Authoritative SYSVOL restore (DFS-R)

In my previous article Non-authoritative SYSVOL restore (DFS-R) I showed you, how to do a

non-authoritative restore of SYSVOL based onDFS Replication. Today it is time to do an authoritative
SYSVOL restore. If you have bigger mess in your domain or you need to restore SYSVOL from
backup and replicate to other Domain Controllers.
This action affects all of your Domain Controllers in the entire domain. In the first case (nonauthoritative) you only touch SYSVOL on one DC at the time. The rest of your Domain Controllers
are running and sharing SYSVOL for users.
The second case (authoritative) is much more visible for users. All of Domain Controllers do not run
and share SYSVOL where Group Policies and logon scripts are located. When you decide to do
authoritative SYSVOL restore, you need to inform all administrators to not create/modify Group
Policies during that time. All other domain services are running except access to SYSVOL. So, this
action should be performed out of office business hours.
How to start authoritative SYSVOL restore? What do you need to do first?
You should identify which Domain Controller is holding PDC Emulatoroperation master role. As you
know, one of its functions is to manage and maintain GPOs. When you create or modify existing
GPO, it is done directly on this Domain Controller.
If you need to restore SYSVOL from backup, it should also be done directly on PDC Emulator
operation master role holder, from which you will initiate authoritative SYSVOL restore.
So, lets see, how we can do that.
Log on to PDC Emulator FSMO role holder. If you do not know, which Domain Controller holds this
role, run in command-line/elevated command-line on any of your DCs
netdomqueryfsmo

Finding PDC Emulator role holder

or type in PowerShell (Windows Server 2012/2012R2)

ImportModuleActiveDirectory
GetADDomain|SelectPDCEmulator

Finding PDC Emulator role holder

and youll see which DC is holding this role.

When you are logged on on this Domain Controller, you need to evaluate how many DCs are in your
domain. The most simple way to check that is using Microsoft DS tools on a DC. Type in commandline
dsqueryservername*limit0|dsgetserverdnsname|find/v"dnsname"|
find/v"dsget">c:dcslist.txt

Collecting all Domain Controllers in a domain

or type in PowerShell (Windows Server 2012/2012R2)
ImportModuleActiveDirectory
GetADDomainControllerFilter*|SelectName|OutFilec:dcslist.txt

Collecting all Domain Controllers in a domain

after

you

ran

this

command,

on

your

DCs

C-Drive,

you

should

find

text

file

named dcslist.txt Check its content, there are all Domain Controllers for your domain

Full list of Domain Controllers

On all of those Domain Controllers except PDC Emulator holder, you have to perform nonauthoritative SYSVOL restore. But lets start step-by-step.
You should initiate authoritative SYSVOL restore from a DC with PDC Emulator role. If you need to
restore SYSVOL from backup, do it first before you initiate restore.
First of all, stop DFS Replication service. Type in elevated command-line
netstopDFSR

Stopping DFS Replication service

or in PowerShell
StopServiceDFSR

or

StopService"DFSReplication"

Stopping DFS Replication service

Important! All services relying on DFS Replication service will be affected!

Now, run ADSI Editor (adsiedit.msc) from Domain Controller on which you want to initiate nonauthoritative SYSVOL restore. Type in run box
adsiedit.msc

Running ADSI Editor

Connect to domain partition (Default Naming Context). Click right mouse button (RMB) on root
node in the console and select Connect to

Connecting to Default Naming Context

select a well known Naming Context and choose Default Naming Context

Selecting Naming Context

Expand below location bt clicking on each node within a console

DefaultNamingContext>DC=domain,DC=local>OU=DomainControllers>
CN=DomainControllername>CN=DFSRLocalSettings>DomainSystemVolume

where DC=domain,DC=local is a distinguished name of your domain andCN=Domain Controller

name is DC name of PDC Emulator role holder on which you want to initiate authoritative SYSVOL
restore.

