DFS

• Clear DFS Problems
• DFS Backlog Check
• DFS Checker
• DFS Checker client install and setup
• DFS Checker Configuration Settings
• DFS Does not Replicate Temporary Files
• DFS Staging Size
• DFSR Won't re-enable
• WMI-DFS Staging Size
• How to troubleshoot missing SYSVOL and Netlogon shares
• How to force authoritative and non-authoritative synchronization for DFSR-replicated sysvol replication

Clear DFS Problems

 

 

 

 

 

 

 

Replication State codes are as follow: 

0: Uninitialized 

1: Initialized 

2: Initial Sync 

3: Auto Recovery 

4: Normal 

5: In Error 

DFS Backlog Check

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

@echo off 

 

SET LSRV="RHSC-17-SRV02" 

Set BKSRV1="RHSC-00-SRV12" 

SET BKSRV2="RHSC-01-SRV13" 

SET RGName1="DikeIA" 

SET RFName1="DikeIA" 

SET RGName2="DeployedApps" 

SET RFName2="DeployedApps" 

 

 

 

echo. 

echo. 

echo Testing %LSRV% %BKSRV1% %RGNAME1% %RFName1% 

dfsrdiag backlog /sendingmember:%LSRV% /receivingmember:%BKSRV1% /RGName:%RGNAME1% /RFName:%RFName1% 

echo. 

echo. 

echo Testing %LSRV% %BKSRV2% %RGNAME1% %RFName1% 

dfsrdiag backlog /sendingmember:%LSRV% /receivingmember:%BKSRV2% /RGName:%RGNAME1% /RFName:%RFName1% 

echo. 

echo. 

echo Testing %LSRV% %BKSRV1% %RGNAME2% %RFName2% 

dfsrdiag backlog /sendingmember:%LSRV% /receivingmember:%BKSRV1% /RGName:%RGNAME2% /RFName:%RFName2% 

echo. 

echo. 

echo Testing %LSRV% %BKSRV2% %RGNAME2% %RFName2% 

dfsrdiag backlog /sendingmember:%LSRV% /receivingmember:%BKSRV2% /RGName:%RGNAME2% /RFName:%RFName2% 

pause 

cls 

 

 

%systemroot%\System32\wbem\WMIC.exe /namespace:\\root\microsoftdfs path dfsrconnectioninfo where "LastSyncTime<>'99990101000000.000000-000' and state='3'" get membername, partnername, ReplicationGroupName, state 

 

 

 

echo. 

echo. 

echo. 

echo. 

echo. 

echo Replication Test 

echo If Above states "No Instances(s) Available." then 1st test good 

pause 

cls 

 

 

%systemroot%\System32\wbem\WMIC.exe /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo where "state='5'" get membername, ReplicationGroupName, state 

 

 

 

echo. 

echo. 

echo. 

echo. 

echo. 

echo Connection Test 

echo If Above states "No Instances(s) Available." then 2nd test good 

pause 

cls 

 

 

 

%systemroot%\System32\wbem\WMIC.exe /namespace:\\root\microsoftdfs path dfsrconnectioninfo get membername, partnername, ReplicationGroupName, state, LastSyncTime 

 

 

 

echo. 

echo. 

echo. 

echo. 

echo. 

echo Replication Test 

echo If Above has some information and no errors then 3rd test good 

pause 

cls 

 

 

echo  Replication Test 

%systemroot%\System32\wbem\WMIC.exe /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo  get membername, ReplicationGroupName, state 

 

 

 

echo. 

echo. 

echo. 

echo. 

echo. 

echo Connection Test 

echo  State should be "4" for all of these 

echo. 

echo. 

echo If Above has some information and no errors then 4th test good 

pause 

cls 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

dfsrdiag backlog /sendingmember:rhsc-10-srv01 /receivingmember:rhsc-01-srv13 /RGName:HollandIA /RFName:"HollandDFS" 

dfsrdiag backlog /sendingmember:rhsc-16-vsrv01 /receivingmember:rhsc-01-srv13 /RGName:AnkenyIA /RFName:"AnkenyIA" 

dfsrdiag backlog /sendingmember:rhsc-16-vsrv01 /receivingmember:rhsc-00-srv12 /RGName:AnkenyIA /RFName:"AnkenyIA" 

dfsrdiag backlog /sendingmember:rhsc-18-vsrv02 /receivingmember:rhsc-00-srv12 /RGName:FloraE /RFName:"DFSFloraE" 

dfsrdiag backlog /sendingmember:rhsc-24-srv01 /receivingmember:rhsc-01-srv13 /RGName:Harlan /RFName:"DFS Root" 

