Prevent Active Directory SYSVOL Replication

Sekar Chinnakannu
Globally we have around 8 AD servers. Last week, all of a sudden, one of our ABC domain controllers got a drive issue on the drive where SYSVOL is stored. The problem is that after several hours all the scripts and GPO folders went missing on the other 7 domain controllers, while the ABC DC still had all the folders; we also noticed a lot of DFS errors and disk block errors on the D drive of the ABC domain controller. To fix the issue I shut down the ABC DC and restored SYSVOL from backup.

I need help with how we can prevent this type of issue, where one specific DC has a problem and it impacts all the other domain controllers, with all GPOs and scripts missing from SYSVOL, which causes a major issue. All 8 of our servers are global catalog servers.

Ajay Chanana, MCSE-2003/08 | RHCSA | VCP5/6 | vExpert2018
Distinguished Expert 2017
Commented:
You already have the solution and you have implemented it. This is a rare scenario, and the backups are in place.

Author

Commented:
My question is why all DCs got impacted and all files went missing when only the ABC domain controller had the issue. Also, is there any way we can prevent this, and how can we monitor it proactively?
Jeremy Weisinger, Senior Network Consultant / Engineer
Commented:
The sysvol needs to be replicated to all DCs in the domain.

- To monitor it you can use software like SCOM, write scripts to alert you, or perform manual checks.
- Keep regular backups (as it seems you do) and restore the data if it is deleted or corrupt.

Have you fixed the DC that had the issue?
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013
Commented:
I agree with the previous comments. You have a RARE issue and stopping this replication would be akin to cutting off your arm to stop the pain from a paper cut in your finger.  It's silly and creates FAR WORSE problems.

Monitor your servers health regularly, pay attention to the event logs, run DCDIAG and REPADMIN regularly and you should be fine.  Replication is the whole point of domain controllers - stopping it causes problems!

Author

Commented:
Yes, the problematic server is fixed... any scripts to monitor SYSVOL on a regular basis?
Senior Network Consultant / Engineer
Commented:
You should be monitoring the server as a whole. From what you said it was having DFSR issues. So in that case you would monitor the DFSR health. A lot of the issues should show up in the event logs.

But you'll be playing whack-a-mole using this approach. Looking to address and monitor one specific issue is a bad approach. What happens the next time there's a different issue? Implement another regimen to monitor and protect? Soon you'll get an unwieldy management burden and not actually get any benefit from it.

Reviewing the event logs regularly or implementing a monitoring software and address any issues that come up is a much better approach.
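The two answers above recommend checking DFSR health, reviewing the DFS Replication event log, and running REPADMIN and DCDIAG regularly. The following PowerShell script is an added example, written by the editor and not posted by any participant in this thread, that rolls those checks into one scheduled job across every DC in the domain and exits non-zero when something needs attention, so it can feed a scheduled task, SCOM script monitor or e-mail alert. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read remote event logs and the root\MicrosoftDFS WMI namespace on each DC, and that SYSVOL is replicated by DFSR rather than FRS; the 24-hour look-back window is an arbitrary choice.

```powershell
<#
  Added example: scheduled SYSVOL replication health check for all DCs in the domain.
  Assumptions: ActiveDirectory module present, remote event log / WMI access to each DC,
  SYSVOL on DFSR (replicated folder name 'SYSVOL Share'). Not code from the original thread.
#>
Import-Module ActiveDirectory

$domain    = (Get-ADDomain).DNSRoot
$dcs       = (Get-ADDomainController -Filter *).HostName | Sort-Object
$lookback  = (Get-Date).AddHours(-24)        # arbitrary window for event log review
$problems  = New-Object System.Collections.Generic.List[string]
$gpoCounts = @{}

# State values of the DfsrReplicatedFolderInfo class in root\MicrosoftDFS
$dfsrState = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
                3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }

foreach ($dc in $dcs) {
    # 1. DFSR state of the SYSVOL replicated folder. Anything but 'Normal' means
    #    this DC is not exchanging SYSVOL changes with its partners.
    try {
        $folders = Get-WmiObject -ComputerName $dc -Namespace 'root\MicrosoftDFS' `
                                 -Class DfsrReplicatedFolderInfo -ErrorAction Stop
        $sysvol  = $folders | Where-Object { $_.ReplicatedFolderName -eq 'SYSVOL Share' }
        if (-not $sysvol) {
            $problems.Add("$dc : no DFSR replicated folder 'SYSVOL Share' (SYSVOL still on FRS?)")
        } elseif ([int]$sysvol.State -ne 4) {
            $problems.Add("$dc : SYSVOL DFSR state is '$($dfsrState[[int]$sysvol.State])', expected 'Normal'")
        }
    } catch {
        $problems.Add("$dc : cannot query DFSR via WMI - $($_.Exception.Message)")
    }

    # 2. Warnings and errors in the DFS Replication log. Event 2213 (database not shut
    #    down cleanly, replication stopped) and 4012 (folder offline longer than
    #    MaxOfflineTimeInDays) are the ones that silently halt SYSVOL replication.
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                      LogName = 'DFS Replication'; Level = 1, 2, 3; StartTime = $lookback }
        foreach ($e in $events) {
            $flag = if (@(2213, 4012) -contains $e.Id) { 'CRITICAL' } else { 'warn' }
            $first = ($e.Message -split "`n")[0]
            $problems.Add("$dc : [$flag] DFSR event $($e.Id) at $($e.TimeCreated): $first")
        }
    } catch {
        # Get-WinEvent raises an error when nothing matches; only report real failures
        if ($_.Exception.Message -notmatch 'No events were found') {
            $problems.Add("$dc : cannot read DFS Replication log - $($_.Exception.Message)")
        }
    }

    # 3. Count the GPO folders each DC actually serves over its SYSVOL share. A DC whose
    #    count differs from the others is lagging or has lost content, which is exactly
    #    the symptom described in the question.
    try {
        $gpoCounts[$dc] = (Get-ChildItem -Path "\\$dc\SYSVOL\$domain\Policies" -Directory -ErrorAction Stop).Count
    } catch {
        $gpoCounts[$dc] = -1
        $problems.Add("$dc : SYSVOL share not reachable - $($_.Exception.Message)")
    }

    # 4. dcdiag SysVolCheck / Advertising against this DC
    $diag = & dcdiag.exe /s:$dc /test:sysvolcheck /test:advertising 2>&1 | Out-String
    if ($diag -match 'failed test') {
        $problems.Add("$dc : dcdiag reported a failed test (run 'dcdiag /s:$dc /v' for details)")
    }
}

if (($gpoCounts.Values | Sort-Object -Unique).Count -gt 1) {
    $detail = ($gpoCounts.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    $problems.Add("GPO folder counts differ between DCs: $detail")
}

# 5. AD replication partners with outstanding failures, from repadmin's CSV output
$repl = & repadmin.exe /showrepl * /csv 2>&1 | ConvertFrom-Csv
foreach ($row in ($repl | Where-Object { [int]$_.'Number of Failures' -gt 0 })) {
    $problems.Add("$($row.'Destination DSA') <- $($row.'Source DSA') ($($row.'Naming Context')): " +
                  "$($row.'Number of Failures') failures, last status $($row.'Last Failure Status')")
}

if ($problems.Count -eq 0) {
    Write-Output "SYSVOL replication healthy on all $($dcs.Count) DCs ($domain)"
    exit 0
}
$problems | ForEach-Object { Write-Output $_ }
exit 1
```

Run it from a management host as a scheduled task (for example hourly) and alert on the non-zero exit code or on the captured output. The GPO folder count comparison is deliberately crude: it will not catch a single changed file, but it would have flagged the situation in the question, where seven DCs lost their Policies folders while one kept them, long before users noticed missing Group Policy.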

Author

Commented:
OK, how about keeping the PDC in the data center and a DR global catalog, with the other 6 sites running read-only domain controllers... Will this be a good approach? Because we don't have control over the other 6 sites, as they are managed by different teams.
Jeremy Weisinger, Senior Network Consultant / Engineer

Commented:
Maybe but we can't really say. That's a big AD architecture question and would require getting to know your network, management structure, physical layout, security, and business requirements.

Author

Commented:
I agree, but if I am planning for read-only domain controllers, what are the basic requirements I need to think about for the same? I have full control on the data center side.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013
Commented:
I've not used Read Only domain controllers as most of my environments aren't suitable.  In general, they are intended for environments where physical security is not possible and allow you to limit the accounts exposed on them.  Before you go planning on using a technology you're not familiar with (unless you are, but if you're asking about stopping replication, I'd guess you're not), you should be doing tests.  REACTIONARY responses to what should again be a rare occurrence will almost certainly not help you and more likely cause you far worse problems in the long term.

You probably need to re-evaluate your security structure.  In one organization I worked for (a multi-national company) the satellite office I worked out of had a domain controller and we had ZERO access to it because we were not domain admins.  Domain Admins were RIGHTLY limited to a few select individuals since those accounts are god-like in AD.  Instead, we had servers - and we had control over those servers, but they were NOT domain controllers.  "Site Local Server Admins" (where site is the NAME of the site) was a group that we were in that had access to all servers on site EXCEPT the domain controllers.  I suggest you step back, contract with an IT security expert or firm, and evaluate what you have and what the best methods of securing your environment are.
Jeremy Weisinger, Senior Network Consultant / Engineer

Commented:
Glad to help. :)
