blocks on the D drive" errors on the ABC domain controller. To fix the issue I shut down the ABC DC and restored SYSVOL from backup.

I need help on how we can prevent this type of issue, where one specific DC gets a problem and impacts all the other domain controllers, with all GPOs and scripts missing from SYSVOL, which causes a major issue. All our 8 servers are global catalog servers.
Sekar Chinnakannu, Staff Engineer, asked:
Ajay Chanana, MCSE-2003/08 | RHCSA | VCP5/6 | vExpert2018, commented:
You already have the solution and you have implemented it. This is a rare scenario, and backups are in place.
Sekar Chinnakannu, Staff Engineer (Author), commented:
My question is why all DCs got impacted, with all files missing, when only the ABC domain controller had the issue. Also, is there any way we can prevent this, and how can we monitor proactively?
Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
The sysvol needs to be replicated to all DCs in the domain.

- To monitor it you can use software like SCOM, write scripts to alert you, or perform manual checks.
- Keep regular backups (as it seems you do) and restore the data if it is deleted or corrupt.

Have you fixed the DC that had the issue?
Lee W, MVP, Technology and Business Process Advisor, commented:
I agree with the previous comments. You have a RARE issue and stopping this replication would be akin to cutting off your arm to stop the pain from a paper cut in your finger.  It's silly and creates FAR WORSE problems.

Monitor your servers' health regularly, pay attention to the event logs, run DCDIAG and REPADMIN regularly and you should be fine.  Replication is the whole point of domain controllers - stopping it causes problems!
Sekar Chinnakannu, Staff Engineer (Author), commented:
Yes, the problematic server is fixed... Any scripts to monitor the SYSVOL on a regular basis?
Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
You should be monitoring the server as a whole. From what you said it was having DFSR issues. So in that case you would monitor the DFSR health. A lot of the issues should show up in the event logs.

But you'll be playing whack-a-mole using this approach. Looking to address and monitor one specific issue is a bad approach. What happens the next time there's a different issue? Implement another regimen to monitor and protect? Soon you'll get an unwieldy management burden and not actually get any benefit from it.

Reviewing the event logs regularly, or implementing monitoring software, and addressing any issues that come up is a much better approach.
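As an added example (not from the thread or any participant), here is the kind of scheduled PowerShell check the two answers above describe: it compares the SYSVOL Policies folder across all DCs, pulls recent DFSR errors from each DC's event log, and then runs the repadmin/dcdiag checks Lee mentions. It assumes the RSAT ActiveDirectory module, a DFSR-replicated SYSVOL (events in the 'DFS Replication' log), rights to read each DC's event log and SYSVOL share, and an assumed 0.8 tolerance for "this DC has far fewer GPO folders than the others".

```powershell
# Added example, not from the thread: daily spot-check of SYSVOL and DFSR health.
# Assumes RSAT ActiveDirectory module, DFSR-based SYSVOL, and read access to each
# DC's event log and SYSVOL share. The 0.8 threshold is an assumed tolerance.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$since  = (Get-Date).AddHours(-24)

$report = foreach ($dc in $dcs) {
    $policies = "\\$dc\SYSVOL\$domain\Policies"
    # Number of GPO folders on this DC; -1 means the path is not reachable at all.
    $gpoDirs = if (Test-Path $policies) {
        @(Get-ChildItem $policies -Directory -ErrorAction SilentlyContinue).Count
    } else { -1 }
    # Critical/error/warning DFSR events in the last 24 hours (none found -> empty).
    $dfsrEvents = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'DFS Replication'; Level = 1,2,3; StartTime = $since })
    [pscustomobject]@{
        DC         = $dc
        GpoDirs    = $gpoDirs
        DfsrIssues = $dfsrEvents.Count
        LastIssue  = if ($dfsrEvents) { ($dfsrEvents[0].Message -split "`r?`n")[0] } else { '' }
    }
}
$report | Format-Table -AutoSize

# Flag the two symptoms from the question: a DC whose Policies folder is missing
# or much smaller than on the other DCs, or a DC that is logging DFSR problems.
$sorted = @($report.GpoDirs | Sort-Object)
$median = $sorted[[int]($sorted.Count / 2)]
$report | Where-Object { $_.GpoDirs -lt ($median * 0.8) -or $_.DfsrIssues -gt 0 } |
    ForEach-Object {
        Write-Warning "Check $($_.DC): GpoDirs=$($_.GpoDirs) DfsrIssues=$($_.DfsrIssues) $($_.LastIssue)"
    }

# The built-in checks mentioned above, run against every DC in the forest.
repadmin /replsummary
dcdiag /e /test:sysvolcheck /test:advertising
```

Run it from a scheduled task on a management host and route the warnings to whatever alerting you already have, so it complements rather than replaces general server monitoring.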

Sekar Chinnakannu, Staff Engineer (Author), commented:
OK, how about keeping the PDC in the data center and a DR Global Catalog, with the other 6 sites having Read Only Domain Controllers... Would this be a good approach? We don't have control in the other 6 sites, as they are managed by different teams.
Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
Maybe but we can't really say. That's a big AD architecture question and would require getting to know your network, management structure, physical layout, security, and business requirements.
Sekar Chinnakannu, Staff Engineer (Author), commented:
I agree, but if I am planning for Read Only Domain Controllers, what are the basic requirements I need to think about? I have full control on the data center side.
Lee W, MVP, Technology and Business Process Advisor, commented:
I've not used Read Only domain controllers as most of my environments aren't suitable.  In general, they are intended for environments where physical security is not possible and allow you to limit the accounts exposed on them.  Before you go planning on using a technology you're not familiar with (unless you are, but if you're asking about stopping replication, I'd guess you're not), you should be doing tests.  REACTIONARY responses to what should again be a rare occurrence will almost certainly not help you and more likely cause you far worse problems in the long term.

You probably need to re-evaluate your security structure.  In one organization I worked for (a multi-national company) the satellite office I worked out of had a domain controller and we had ZERO access to it because we were not domain admins.  Domain Admins were RIGHTLY limited to a few select individuals since those accounts are god-like in AD.  Instead, we had servers - and we had control over those servers, but they were NOT domain controllers.  "Site Local Server Admins" (where site is the NAME of the site) was a group that we were in that had access to all servers on site EXCEPT the domain controllers.  I suggest you step back, contract with an IT security expert or firm, and evaluate what you have and what the best methods of securing your environment are.
Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
Glad to help. :)