dfsrdiag backlog /sendingmember:rhsc-26-srv01 /receivingmember:rhsc-00-srv12 /RGName:Williams /RFName:"DFS Root" 

dfsrdiag backlog /sendingmember:rhsc-26-srv01 /receivingmember:rhsc-01-srv13 /RGName:Williams /RFName:"DFS Root" 

dfsrdiag backlog /sendingmember:rhsc-13-SRV02 /receivingmember:rhsc-01-srv13 /RGName:BloomingtonIL /RFName:"BloomingtonDFS" 

dfsrdiag backlog /sendingmember:rhsc-13-SRV02 /receivingmember:rhsc-00-srv12 /RGName:BloomingtonIL /RFName:"BloomingtonDFS" 

dfsrdiag backlog /sendingmember:rhsc-01-SRV01 /receivingmember:rhsc-01-srv13 /RGName:"Remington Main" /RFName:"NEW DFS" 

dfsrdiag backlog /sendingmember:rhsc-01-SRV01 /receivingmember:rhsc-00-srv12 /RGName:"Remington Main" /RFName:"NEW DFS" 

dfsrdiag backlog /sendingmember:rhsc-22-srv01 /receivingmember:rhsc-01-srv13 /RGName:Eldora /RFName:"Eldora" 

dfsrdiag backlog /sendingmember:rhsc-22-srv01 /receivingmember:rhsc-00-srv12 /RGName:Eldora /RFName:"Eldora" 

dfsrdiag backlog /sendingmember:rhsc-28-vsrv01 /receivingmember:rhsc-01-srv13 /RGName:Sturgis /RFName:"Sturgis DFS" 

dfsrdiag backlog /sendingmember:rhsc-22-vsrv01 /receivingmember:rhsc-00-srv12 /RGName:Sturgis /RFName:"Sturgis DFS" 

dfsrdiag backlog /sendingmember:rhsc-23-srv01 /receivingmember:rhsc-01-srv13 /RGName:Lincoln /RFName:"DFS Root" 

dfsrdiag backlog /sendingmember:rhsc-23-srv01 /receivingmember:rhsc-00-srv12 /RGName:Lincoln /RFName:"DFS Root" 

 

 

 

 

 

 

dfsrdiag backlog /sendingmember:REED-01-SRV02 /receivingmember:REED-01-SRV01 /RGName:Reed /RFName:"DFS" 

 

 

 

DFS Checker

Overview: 

 

DFS Checker is an Accent written software.  The installation in hosted on FileVista (DFSCheckerClient_1_1_5).    The software is installed on a server.  The server then checks into the main DFS Checker server (ACS-00-VSRV16) hourly.  VSRV16 has timetables and pathways configured on it.   The client SRV will scan those pathways for files and give a total of files and size to VSRV16.  VSRV16 then puts together a report to compare the total number of files between two DFS replicant servers.  The purpose is to show that if DFS replication has stopped, then as new files are added, there will be a difference between the two that will become apparent on the report. 

 

Note:  if each SRV had 100 files that the other does not, the total would then be zero. 

 

 

 

 

These email are set to be delivered nightly.  If they are not received: 

Restart service - ACS-00-VSRV17 - DFS Checker Service 

 

If you do not receive email 

Restart service - ACS-00-VSRV13 - SQL Server 

Restart service - ACS-00-VSRV17 - DFS Checker Service 

 

If you do not receive email 

Reboot - ACS-00-VSRV13 - SQL Server 

Restart service - ACS-00-VSRV17 - DFS Checker Service 

 

If you do not receive email 

Reboot - ACS-00-VSRV17 - SQL Server 

 

If you do not receive email - ask Barron for help 

 

 

 

ACS-00-VSRV16 - Labtech ID 683 

DFS Checker client install and setup

 

From FTP download and install the latest version (1.1.5) 

 

Install path should be C:\Program Files (x86)\Accent Consulting Services, LLC\DFSCheckerClient\ 

 

Create the DFS Checker configuration settings (config.txt) and place it in the same folder as the installed path.  

 

 

 

DFS Checker Configuration Settings

Service Address: https://secure.accentconsulting.com/AccentConsulting/DFSChecker/DFSService 

Password: wei01vsrv03DFS 

CheckScheduleFrequency: 3600 

Debug: 1 

DFS Does not Replicate Temporary Files

This will remove the background temp archive attribute 

Get-childitem "D:\Data" -recurse | ForEach-Object -process {if (($_.attributes -band 0x100) -eq 0x100) {$_.attributes = ($_.attributes -band 0xFEFF)}} 

 

 

There are some attributes that also will stop replication.  Below command will remove those for whichever folder and subfolders you run this on. 

