Resolving Active Directory Replication Issues

At the Windows Server 2008 domain functional level or higher, Distributed File System Replication (DFSR) succeeds the legacy File Replication Service (FRS). This is a double-edged sword: DFSR is more efficient than its predecessor, but it is also more prone to replication errors. In ideal circumstances, DFSR enables a more robust AD infrastructure at the cost of additional dependencies on domain controllers.

Initial assessment of DC Replication issues could be via the instructions here: https://support.microsoft.com/en-us/help/2958414/dfs-replication-how-to-troubleshoot-missing-sysvol-and-netlogon-shares.

Furthermore, administrators are encouraged to use DFS Management to troubleshoot SYSVOL replication issues. This utility can be added to a Windows Server machine with the following PowerShell command, run as Administrator:

Install-WindowsFeature RSAT-DFS-Mgmt-Con

Optional components:

Install-WindowsFeature FS-DFS-Namespace, FS-DFS-Replication

The troubleshooting steps should include creating Diagnostic Reports and running propagation tests with the above-mentioned tool. If there are any errors, eventvwr.exe should log these incidents under the DFS Replication log.
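The same diagnostics can be scripted instead of clicked through in DFS Management. The script below is an added example and is not code from the original post or from Microsoft; it uses the DFSR and ActiveDirectory RSAT modules (installed by the feature commands above plus RSAT-AD-PowerShell). "Domain System Volume" is the SYSVOL replication group named in the DN later on this page; the folder name "SYSVOL Share", the report path and the 24-hour lookback are assumptions of this example.

```powershell
# Added example: scripted health report, propagation test and event-log sweep
# for SYSVOL replication. Not from the original post. Assumes the DFSR and
# ActiveDirectory modules and read access to the 'DFS Replication' log on each DC.
#Requires -Modules DFSR, ActiveDirectory
param(
    [string]$ReportPath    = 'C:\DfsrReports',   # assumed output folder
    [int]   $LookbackHours = 24                  # assumed window for the log sweep
)

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator                    # reference member for the reports
$dcs    = (Get-ADDomainController -Filter *).HostName

New-Item -ItemType Directory -Path $ReportPath -Force | Out-Null

# 1. Diagnostic (health) report for the SYSVOL replication group, referenced against the PDC.
Write-DfsrHealthReport -GroupName 'Domain System Volume' -ReferenceComputerName $pdc `
    -MemberComputerName $dcs -Path $ReportPath -CountFiles

# 2. Propagation test: a test file is created in SYSVOL on the PDC and its arrival at
#    every other member is tracked. 'SYSVOL Share' is the built-in folder name (assumption).
Start-DfsrPropagationTest -GroupName 'Domain System Volume' -FolderName 'SYSVOL Share' `
    -ReferenceComputerName $pdc
Start-Sleep -Seconds 300    # give the test file time to replicate before reporting
Write-DfsrPropagationReport -GroupName 'Domain System Volume' -FolderName 'SYSVOL Share' `
    -ReferenceComputerName $pdc -Path $ReportPath

# 3. Recent warnings and errors from the DFS Replication log on every DC
#    (Level 2 = Error, Level 3 = Warning). These are the entries eventvwr.exe would show.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'DFS Replication'; Level = 2, 3; StartTime = $since
    } | Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id, LevelDisplayName, Message
}
$events | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
Write-Host "Reports written to $ReportPath"
```

The HTML reports land in the path given; the event sweep is what you would otherwise read DC by DC in Event Viewer, and is the place to look for the Event ID 4114 entries referenced in the procedure below.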

A last-resort method of resolving DFS Replication problems is forcing replication from an authoritative DC. It is notable that “Unlike custom DFSR replicated folders, SYSVOL is intentionally protected from any editing through its management interfaces to prevent accidents.” (https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo). To reiterate the instructions from Microsoft, the authoritative sync sequence is:

1. Disable replication

Run ADSIEDIT.MSC.

On the PDC, modify the following DN so that:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>

msDFSR-Enabled=FALSE
msDFSR-options=1

On ALL other DCs, modify the following DNs to prepare these DCs to accept replication from the PDC:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>

msDFSR-Enabled=FALSE

2. Test AD replication push from PDC

Start the DFSR service on the PDC, then run the command below. Because DFSR is disabled, the expected result is a true negative (SYSVOL is not replicated):

repadmin /syncall <PDC> /d /e /a /A /P

Validate that SYSVOL replication is no longer active by checking the DFS Replication log for Event ID 4114.

3. Re-enable Replication on PDC Emulator

Change DFSR on PDC back to active settings:

msDFSR-Enabled=TRUE

Force AD replication push from PDC with the expectation of a true-positive result with this command:

repadmin /syncall <Other DCs> /d /e /a /A /P

Run DFSR Diagnostic on PDC:

DFSRDIAG POLLAD

4. Re-enable Replication on peer DCs

Start the DFSR service on the other DCs.

Change DFSR on the other DCs back to active settings:

msDFSR-Enabled=TRUE

Force AD replication pull from PDC to other DCs:

repadmin /syncall <PDC> /d /e /a /A

Run DFSR Diagnostic on other DCs:

DFSRDIAG POLLAD
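The four steps above, carried out from PowerShell instead of ADSIEDIT, as an added example that is not part of the original post or of Microsoft's article. It assumes the ActiveDirectory RSAT module, Domain Admin rights, PowerShell remoting to the DCs, and repadmin.exe and dfsrdiag.exe on the DCs (they ship with the role); the -WhatIf pass and the 30-minute wait are choices of this example. The DN, attribute values, repadmin switches and Event ID 4114 check are the ones quoted above.

```powershell
# Added example: the authoritative SYSVOL sync sequence from the text above, scripted.
# Not code from the original post or from Microsoft. Assumes the ActiveDirectory
# module, Domain Admin rights, PS remoting to each DC, and repadmin/dfsrdiag on the DCs.
# Run once with -WhatIf to see which AD objects would be written before doing it for real.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param([int]$TimeoutMinutes = 30)     # assumed upper bound for waiting on Event 4114

$domain  = Get-ADDomain
$pdc     = $domain.PDCEmulator                  # FQDN of the PDC Emulator
$pdcName = ($pdc -split '\.')[0]                # short name used in the DN
$peers   = (Get-ADDomainController -Filter *).Name | Where-Object { $_ -ne $pdcName }

function Get-SysvolSubscriptionDN ([string]$ServerName) {
    # DN layout exactly as quoted from the KB article above.
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$ServerName,OU=Domain Controllers,$($domain.DistinguishedName)"
}

function Set-SysvolDfsrState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ServerName, [bool]$Enabled, [switch]$Authoritative)
    $dn    = Get-SysvolSubscriptionDN $ServerName
    $attrs = @{ 'msDFSR-Enabled' = $Enabled }
    if ($Authoritative) { $attrs['msDFSR-Options'] = 1 }   # marks the PDC copy authoritative
    if ($PSCmdlet.ShouldProcess($dn, "Set $($attrs.Keys -join ', ')")) {
        # Write against the PDC so every change originates where the procedure says to make it.
        Set-ADObject -Identity $dn -Replace $attrs -Server $pdc
    }
}

function Wait-DfsrEvent ([string]$Computer, [int]$EventId, [datetime]$Since) {
    # Poll the 'DFS Replication' log until the event shows up or the timeout lapses.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -ComputerName $Computer -MaxEvents 1 -ErrorAction SilentlyContinue `
              -FilterHashtable @{ LogName = 'DFS Replication'; Id = $EventId; StartTime = $Since }
        if ($ev) { return $ev }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Event $EventId not seen on $Computer within $TimeoutMinutes minutes; stopping."
}

$start = Get-Date

# Step 1: disable SYSVOL replication everywhere, marking the PDC authoritative.
Set-SysvolDfsrState -ServerName $pdcName -Enabled $false -Authoritative
foreach ($dc in $peers) { Set-SysvolDfsrState -ServerName $dc -Enabled $false }

if ($WhatIfPreference) { return }   # the remaining steps are meaningless without the writes above

# Step 2: start DFSR on the PDC, push AD replication, and confirm the true negative (Event 4114).
Invoke-Command -ComputerName $pdc -ScriptBlock { Start-Service -Name DFSR }
Invoke-Command -ComputerName $pdc -ScriptBlock { repadmin /syncall $env:COMPUTERNAME /d /e /a /A /P }
Wait-DfsrEvent -Computer $pdc -EventId 4114 -Since $start | Out-Null

# Step 3: re-enable on the PDC, push to each peer, then make DFSR on the PDC re-read AD.
Set-SysvolDfsrState -ServerName $pdcName -Enabled $true
foreach ($dc in $peers) {
    Invoke-Command -ComputerName $pdc -ScriptBlock { repadmin /syncall $using:dc /d /e /a /A /P }
}
Invoke-Command -ComputerName $pdc -ScriptBlock { dfsrdiag pollad }

# Step 4: start DFSR on each peer, re-enable it, pull from the PDC (no /P) and poll AD.
foreach ($dc in $peers) {
    Invoke-Command -ComputerName $dc -ScriptBlock { Start-Service -Name DFSR }
    Set-SysvolDfsrState -ServerName $dc -Enabled $true
    Invoke-Command -ComputerName $dc -ScriptBlock { repadmin /syncall $using:pdc /d /e /a /A }
    Invoke-Command -ComputerName $dc -ScriptBlock { dfsrdiag pollad }
}
```

Each AD write goes through ShouldProcess, so `-WhatIf` lists the exact DNs and attributes that would change and `-Confirm` prompts per object; the script refuses to continue past step 2 until Event ID 4114 is actually observed on the PDC, which is the check the text calls for before re-enabling anything.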

Warning: execute the above procedure with care, especially in production environments. A few suggestions to mitigate the risk before making changes:

  • Active Directory Snapshots
  • VM Snapshots
  • Windows Backup Utility
  • 3rd Party Backup Applications such as Veeam, Veritas Backup Exec, Acronis, Ghost Imaging, Macrium, EaseUS etc.
