Step-by-Step Guide to Restoring SYSVOL Replication on a Broken Domain Controller Using FRS or DFSR

Introduction

Domain Controllers (DCs) are critical to an Active Directory (AD) environment, ensuring synchronization among servers. One crucial folder that replicates across Domain Controllers is SYSVOL, which contains group policies and scripts that are essential for domain operations. When SYSVOL replication breaks, it often results from issues in either the File Replication Service (FRS) or Distributed File System Replication (DFSR). This article explains how to restore SYSVOL using D3 (non-authoritative) and D4 (authoritative) restore procedures.

The replication mechanism used depends on the Windows Server version and configuration: FRS or DFSR. In this guide, we will cover both scenarios.

Identifying the Replication Method (FRS or DFSR)

Before proceeding, determine whether the Domain Controllers are using FRS or DFSR:

  1. Command Prompt: Run the following command:
Command:
dfsrmig /getglobalstate

State 0 (Start): SYSVOL is replicated using FRS.

States 1-3 (Prepared, Redirected, Eliminated): SYSVOL is replicated using DFSR.

Alternatively, you can check the Event Viewer for messages:

  • FRS uses events with IDs like 13508 and 13516.
  • DFSR uses events with IDs such as 4602 and 4104.

Proceed to the corresponding section based on the replication mechanism your Domain Controllers are using.
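
The check above as a PowerShell function, added here as an example and not part of the original guide: it parses the `dfsrmig /getglobalstate` output, applies the state mapping given above, and cross-checks the result against recent events with the listed IDs. The function name, the 7-day lookback, the `Unparsed` label and the log names `File Replication Service` and `DFS Replication` are assumptions of the example.

```powershell
# Added example, not from the original guide. Run elevated on the DC being checked.
function Get-SysvolReplicationMethod {
    [CmdletBinding()]
    param([int]$LookbackDays = 7)   # assumption: event lookback window

    # dfsrmig reports a line of the form: Current DFSR global state: 'Eliminated'
    $raw   = (& dfsrmig.exe /getglobalstate 2>&1 | Out-String)
    $state = if ($raw -match "global state:\s*'(?<s>\w+)'") { $Matches['s'] } else { 'Unparsed' }

    # Mapping as given in this guide.
    $byState = switch ($state) {
        'Start' { 'FRS' }
        { $_ -in 'Prepared', 'Redirected', 'Eliminated' } { 'DFSR' }
        default { 'Unknown' }       # no state line could be parsed
    }

    # Cross-check: count recent events with the IDs this guide lists for each service.
    $since = (Get-Date).AddDays(-$LookbackDays)
    $sources = @(
        @{ Method = 'FRS';  Log = 'File Replication Service'; Ids = 13508, 13516 }
        @{ Method = 'DFSR'; Log = 'DFS Replication';          Ids = 4602, 4104 }
    )
    $evidence = foreach ($s in $sources) {
        $hits = @(Get-WinEvent -FilterHashtable @{
                LogName = $s.Log; Id = $s.Ids; StartTime = $since
            } -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Method = $s.Method; Log = $s.Log; Events = $hits.Count }
    }

    $active = @($evidence | Where-Object Events -gt 0 | ForEach-Object Method)
    [pscustomobject]@{
        GlobalState = $state
        Method      = $byState
        Evidence    = $evidence
        # True when the state is unknown or recent events come only from the other service.
        NeedsReview = ($byState -eq 'Unknown') -or
                      (($active.Count -gt 0) -and ($byState -notin $active))
    }
}

Get-SysvolReplicationMethod | Format-List
```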

Section 1: If Using FRS (File Replication Service)

Understanding D3 and D4 in FRS

  • D4 (Authoritative Restore): Marks the SYSVOL on the specified Domain Controller as authoritative, which will replicate to other Domain Controllers.
  • D3 (Non-Authoritative Restore): Instructs the Domain Controller to update its SYSVOL by replicating from an authoritative Domain Controller.

Step-by-Step Procedure for FRS

Step 1: Identify the Problematic Domain Controller

Use Event Viewer to check for issues like Event ID 13508 indicating replication failure. Additionally, run:

Command:
dcdiag /test:sysvolcheck /test:advertising
repadmin /replsummary

These commands help you understand the replication health.

Step 2: Perform the D4 (Authoritative) Restore

  1. Stop FRS Service:
Command:
net stop ntfrs

2. Modify the Registry:

  • Open Registry Editor (regedit).
  • Navigate to:
Regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

Set the BurFlags value to D4.

3. Restart the FRS Service:

Command:
net start ntfrs

4. Verify Replication: Use dcdiag and repadmin commands to confirm that replication has resumed successfully.

Step 3: Perform the D3 (Non-Authoritative) Restore

  1. Stop FRS Service:
Command:
net stop ntfrs

2. Modify the Registry:

  • Open Registry Editor (regedit).
  • Navigate to:
Regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

Set the BurFlags value to D3.

3. Restart the FRS Service:

Command:
net start ntfrs

4. Monitor Progress: Monitor the Event Viewer for event ID 13516, indicating successful SYSVOL replication.

Step 4: Verification

Run the following commands to verify that SYSVOL replication is working correctly:

Command:
repadmin /replsummary
dcdiag /test:sysvolcheck
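
Steps 2 and 3 above as one PowerShell function, added here as an example rather than taken from the original guide; `-Mode D4` or `-Mode D3` selects the restore. The function name, the 30-minute timeout and the `File Replication Service` log name are assumptions. The key name contains a forward slash, which the PowerShell registry provider treats as a path separator, so the example writes BurFlags through the .NET registry API.

```powershell
# Added example, not from the original guide. Run elevated on the DC being restored.
function Invoke-FrsSysvolRestore {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][ValidateSet('D3', 'D4')][string]$Mode,
        [int]$TimeoutMinutes = 30      # assumption: how long to wait for event 13516
    )

    # "Backup/Restore" contains "/", so Set-ItemProperty on an HKLM:\ path cannot
    # address this key; the .NET Registry class takes the key name literally.
    $key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs' +
           '\Parameters\Backup/Restore\Process at Startup'
    $value = [Convert]::ToInt32($Mode, 16)   # BurFlags is a REG_DWORD; D3/D4 are hex

    # D4 makes this DC's SYSVOL the copy that replicates to the other DCs,
    # so the change is gated behind a confirmation prompt.
    $action = "Set BurFlags=0x$Mode and restart NtFrs"
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) { return }

    $started = Get-Date
    Stop-Service -Name NtFrs -ErrorAction Stop
    try {
        [Microsoft.Win32.Registry]::SetValue(
            $key, 'BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    finally {
        Start-Service -Name NtFrs      # bring the service back even if the write failed
    }

    # Poll the FRS event log for event 13516 written after the restart.
    $deadline = $started.AddMinutes($TimeoutMinutes)
    $done = $null
    while (-not $done -and (Get-Date) -lt $deadline) {
        $done = Get-WinEvent -FilterHashtable @{
            LogName = 'File Replication Service'; Id = 13516; StartTime = $started
        } -MaxEvents 1 -ErrorAction SilentlyContinue
        if (-not $done) { Start-Sleep -Seconds 30 }
    }

    [pscustomobject]@{
        Mode      = $Mode
        Completed = [bool]$done        # False means no 13516 within the timeout
        EventTime = if ($done) { $done.TimeCreated } else { $null }
    }
}

# Invoke-FrsSysvolRestore -Mode D4    # on the DC chosen as authoritative
# Invoke-FrsSysvolRestore -Mode D3    # on a DC that should pull SYSVOL from it
```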


Section 2: If Using DFSR (Distributed File System Replication)

Understanding D3 and D4 in DFSR

  • D4 (Authoritative Restore): Makes the SYSVOL on this Domain Controller the authoritative copy for replication to other DCs.
  • D3 (Non-Authoritative Restore): Syncs the Domain Controller’s SYSVOL folder from an authoritative peer.

Step-by-Step Procedure for DFSR

Step 1: Identify the Problematic Domain Controller

Use Event Viewer to check for DFSR-specific events such as 4602 or 4104. Additionally, use the following commands:

Command:
dcdiag /test:sysvolcheck /test:advertising
repadmin /replsummary

Step 2: Perform the D4 (Authoritative) Restore

  1. Stop DFSR Service:
Command:
net stop dfsr

2. Modify the Registry:

  • Open Registry Editor (regedit).
  • Navigate to:
Regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVol

Set the BurFlags value to D4.

3. Restart the DFSR Service:

Command:
net start dfsr

4. Verify Replication: Use dcdiag and repadmin commands to confirm successful resumption of replication.

Step 3: Perform the D3 (Non-Authoritative) Restore

  1. Stop DFSR Service:
Command:
net stop dfsr

2. Modify the Registry:

  • Open Registry Editor (regedit).
  • Navigate to:
Regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVol

Set the BurFlags value to D3.

3. Restart the DFSR Service:

Command:
net start dfsr

4. Monitor Progress: Monitor Event Viewer for event ID 4104 or similar, indicating successful SYSVOL replication.

Step 4: Verification

Run the following commands to verify that SYSVOL replication is working correctly:

Command:
repadmin /replsummary
dcdiag /test:sysvolcheck

Conclusion

Restoring SYSVOL replication on a broken Domain Controller requires using the correct procedures for either FRS or DFSR, depending on your environment. For FRS, the D4 and D3 methods involve setting registry values and restarting the FRS service to reinitialize replication. For DFSR, similar steps apply, but within the context of DFSR-specific registry entries and services.

Always ensure you have a backup before making changes, as incorrect configurations can lead to broader domain issues. A successful restoration will lead to a fully functional domain, with group policies and scripts propagating correctly across all Domain Controllers.