 

attrib * -r -a /S /D 

 

 

REED-01-SRV02 

Get-childitem I:\DFS -recurse | ForEach-Object -process {if (($_.attributes -band 0x100) -eq 0x100) {$_.attributes = ($_.attributes -band 0xFEFF)}} 

 

RHSC-01-SRV01 

Get-childitem "D:\NEW DFS" -recurse | ForEach-Object -process {if (($_.attributes -band 0x100) -eq 0x100) {$_.attributes = ($_.attributes -band 0xFEFF)}} 

 

RHSC-26-SRV03 

Get-childitem "D:\WilliamsDFS" -recurse | ForEach-Object -process {if (($_.attributes -band 0x100) -eq 0x100) {$_.attributes = ($_.attributes -band 0xFEFF)}} 

 

 

 

Script for task manager: 

~~~~~~~~~~~~~~~~~~BAT file~~~~~~~~~~~~~~ 

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Accent\Scripts\DFSR_archive_temp_bit_buster.ps1 

~~~~~~~~~~~~~~~~~~~~~powershell ps1 file~~~~~~~~~~~~~~~~~~ 

Get-childitem I:\DFS -recurse | ForEach-Object -process {if (($_.attributes -band 0x100) -eq 0x100) {$_.attributes = ($_.attributes -band 0xFEFF)}} 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

 

Windows Powershell – “Running scripts is disabled on this system” 

set-executionpolicy remotesigned 

http://www.faqforge.com/windows/windows-powershell-running-scripts-is-disabled-on-this-system/ 

 

 

 

 

 

 

If you don’t want it to work against subdirectories just remove the -recurse parameter. 

 

 

11 Nov 2008 7:40 AM  

Note that this post has been added to the TechNet Wiki to allow for community editing. 

If you notice that DFS Replication (DFSR) is not replicating certain files, one simple reason is that the temporary attribute is set on them. By design, DFSR does not replicate files if they have the temporary attribute set on them, and it cannot be configured to do so. 

This may not be obvious because nearly all the normal methods you would use in Windows to check file attributes do not show the temporary attribute. Specifically, all of the following do not show the temporary attribute - Attrib.exe, Explorer's file properties, FileSystemObject in Windows Scripting Host, and CIM_Datafile in WMI. Also, DFSR does not log any errors to the event log or to the debug logs to show temporary files are not being replicated. There is a relevant entry in the debug logs, but it is not an error because this behavior is by design. 

The reason DFSR does not replicate files with the temporary attribute set is that they are considered short-lived files that you would never actually want to replicate. Using the temporary attribute on a file keeps that file in memory and saves on disk I/O. Therefore applications can use it on short-lived files to improve performance. 

An application can use FILE_ATTRIBUTE_TEMPORARY when calling the CreateFile function if they want a temporary file. But an even better way is to also specify FILE_FLAG_DELETE_ON_CLOSE so the temporary file is deleted when all handles are closed. That way you get the performance benefit of a temporary file (it’s kept in memory) and it is removed when handles are closed so administrators don’t come along and wonder why DFSR isn’t replicating it. 

If you have temporary files that you want DFSR to replicate, you may think it is enough to just remove the temporary attribute on those files and be on your way. And you can do that. But since you got in this situation once, it is likely you still have an application that will come right back and create more temporary files. So you need to get at the crux of the issue – why do you want to replicate files that an application is specifically creating to be temporary? Either the application must change its behavior, or you must except that temporary files won’t be replicated, because there is no way to make DFSR replicate files as long as the temporary attribute is set on them. 

Checking the Temporary Attribute on a File using Fsutil 

But wait, you say, maybe I don’t even know yet if these files that aren’t replicating are temporary! So let’s find out. As mentioned before, almost none of the ways to check attributes in Windows will actually show the temporary attribute. But there is one that does – the handy Fsutil tool that is included in Windows. 

fsutil usn readdata c:\data\test.txt 

Major Version : 0x2  

Minor Version : 0x0  

FileRef# : 0x0021000000002350  

Parent FileRef# : 0x0003000000005f5e  

Usn : 0x000000004d431000  

Time Stamp : 0x0000000000000000 12:00:00 AM 1/1/1601  

Reason : 0x0  

Source Info : 0x0  

Security Id : 0x5fb  

File Attributes : 0x120  

File Name Length : 0x10  

File Name Offset : 0x3c  

FileName : test.txt 

File Attributes is a bitmask that indicates which attributes are set. In the above example, 0x120 indicates the temporary attribute is set because that is 0x100 and 0x20 (Archive) = 0x120. 

