I had 2 Domain controllers that stopped replicating their SYSVOL to each other. These are some of the commands used to understand what is happening and then to get it working again.
Learnings
- Edit your Group Policies on the PDC / Operations Master (see the
netdom query fsmo) to figure out which DC is the PDC - You can quickly check if your replication is working by viewing the contents of the policies folder on each of the domain controller and sorting by Date Modified descending new policies will show up on all domain controllers if DFSR is working.
- If new Group Policies you create don't appear on each DC's SYSVOL Share you have a SYSVOL sync problem.
What is the current SYSVOL replication state of the domain controllers in the domain?
Run this command before you attempt to promote a new Domain Controller and make sure the current domain controllers are showing state 4.
1 | For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state |
Healthy replication state 4 = Normal.
1 2 3 4 5 6 7 8 9 10 11 | DC01ReplicatedFolderName ReplicationGroupName StateSYSVOL Share Domain System Volume 4DC02ReplicatedFolderName ReplicationGroupName StateSYSVOL Share Domain System Volume 4DC03ReplicatedFolderName ReplicationGroupName StateSYSVOL Share Domain System Volume 4 |
What you might see when your SYSVOLS are out of synch and they refuse to replicate
I had to demote a new DC, run an authoratative synchronization (see below) and re promote it because I promoted it while the SYSVOLS synch status of the other two DC's were in state 2.
Your newly promoted DC won't be able to replicate SYSVOL and create the NETLOGON and SYSVOL Shares if it can't replicate from the current DC's
Possible replications states are
- 0: Uninitialized
- 1: Initialized
- 2: Initial synchronization
- 3: Auto recovery
- 4: Normal
- 5: In error state
- 6: Disabled
- 7: Unknown
How to view the Sysvol DFSR Backlog between servers
There should be no or just the very latest Group policy files still waiting to replicate as output. If you have good connections to your DC's and simple replication structure no output is expected.
Command line using dfsrdiag
1 | Get-DfsrBacklog -SourceComputerName DC01 -DestinationComputerName DC03 -RgName "Domain System Volume" -RfName "SYSVOL Share" |
Run an Authoritative Synchronization to get the replication state back to 4
If the Sysvol on your PDC has all its SYSVOL login scripts and policies and you just want to push them to all your other DC's you will need to follow "How to perform an authoritative synchronization of DFSR-replicated sysvol replication (like D4 for FRS)"
Before doing this take a backup copy of C:\Windows\SYSVOL or wherever your sysvols are on each domain controller.
See the current replication status
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | repadmin /replsummaryReplication Summary Start Time: 2023-10-31 11:33:56Beginning data collection for replication summary, this may take awhile: ......Source DSA largest delta fails/total %% error DC01 46m:03s 0 / 10 0 DC02 46m:03s 0 / 10 0 DC03 38m:53s 0 / 10 0Destination DSA largest delta fails/total %% error DC01 34m:01s 0 / 10 0 DC02 38m:53s 0 / 10 0 DC03 46m:03s 0 / 10 0 |
Replication status with more detail
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | repadmin /showreplRepadmin: running command /showrepl against full DC localhostAzure\DC03DSA Options: IS_GCSite Options: (none)DSA object GUID: 0cc2f0d6-7711-4e6d-b27b-0484e54a51f4DSA invocationID: 624cf2c5-3689-4a8e-8c50-d7e7eca7cde2==== INBOUND NEIGHBORS ======================================DC=TOGGEN,DC=LOCAL Azure\DC02 via RPC DSA object GUID: 6e27820c-a290-40d2-8caf-d00f991a0360 Last attempt @ 2023-10-31 11:34:34 was successful. Azure\DC01 via RPC DSA object GUID: 1a62bae0-0f6a-41d2-ba0d-ebb0c835d210 Last attempt @ 2023-10-31 11:35:28 was successful.CN=Configuration,DC=TOGGEN,DC=LOCAL Azure\DC02 via RPC DSA object GUID: 6e27820c-a290-40d2-8caf-d00f991a0360 Last attempt @ 2023-10-31 10:47:53 was successful. Azure\DC01 via RPC DSA object GUID: 1a62bae0-0f6a-41d2-ba0d-ebb0c835d210 Last attempt @ 2023-10-31 10:47:53 was successful.CN=Schema,CN=Configuration,DC=TOGGEN,DC=LOCAL Azure\DC02 via RPC DSA object GUID: 6e27820c-a290-40d2-8caf-d00f991a0360 Last attempt @ 2023-10-31 10:47:53 was successful. Azure\DC01 via RPC DSA object GUID: 1a62bae0-0f6a-41d2-ba0d-ebb0c835d210 Last attempt @ 2023-10-31 10:47:53 was successful.DC=DomainDnsZones,DC=TOGGEN,DC=LOCAL Azure\DC01 via RPC DSA object GUID: 1a62bae0-0f6a-41d2-ba0d-ebb0c835d210 Last attempt @ 2023-10-31 10:47:53 was successful. Azure\DC02 via RPC DSA object GUID: 6e27820c-a290-40d2-8caf-d00f991a0360 Last attempt @ 2023-10-31 10:47:53 was successful.DC=ForestDnsZones,DC=TOGGEN,DC=LOCAL Azure\DC02 via RPC DSA object GUID: 6e27820c-a290-40d2-8caf-d00f991a0360 Last attempt @ 2023-10-31 10:47:53 was successful. Azure\DC01 via RPC DSA object GUID: 1a62bae0-0f6a-41d2-ba0d-ebb0c835d210 Last attempt @ 2023-10-31 10:47:53 was successful. |
Force Replication of Domain Controllers
1 | repadmin /syncall /AdeP |
Which domain controller holds the FSMO (Flexible single master of operations) Roles
1 | netdom query fsmo |
Output
1 2 3 4 5 6 | Schema master DC01.TOGGEN.LOCALDomain naming master DC01.TOGGEN.LOCALPDC DC01.TOGGEN.LOCALRID pool manager DC01.TOGGEN.LOCALInfrastructure master DC01.TOGGEN.LOCALThe command completed successfully. |
View a list of installed HotFixes or KB patches
1 | wmic qfe list |
0 Comments