Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-06-22) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 4)

Posted by Jorge on 2011-06-22


In the past I explained in multiple posts how to restore the SYSVOL on a DC when it is replicated through either NTFRS or DFS-R. Those procedures (including screen dumps) can be found through the following links:

In this post I will explain another method that is also available to restore the SYSVOL in an authoritative and non-authoritative way when it is replicated through DFS-R. The information posted here will be based upon the following Microsoft KB article:

In addition to what the KB article already mentions, this post will contain additional information such as PowerShell command lines used and screen dumps.

SYSVOL Replicated Through DFS-R – Authoritative Restore – Steps To Take

To perform an authoritative restore of the SYSVOL when using DFS-R, use the following steps (preferably on the RWDC with the PDC FSMO role!):

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *


Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="FALSE";"msDFSR-Options"=1}
    (this disables the replicated folder on this target and marks the target as primary, or in other words authoritative)


Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *


Within a DOS command prompt

  • DFSRDIAG POLLAD

Event ID 4114 in the DFS Replication Event Log appears (after the first occurrence, this event will be repeated every 5 minutes).

Event ID 4008 in the DFS Replication Event Log appears.

Event ID 2010 in the DFS Replication Event Log appears.

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="TRUE"}
    (this re-enables the replicated folder on this target)


Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *


Within a DOS command prompt

  • DFSRDIAG POLLAD

Event ID 4602 in the DFS Replication Event Log appears.

SYSVOL Replicated Through DFS-R – Non-Authoritative Restore On RWDC – Steps To Take

To perform a non-authoritative restore of the SYSVOL when using DFS-R on a RWDC, use the following steps:

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *


Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="FALSE"}
    (this disables the replicated folder on this target)


Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *


Within a DOS command prompt

  • DFSRDIAG POLLAD

Event ID 4114 in the DFS Replication Event Log appears (after the first occurrence, this event will be repeated every 5 minutes).

Event ID 4008 in the DFS Replication Event Log appears.

Event ID 2010 in the DFS Replication Event Log appears.

As an optional step, you can specify a specific replication (sourcing) partner for the SYSVOL:

  • Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols
    • Value name: Parent Computer
    • Value type: REG_SZ
    • Value data: <FQDN of RWDC to source from>

REMARK: If you do not use this method to specify the source computer, any Active Directory replication partner that has the SYSVOL replicated folder in the NORMAL state could end up being used as the source.

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="TRUE"}
    (this re-enables the replicated folder on this target)


Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *


Within a DOS command prompt

  • DFSRDIAG POLLAD

Event ID 4614 in the DFS Replication Event Log appears.

Event ID 4604 in the DFS Replication Event Log appears.

SYSVOL Replicated Through DFS-R – Non-Authoritative Restore On RODC – Steps To Take

To perform a non-authoritative restore of the SYSVOL when using DFS-R on a RODC, use the following steps:

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *


Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="FALSE"}
    (this disables the replicated folder on this target)
    (execute this either on the RODC with sufficient permissions AND make sure you can access the Active Directory Web Service (ADWS) (tcp:9389) on the RWDC (through referral by RODC) from the RODC, OR execute this on the RWDC with sufficient access permissions)


You then either wait until the change that originated on an RWDC reaches the RODC, or you force inbound AD replication on the RODC. Within a DOS command prompt

  • REPADMIN /SYNCALL R2FSRODC5.ADDMZ.LAN /A /d /q


Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *


Within a DOS command prompt

  • DFSRDIAG POLLAD

Event ID 4114 in the DFS Replication Event Log appears (after the first occurrence, this event will be repeated every 5 minutes).

Event ID 4008 in the DFS Replication Event Log appears.

Event ID 2010 in the DFS Replication Event Log appears.

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="TRUE"}
    (this re-enables the replicated folder on this target)
    (execute this either on the RODC with sufficient permissions AND make sure you can access the Active Directory Web Service (ADWS) (tcp:9389) on the RWDC (through referral by RODC) from the RODC, OR execute this on the RWDC with sufficient access permissions)


You then either wait until the change that originated on an RWDC reaches the RODC, or you force inbound AD replication on the RODC. Within a DOS command prompt

  • REPADMIN /SYNCALL R2FSRODC5.ADDMZ.LAN /A /d /q


Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *


Within a DOS command prompt

  • DFSRDIAG POLLAD

Event ID 4614 in the DFS Replication Event Log appears.

Event ID 4604 in the DFS Replication Event Log appears.
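The two RWDC procedures above (authoritative and non-authoritative) can be scripted so that each step is only taken after the expected event has actually been logged. The following is an added example, not part of the original post or of the Microsoft KB article; it generalizes both RWDC procedures into one function. The function names Restore-DfsrSysvol and Wait-DfsrEvent are hypothetical, and pinning every AD call to the local DC with -Server is an assumption added here.

```powershell
# Added example: Restore-DfsrSysvol and Wait-DfsrEvent are hypothetical helper names.
Import-Module ActiveDirectory

function Wait-DfsrEvent([int[]]$Id, [datetime]$Since, [int]$TimeoutSec = 900) {
    # Poll the "DFS Replication" log until every listed event ID has been logged since $Since.
    $filter   = @{ LogName = 'DFS Replication'; Id = $Id; StartTime = $Since }
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $seen = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                  ForEach-Object { $_.Id })
        if (-not ($Id | Where-Object { $seen -notcontains $_ })) { return }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFS Replication event(s) $($Id -join ', ')"
}

function Restore-DfsrSysvol {
    param([switch]$Authoritative, [string]$ParentComputer)
    # Run locally on the RWDC being restored (an RODC needs the extra REPADMIN steps from the post).
    $dc = $env:COMPUTERNAME
    $dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
          (Get-ADComputer $dc -Server $dc).DistinguishedName
    if ($Authoritative -and (Get-ADDomain -Server $dc).PDCEmulator -notlike "$dc.*") {
        Write-Warning "This DC does not hold the PDC FSMO role (the post prefers the PDC for this)."
    }
    # Step 1: disable the replicated folder; msDFSR-Options=1 marks this member as primary.
    $disable = @{ 'msDFSR-Enabled' = 'FALSE' }
    if ($Authoritative) { $disable['msDFSR-Options'] = 1 }
    $t0 = Get-Date
    Set-ADObject $dn -Replace $disable -Server $dc
    dfsrdiag pollad | Out-Null
    Wait-DfsrEvent -Id 4114 -Since $t0   # the post also lists 4008 and 2010 at this point
    # Optional step: pin the sourcing partner for a non-authoritative restore.
    if ($ParentComputer -and -not $Authoritative) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols'
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Parent Computer' -Value $ParentComputer `
            -PropertyType String -Force | Out-Null
    }
    # Step 2: re-enable the replicated folder and wait for the completion event(s).
    $t1 = Get-Date
    Set-ADObject $dn -Replace @{ 'msDFSR-Enabled' = 'TRUE' } -Server $dc
    dfsrdiag pollad | Out-Null
    $done = if ($Authoritative) { 4602 } else { 4614, 4604 }
    Wait-DfsrEvent -Id $done -Since $t1
    Get-ADObject $dn -Properties 'msDFSR-Enabled', 'msDFSR-Options' -Server $dc
}
# Usage:  Restore-DfsrSysvol -Authoritative
#         Restore-DfsrSysvol -ParentComputer '<FQDN of RWDC to source from>'
```

Because the function throws when an expected event does not show up within the timeout, a half-finished restore (SYSVOL still disabled on the DC) is surfaced immediately instead of going unnoticed.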

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————

3 Responses to “(2011-06-22) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 4)”

  1. Mahesh said

    Hello
    Thanks, Really very good post.
    Please tell me if below steps are right ?
    DFSR with Authoritative restore – steps
    1 Start DC (PDC in my case) in Directory Restore Mode
    2 Restore valid System State backup so as good copy of Sysvol will be restored
    3 Set msDFSREnabled = $false and msDFSR Options = 1
    4 restart DC in normal mode
    5 On all other domain controllers disable DFSR (msDFSREnabled = $false)
    6 on PDC Enable DFSR to $true and run forcefully replication
    7 for rest of the DC’s enable DFSR (msDFSREnabled = $true) one by one and run forcefully replication so that all will get restored Sysvol copy.

    Also let me know in above screen shots why “msDFSR-options” is highlighted in only one DC where authoritative restore done ?

    Best Regards
    Mahesh
