You may experience problems with domain controllers where SYSVOL is not replicating properly and you receive the following error:

The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 90 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.

In server 2012R2 and above, this can be fixed by performing a D2/D4 Restore. identify the server that has the most recent ADDS data, this will be the authorative server. The rest of the DC’s will be non-authorative servers.

To begin, stop the DFS replication service on all domain controllers and set the startup type to manual using the services.msc command to open the services console.

image

Once the services have been stopped, navigate to the most current DC that you want to make authorative (usually the PDC or the server you have been using to add ADDS policies to) and run the command adsiedit.msc to open the ADSI editing tool. From the action menu select connect to and then default domain.

image

Navigate to the following container (follow it in reverse) and edit the server that will be designated as the authorative server.

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>

image

Then right click and select the container’s properties:

image

Set the following attributes:

msDFSR-Enabled=FALSE
msDFSR-options=1

image

Now we need to run adsiedit.msc all the other DCs and set them to non-autorative. To do this, follow these steps on all other DCs:

First run adsiedit.msc from a command prompt and connect to the default domain as we did previously. Locate the following container:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>

Set the following attribute on all non-authorative DCs.

msDFSR-Enabled=FALSE

image

Once you have finished setting the attributes on all the non-authorative DCs, we will need to go back and start the DFSR service on the authorative server.

image

Look in the DFSR Event log and make sure you see event ID 4114.

image

Once you have verified that event 4114 has occurred, change the msDFSR-Enabled attribute on the authorative server back to msDFSR-Enabled=TRUE.

image

Force replication on all DCs by running the following command from an elevated command prompt:

DFSRDIAG /POLLAD

If the server does not recognize the command, don’t worry. Follow these instructions to install RSAT tools and enable the command.

image

And start the DFSR service on the authorative server.

Look for event 4602 in the DFSR event log. This indicates that the server SYSVOL has initialized and that this is the new authorative DC from where all other DCs will copy their SYSVOL data from.

image

Once you have verified that event 4602 has occurred, designating it as the authorative server it’s time to revisit the non-authorative DCs.

On each of the remaining non-authorative DCs, follow these steps:

Use adsiedit.msc to change the following attribute:

msDFSR-Enabled=TRUE

image

Start the DFSR replication service.

image

Run the DFSRDIAG POLLAD command.

image

Look for event ID 4604 indicating successful replication.

image

Lastly, set the DFSR replication service back to start automatically on all DC’s.

image

Leave a comment

Your email address will not be published.