Here are the possible values:  

 

You combine the values to come up with the File Attributes bitmask value.  

If you need a sanity check: 

Checking for Temporary Files in the Debug Logs with Findstr 

Another way to check if files are not replicating because they have the temporary attribute set is to use Findstr (included in Windows) to look for the FILE_ATTRIBUTE_TEMPORARY text string in the DFSR debug logs. 

First you need to extract out all of the debug logs, because all except the active log will be compressed, as indicated by a .GZ extension. The DFSR debug logs (Dfsr*.log and Dfsr*.log.gz) reside by default under %windir%\debug. All the popular compression tools such as Winzip and Winrar can handle .GZ compression. 

Let’s say you extracted the debug logs to C:\Logs. You can then run the following Findstr command to look for temporary files. 

Findstr FILE_ATTRIBUTE_TEMPORARY c:\logs\dfsr*.log 

That will output the entire line for every line in the debug log that contains a match to that string. If it doesn't find any matches, it will return to a prompt and not show anything. 

Sample output from a matching entry: 

C:\WINDOWS\debug\Dfsr00018.log:20080903 16:14:29.390 1808 USNC 1204 UsnConsumer::ProcessUsnRecord Skipping USN_RECORD with FILE_ATTRIBUTE_TEMPORARY flag: 

If it does find any matches, you can then open the specified log file, search on the string FILE_ATTRIBUTE_TEMPORARY (Ctrl+F or Edit | Find in Notepad) and then you will see the actual file name for the file that was skipped because the temporary attribute is set on it. 

Removing the Temporary Attribute from Multiple Files with Powershell 

So you figured out that DFSR is not replicating some files because they have the temporary attribute set. There is no way to change this behavior in DFSR, so the only option is to live with it, or remove the temporary attribute from the files you want to replicate. An application in your environment has created these temporary files, so just treating the symptom isn’t enough, you need to find the application that creates them and either change its behavior, or accept that those files will not be replicated.  

Since Attrib is not aware of the temporary attribute, we need to go to greater lengths to remove it. First you need to have Powershell installed on the machine - www.microsoft.com/powershell 

Then bring up a Powershell prompt (Start, Run, Powershell or from the Programs menu) and run this command to remove the temporary attribute from all files in the specified directory, including subdirectories (in this example, D:\Data): 

Get-childitem D:\Data -recurse | ForEach-Object -process {if (($_.attributes -band 0x100) -eq 0x100) {$_.attributes = ($_.attributes -band 0xFEFF)}} 

If you don’t want it to work against subdirectories just remove the -recurse parameter. 

 

Pasted from <http://blogs.technet.com/b/askds/archive/2008/11/11/dfsr-does-not-replicate-temporary-files.aspx>  

DFS Staging Size

(Get-ChildItem 'F:\SQL_DFS' -recurse –force | Sort-Object length -descending | select-object -first 32 | measure-object -property length -sum).sum /1gb 

 

The above command is originally from Microsoft 

It checked the DFS folder "F:\SQL_DFS" for the largest 32 files and gives the result in GB. 

Once you have that number change the staging on the folder to that size (listed in MB). 

 

DFS will stop and work on staging if it gets to 90% of that number.  Therefore 

Multiply it by 1.12 to get the size needed to keep that from happening. 

 

 

 

 

 

 

 

$DFSSource='E:\Shared' 

(Get-ChildItem $DFSSource -recurse –force | Sort-Object length -descending | select-object -first 32 | measure-object -property length -sum).sum /1gb 

 

 

$DFSSource2='E:\Data1' 

 

(Get-ChildItem $DFSSource2 -recurse –force | Sort-Object length -descending | select-object -first 32 | measure-object -property length -sum).sum /1gb 

 

 

$DFSSource3='E:\Procedures' 

$DFSSource4='E:\Sales Information' 

$DFSSource5='E:\SCC Reband' 

$DFSSource6='E:\Shared' 

$DFSSource7='E:\SQL Backup' 

$DFSSource8='E:\Tech Information' 

$DFSSource9='E:\Williams Documents-Accounting' 

$DFSSource0='E:\Williams Mail List' 

 

(Get-ChildItem $DFSSource3 -recurse –force | Sort-Object length -descending | select-object -first 32 | measure-object -property length -sum).sum /1gb 

(Get-ChildItem $DFSSource4 -recurse –force | Sort-Object length -descending | select-object -first 32 | measure-object -property length -sum).sum /1gb 

