I had 2 Domain controllers that stopped replicating their SYSVOL to each other. These are some of the commands used to understand what is happening and then to get it working again.
Learnings
- Edit your Group Policies on the PDC / Operations Master (run netdom query fsmo, shown below, to find out which DC holds the PDC role).
- You can quickly check whether replication is working by viewing the contents of the Policies folder in SYSVOL on each domain controller and sorting by Date Modified descending; new policies will show up on all domain controllers if DFSR is working.
- If new Group Policies you create don't appear in each DC's SYSVOL share, you have a SYSVOL sync problem.
What is the current SYSVOL replication state of the domain controllers in the domain?
Run this command before you attempt to promote a new Domain Controller and make sure the current domain controllers are showing state 4.
For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state
Healthy replication state 4 = Normal.
DC01
ReplicatedFolderName ReplicationGroupName State
SYSVOL Share Domain System Volume 4
DC02
ReplicatedFolderName ReplicationGroupName State
SYSVOL Share Domain System Volume 4
DC03
ReplicatedFolderName ReplicationGroupName State
SYSVOL Share Domain System Volume 4
What you might see when your SYSVOLs are out of sync and they refuse to replicate
I had to demote a new DC, run an authoritative synchronization (see below) and re-promote it, because I had promoted it while the SYSVOL sync status of the other two DCs was in state 2.
Your newly promoted DC won't be able to replicate SYSVOL and create the NETLOGON and SYSVOL shares if it can't replicate from the current DCs.
Possible replication states (the State value returned by the command above) are:
- 0: Uninitialized
- 1: Initialized
- 2: Initial synchronization
- 3: Auto recovery
- 4: Normal
- 5: In error state
- 6: Disabled
- 7: Unknown
How to view the Sysvol DFSR Backlog between servers
The output should list no files, or only the very latest Group Policy files that are still waiting to replicate. With good connections between your DCs and a simple replication topology, no output is expected.
Command line (the PowerShell Get-DfsrBacklog cmdlet from the DFSR module; dfsrdiag backlog is the older equivalent)
Get-DfsrBacklog -SourceComputerName DC01 -DestinationComputerName DC03 -RgName "Domain System Volume" -RfName "SYSVOL Share"
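The state check and the backlog check above are run one DC or one pair at a time. The following script is an added example (not from the original post) that does both in one pass: it reads the DfsrReplicatedFolderInfo state of every DC, names the state using the table above, flags anything that is not 4, and then lists the backlog between every ordered pair of DCs. It assumes a DFSR-based SYSVOL (not FRS), that the RSAT ActiveDirectory and DFSR PowerShell modules are installed, that CIM/WinRM is reachable on each DC, and that it is run from an elevated domain prompt.

```powershell
# Added example, not from the original post: report the DFSR SYSVOL state of every
# DC and the backlog between every ordered pair of DCs.
# Assumptions: DFSR-based SYSVOL, RSAT ActiveDirectory + DFSR modules installed,
# CIM/WinRM reachable on each DC, run from an elevated domain prompt.
Import-Module ActiveDirectory
Import-Module DFSR

# State codes of the DfsrReplicatedFolderInfo WMI class (the list from the post)
$StateName = @{
    0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial synchronization'
    3 = 'Auto recovery';  4 = 'Normal';      5 = 'In error state'
    6 = 'Disabled';       7 = 'Unknown'
}

$dcs = (Get-ADDomainController -Filter *).HostName | Sort-Object

Write-Host '== SYSVOL replicated folder state (4 = Normal is healthy) =='
$notHealthy = @()
foreach ($dc in $dcs) {
    try {
        $info = Get-CimInstance -ComputerName $dc -Namespace 'root\microsoftdfs' `
                    -ClassName DfsrReplicatedFolderInfo `
                    -Filter "ReplicatedFolderName='SYSVOL Share'" -ErrorAction Stop
        if (-not $info) {
            # No DFSR SYSVOL folder at all: the domain may still use FRS, or DFSR
            # was never configured on this DC. Either way it is not healthy DFSR.
            Write-Host ('WARN  {0,-28} no "SYSVOL Share" replicated folder found' -f $dc)
            $notHealthy += $dc
            continue
        }
        $state = [int]$info.State
        if ($state -ne 4) { $notHealthy += $dc }
        $tag = if ($state -eq 4) { 'OK   ' } else { 'WARN ' }
        Write-Host ('{0} {1,-28} state {2} ({3})' -f $tag, $dc, $state, $StateName[$state])
    } catch {
        Write-Host ('ERROR {0,-28} {1}' -f $dc, $_.Exception.Message)
        $notHealthy += $dc
    }
}

Write-Host "`n== SYSVOL backlog per ordered pair (no output is the expected result) =="
foreach ($src in $dcs) {
    foreach ($dst in $dcs) {
        if ($src -eq $dst) { continue }
        # Get-DfsrBacklog returns the waiting file records (at most the first 100),
        # so a count of 100 means "100 or more".
        $files = @(Get-DfsrBacklog -SourceComputerName $src -DestinationComputerName $dst `
                     -RgName 'Domain System Volume' -RfName 'SYSVOL Share' `
                     -ErrorAction SilentlyContinue)
        if ($files.Count -gt 0) {
            Write-Host ('{0} -> {1}: {2} file(s) waiting' -f $src, $dst, $files.Count)
            $files | Select-Object -First 5 | ForEach-Object { Write-Host ('    ' + $_.FullPathName) }
        }
    }
}

if ($notHealthy.Count -eq 0) {
    Write-Host "`nAll $($dcs.Count) DCs report state 4; safe to promote a new DC."
} else {
    Write-Host "`nDo not promote a new DC until these are back in state 4: $($notHealthy -join ', ')"
}
```

A DC reported as WARN with state 2 is exactly the situation described in the previous section: promoting another DC against it will leave the new DC without its SYSVOL and NETLOGON shares.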
Run an Authoritative Synchronization to get the replication state back to 4
If the SYSVOL on your PDC has all its login scripts and policies and you just want to push them to all your other DCs, follow Microsoft's "How to perform an authoritative synchronization of DFSR-replicated sysvol replication (like D4 for FRS)".
Before doing this, take a backup copy of C:\Windows\SYSVOL (or wherever your SYSVOL is located) on each domain controller.
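The backup step above is easy to skip for one DC out of three. This added example (not from the original post) copies SYSVOL from every DC with robocopy before the authoritative synchronization, and provides a check to run afterwards that each DC again publishes the SYSVOL and NETLOGON shares, which is what a DC that never completed initial sync fails to do. It assumes SYSVOL is at the default C:\Windows\SYSVOL on each DC, that the C$ admin share and SMB/CIM are reachable, and that $BackupRoot (a placeholder path) has enough space.

```powershell
# Added example, not from the original post: back up SYSVOL from every DC before
# an authoritative DFSR sync, then verify the SYSVOL/NETLOGON shares afterwards.
# Assumptions: default SYSVOL path C:\Windows\SYSVOL, C$ admin share and SMB/CIM
# reachable on each DC, $BackupRoot is a placeholder local path with free space.
Import-Module ActiveDirectory

$BackupRoot = 'D:\SYSVOL-backup'        # assumed destination, adjust to your environment
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$dcs        = (Get-ADDomainController -Filter *).HostName | Sort-Object

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

foreach ($dc in $dcs) {
    $source = "\\$dc\C$\Windows\SYSVOL"
    $dest   = Join-Path $BackupRoot "$dc-$Stamp"
    # /E copies subfolders, /COPYALL keeps ACLs and owners (policies depend on them),
    # /XJ skips the junction points inside SYSVOL so nothing is copied twice or loops.
    robocopy $source $dest /E /COPYALL /XJ /R:2 /W:5 /NP /LOG+:"$BackupRoot\robocopy-$Stamp.log" | Out-Null
    # robocopy exit codes 0-7 are success (possibly with extra or skipped files); 8+ means errors
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy reported errors copying SYSVOL from $dc (exit code $LASTEXITCODE); check the log before continuing"
    } else {
        Write-Host "Backed up $source to $dest"
    }
}

# Run this after the authoritative sync has finished and every DC is back in state 4.
# Each DC must publish both shares again; a DC that never finished initial sync will not.
function Test-SysvolShares {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        try {
            $names   = (Get-SmbShare -CimSession $dc -ErrorAction Stop).Name
            $missing = @('SYSVOL', 'NETLOGON') | Where-Object { $_ -notin $names }
            [pscustomobject]@{
                DC       = $dc
                SYSVOL   = ('SYSVOL'   -in $names)
                NETLOGON = ('NETLOGON' -in $names)
                Status   = if ($missing) { 'MISSING: ' + ($missing -join ', ') } else { 'OK' }
            }
        } catch {
            [pscustomobject]@{ DC = $dc; SYSVOL = $false; NETLOGON = $false; Status = 'ERROR: ' + $_.Exception.Message }
        }
    }
}

Test-SysvolShares -DomainControllers $dcs | Format-Table -AutoSize
```

Keep the backup copies until the new Group Policies have been confirmed on every DC (the Date Modified check from the Learnings section); the robocopy log records any file that could not be read so you know what the copy does not cover.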
See the current replication status
repadmin /replsummary
Replication Summary Start Time: 2023-10-31 11:33:56
Beginning data collection for replication summary, this may take awhile:
......
Source DSA largest delta fails/total %% error
DC01 46m:03s 0 / 10 0
DC02 46m:03s 0 / 10 0
DC03 38m:53s 0 / 10 0
Destination DSA largest delta fails/total %% error
DC01 34m:01s 0 / 10 0
DC02 38m:53s 0 / 10 0
DC03 46m:03s 0 / 10 0
Replication status with more detail
repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Azure\DC03
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 0cc2f0d6-7711-4e6d-b27b-0484e54a51f4
DSA invocationID: 624cf2c5-3689-4a8e-8c50-d7e7eca7cde2
==== INBOUND NEIGHBORS ======================================
DC=TOGGEN,DC=LOCAL
Azure\DC02 via RPC
DSA object GUID: 6e27820c-a290-40d2-8caf-d00f991a0360
Last attempt @ 2023-10-31 11:34:34 was successful.
Azure\DC01 via RPC
DSA object GUID: 1a62bae0-0f6a-41d2-ba0d-ebb0c835d210
Last attempt @ 2023-10-31 11:35:28 was successful.
CN=Configuration,DC=TOGGEN,DC=LOCAL
Azure\DC02 via RPC
DSA object GUID: 6e27820c-a290-40d2-8caf-d00f991a0360
Last attempt @ 2023-10-31 10:47:53 was successful.
Azure\DC01 via RPC
DSA object GUID: 1a62bae0-0f6a-41d2-ba0d-ebb0c835d210
Last attempt @ 2023-10-31 10:47:53 was successful.
CN=Schema,CN=Configuration,DC=TOGGEN,DC=LOCAL
Azure\DC02 via RPC
DSA object GUID: 6e27820c-a290-40d2-8caf-d00f991a0360
Last attempt @ 2023-10-31 10:47:53 was successful.
Azure\DC01 via RPC
DSA object GUID: 1a62bae0-0f6a-41d2-ba0d-ebb0c835d210
Last attempt @ 2023-10-31 10:47:53 was successful.
DC=DomainDnsZones,DC=TOGGEN,DC=LOCAL
Azure\DC01 via RPC
DSA object GUID: 1a62bae0-0f6a-41d2-ba0d-ebb0c835d210
Last attempt @ 2023-10-31 10:47:53 was successful.
Azure\DC02 via RPC
DSA object GUID: 6e27820c-a290-40d2-8caf-d00f991a0360
Last attempt @ 2023-10-31 10:47:53 was successful.
DC=ForestDnsZones,DC=TOGGEN,DC=LOCAL
Azure\DC02 via RPC
DSA object GUID: 6e27820c-a290-40d2-8caf-d00f991a0360
Last attempt @ 2023-10-31 10:47:53 was successful.
Azure\DC01 via RPC
DSA object GUID: 1a62bae0-0f6a-41d2-ba0d-ebb0c835d210
Last attempt @ 2023-10-31 10:47:53 was successful.
Force Replication of Domain Controllers
repadmin /syncall /AdeP
Which domain controller holds the FSMO (Flexible Single Master Operations) roles
netdom query fsmo
Output
Schema master DC01.TOGGEN.LOCAL
Domain naming master DC01.TOGGEN.LOCAL
PDC DC01.TOGGEN.LOCAL
RID pool manager DC01.TOGGEN.LOCAL
Infrastructure master DC01.TOGGEN.LOCAL
The command completed successfully.
View a list of installed HotFixes or KB patches
wmic qfe list