Q: Replicating SYSVOL by using DFSR isn't working in my Active Directory environment--I see errors on domain controllers related to waiting for initial replication and other domain controllers have stopped replication. What can I do?
A: Active Directory (AD) uses Distributed File System Replication (DFSR) to replicate the disk-based portion of AD (SYSVOL) in Windows Server 2008 and later mode domains, replacing the old File Replication Service (FRS). DFSR has many advantages over FRS, including being far more efficient in the data it replicates.
One of the best ways to check the health of the SYSVOL replication using DFSR is to install the Distributed File System management tools on a machine. You can do this through Server Manager.
For amachine, they're found under Features, Remote Server Administration Tools, Role Administration Tools, File Services Tools,DFS Management Tools. After installation, launch the DFS Management tool, which will show the Domain System Volume group that contains the SYSVOL Share replicated folder (see screen shot below).
From this tool, click the Create Diagnostic Report action and accept the default Health report option. Click Next to all pages to accept the defaults, and at the end, click Create.
A report will be displayed that gives an overview of the health of the DFSR environment. Look through the report and make a note of any problems and follow any guidance.
Another good test is to run the propagation test, then run the propagation report, which will show if data is actually being replicated. Both of the propagation options are located as part of the Create Diagnostic Report action.
Additionally, open up Event Viewer on your domain controllers (DCs) and navigate to Applications and Services Logs, DFS Replication, and look for errors or warnings. You might see warnings related to waiting for initial replication, which means the DC is still waiting to complete the first replication from an authoritative SYSVOL replication partner.
The problem is if there's no authoritative SYSVOL replication partner. If on the server you believe to be authoritative and the one other DCs should replicate from, you see the following, it means that the server isn't replicating. It's stopped replicating because it believes its information could be stale, and to avoid problems related to lingering objects, it has stopped replication.
Date: 3/11/2013 9:35:38 AM
Event ID: 4012
Task Category: None
The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 90 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group.
If you know this DC is authoritative and should be replicating out, then you need to force the server to be authoritative so it can replicate out to the other DCs. You can't follow the instructions in the event log, as SYSVOL is treated specially and can't be modified through the DFS Management snap-in.
To set a DC as authoritative for SYSVOL DFSR replication, and solve the issue, follow the steps exactly as outlined in this Microsoft support document. You need to follow the steps for "How to perform an authoritative synchronization of DFSR-replicated SYSVOL (like "D4" for FRS)".
Note in the article in step 4 it says to start the DFSR service; however, do this only if you had already stopped it-- if the service is running, you can skip this step. After you have completed all the steps, you should see functioning and healthy DFSR replication of SYSVOL (confirm by running the DFS Management reports again). On the authoritative server you will see an Event Log such as the following:
Date: 3/11/2013 10:40:35 AM
Event ID: 4602
Task Category: None
The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member is the designated primary member for this replicated folder. No user action is required. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share".
On the non-authoritative servers you should see an Event Log such as this one:
Date: 3/11/2013 10:42:07 AM
Event ID: 4604
Task Category: None
The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner savdaldc01.savilltech.net. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share".