(2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 1)
Posted by Jorge on 2010-08-12
The SYSVOL contains logon scripts and GPOs for a particular AD domain. It replicates to all RWDCs and RODCs. When, during the promotion of the very first (W2K8/W2K8R2) RWDC, the DFL is configured with "Windows Server 2003" or lower, then the SYSVOL will use NTFRS as its replication mechanism. At a later stage when you increase the DFL to at least "Windows Server 2008", you can migrate the replication of the SYSVOL from NTFRS to DFS-R. The process for doing that is explained in the SYSVOL Replication Migration Guide: FRS to DFS Replication (Web Based) or SYSVOL Replication Migration Guide: FRS to DFS Replication (Word Doc).
If you need to migrate OTHER DFS NameSpaces from NTFRS to DFS-R then look at DFS Operations Guide: Migrating from FRS to DFS Replication and FRS to DFSR Migration Tool Released.
However, when, during the promotion of the very first (W2K8/W2K8R2) RWDC, the DFL is configured with at least "Windows Server 2008", then the SYSVOL will use DFS-R as its replication mechanism right away and no migration is needed to migration the replication of the SYSVOL from NTFRS to DFS-R.
The use of DFS-R, compared to NTFRS, is way better in terms of performance and stability. DFS-R also works better with RODCs than NTFRS. When the SYSVOL on an RODC is adjusted locally, the changes will remain and will not replicate out because the RODC does not support Outbound Replication to any DC. Over time, if you do this too often you will get inconsistencies. To resolve these consistencies you may need to do a non-authoritative restore of the SYSVOL when replicated by NTFRS. If the same occured on the RODC and DFS-R is being used as the replication mechanism for the SYSVOL, then the local change would be detected and reverted as if nothing had happen. This makes sure the SYSVOL contents remains consistent on RODCs. For other differences see The Case for Migrating SYSVOL to DFSR.
The availability of the SYSVOL is very important for users, because if it is not available on a certain DC (RWDC or RODC), both users and computers cannot log on using that DC.
For both replication mechanisms I will explain how to do an authoritative restore or a non-authoritative restore of the SYSVOL using either replication mechanism.
With an authoritative restore, the data that’s being restored is leading compared to all other versions of that same data on onther DCs. Taking that into account, when doing an authoritative restore on a RWDC, one should not forget that all other RWDCs and RODCs must do a non-authoritative restore.
With a non-authoritative restore, the data that’s being restored or that is in place is not leading compared to all other versions of that same data on onther DCs. To get the most recent data, the DC for which a non-authoritative restore was done must get the most recent data from another DC.
For the post on restoring the SYSVOL when replicated through the NTFRS mechanism see here.
For the post on restoring the SYSVOL when replicated through the DFS-R mechanism see here.
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########