Searching SYSVOL subscription node

and select CN=SYSVOL Subscription entry by RMB in the right pane, choose Properties

Editing SYSVOL subscription entry

This time you need to change two atrributes value

msDFSR-Enabled

msDFSR-Options
Search them on the list and edit

msDFSR-Enabled attribute edition

Change its state from TRUE to FALSE and accept the change

Modification of msDFSR-Enabled attribute

and accept changes to be applied

Accept attributes changes

Now, search the second attribute msDFSR-Options and edit it

msDSFR-Options attribute edition

Change its state from not set to 1 and accept the change

Modification of msDFSR-Options attribute

and accept changes to be applied (do not close window, you will use it later)

Accept attributes changes

REPETITIVE TASK
Now, on each of the rest Domain Controllers you need to change msDFSR-Enabled attribute state
from TRUE to FALSE to initiate replication from authoritative Domain Controller with SYSVOL. This
not need to be done directly on Domain Controllers, you can use ADSI Editor on the same DC on
which you changed previous attributes. But this is important to do for evry remaining DC!
Below you can find all required steps. You need to repeat them on the rest of Domain Controllers
In ADSI Editor on Domain Controller where you changed previous attributes, close Attribute
Editor window and go back to the console. Expand each DC to set up msDFSR-Enabled attribute

Changing SYSVOL subscription of the rest of Domain Controllers

Search for the attribute

msDFSR-Enabled attribute edition

and edit it, changing TRUE to FALSE

Modification of msDFSR-Enabled attribute

and click OK to accept changes

Modify attribute and accept changes

and stop DFS Replication service on remote DC. Repeat these steps for EVERY remaining Domain
Controller.

END OF REPETITIVE TASK

Now, on your PDC Emulator role holder start DFS Replication service, type in elevated commandline
netstartDFSR

Starting DFS Replication service on PDC Emulator role holder DC

or type in PowerShell
StartServiceDFSR

or
StartService"DFSReplication"

Starting DFS Replication service on PDC Emulator holder Domain Controller

In event log you should see event ID 4114

Event log review

Modify msDFSR-Enabled attribute back to TRUE state

Changing msDFSR-Enabled attribute back to TRUE state

and accept changes

Accepting attribute changes

Start Active Directory replication on all of your Domain Controllers. Type in elevated command-line
repadmin/syncall/AdP

Replicating Active Directory

On your PDC Emulator Domain Controller in elevated command-line type

dfsrdiagPollAD

Sync with the global information store

Note! When you ran dfsrdiag command and it was not recognized, you need to install DFS
Management Tools from features!

Adding DFS Management Tools feature

In DFS Replication event log, you should see event ID 4602 That means, your authoritative SYSVOL
restore is initiated

Event ID 4602

REPETITIVE TASK
Before you will start DFS Replication service, I would suggest to remove all content from those 2
folders

%WINDIR%SYSVOLdomainPolicies

%WINDIR%SYSVOLdomainScripts
Note! (by default, if you changed SYSVOL location during DC promotion, you need to refer to your
own location)
Go to the another Domain Controller to which you want to replicate SYSVOL and start DFS
Replication service, type in elevated command-line
netstartDFSR

Starting DFS Replication service on PDC Emulator role holder DC

or in PowerShell

StartServiceDFSR

or
StartService"DFSReplication"

Starting DFS Replication service on PDC Emulator holder Domain Controller

review DFS Replication event log and check if there is event ID 4114

Event log review

Change back msDFSR-Enabled attribute to TRUE state

Changing msDFSR-Enabled attribute back to TRUE state

accept changes, clik OK button

Accepting attribute changes

and run dfsrdiag command to synchronize with the global information store
dfsrdiagPollAD

Sync with the global information store

You

should

get

SYSVOL

replicated

to

this

Domain

Controller.

Go

to%WINDIR

%SYSVOLdomainPolicies and check if data was replicated. You should see all Group Policies and
scripts there

All Group Policies on DC with PDC Emulator role

and go to one more location, %WINDIR%SYSVOLdomainScripts to check if scripts and other files
from NETLOGON share were replicated

All scripts on DC where non-authoritative SYSVOL has been done

END OF REPETITIVE TASK

Thats all!
<<< Previous part
Author: Krzysztof Pytko