Authoritative SYSVOL restore (DFS-R)
In my previous article, Non-authoritative SYSVOL restore (DFS-R), I showed you how to do a
non-authoritative restore of SYSVOL based on DFS Replication. Today it is time to do an authoritative
SYSVOL restore, which you need if you have a bigger mess in your domain or if you need to restore
SYSVOL from backup and replicate it to the other Domain Controllers.
This action affects all of your Domain Controllers in the entire domain. In the first case (non-authoritative) you only touch SYSVOL on one DC at a time; the rest of your Domain Controllers
keep running and sharing SYSVOL for users.
The second case (authoritative) is much more visible to users. While it is in progress, none of the
Domain Controllers run and share SYSVOL, where Group Policies and logon scripts are located. When you
decide to do an authoritative SYSVOL restore, you need to inform all administrators not to create or modify
Group Policies during that time. All other domain services keep running except access to SYSVOL, so this
action should be performed outside of office business hours.
How to start authoritative SYSVOL restore? What do you need to do first?
You should identify which Domain Controller is holding the PDC Emulator operation master role. As you
know, one of its functions is to manage and maintain GPOs. When you create or modify an existing
GPO, it is done directly on this Domain Controller.
If you need to restore SYSVOL from backup, it should also be done directly on the PDC Emulator
operation master role holder, from which you will initiate the authoritative SYSVOL restore.
So, let's see how we can do that.
Log on to the PDC Emulator FSMO role holder. If you do not know which Domain Controller holds this
role, run in an elevated command-line on any of your DCs
netdom query fsmo
Finding PDC Emulator role holder
or type in PowerShell (Windows Server 2012/2012R2)
Import-Module ActiveDirectory
Get-ADDomain | Select PDCEmulator
Finding PDC Emulator role holder
and you'll see which DC is holding this role.
When you are logged on to this Domain Controller, you need to evaluate how many DCs are in your
domain. The simplest way to check that is using the Microsoft DS tools on a DC. Type in command-line
dsquery server -name * -limit 0 | dsget server -dnsname | find /v "dnsname" | find /v "dsget" > c:[Link]
Collecting all Domain Controllers in a domain
or type in PowerShell (Windows Server 2012/2012R2)
Import-Module ActiveDirectory
Get-ADDomainController -Filter * | Select Name | Out-File c:[Link]
Collecting all Domain Controllers in a domain
After you ran this command, you should find a text file named [Link] on your DC's C: drive. Check its content; it lists all Domain Controllers in your domain.
Full list of Domain Controllers
On all of those Domain Controllers except the PDC Emulator holder, you have to perform a non-authoritative SYSVOL restore. But let's start step by step.
You should initiate the authoritative SYSVOL restore from the DC with the PDC Emulator role. If you need to
restore SYSVOL from backup, do it before you initiate the restore.
First of all, stop the DFS Replication service. Type in elevated command-line
net stop DFSR
Stopping DFS Replication service
or in PowerShell
Stop-Service DFSR
or
Stop-Service "DFS Replication"
Stopping DFS Replication service
Important! All services relying on DFS Replication service will be affected!
Now, run ADSI Editor ([Link]) on the Domain Controller on which you want to initiate the authoritative SYSVOL restore. Type in the run box
[Link]
Running ADSI Editor
Connect to the domain partition (Default Naming Context). Click the right mouse button (RMB) on the root
node in the console and select Connect to
Connecting to Default Naming Context
select a well-known Naming Context and choose Default Naming Context
Selecting Naming Context
Expand the location below by clicking on each node within the console
Default Naming Context > DC=domain,DC=local > OU=Domain Controllers >
CN=Domain Controller name > CN=DFSR-LocalSettings > Domain System Volume
where DC=domain,DC=local is the distinguished name of your domain and CN=Domain Controller
name is the DC name of the PDC Emulator role holder on which you want to initiate the authoritative SYSVOL
restore.
Searching SYSVOL subscription node
and select the CN=SYSVOL Subscription entry by RMB in the right pane, then choose Properties
Editing SYSVOL subscription entry
This time you need to change the values of two attributes
msDFSR-Enabled
msDFSR-Options
Search for them on the list and edit
msDFSR-Enabled attribute edition
Change its state from TRUE to FALSE and accept the change
Modification of msDFSR-Enabled attribute
and accept changes to be applied
Accept attributes changes
Now, search for the second attribute, msDFSR-Options, and edit it
msDFSR-Options attribute edition
Change its state from not set to 1 and accept the change
Modification of msDFSR-Options attribute
and accept changes to be applied (do not close window, you will use it later)
Accept attributes changes
REPETITIVE TASK
Now, on each of the remaining Domain Controllers you need to change the msDFSR-Enabled attribute state
from TRUE to FALSE, so that they initiate replication from the authoritative Domain Controller holding SYSVOL. This
does not need to be done directly on those Domain Controllers; you can use ADSI Editor on the same DC on
which you changed the previous attributes. But it is important to do it for every remaining DC!
Below you can find all required steps. You need to repeat them on the rest of the Domain Controllers.
In ADSI Editor on the Domain Controller where you changed the previous attributes, close the Attribute
Editor window and go back to the console. Expand each DC to set the msDFSR-Enabled attribute
Changing SYSVOL subscription of the rest of Domain Controllers
Search for the attribute
msDFSR-Enabled attribute edition
and edit it, changing TRUE to FALSE
Modification of msDFSR-Enabled attribute
and click OK to accept changes
Modify attribute and accept changes
and stop the DFS Replication service on the remote DC. Repeat these steps for EVERY remaining Domain
Controller.
END OF REPETITIVE TASK
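The same attribute changes (msDFSR-Enabled and msDFSR-Options on the PDC Emulator, then msDFSR-Enabled on every other DC) can be made with the ActiveDirectory module instead of clicking through ADSI Edit. This is an added example and not the article's own procedure; it assumes the RSAT AD PowerShell module, a Domain Admin session on the PDC Emulator, and that DFSR is already stopped on every DC as described above.

```powershell
# Added example, not from the original article: sets the SYSVOL Subscription
# attributes with the ActiveDirectory module instead of ADSI Edit.
# Assumptions: RSAT AD PowerShell module installed, run as Domain Admin on the
# PDC Emulator, DFSR already stopped on every DC (as in the steps above).
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
# All reads and writes go to the PDC, the same place the article edits with ADSI Edit;
# the later "repadmin /syncall /AdP" step pushes the change to the other DCs.
$dcs = Get-ADDomainController -Filter * -Server $pdc

# DN of CN=SYSVOL Subscription under one DC's computer object, matching the
# ADSI Edit path: CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription
function Get-SysvolSubscriptionDN {
    param($Dc)
    return "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($Dc.ComputerObjectDN)"
}

foreach ($dc in $dcs) {
    $dn = Get-SysvolSubscriptionDN -Dc $dc
    if ($dc.HostName -ieq $pdc) {
        # Authoritative source: disabled for now and flagged authoritative (msDFSR-Options = 1)
        Set-ADObject -Identity $dn -Server $pdc -Replace @{ 'msDFSR-Enabled' = $false; 'msDFSR-Options' = 1 }
        Write-Output "$($dc.HostName): msDFSR-Enabled=FALSE, msDFSR-Options=1 (authoritative)"
    } else {
        # Every other DC: disabled only, so it rebuilds SYSVOL from the PDC once re-enabled
        Set-ADObject -Identity $dn -Server $pdc -Replace @{ 'msDFSR-Enabled' = $false }
        Write-Output "$($dc.HostName): msDFSR-Enabled=FALSE"
    }
}

# Read back what was written, to compare with the ADSI Edit attribute values above.
foreach ($dc in $dcs) {
    Get-ADObject -Identity (Get-SysvolSubscriptionDN -Dc $dc) -Server $pdc -Properties 'msDFSR-Enabled', 'msDFSR-Options' |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } }, 'msDFSR-Enabled', 'msDFSR-Options'
}
```

The script only changes the attributes; stopping DFSR on each DC and the later repadmin, dfsrdiag and re-enable steps still follow the article.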
Now, on your PDC Emulator role holder start the DFS Replication service, type in elevated command-line
net start DFSR
Starting DFS Replication service on PDC Emulator role holder DC
or type in PowerShell
Start-Service DFSR
or
Start-Service "DFS Replication"
Starting DFS Replication service on PDC Emulator holder Domain Controller
In the event log you should see event ID 4114
Event log review
Modify the msDFSR-Enabled attribute back to the TRUE state
Changing msDFSR-Enabled attribute back to TRUE state
and accept changes
Accepting attribute changes
Start Active Directory replication on all of your Domain Controllers. Type in elevated command-line
repadmin /syncall /AdP
Replicating Active Directory
On your PDC Emulator Domain Controller, in elevated command-line type
dfsrdiag PollAD
Sync with the global information store
Note! If the dfsrdiag command was not recognized when you ran it, you need to install the DFS
Management Tools from features!
Adding DFS Management Tools feature
In the DFS Replication event log you should see event ID 4602. That means your authoritative SYSVOL
restore is initiated.
Event ID 4602
REPETITIVE TASK
Before you start the DFS Replication service, I would suggest removing all content from these 2
folders
%WINDIR%\SYSVOL\domain\Policies
%WINDIR%\SYSVOL\domain\Scripts
Note! (these are the default locations; if you changed the SYSVOL location during DC promotion, you need to refer to your
own location)
Go to another Domain Controller to which you want to replicate SYSVOL and start the DFS
Replication service, type in elevated command-line
net start DFSR
Starting DFS Replication service on PDC Emulator role holder DC
or in PowerShell
Start-Service DFSR
or
Start-Service "DFS Replication"
Starting DFS Replication service on PDC Emulator holder Domain Controller
review the DFS Replication event log and check if there is event ID 4114
Event log review
Change the msDFSR-Enabled attribute back to the TRUE state
Changing msDFSR-Enabled attribute back to TRUE state
accept changes, click the OK button
Accepting attribute changes
and run the dfsrdiag command to synchronize with the global information store
dfsrdiag PollAD
Sync with the global information store
You should get SYSVOL replicated to this Domain Controller. Go to %WINDIR%\SYSVOL\domain\Policies and check if data was replicated. You should see all Group Policies and
scripts there
All Group Policies on DC with PDC Emulator role
and go to one more location, %WINDIR%\SYSVOL\domain\Scripts, to check if scripts and other files
from the NETLOGON share were replicated
All scripts on DC where non-authoritative SYSVOL has been done
END OF REPETITIVE TASK
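To confirm the end state across the whole domain without visiting each DC, the check below reads every DC's own copy of the SYSVOL Subscription object (so you also see whether AD replication has delivered the re-enabled state), looks for the event IDs 4114 and 4602 mentioned above, and counts the GPO folders in each DC's SYSVOL share. This is an added example, not part of the original article; it assumes the RSAT AD PowerShell module, a Domain Admin session and remote event log access to each DC.

```powershell
# Added example, not from the original article: post-restore verification.
# Assumptions: ActiveDirectory module, Domain Admin session, remote event log
# access (Get-WinEvent -ComputerName) and the SYSVOL share reachable on every DC.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
# Constructed window: look back over the hours in which the restore was performed.
$since = (Get-Date).AddHours(-6)

foreach ($dc in (Get-ADDomainController -Filter *)) {
    $dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"

    # Query each DC directly: a stale FALSE here means AD replication has not caught up yet.
    $sub = Get-ADObject -Identity $dn -Server $dc.HostName -Properties 'msDFSR-Enabled', 'msDFSR-Options'

    # 4114 = SYSVOL replication disabled (expected on every DC while disabled)
    # 4602 = authoritative SYSVOL initialization (expected on the PDC Emulator only)
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName = 'DFS Replication'; Id = 4114, 4602; StartTime = $since
    } -ErrorAction SilentlyContinue

    $policiesPath = "\\$($dc.HostName)\SYSVOL\$($dc.Domain)\Policies"
    $gpoFolders   = Get-ChildItem -Path $policiesPath -Directory -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC            = $dc.HostName
        Authoritative = ($dc.HostName -ieq $pdc)
        Enabled       = $sub.'msDFSR-Enabled'            # must read TRUE again on every DC
        Options       = $sub.'msDFSR-Options'            # set to 1 on the PDC during the restore
        Saw4114       = [bool]($events | Where-Object Id -eq 4114)
        Saw4602       = [bool]($events | Where-Object Id -eq 4602)
        GpoFolders    = @($gpoFolders).Count             # should match on every DC once replicated
    }
}
```

A DC whose Enabled column is still FALSE, or whose GpoFolders count differs from the PDC Emulator's, has not finished the steps above yet.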
That's all!
Author: Krzysztof Pytko