(Get-ChildItem $DFSSource5 -recurse –force | Sort-Object length -descending | select-object -first 32 | measure-object -property length -sum).sum /1gb 

(Get-ChildItem $DFSSource6 -recurse –force | Sort-Object length -descending | select-object -first 32 | measure-object -property length -sum).sum /1gb 

(Get-ChildItem $DFSSource7 -recurse –force | Sort-Object length -descending | select-object -first 32 | measure-object -property length -sum).sum /1gb 

(Get-ChildItem $DFSSource8 -recurse –force | Sort-Object length -descending | select-object -first 32 | measure-object -property length -sum).sum /1gb 

(Get-ChildItem $DFSSource9 -recurse –force | Sort-Object length -descending | select-object -first 32 | measure-object -property length -sum).sum /1gb 

(Get-ChildItem $DFSSource0 -recurse –force | Sort-Object length -descending | select-object -first 32 | measure-object -property length -sum).sum /1gb 

 

 

 

 

 

 

 

 

 

DFSR Won't re-enable

There are times when DFS was used prior and it just won't work anymore.  This has been seen in AD replication. 

 

 

The DB that DFS refers to is in  

C:\System Volume Information\DFSR 

 

Within that folder is the DFS information.  If that information is bad you have to purge it. 

 

Remove the server from all DFSR 

Update settings to allow you to see hidden system files 

Take ownership of "System Volume Information" 

Grant full access to folder and subfolders to yourself 

CMD Elevated:       rmdir "C:\System Volume Information\DFSR" /s 

At this point all the DFSR information is gone but you messed with vital security permissions  

I am using: DISM.exe /Online /Cleanup-image /Restorehealth 

To hopefully get it back in-line 

 

WMI-DFS Staging Size

From command prompt, run these commands: 

 

 

Connection Test 

%systemroot%\System32\wbem\WMIC.exe /namespace:\\root\microsoftdfs path dfsrconnectioninfo where "LastSyncTime<>'99990101000000.000000-000' and state='3'" get membername, partnername, ReplicationGroupName, state 

 

 

Replication Test 

%systemroot%\System32\wbem\WMIC.exe /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo where "state='5'" get membername, ReplicationGroupName, state 

 

 

If the result is: 

No Instances(s) Available. 

 

Then all is good. 

 

 

 

 

 

 

 

Without limitations, these commands will give the current connections and their states: 

 

Connection Test 

%systemroot%\System32\wbem\WMIC.exe /namespace:\\root\microsoftdfs path dfsrconnectioninfo get membername, partnername, ReplicationGroupName, state, LastSyncTime 

 

 

Replication Test 

%systemroot%\System32\wbem\WMIC.exe /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo  get membername, ReplicationGroupName, state 

How to troubleshoot missing SYSVOL and Netlogon shares

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-missing-sysvol-and-netlogon-shares

This article provides the steps to troubleshoot the missing SYSVOL and Netlogon shares in Windows Server 2012 R2.

Original KB number:   2958414

Symptoms

SYSVOL and Netlogon shares aren't shared on a domain controller. The following symptoms or conditions may also occur:

• The sysvol folder is empty.
• The affected domain controller was recently promoted.
• The environment contains domain controllers running versions of Windows earlier than Windows Server 2012 R2.
• DFS Replication is used to replicate the SYSVOL Share replicated folder.
• An upstream domain controller's DFS Replication service is in an error state.

Cause

Domain controllers without SYSVOL shared can't replicate inbound because of upstream (source) domain controllers being in an error state. Frequently (but not limited to), the upstream servers have stopped replication because of a dirty shutdown (event ID 2213).

Resolution

This section contains recommended methods for troubleshooting and resolving missing SYSVOL and Netlogon shares on domain controllers that replicate by using the DFS Replication service.

The process reinitializes DFS Replication if SYSVOL isn't shared on domain controllers according to How to force an authoritative, or non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS). It's unnecessary in most cases, and it may cause data loss if done incorrectly. In addition, it prevents determining the cause of the issue and averting future occurrences of the issue.

What follows are general steps to investigate the missing shares. Determine if the problem is caused by a one-time occurrence, or if the upstream domain controller(s) can't support replication by using DFS Replication.

Deleting the DFS Replication database from the volume shouldn't be required and is discouraged. It causes DFS Replication to consider all local data on the server to be nonauthoritative. By letting DFS Replication recover the database gracefully (as instructed in the 2213 event), the last writer will still win any conflicting versions of SYSVOL data.

Step 1 - Evaluate the state of DFS Replication on all domain controllers

Evaluate how many domain controllers aren't sharing SYSVOL, have recently logged an Error event, and how many domain controllers are in an error state. Follow these steps.

