Thursday, December 4, 2014

Non-authoritative SYSVOL restore (FRS)

When you work in an Active Directory environment you may run into this problem, especially when you have many Domain Controllers: sooner or later you find that one or more of them are out of date with SYSVOL replication.
Each Domain Controller has its own folder where GPOs and scripts are stored. By default it is located under %WINDIR%\SYSVOL\domain (if you changed the location during DC promotion, use your own path instead).
There are 2 folders:
  • Policies where Group Policies are saved (%WINDIR%\SYSVOL\domain\Policies)
  • Scripts where logon scripts or other files are saved (%WINDIR%\SYSVOL\domain\Scripts shared as NETLOGON)
If a DC does not replicate SYSVOL, you will see that some Group Policies (GPOs) or scripts are missing from the SYSVOL\domain folder on that particular DC. Another symptom is that all GPO folders are present but their contents are not updated.
When you notice one of these behaviors you need to do a non-authoritative SYSVOL restore, which makes the faulty DC throw away its own copy and re-initialize SYSVOL from its inbound replication partners. The DC holding the PDC Emulator operations master role is the natural reference copy to compare against, because GPMC creates and edits policies there by default.
How can you be sure that you need a non-authoritative SYSVOL restore? There is no simple answer, because it depends on the size of your Active Directory and the number of Domain Controllers.
When can you decide to start this kind of restore?
  • one DC out of a couple does not replicate SYSVOL
  • a few DCs out of many do not replicate SYSVOL
  • more than a few, but fewer than 50% of them, do not replicate SYSVOL
These are the typical scenarios for a non-authoritative SYSVOL restore: the healthy DCs still hold a good copy, so the faulty ones can re-initialize from them. If most or all DCs have lost SYSVOL there is no good copy left to pull from, and you need an authoritative restore (BurFlags D4) on one DC instead, which is not covered here.
Let’s see how to do that.
First of all, you need to find out which DC or DCs do not replicate SYSVOL. Then you have to start the SYSVOL restore on each of them.
When you see an empty SYSVOL, this may suggest that Domain Controller initialization was not finished after the server was promoted: the Active Directory database was replicated but SYSVOL was not. In this case you can simply perform a non-authoritative restore and SYSVOL should be replicated.
Empty SYSVOL folder
Another case is a DC that is not up to date with SYSVOL: some policies are missing, and a non-authoritative SYSVOL restore will fix that.
Missing Group Policies under SYSVOL
When you log on to the Domain Controller holding the PDC Emulator operations master role, you should see more policies than on the faulty Domain Controllers:
All Group Policies on DC with PDC Emulator role
So you can see that those Domain Controllers need a SYSVOL restore to bring their data up to date.
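The comparison above can be scripted instead of done by eye. The following PowerShell is an added example, not code from the original post: it lists the GPO folders under SYSVOL\domain\Policies on every DC and compares them with the PDC Emulator's copy, reporting both folders that are missing and folders that exist but carry an older Version in GPT.INI (the "all GPOs in place but not updated" symptom). It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read \\<dc>\SYSVOL on every DC; the variable and helper names are this example's own.

```powershell
# Added example, not from the original post: find the DCs whose SYSVOL\domain\Policies
# folder is behind the PDC Emulator's copy, either missing GPO folders or holding an
# older GPT.INI version. Assumes the ActiveDirectory module (RSAT) and read access to
# \\<dc>\SYSVOL on every DC; $domain, $pdc and the helper names are this example's own.
Import-Module ActiveDirectory

function Get-GptVersion {
    # Reads the Version= line of a GPO's GPT.INI; $null if the file is not there.
    param([string]$PolicyPath)
    $ini = Join-Path $PolicyPath 'GPT.INI'
    if (-not (Test-Path $ini)) { return $null }
    foreach ($line in (Get-Content $ini)) {
        if ($line -match '^Version=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-PolicyFolders {
    # Names (GPO GUIDs) of the folders under a Policies path, always as an array.
    param([string]$PoliciesPath)
    @(Get-ChildItem -Path $PoliciesPath | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name })
}

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$dcs    = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

# Reference copy: the PDC Emulator, where GPMC creates and edits policies by default.
$refPath   = "\\$pdc\SYSVOL\$($domain.DNSRoot)\Policies"
$reference = Get-PolicyFolders $refPath

foreach ($dc in $dcs) {
    if ($dc -eq $pdc) { continue }
    $path = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies"
    if (-not (Test-Path $path)) {
        # Unreachable share or no Policies folder at all: the "empty SYSVOL" case.
        Write-Warning "$dc : $path not reachable; SYSVOL may be empty or not shared"
        continue
    }
    $local   = Get-PolicyFolders $path
    $missing = @($reference | Where-Object { $local -notcontains $_ })
    $stale   = @(foreach ($g in ($reference | Where-Object { $local -contains $_ })) {
        $refVer = Get-GptVersion (Join-Path $refPath $g)
        $dcVer  = Get-GptVersion (Join-Path $path $g)
        if ($refVer -ne $dcVer) { "$g (PDC version $refVer, $dc version $dcVer)" }
    })
    if ($missing.Count -eq 0 -and $stale.Count -eq 0) {
        '{0}: in sync with {1} ({2} policies)' -f $dc, $pdc, $reference.Count
        continue
    }
    '{0}: {1} policies missing, {2} out of date -> candidate for non-authoritative restore' -f $dc, $missing.Count, $stale.Count
    $missing | ForEach-Object { "    missing: $_" }
    $stale   | ForEach-Object { "    stale:   $_" }
}
```

A DC whose Policies share is unreachable is reported separately because that is the empty-SYSVOL case from the first screenshot, while a DC with missing or stale folders is the second case; both get the same non-authoritative restore described below.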
Now it’s time to perform the non-authoritative SYSVOL restore. Log on to the DC that is out of sync with SYSVOL and stop the File Replication Service (NtFRS) from an elevated command prompt. Type
net stop ntfrs
Stopping File Replication Service
Now you need to change a setting in the Windows registry.
Warning! Be careful: do not change any entries other than the one shown in this article, or you may break your server!
Open the registry editor (regedit) from the Run box
Executing registry editor
Now, you need to find below key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
BurFlags value location
and change the BurFlags value from 0 to D2 (hexadecimal) by editing it
Changing BurFlags value
Before you start the FRS service again, I would suggest removing all content from these two folders:
  • %WINDIR%\SYSVOL\domain\Policies
  • %WINDIR%\SYSVOL\domain\Scripts
Note! (default location; if you changed the SYSVOL location during DC promotion, use your own path). This step is optional: when FRS re-initializes it moves any pre-existing content to an NtFrs_PreExisting___See_EventLog folder under the replica root, but emptying the folders first avoids leaving stale copies on disk.
Warning! While the D2 flag is being processed, FRS prevents the server from advertising itself as a Domain Controller (the SYSVOL and NETLOGON shares are removed until re-initialization completes), so clients will not use it for logons or Group Policy in the meantime. Be careful in locations/Sites where you have only a single DC, or where clients would have to authenticate over a WAN link!
Now it’s time to start the File Replication Service. Type at the command prompt
net start ntfrs
Running File Replication Service
When you refresh (F5 key) the registry editor, you should see that the BurFlags value has changed back to 0
BurFlags value reset
and you should also check the “File Replication Service” event log. Look for event ID 13565: it means the server has started the non-authoritative restore, and you need to wait a while. Refresh the event log from time to time and check whether these event IDs appear:
  • 13553 (this computer was successfully added to the replica set)
  • 13516 (FRS is no longer preventing the computer from becoming a Domain Controller; SYSVOL is shared again)
When you can see them, SYSVOL replication is complete and your Domain Controller is up to date.
SYSVOL re-initialized
Verify that the SYSVOL share is available on your Domain Controller; type at the command prompt
net share
SYSVOL share verification
go to %WINDIR%\SYSVOL\domain\Policies and check that the data has been replicated
SYSVOL content verification
That’s all! All you need to do now is repeat these steps on each Domain Controller that does not replicate SYSVOL.
Done!
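The whole procedure above (stop NtFrs, set BurFlags to D2, optionally clear the folders, start NtFrs, wait for events 13565, 13553 and 13516, then verify the shares) can be run as one script on the faulty DC. The following PowerShell is an added example, not code from the original post. The service name, registry value, folders and event IDs are exactly those described in the article; the -ClearContent switch, the timeout and the polling interval are this example's own choices, and it must be run from an elevated session on the DC being restored.

```powershell
# Added example, not from the original post: the non-authoritative (BurFlags D2) FRS
# restore as one script, run in an elevated PowerShell on the DC that is out of sync.
# The service name, registry value, folders and event IDs are those from the article;
# the -ClearContent switch, the timeout and the polling interval are this example's own.
param(
    [switch]$ClearContent,      # also empty Policies and Scripts before FRS restarts
    [int]$TimeoutMinutes = 30   # how long to wait for event 13516
)

$burKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$sysvol = Join-Path $env:WINDIR 'SYSVOL\domain'   # default; use your own path if moved at promotion

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session on the faulty DC.'
}

# 1. Stop the File Replication Service ("net stop ntfrs").
Stop-Service -Name NtFrs -Force
(Get-Service -Name NtFrs).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
$since = Get-Date   # only events after this point belong to our restore

# 2. Set BurFlags to 0xD2 (non-authoritative). Nothing else under this key is touched.
$before = (Get-ItemProperty -Path $burKey -Name BurFlags).BurFlags
Write-Host ('BurFlags before: 0x{0:X}' -f $before)
Set-ItemProperty -Path $burKey -Name BurFlags -Value 0xD2 -Type DWord

# 3. Optional: empty Policies and Scripts. Without this FRS moves the old content to
#    NtFrs_PreExisting___See_EventLog under the replica root when it re-initializes.
if ($ClearContent) {
    foreach ($sub in 'Policies', 'Scripts') {
        $p = Join-Path $sysvol $sub
        if (Test-Path $p) { Get-ChildItem -Path $p -Force | Remove-Item -Recurse -Force }
    }
}

# 4. Start FRS again ("net start ntfrs"); FRS consumes the flag and resets it to 0.
Start-Service -Name NtFrs
Start-Sleep -Seconds 15
$after = (Get-ItemProperty -Path $burKey -Name BurFlags).BurFlags
Write-Host ('BurFlags after start: 0x{0:X}' -f $after)

# 5. Wait for the FRS events in order: 13565 (restore started), 13553 (computer added
#    to the replica set), 13516 (FRS no longer prevents this server from being a DC).
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
$seen = @{}
do {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'File Replication Service'; Id = 13565, 13553, 13516; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) { $seen[[int]$e.Id] = $e.TimeCreated }
    if ($seen.ContainsKey(13516)) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

foreach ($id in 13565, 13553, 13516) {
    if ($seen.ContainsKey($id)) { Write-Host ('event {0} at {1}' -f $id, $seen[$id]) }
    else { Write-Warning "event $id not seen within $TimeoutMinutes minutes; check the FRS log before trusting this DC" }
}

# 6. Verify the shares ("net share") and that Policies has content again.
$shares = @((net share) -match '^(SYSVOL|NETLOGON)\s')
if ($shares.Count -eq 2) { Write-Host 'SYSVOL and NETLOGON are shared again.' }
else { Write-Warning 'SYSVOL/NETLOGON not shared yet; re-initialization is not finished.' }
$count = @(Get-ChildItem -Path (Join-Path $sysvol 'Policies') -ErrorAction SilentlyContinue |
           Where-Object { $_.PSIsContainer }).Count
Write-Host "$count policy folders under $sysvol\Policies"
```

Run it once per faulty DC, one DC at a time, and do not start it on the last DC of a site until the previous one has logged 13516, because until that event the server is not advertising as a Domain Controller.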
