In Windows Active Directory 2008+ mode, Distributed File System Replication (DFSR) succeeds the legacy File Replication Service (FRS). This is a doubled edged sword as DFS is both more efficient and prone to replication errors as compared to its predecessor. In ideal circumstances, DFSR enables more robust AD Infrastruture at the trade off of including additional dependencies on domain controllers.
Initial assessment of DC Replication issues could be via the instructions here: https://support.microsoft.com/en-us/help/2958414/dfs-replication-how-to-troubleshoot-missing-sysvol-and-netlogon-shares.
Furthermore, administrators are encouraged to use DFS Management to troubleshoot SYSVOL replication issues.This utility can be added to a Windows machine with this PowerShell command as Administrator:
Install-WindowsFeature FS-DFS-Namespace, FS-DFS-Replication
The troubleshooting steps should include creating Diagnostic Reports and running propagation tests using the above mentioned tool. If there’s any errors, eventvwr.exe should log these incidents (DFS Replication log name).
A last resort method of resolving DFS Replication would be forcing replication from an authoritative DC. It is notable that “Unlike custom DFSR replicated folders, SYSVOL is intentionally protected from any editing through its management interfaces to prevent accidents.” (https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo). To reiterate the instructions from Microsoft, the authoritative sync sequence is:
1. Disable replication
On the PDC, modify the following DN to
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
On ALL other DCs, modify the following DNs to prepare these DCs to accept replication from the PDC
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
2. Test AD replication push from PDC
The expectation here is a true-negative result (due to DFS being disabled) by starting DFSR service on PDC, then run this command:
repadmin /syncall <PDC> /d /e /a /A /P
Validate replication as no longer being active by checking logs for Event ID 4114
3. Re-enable Replication on PDC Emulator
Change DFSR on PDC back to active settings:
Force AD replication push from PDC with the expectation of a true-positive result with this command:
repadmin /syncall <Other DCs> /d /e /a /A /P
Run DFSR Diagnostic on PDC
4. Re-enable Replication on peer DCs
Start DFSR service on other DCs
Change DFSR on other DCs back to active settings
Force AD replication pull from PDC to other DCs
repadmin /syncall <PDC> /d /e /a /A
Run DFSR Diagnostic on other DCs:
Warning: please execute the above procedure with care, especially on Production environments. Here are a few suggestions to mitigate these risks prior to making changes:
- Active Directory Snapshots
- VM Snapshots
- Windows Backup Utility
- 3rd Party Backup Applications such as Veeam, Veritas Backup Exec, Acronis, Ghost Imaging, Macrium, EaseUS etc.