• Check for the SYSVOL share

  You may manually check whether SYSVOL is shared or you can inspect each domain controller by using the net view command:

  ConsoleCopy

  
  

  For /f %i IN ('dsquery server -o rdn') do @echo %i && @(net view \\%i | find "SYSVOL") & echo
  

• Check DFS Replication state

  To check DFS Replication's state on domain controllers, you may query WMI. You can query all domain controllers in the domain for the SYSVOL Share replicated folder by using WMI as follows:

  ConsoleCopy

  
  

  For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state
  

  The state values can be any of:
  0 = Uninitialized
  1 = Initialized
  2 = Initial Sync
  3 = Auto Recovery
  4 = Normal
  5 = In Error

   Note

  Depending on a domain controller's condition, it may fail to report a state value and indicate no instance(s) available.

• Check Event logs for recent errors or warnings

  If any domain controllers don't report the SYSVOL Share replicated folder as being in a state 4 (normal), check the event log of those domain controller(s) to evaluate their condition. Review each domain controller for recent errors or warnings in the DFS Replication event log, such as the warning event ID 2213 that indicates that DFS Replication is currently paused.

• Check the Content Freshness configuration

  Determine whether DFS Replication triggered content freshness protection on the affected domain controllers. Content Freshness is enabled on Windows Server 2012 (and later versions) domain controllers by default. However, it may also be manually enabled on Windows Server 2008 R2 servers.

  To evaluate if content freshness is enabled, the MaxOfflineTimeInDays setting will be set to 60. If content freshness is disabled, MaxOfflineTimeInDays will be set to 0. To check MaxOfflineTimeInDays, run the following command:

  ConsoleCopy

  
  

  wmic.exe /node:%computername% /namespace:\\root\microsoftdfs path DfsrMachineConfig get MaxOfflineTimeInDays
  

  To query all domain controllers in the domain, run the following command:

  ConsoleCopy

  
  

  For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path DfsrMachineConfig get MaxOfflineTimeInDays
  

  For each domain controller enabled for content freshness, evaluate if DFS Replication has logged an event ID 4012 that indicates replication of the folder has stopped because replication has failed for longer than the MaxOfflineTimeInDays parameter.

Step 2 - Prepare the domain controllers that are in an error state

• Install appropriate updates

  For any domain controllers running Windows Server 2008 R2, first install DFS Replication updates to prevent data loss and to fix known issues. It's a best practice to use the latest version of DFS Replication. See List of currently available hotfixes for Distributed File System (DFS) technologies for the latest version of DFS Replication.

• Back up SYSVOL data

  Do a backup of SYSVOL data (if present) on each domain controller. Backups may be a file copy of the SYSVOL contents to a safe location or, it may be a backup that uses backup software.

  Depending on the situation, policy files could be moved to PreExisting or Conflict and Deleted. PreExisting and Conflict and Deleted contents will be purged if initial synchronization is done multiple times on a server. Back up data in these locations to avoid data loss.

Step 3 - Recover DFS Replication on the domain controllers in the error state

Based on the number of domain controllers in the domain, select the appropriate method to recover the DFS Replication service.

For environments that have two domain controllers

Determine whether a dirty shutdown was detected (event ID 2213) on either domain controller. You may find the second domain controller is waiting to complete initialization of SYSVOL. The reason is, after promotion, it will log a 4614 event that indicates that DFS Replication is waiting to do initial replication. In addition, it won't log a 4604 event signaling that DFS Replication has initialized SYSVOL.

• If content freshness is enabled on both domain controllers

  If the second domain controller waits to do initial synchronization (event 4614 logged without the 4604 anti-event), follow the How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS) to set the first domain controller as authoritative. You don't have to configure the second domain controller as nonauthoritative, because it's already waiting to do initial synchronization.

  Or, if the second domain controller is healthy and SYSVOL is shared, take the following steps:

  1. Back up all SYSVOL contents of the first domain controller.

  2. Evaluate if the second domain controller's SYSVOL data is up to date. If not, you may want to copy updated SYSVOL files to the second domain controller from the first domain controller. Otherwise, any existing data present on first domain controller not present on the second will go into the PreExisting and Conflict and Deleted folders.

  3. Set the first domain controller as nonauthoritative by disabling the membership per How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS). Confirm that an event ID 4114 is logged to indicate the membership is disabled.

  4. Enable the first domain controller's membership, and wait for the 4614 and 4604 events that report completion of the initial synchronization. If necessary, restore any updated files from PreExisting to the original location.

