
Introduction
Domain Controllers (DCs) are critical to an Active Directory (AD) environment, ensuring synchronization among servers. One crucial folder that replicates across Domain Controllers is SYSVOL, which contains group policies and scripts that are essential for domain operations. When SYSVOL replication breaks, it often results from issues in either the File Replication Service (FRS) or Distributed File System Replication (DFSR). This article explains how to restore SYSVOL using D3 (non-authoritative) and D4 (authoritative) restore procedures.
The replication mechanism used depends on the Windows Server version and configuration: FRS or DFSR. In this guide, we will cover both scenarios.
Identifying the Replication Method (FRS or DFSR)
Before proceeding, determine whether the Domain Controllers are using FRS or DFSR:
- Command Prompt: Run the following command:
dfsrmig /getglobalstate
State 0 (Start): SYSVOL is replicated using FRS.
State 1-3 (Prepared, Redirected, Eliminated): SYSVOL is replicated using DFSR.
Alternatively, you can check the Event Viewer for messages:
- FRS uses events with IDs like 13508 and 13516.
- DFSR uses events with IDs such as 4602 and 4104.
Proceed to the corresponding section based on the replication mechanism your Domain Controllers are using.
Section 1: If Using FRS (File Replication Service)
Understanding D3 and D4 in FRS
- D4 (Authoritative Restore): Marks the SYSVOL on the specified Domain Controller as authoritative, which will replicate to other Domain Controllers.
- D3 (Non-Authoritative Restore): Instructs the Domain Controller to update its SYSVOL by replicating from an authoritative Domain Controller.
Step-by-Step Procedure for FRS
Step 1: Identify the Problematic Domain Controller
Use Event Viewer to check for issues like Event ID 13508 indicating replication failure. Additionally, run:
dcdiag /test:sysvolcheck /test:advertising
repadmin /replsummary
These commands help you understand the replication health.
Step 2: Perform the D4 (Authoritative) Restore
1. Stop FRS Service:
net stop ntfrs
2. Modify the Registry:
- Open Registry Editor (regedit).
- Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Set the BurFlags value to D4.
3. Restart the FRS Service:
net start ntfrs
4. Verify Replication: Use dcdiag and repadmin commands to confirm that replication has resumed successfully.
Step 3: Perform the D3 (Non-Authoritative) Restore
1. Stop FRS Service:
net stop ntfrs
2. Modify the Registry:
- Open Registry Editor (regedit).
- Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Set the BurFlags value to D3.
3. Restart the FRS Service:
net start ntfrs
4. Monitor Progress: Monitor the Event Viewer for event ID 13516, indicating successful SYSVOL replication.
Step 4: Verification
Run the following commands to verify that SYSVOL replication is working correctly:
repadmin /replsummary
dcdiag /test:sysvolcheck
Section 2: If Using DFSR (Distributed File System Replication)
Understanding D3 and D4 in DFSR
- D4 (Authoritative Restore): Makes the SYSVOL on this Domain Controller the authoritative copy for replication to other DCs.
- D3 (Non-Authoritative Restore): Syncs the Domain Controller’s SYSVOL folder from an authoritative peer.
Step-by-Step Procedure for DFSR
Step 1: Identify the Problematic Domain Controller
Use Event Viewer to check for DFSR-specific events such as 4602 or 4104. Additionally, use the following commands:
dcdiag /test:sysvolcheck /test:advertising
repadmin /replsummary
Step 2: Perform the D4 (Authoritative) Restore
1. Stop DFSR Service:
net stop dfsr
2. Modify the Registry:
- Open Registry Editor (regedit).
- Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVol
Set the BurFlags value to D4.
3. Restart the DFSR Service:
net start dfsr
4. Verify Replication: Use dcdiag and repadmin commands to confirm successful resumption of replication.
Step 3: Perform the D3 (Non-Authoritative) Restore
1. Stop DFSR Service:
net stop dfsr
2. Modify the Registry:
- Open Registry Editor (regedit).
- Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVol
Set the BurFlags value to D3.
3. Restart the DFSR Service:
net start dfsr
4. Monitor Progress: Monitor Event Viewer for event ID 4104 or similar, indicating successful SYSVOL replication.
Step 4: Verification
Run the following commands to verify that SYSVOL replication is working correctly:
repadmin /replsummary
dcdiag /test:sysvolcheck
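A read-only check to run before and after either restore procedure (the FRS and DFSR verification steps above), given here as an added example that is not part of the original article. It reports the current BurFlags value at the registry path this article gives for the chosen mechanism, and the newest occurrence of each event ID the article names; the parameters -Mechanism and -LookbackHours are assumptions of this example.

```powershell
# Added example: read-only check, changes nothing on the Domain Controller.
param(
    [ValidateSet('FRS', 'DFSR')] [string]$Mechanism = 'FRS',
    [int]$LookbackHours = 24   # assumed default window; adjust as needed
)

# Event logs, event IDs and registry keys as named in this article.
$profiles = @{
    FRS  = @{
        Log = 'File Replication Service'
        Ids = 13508, 13516
        Key = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    }
    DFSR = @{
        Log = 'DFS Replication'
        Ids = 4602, 4104
        Key = 'SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVol'
    }
}
$p = $profiles[$Mechanism]

# Current BurFlags value. The .NET registry API is used because the FRS key
# name contains "/", which the PowerShell registry provider treats as a
# path separator.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($p.Key)
$burFlags = if ($key) { $key.GetValue('BurFlags') } else { $null }
if ($key) { $key.Close() }
$burText = if ($null -ne $burFlags) { '0x{0:X}' -f $burFlags } else { 'not set' }

# Newest occurrence of each event ID inside the lookback window
# (Get-WinEvent returns events newest first).
$filter = @{ LogName = $p.Log; Id = $p.Ids; StartTime = (Get-Date).AddHours(-$LookbackHours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$report = foreach ($id in $p.Ids) {
    $latest = $events | Where-Object { $_.Id -eq $id } | Select-Object -First 1
    [pscustomobject]@{
        Mechanism = $Mechanism
        EventId   = $id
        LastSeen  = if ($latest) { $latest.TimeCreated } else { $null }
        BurFlags  = $burText
    }
}
$report | Format-Table -AutoSize
```

Saving the output from before the change next to the output from after it gives a record of what the registry value and event timeline looked like at each point.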
Conclusion
Restoring SYSVOL replication on a broken Domain Controller requires using the correct procedures for either FRS or DFSR, depending on your environment. For FRS, the D4 and D3 methods involve setting registry values and restarting the FRS service to reinitialize replication. For DFSR, similar steps apply, but within the context of DFSR-specific registry entries and services.
Always ensure you have a backup before making changes, as incorrect configurations can lead to broader domain issues. A successful restoration will lead to a fully functional domain, with group policies and scripts propagating correctly across all Domain Controllers.