
How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)

*****Important to note: This should only be done by a competent tech that understands the steps they are performing. If done wrong these steps can have critical irreversible effects on a domain. AKA: Don't do this if you do not understand it because it can really jack stuff up!!!***** 

*********************** 

REM DomainBackup 

REM Back up the domain-level SYSVOL files before touching DFSR (batch syntax; # is not a comment in cmd) 

SET FILEROOTA="C:\Windows\SYSVOL\domain" 

SET FILEENDA="C:\Accent\DomainBackup" 

ROBOCOPY %FILEROOTA% %FILEENDA% /MIR  /R:2 /W:2 /MT:6 

*********************** 

Update-DfsrConfigurationFromAD 

repadmin /syncall FS3 /APeD 
Pause 

 

Invoke-Command -ComputerName DC1, DC2 -ScriptBlock {Restart-Service DFSR} 

or 

Invoke-Command -ComputerName DC1, DC2 -ScriptBlock {Stop-Service DFSR} 

Invoke-Command -ComputerName DC1, DC2 -ScriptBlock {Start-Service DFSR} 

  • A non-authoritative restore is useful when a non-PDC domain controller is not replicating the SYSVOL folder. It is done on that non-PDC domain controller: it marks its own data as non-authoritative and pulls fresh SYSVOL data from the PDC. 

  • An authoritative restore is useful when the non-authoritative restore does not work. It is done primarily on the PDC, but you also have to complete steps on the non-PDC domain controllers. This marks the data on the PDC as authoritative and pushes it to all other DCs. I believe this can be done on a non-PDC domain controller if the non-PDC holds the good SYSVOL data, but this needs to be verified.  

  • Important to note: this is for servers that use DFSR to replicate SYSVOL, i.e. Server 2008 and newer. Older servers (FRS) have a different process; on those, look at the D2 and D4 Burflags values instead. 

  • Below are three links. One is the Microsoft link with a step-by-step for both processes; the other two are step-by-step guides in a less formal and more understandable format.  

  • In the Microsoft steps below (and in the first link) there is a More Information section with helpful scenario-based guidance. 

  • The Microsoft steps are also pasted below. 

 

 

 

Authoritative step-by-step that is easier to understand. 

 

Non-authoritative step-by-step that is easier to understand. 

 

 

__________________________________________________________________________________________________ 

 

Microsoft steps: 

 

Consider the following scenario: 

You want to force the non-authoritative synchronization of SYSVOL on a domain controller. In the File Replication Service (FRS), this was controlled through the D2 and D4 data values for the Burflags registry values, but these values do not exist for the Distributed File System Replication (DFSR) service. You cannot use the DFS Management snap-in (Dfsmgmt.msc) or the Dfsradmin.exe command-line tool to achieve this. Unlike custom DFSR replicated folders, SYSVOL is intentionally protected from any editing through its management interfaces to prevent accidents. 

How to perform a non-authoritative synchronization of DFSR-replicated SYSVOL (like "D2" for FRS) 

  1. In the ADSIEDIT.MSC tool modify the following distinguished name (DN) value and attribute on each of the domain controllers that you want to make non-authoritative: 
     
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain> 
     
    msDFSR-Enabled=FALSE 

  2. Force Active Directory replication throughout the domain. 

  3. Run the following command from an elevated command prompt on the same servers that you set as non-authoritative: 
     
    DFSRDIAG POLLAD 

  4. You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated. 

  5. On the same DN from Step 1, set: 
     
    msDFSR-Enabled=TRUE 

  6. Force Active Directory replication throughout the domain. 

  7. Run the following command from an elevated command prompt on the same servers that you set as non-authoritative: 
     
    DFSRDIAG POLLAD 

  8. You will see Event ID 4614 and 4604 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a “D2” of SYSVOL. 

How to perform an authoritative synchronization of DFSR-replicated SYSVOL (like "D4" for FRS) 

  1. Stop DFSR Service 

  2.  

  3. In the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative (preferably the PDC Emulator, which is usually the most up to date for SYSVOL contents): 
     
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain> 
     
    msDFSR-Enabled=FALSE 
    msDFSR-options=1 

  4. Modify the following DN and single attribute on all other domain controllers in that domain: 
     
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain> 
     
    msDFSR-Enabled=FALSE 

  5. Force Active Directory replication throughout the domain and validate its success on all DCs. 

  6. Start the DFSR service on the domain controller you set as authoritative. 

  7. You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated. 

  8. On the same DN from Step 3, set: 
     
    msDFSR-Enabled=TRUE 

  9. Force Active Directory replication throughout the domain and validate its success on all DCs. 

  10. Run the following command from an elevated command prompt on the same server that you set as authoritative: 
     
    DFSRDIAG POLLAD 

  11. You will see Event ID 4602 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a “D4” of SYSVOL. 

  12. Start the DFSR service on the other non-authoritative DCs. You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them. 

  13. Modify the following DN and single attribute on all other domain controllers in that domain: 
     
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain> 
     
    msDFSR-Enabled=TRUE 

  14. Run the following command from an elevated command prompt on all non-authoritative DCs (i.e. all but the formerly authoritative one): 
     
    DFSRDIAG POLLAD 
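Both procedures above (the "D2" non-authoritative resync and the "D4" authoritative resync) as an added PowerShell example; this is not code from the KB article or from these notes. It replaces the ADSIEDIT edits with Set-ADObject on the same SYSVOL Subscription DN and waits for the event IDs each step names before moving on. All function names are hypothetical; it assumes the RSAT ActiveDirectory module, the DFSR tools (dfsrdiag) and Domain Admin rights, run from an elevated PowerShell on a DC.

```powershell
# Added example, not part of KB 2218556: drives the SYSVOL Subscription edits with the ActiveDirectory
# module instead of ADSIEDIT. Assumes RSAT, the DFSR tools (dfsrdiag) and Domain Admin rights.
function Set-SysvolSubscription([string]$Server, [bool]$Enabled, [int]$Options = -1) {
    $dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
          (Get-ADDomainController -Identity $Server).ComputerObjectDN
    $attrs = @{ 'msDFSR-Enabled' = $Enabled }
    if ($Options -ge 0) { $attrs['msDFSR-Options'] = $Options }   # 1 marks the DC authoritative
    Set-ADObject -Identity $dn -Replace $attrs
}
function Sync-DomainAd([string]$Server) {
    # Force AD replication of all partitions and stop rather than continue on stale attributes
    & repadmin /syncall $Server /APeD | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall failed on $Server" }
}
function Invoke-PollAd([string[]]$Servers) {
    Invoke-Command -ComputerName $Servers -ScriptBlock { dfsrdiag pollad | Out-Null }
}
function Wait-DfsrEvent([string]$Server, [int[]]$Ids, [int]$TimeoutSec = 900) {
    # Poll the DFS Replication log until one of the expected event IDs appears, or fail
    $since = (Get-Date).AddMinutes(-2); $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $e = Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'DFS Replication'; Id = $Ids; StartTime = $since }
        if ($e) { return $e[0] }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFSR event $($Ids -join '/') on $Server"
}
# Non-authoritative ("D2") resync of a single DC: the eight steps above, in order
function Invoke-SysvolNonAuthoritativeSync([string]$Server) {
    Set-SysvolSubscription $Server $false; Sync-DomainAd $Server; Invoke-PollAd $Server
    Wait-DfsrEvent $Server 4114 | Out-Null
    Set-SysvolSubscription $Server $true;  Sync-DomainAd $Server; Invoke-PollAd $Server
    Wait-DfsrEvent $Server 4604, 4614
}
# Authoritative ("D4") resync: $Auth (preferably the PDC Emulator) pushes SYSVOL to every DC in $Others
function Invoke-SysvolAuthoritativeSync([string]$Auth, [string[]]$Others) {
    Invoke-Command -ComputerName (@($Auth) + $Others) -ScriptBlock { Stop-Service DFSR }
    Set-SysvolSubscription $Auth $false 1
    foreach ($s in $Others) { Set-SysvolSubscription $s $false }
    Sync-DomainAd $Auth
    Invoke-Command -ComputerName $Auth -ScriptBlock { Start-Service DFSR }
    Wait-DfsrEvent $Auth 4114 | Out-Null
    Set-SysvolSubscription $Auth $true; Sync-DomainAd $Auth; Invoke-PollAd $Auth
    Wait-DfsrEvent $Auth 4602 | Out-Null
    Invoke-Command -ComputerName $Others -ScriptBlock { Start-Service DFSR }
    foreach ($s in $Others) { Wait-DfsrEvent $s 4114 | Out-Null; Set-SysvolSubscription $s $true }
    Invoke-PollAd $Others
}
```

Run the backup from the top of these notes first; each Wait-DfsrEvent throws on timeout so the script halts rather than flipping msDFSR-Enabled back on a DC that never logged the expected event.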

More Information 

If setting the authoritative flag on one DC, you must non-authoritatively synchronize all other DCs in the domain. Otherwise you will see conflicts on DCs, originating from any DCs where you did not set auth/non-auth and restarted the DFSR service. For example, if all logon scripts were accidentally deleted and a manual copy of them was placed back on the PDC Emulator role holder, making that server authoritative and all other servers non-authoritative would guarantee success and prevent conflicts. 

If making any DC authoritative, the PDC Emulator as authoritative is preferable, since its SYSVOL contents are usually most up to date. 

The use of the authoritative flag is only necessary if you need to force synchronization of all DCs. If only repairing one DC, simply make it non-authoritative and do not touch other servers. 

This article is designed with a 2-DC environment in mind, for simplicity of description. If you had more than one affected DC, expand the steps to include ALL of those as well. It also assumes you have the ability to restore data that was deleted, overwritten, damaged, etc. previously if this is a disaster recovery scenario on all DCs in the domain. 

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations. 

 

From <https://support.microsoft.com/en-us/kb/2218556> 

 

 

If SYSVOL still will not replicate, change the following registry value (under the Netlogon Parameters key) from 0 to 1, then restart Netlogon and re-run the sync commands below: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysvolReady 

 

Net stop netlogon 

Net start netlogon 

Repadmin /syncall /AeDqP 

Dfsrdiag pollad