• If content freshness isn't enabled or triggered on both domain controllers

  If the first domain controller is in the event ID 2213 state, and the second domain controller has never completed initialization after it was promoted, and content freshness hasn't been triggered. Take the following steps:

  1. Run the ResumeReplication WMI method on the first domain controller as instructed in the 2213 event.

  2. After replication resumes, it will log an event ID 4602 that indicates that DFS Replication initialized the SYSVOL replicated folder and specified it as the primary member.

  3. Run the dfsrdiag pollad command on the second domain controller to trigger it to complete initial sync (event ID 4614). As soon as initial sync is finished, event ID 4604 is logged, signaling SYSVOL has completed initialization.

  Or, if the first domain controller is in the 2213 state and the second domain controller is healthy (SYSVOL is shared), run the ResumeReplication WMI method on the first domain controller. It will log event ID 2214 at the completion of dirty shutdown recovery.

For environments that have three or more domain controllers

Determine whether a dirty shutdown was detected and whether DFS Replication is paused on any domain controllers (event ID 2213). You may find a domain controller is waiting to complete initialization of SYSVOL after promotion. It will log a 4614 event that indicates that DFS Replication is waiting to do initial replication. It also won't log a 4604 event signaling that DFS Replication has initialized SYSVOL.

• If content freshness is enabled, and there are three or more domain controllers in the domain.

  Content freshness protection will log an event ID 4012 that indicates that replication has stopped because replication on the folder has failed for longer than the MaxOfflineTimeInDays parameter. To reinitialize DFS Replication on the affected domain controller(s), follow the instructions in How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS).

  If all domain controllers have logged the 4012 event and their state is 5, follow the instructions in How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS) to completely initialize SYSVOL. It's the only situation to set a DFS Replication server as authoritative. Make sure that the domain controller configured as authoritative has the most up-to-date copy of all SYSVOL contents.

  Or, if one or more domain controllers are blocking replication because of content freshness, they each must be non-authoritatively recovered. Follow these steps:

  1. Back up all SYSVOL contents of the domain controller(s). Typically, policy edits are done on the PDC Emulator, but it isn't guaranteed. Any data present on the recovered domain controller(s) not matching the partners will go into the PreExisting or Conflict and Deleted folder, or both.

  2. Set the domain controller(s) as nonauthoritative by disabling the membership, as described in How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS). You must be aware of the replication topology, and you must fan out from a healthy domain controller by selecting direct partners of it, then recovering further downstream domain controllers, and so on. Event ID 4144 will be logged to confirm the membership is disabled. Make sure all domain controllers requiring recovery log the event. It may be necessary to force Active Directory replication and then run the dfsrdiag pollad command on each domain controller to detect the disabled membership quickly.

  3. Enable the membership and wait for the 4614 and 4604 events to report completion of the initial synchronization. Restore any required files from backup or from PreExisting and Conflict and Deleted as necessary.

• If content freshness isn't enabled or triggered, and there are three or more domain controllers in the domain

  If content freshness protection isn't triggered, run the ResumeReplication WMI method on the affected domain controllers. You must be aware of the replication topology, and you must fan out from a healthy domain controller by selecting direct partners of it, then recovering further downstream domain controllers, and so on. After replication is resumed, DFS Replication will log events 2212, 2218, and then 2214 (indicating that DFS Replication initialized the SYSVOL replicated folder).

Preventing future occurrences of the issue

Check whether the Application and System event logs are frequently reporting ESENT database recovery operations, disk performance problems, or both. The event logs typically coincide with unexpected shutdowns of the system, with DFS Replication not stopping gracefully, or disk subsystem failures. Consider updating the system's drivers, installing appropriate updates to the disk subsystem, or contacting the system's hardware manufacturer to investigate further. You may also contact Microsoft Customer Support Services to help evaluate the system's health and DFS Replication behavior.

The Service Control Manager (SCM) uses the default time-out time of 20 seconds for stopping a service. In some complex DFS Replication implementations, this time-out value may be too short, and DFS Replication stops before the appropriate database is closed. At service restart, DFS Replication detects this condition, and then does the database recovery. WaitToKillServiceTimeout may be used to grant DFS Replication more time to commit changes to the database during shutdown. For more information, go to article You receive DFSR event ID 2212 after you restart the DFSR service.

After you have restored DFS Replication of SYSVOL, DFS Replication health must be carefully monitored in the environment to prevent this scenario. Regular review of DFS Replication event logs, collecting of DFS Replication health reports, and collecting of replication state (by using the WMI query in the Check DFS Replication state section under Step 1 - Evaluate the state of DFS Replication on all domain controllers) are recommended.

