SYSVOL Replication across D/C's

carlos-holmquist · 2015-08-25T00:12:28.000Z

I am trying to setup some new group policies and noted that they are not replicating between domain controllers. If i look at the sysvol on one domain controller I see there are 16 folders listed and looking at the other D/C i see there are 14 folders listed.

If I am correct these should be identical. It has been an estimated 2 hours since i created the Group policy and these DC’s are at the same physical site.

Does DFS replicate the sysvol folder or what does this?

trelstadtech · 2015-08-25T01:28:37.000Z

It kind of depends on what version of Windows Server you’re running and how it was setup. I’ll usually make a change in ADUC to a user, like add a middle initial to one of the users and see if that replicates. Copied from google:

To force replication over a connection. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. In the console tree, expand Sites, and then expand the site to which you want to force replication from the updated server.

You may also want to run dcdiag and see if that gives you any clues.

carlos-holmquist · 2015-08-25T01:46:50.000Z

Dfs is indicating a dns problem between domain controllers however they can ping each other. To post another question that maybe the problem to the replication …do you use the dns server of itself (if it holds the dns catalog or do you use another dns server has preferred des server?

trelstadtech · 2015-08-25T01:55:26.000Z

I don’t have any servers handy at the moment, but it seems to me I set them up using the IP of the server itself as the primary and the other DC as the secondary. Seems like this sort of problem is usually DNS related.

shanealexander · 2015-08-25T03:01:38.000Z

SysVol replication uses DFS in 2008 or newer domains, FRS used in older.

And note from MS “For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replication. The Group Policy container (GPC), which is stored in the domain, is replicated through Active Directory replication. For Group Policy to be effective, both parts must be available on a domain controller”

Agree with running dcdiag , there are many switches for testing, e.g. dcdiag /test:replications

But definitely running repadmin , again there are many relevant switches, e.g. *Repadmin /replicate (*this forces replication) , Repadmin /queue , Repadmin /replsummary , Repadmin /Showrepl

Some other links below.

Monitoring and Troubleshooting Active Directory Replication Using Repadmin

Troubleshooting Active Directory Replication Problems

shanealexander · 2015-08-25T03:12:01.000Z

Just came across this tool from Microsoft, recently updated.

Active Directory Replication Status Tool

With info below …

The Active Directory Replication Status Tool (ADREPLSTATUS) analyzes the replication status for domain controllers in an Active Directory domain or forest. ADREPLSTATUS displays data in a format that is similar to REPADMIN /SHOWREPL * /CSV imported into Excel but with significant enhancements.
Specific capabilities for this tool include:
• Expose Active Directory replication errors occurring in a domain or forest
• Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
• Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
• Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

carlos-holmquist · 2015-08-25T11:03:49.000Z

The A/D Replication Status Tool indicated everything was fine…This article did the trick though.

This is a cheat sheet on how to fix a new domain controller that does not have the NetLogon or Scripting

folder. Check out the references at bottom for info on it.

For this to work you need 1 working dc (if not the first reference talks about that as well)

This is for a non-authoritative mode restore

On the working DC do the following

To fix the problem, you must designate a domain controller to be authoritative for the Sysvol replica set:

1. Stop the File Replication service on the PDC emulator FSMO role holder.

2. Use the Registry Editor to navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Paramaters\Backup/Restore\Pr

ocess at Startup.

3. Double-click the BurFlags Value Name, a REG_DWORD data type, and set the data value to D4,

using the Hex radix.

4. Exit the Registry Editor.

5. Start the File Replication service.

Then on the non-working DC do the following

1. Stop FRS.

2. Start Registry Editor (Regedt32.exe).

3. Locate and click the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restor

e/Process at Startup

4. On the Edit menu, click Add Value, and then add the following registry value:

Value name: BurFlags

Data type: REG_DWORD

Radix: Hexadecimal

Value data: D2

5. Quit Registry Editor.

6. Restart FRS.

References:

learn.microsoft.com

Use BurFlags to reinitialize File Replication Service (FRS) - Windows Server

This article talks about using the BurFlags registry key to reinitialize FRS.

http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1

psophos · 2015-09-01T10:03:07.000Z

That solution means your DCs are using FRS and not DFS for replication.

If you don’t have any Server 2003 DCs then you need to schedule some time and migrate sysvol replication from FRS to DFSR.

learn.microsoft.com

Ask the Directory Services Team

learn.microsoft.com