As I’m sure most IT professionals and those working with AD realise, problematic DCs can be a royal pain in the backside, especially once you’ve located the DC and need to get it back into a working state.
There are many tools for finding out when a DC stopped replicating and what its latest replication errors were, but information on how to fix it is usually well hidden, or admins are unsure of what to do.
In this example, one DC in the environment had not updated for a few days; files within netlogon were out of date and were causing problems for some users.
The method for getting this DC back to an up-to-date and sync’d status was forcing “an authoritative (D4) and non-authoritative (D2) synchronization”.
This means we are going to change the registry, so please make a backup of the registry before you start playing about.
It’s also worth checking the health of the DC first (dcdiag /q AND repadmin /replsummary) to make sure no errors are flagging up.
Once done, we need to stop the File Replication Service on a GOOD/working DC.
Open up registry editor and find the following: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Change the BurFlags value to D4
Select OK and then Start the File Replication Service.
Once this is done, check the event log; the event we are looking for is ID 13516.
This shows you the following:
“The File Replication Service is no longer preventing the computer <name of your DC> from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.”
Now that this has been done, let’s jump on to the problematic DC and again stop the FRS service; this time, update the same BurFlags value to D2.
And again start the FRS service.
Once more, head to the event viewer and wait for the ID: 13516 to appear.
Open up a command prompt and type net share; you should now see the sysvol and netlogon folders again.
HOWEVER – if you don’t and you only see the SYSVOL share (even after a few hours of allowing replication to take place) then please follow this next step.
On the problematic DC open up regedit and this time browse to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Locate the SysVolReady value and change it to 0, then press OK.
Once done, double click the entry again and this time set the value back to 1 and click OK.
Now if you open up a command prompt and type net share you should see both SYSVOL and NETLOGON shares. Check both to make sure they are up to date, and then keep an eye on them to make sure further replications and changes are correctly replicated.
In the majority of cases I would say the above troubleshooting steps should help get a non-replicating DC back into action.
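The procedure above as a script, for Windows PowerShell 3.0 or later run elevated on the DC itself. This is an added example, not part of the original post; the function names, the C:\Temp backup folder and the 60-minute timeout are assumptions.

```powershell
# Added example. Run elevated, locally on the DC being resynchronised.
# D4 = authoritative (known-good DC), D2 = non-authoritative (problematic DC).
function Invoke-FrsBurFlagsResync {            # hypothetical helper name
    param(
        [Parameter(Mandatory)][ValidateSet('D2', 'D4')][string]$Mode,
        [string]$BackupDir = 'C:\Temp',        # assumed backup folder, must exist
        [int]$TimeoutMinutes = 60              # assumed wait limit
    )
    $ErrorActionPreference = 'Stop'
    $sub = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

    # Back up the NtFrs service key before touching it.
    $backup = Join-Path $BackupDir ('NtFrs-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NtFrs' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed; nothing was changed." }

    Stop-Service -Name NtFrs
    # The key name contains a literal "/", which the PowerShell registry provider
    # can read as a path separator, so BurFlags is written via the .NET API.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub, $true)
    if (-not $key) { Start-Service -Name NtFrs; throw "Key not found: HKLM\$sub" }
    try {
        $key.SetValue('BurFlags', [Convert]::ToInt32($Mode, 16), [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
    $started = Get-Date
    Start-Service -Name NtFrs

    # Wait for an event 13516 logged after this restart, not an older one.
    $filter = @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $started }
    $deadline = $started.AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    } until ($evt -or (Get-Date) -gt $deadline)

    $shares = (Get-CimInstance Win32_Share | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' }).Name
    [pscustomobject]@{
        Mode = $Mode; Backup = $backup; Event13516 = $evt.TimeCreated
        SysvolShared = $shares -contains 'SYSVOL'; NetlogonShared = $shares -contains 'NETLOGON'
    }
}

# Fallback from the post: NETLOGON still missing, so toggle SysVolReady 0 then 1.
function Reset-SysVolReady {                   # hypothetical helper name
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $p -Name SysVolReady -Value 0
    Set-ItemProperty -Path $p -Name SysVolReady -Value 1
}
```

Run it with -Mode D4 on the known-good DC first, then with -Mode D2 on the problematic DC; an empty Event13516 in the result means the timeout passed without the event appearing.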