How to force authoritative and non-authoritative synchronization for DFSR-replicated sysvol replication

https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization#how-to-perform-an-authoritative-synchronization-of-dfsr-replicated-sysvol-replication-like-d4-for-frs

Summary

Consider the following scenario:

You want to force the non-authoritative synchronization of sysvol replication on a domain controller (DC). In the File Replication Service (FRS), it was controlled through the D2 and D4 data values for the Bur Flags registry values, but these values don't exist for the Distributed File System Replication (DFSR) service. You can't use the DFS Management snap-in (Dfsmgmt.msc) or the Dfsradmin.exe command-line tool to achieve this. Unlike custom DFSR replicated folders, sysvol replication is intentionally protected from any editing through its management interfaces to prevent accidents.

How to perform a non-authoritative synchronization of DFSR-replicated sysvol replication (like D2 for FRS)

1. In the ADSIEDIT.MSC tool, modify the following distinguished name (DN) value and attribute on each of the domain controllers (DCs) that you want to make non-authoritative:

   ConsoleCopy

   
   

   CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
   
   msDFSR-Enabled=FALSE
   

2. Force Active Directory replication throughout the domain.

3. Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:

   ConsoleCopy

   
   

   DFSRDIAG POLLAD
   

4. You'll see Event ID 4114 in the DFSR event log indicating sysvol replication is no longer being replicated.

5. On the same DN from Step 1, set msDFSR-Enabled=TRUE.

6. Force Active Directory replication throughout the domain.

7. Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:

   ConsoleCopy

   
   

   DFSRDIAG POLLAD
   

8. You'll see Event ID 4614 and 4604 in the DFSR event log indicating sysvol replication has been initialized. That domain controller has now done a D2 of sysvol replication.

How to perform an authoritative synchronization of DFSR-replicated sysvol replication (like D4 for FRS)

1. Set the DFS Replication service Startup Type to Manual, and stop the service on all domain controllers in the domain.

2. In the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative (preferably the PDC Emulator, which is usually the most up-to-date for sysvol replication contents):

   ConsoleCopy

   
   

   CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
   
   msDFSR-Enabled=FALSE
   msDFSR-options=1
   

3. Modify the following DN and single attribute on all other domain controllers in that domain:

   ConsoleCopy

   
   

   CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
   
   msDFSR-Enabled=FALSE
   

4. Force Active Directory replication throughout the domain and validate its success on all DCs.

5. Start the DFSR service on the domain controller that was set as authoritative in Step 2.

6. You'll see Event ID 4114 in the DFSR event log indicating sysvol replication is no longer being replicated.

7. On the same DN from Step 2, set msDFSR-Enabled=TRUE.

8. Force Active Directory replication throughout the domain and validate its success on all DCs.

9. Run the following command from an elevated command prompt on the same server that you set as authoritative:

   ConsoleCopy

   
   

   DFSRDIAG POLLAD
   

10. You'll see Event ID 4602 in the DFSR event log indicating sysvol replication has been initialized. That domain controller has now done a D4 of sysvol replication.

11. Start the DFSR service on the other non-authoritative DCs. You'll see Event ID 4114 in the DFSR event log indicating sysvol replication is no longer being replicated on each of them.

12. Modify the following DN and single attribute on all other domain controllers in that domain:

    ConsoleCopy

    
    

    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
    
    msDFSR-Enabled=TRUE
    

13. Run the following command from an elevated command prompt on all non-authoritative DCs (that is, all but the formerly authoritative one):

    ConsoleCopy

    
    

    DFSRDIAG POLLAD
    

14. Return the DFSR service to its original Startup Type (Automatic) on all DCs.

More information

If setting the authoritative flag on one DC, you must non-authoritatively synchronize all other DCs in the domain. Otherwise you'll see conflicts on DCs, originating from any DCs where you did not set auth/non-auth and restarted the DFSR service. For example, if all logon scripts were accidentally deleted and a manual copy of them was placed back on the PDC Emulator role holder, making that server authoritative and all other servers non-authoritative would guarantee success and prevent conflicts.

If making any DC authoritative, the PDC Emulator as authoritative is preferable, since its sysvol replication contents are most up to date.

The use of the authoritative flag is only necessary if you need to force synchronization of all DCs. If only repairing one DC, make it non-authoritative and don't touch other servers.

This article is designed with a 2-DC environment in mind, for simplicity of description. If you had more than one affected DC, expand the steps to include ALL of them as well. It also assumes you have the ability to restore data that was deleted, overwritten, damaged, and so on. previously if it's a disaster recovery scenario on all DCs in the domain.