(2014-08-01) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 6)
Posted by Jorge on 2014-08-01
PART 5 is here.
WARNING/DISCLAIMER: I provide this information on an FYI basis. Be very very very careful in actually doing these steps on your production systems as it may break or destroy your AD domain or AD forest. You are fully responsible for any steps you use from this blog post. If you do not understand what you are doing, either hire someone who does, or call Microsoft for support!
So I decided to undelete ‘CN=DFSR-LocalSettings’.
Figure 1: Undeleting The ‘DFS-R-LocalSettings’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ On ‘C1FSRWDC1.CHILD.ADCORP.LAB’
–
It is not possible to undelete ‘CN=Domain System Volume’ and ‘CN=SYSVOL Subscription’ using LDP, as some of the required but missing attributes have binary values (‘msDFSR-ReplicationGroupGuid’ on ‘CN=Domain System Volume’, ‘msDFSR-ContentSetGuid’ and ‘msDFSR-ReplicationGroupGuid’ on ‘CN=SYSVOL Subscription’). It is not as easy as copying and pasting values into LDP. Does it stop here? No, it does not! This is where PowerShell comes to the rescue! With PowerShell it is possible to use an existing object as a template to update or create another object.
First things first, let’s update the object ‘CN=DFSR-LocalSettings’ of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template.
```powershell
Import-Module ActiveDirectory

# Read the 'CN=Domain System Volume' object of C1FSRWDC2 to use as the template
$templateDomainSystemVolume = Get-ADObject "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC2,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -Properties "msDFSR-ReplicationGroupGuid","showInAdvancedViewOnly"

# Display the template object for review
$templateDomainSystemVolume

# Create the object under C1FSRWDC1; msDFSR-MemberReference points at C1FSRWDC1's own topology member
New-ADObject -Instance $templateDomainSystemVolume -Name "Domain System Volume" `
    -Type "msDFSR-Subscriber" `
    -Path "CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -OtherAttributes @{'msDFSR-MemberReference'="CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB"}
```
–
Figure 2: Updating The ‘DFS-R-LocalSettings’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ Using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template
–
Now, let’s recreate the object ‘CN=Domain System Volume’ of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template.
```powershell
Import-Module ActiveDirectory

# Read the 'CN=SYSVOL Subscription' object of C1FSRWDC2 to use as the template
$templateSYSVOLSubscription = Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC2,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -Properties "msDFSR-ContentSetGuid","msDFSR-ReplicationGroupGuid","msDFSR-Enabled","msDFSR-ReadOnly","msDFSR-RootPath","msDFSR-StagingPath","showInAdvancedViewOnly"

# Display the template object for review
$templateSYSVOLSubscription

# Create the object under C1FSRWDC1's 'CN=Domain System Volume'
New-ADObject -Instance $templateSYSVOLSubscription -Name "SYSVOL Subscription" `
    -Type "msDFSR-Subscription" `
    -Path "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB"
```
–
Figure 3: Recreating The ‘CN=Domain System Volume’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template
–
Now, let’s recreate the object ‘CN=SYSVOL Subscription’ of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template.
```powershell
Import-Module ActiveDirectory

# Read the 'CN=SYSVOL Subscription' object of C1FSRWDC2 to use as the template
$templateSYSVOLSubscription = Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC2,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -Properties "msDFSR-ContentSetGuid","msDFSR-ReplicationGroupGuid","msDFSR-Enabled","msDFSR-ReadOnly","msDFSR-RootPath","msDFSR-StagingPath","showInAdvancedViewOnly"

# Display the template object for review
$templateSYSVOLSubscription

# Create the object under C1FSRWDC1's 'CN=Domain System Volume'
New-ADObject -Instance $templateSYSVOLSubscription -Name "SYSVOL Subscription" `
    -Type "msDFSR-Subscription" `
    -Path "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB"
```
–
REMARK: Either RWDC may have been migrated from NTFRS to DFSR, in which case the SYSVOL folder is not named SYSVOL, but rather SYSVOL_DFSR. When using the other DC's object "CN=SYSVOL Subscription" as the template, CHECK if the applied paths are correct!
–
Figure 4: Recreating The ‘CN=SYSVOL Subscription’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template
–
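A check that can be run before restarting DFSR, added here as an example that is not part of the original post: it compares a recreated ‘CN=SYSVOL Subscription’ object against the template object and reports missing or mismatching GUIDs and, optionally, paths that do not exist locally. The function name `Compare-SysvolSubscription` and the sample objects are constructed for illustration; against a live domain both inputs would come from `Get-ADObject` with the same `-Properties` list used in the commands above.

```powershell
# Added example, not from the original post. Works on any two objects that
# expose the msDFSR-* attributes, e.g. the output of Get-ADObject -Properties.
function Compare-SysvolSubscription {
    param(
        [Parameter(Mandatory)] $Template,  # subscription object of the healthy DC
        [Parameter(Mandatory)] $Target,    # recreated object of the repaired DC
        [switch] $CheckLocalPaths          # also Test-Path; run on the repaired DC
    )
    $findings = @()
    # Octet-string GUIDs are returned as byte[]; compare them as [guid] values.
    foreach ($attr in 'msDFSR-ContentSetGuid', 'msDFSR-ReplicationGroupGuid') {
        if (-not $Template.$attr -or -not $Target.$attr) {
            $findings += "$attr is missing on the template or the target"
        }
        elseif ([guid]::new([byte[]]$Target.$attr) -ne [guid]::new([byte[]]$Template.$attr)) {
            $findings += "$attr differs from the template"
        }
    }
    # Paths are copied verbatim from the template, so SYSVOL vs SYSVOL_DFSR matters.
    foreach ($attr in 'msDFSR-RootPath', 'msDFSR-StagingPath') {
        $path = $Target.$attr
        if (-not $path) {
            $findings += "$attr is missing on the target"
        }
        elseif ($CheckLocalPaths -and -not (Test-Path -LiteralPath $path)) {
            $findings += "$attr '$path' does not exist on this DC"
        }
    }
    $findings
}

# Constructed sample data: the target lacks msDFSR-ContentSetGuid.
$rg = [guid]::NewGuid().ToByteArray()
$template = [pscustomobject]@{
    'msDFSR-ContentSetGuid'       = [guid]::NewGuid().ToByteArray()
    'msDFSR-ReplicationGroupGuid' = $rg
    'msDFSR-RootPath'             = 'C:\Windows\SYSVOL_DFSR\domain'
    'msDFSR-StagingPath'          = 'C:\Windows\SYSVOL_DFSR\staging areas\CHILD.ADCORP.LAB'
}
$target = [pscustomobject]@{
    'msDFSR-ReplicationGroupGuid' = $rg
    'msDFSR-RootPath'             = 'C:\Windows\SYSVOL_DFSR\domain'
    'msDFSR-StagingPath'          = 'C:\Windows\SYSVOL_DFSR\staging areas\CHILD.ADCORP.LAB'
}
Compare-SysvolSubscription -Template $template -Target $target
```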
Now also restart the DFSR service on both ‘C1FSRWDC1.CHILD.ADCORP.LAB’ and ‘C1FSRWDC2.CHILD.ADCORP.LAB’. It should start inbound replicating the SYSVOL contents immediately! In my case it didn’t! Damn!
–
PART 7 continues here.
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
This entry was posted on 2014-08-01 at 23:00 and is filed under Active Directory Domain Services (ADDS), KCC, Metadata Cleanup, Object Deletion/Restore, Promotion/Demotion, Replication, SYSVOL.
14 Responses to “(2014-08-01) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 6)”
Jerome said
I think you totally mixed and matched the code on this page; none of the pasted scripts correspond with the description 😦
Nice work anyway
Jorge said
Do not understand what you mean. Can you please provide details?
Jakub Kamenc said
Jorge,
Jerome is right.
The PS codes (as text) don’t correspond to the codes presented on the screenshots.
For example, for updating “CN=DFSR-LocalSettings” object you used “Set-ADObject” cmdlet (screenshot), but “New-ADObject” was presented in the text code area.
Besides this small mistake, the article is great – thank you.
Jorge said
the code is right as you have to recreate the objects because undelete is not possible due to the special attribute value I mention.
I think I created the object first (shown in the code, but in screen dump) and then updated it (not shown in the code, but shown in the screen dump)
Jerome said
The command :
New-ADObject -Instance $templateDomainSystemVolume -name “Domain System Volume”
Is not working 😦
Jorge said
and what’s the error?
T. Fieg said
This description worked perfectly in our case!
The DFS-R-LocalSettings object (including everything below) was missing for one of our Domain Controllers, preventing it from replicating SYSVOL content for quite a while.
That object could be created manually; however, for creation of both the CN=Domain System Volume and CN=SYSVOL Subscription objects we followed the steps shown in Figure 3 & 4. After that we set the msDFSR-Enabled attribute in the properties of CN=SYSVOL Subscription to FALSE state and restarted the DFSR service. In the DFSR event log, ID 4114 was shown; then the msDFSR-Enabled attribute was modified back to TRUE state, followed by another restart of the DFSR service.
Then we ran repadmin /syncall /AdP in an administrative command shell, and very quickly we could see the SYSVOL directory getting updated with the missing information. This was a very straightforward fix!
Jorge said
Glad it worked for you!
Adam said
Hello, is it possible to fix these records if we have two DCs and both are missing these values? (I migrated from Samba to Windows). Thanks 🙂
Marti_the_g said
Thanks a bunch, your code was exactly what I needed. One of my DCs lost the setting and the DFSR snap-in reported it as missing. After setting it and refreshing, DFSR shows the DC again. Now I can do a non-authoritative restore of SYSVOL.
Henric Appelgren said
Six years later and this is still a saving grace! Thanks a lot!
Jorge said
Wow! Glad it helped you!