Dear Sysadmin, after searching for 6 hours manuals of MS website, this 10 min video saved my life! Thank you so much. All works as expected. I can add only 1 note from my end. When new DC controller is set-up and replication is not working:
1) Proceed all steps in video
2) If no "Netlogon" and no "Sysvol" shares are available on problematic (New) DC, go to registry and change
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
"SysvolReady" to 1
Restart "Netlogon" service
If no replication is started and no files created under "Sysvol", create manually directory "Sysvol\Policies" and sync will work as expected
Thanks
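A read-only check for the state this comment describes, as an added example that is not part of the original comment or the video: it reports the SysvolReady value, whether the SYSVOL and NETLOGON shares exist, and the DFSR attributes mentioned elsewhere in the thread. It assumes an elevated PowerShell session on the domain controller itself with the ActiveDirectory module available; the function name and output fields are hypothetical.

```powershell
# Added example: read-only SYSVOL/NETLOGON state report for the local DC.
# Nothing is modified. Function name and output fields are illustrative.
function Get-SysvolShareState {
    [CmdletBinding()]
    param()

    # Registry value named in the comment above.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $ready = (Get-ItemProperty -Path $regPath -Name SysvolReady `
                -ErrorAction SilentlyContinue).SysvolReady

    # The two shares the commenters report as missing.
    $sysvol   = Get-SmbShare -Name SYSVOL   -ErrorAction SilentlyContinue
    $netlogon = Get-SmbShare -Name NETLOGON -ErrorAction SilentlyContinue

    # Count GPO folders under <SYSVOL share path>\<domain>\Policies.
    $domain   = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $gpoCount = $null
    if ($sysvol) {
        $policies = Join-Path -Path $sysvol.Path -ChildPath "$domain\Policies"
        if (Test-Path -LiteralPath $policies) {
            $gpoCount = @(Get-ChildItem -LiteralPath $policies -Directory).Count
        }
    }

    # DFSR subscription attributes for this DC's SYSVOL replicated folder.
    $enabled = $null
    $options = $null
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $dc  = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction Stop
        $dn  = 'CN=SYSVOL Subscription,CN=Domain System Volume,' +
               "CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"
        $sub = Get-ADObject -Identity $dn `
                 -Properties 'msDFSR-Enabled', 'msDFSR-Options' -ErrorAction Stop
        $enabled = $sub.'msDFSR-Enabled'
        $options = $sub.'msDFSR-Options'
    } catch {
        Write-Warning "DFSR subscription object not readable: $($_.Exception.Message)"
    }

    # Flag a DC that is marked ready while its Policies folder is missing or
    # empty: clients that reach it would find no group policy files there.
    $finding = 'OK'
    if (-not $sysvol -or -not $netlogon) {
        $finding = 'SYSVOL and/or NETLOGON share missing'
    } elseif ($ready -eq 1 -and -not $gpoCount) {
        $finding = 'SysvolReady is 1 but the Policies folder is missing or empty'
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        SysvolReady     = $ready
        SysvolShare     = [bool]$sysvol
        NetlogonShare   = [bool]$netlogon
        PolicyFolders   = $gpoCount
        NetlogonService = (Get-Service -Name Netlogon).Status
        DfsrService     = (Get-Service -Name DFSR).Status
        MsDfsrEnabled   = $enabled
        MsDfsrOptions   = $options
        Finding         = $finding
    }
}

Get-SysvolShareState | Format-List
```

Running it before and after the registry change shows whether the shares appeared because SYSVOL actually replicated or only because the flag was set.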
Even if this does not fix my particular problem. This is the best explanation of an issue I have ever seen on YouTube.
YOU ARE A GAWD. I'm an MCSA on Server 2016, ten years professionally doing this stuff, set up a new DC today and ran into this issue. With the move to the cloud, I don't touch servers a ton anymore, but wow did this fix the issue. I was totally lost, too.
Life saver! I had an issue where de-promoting the old secondary DC caused the old primary DC to crap itself, and the new DCs took over but had weird issues because it wasn't graceful at all. You've just helped me solve the biggest issue that's been plaguing my domain!
Been beating my head against my desk all day trying to figure this out. This video worked. Thank you much, sir!
I can't tell you how glad I am to have found this -- I've been stuck on this for way too long that I'm willing to admit! Thank you.
I can't say how much this tutorial is great.
Right to the point, perfect. Thank you!
This is one of the best instructional videos I have seen. Great explanations as to why you're doing what you're doing and what it's supposed to fix and how to do it. Fantastic!
Been on this thing for 3 days and this fixed 95% of the problems I was having (the other was Netlogon folder missing). Thanks for posting such a clean fix! Thankfully I did all of this on actual copies of my production machines in a VMware Workstation environment. This would have been a major PITA if not. 1000 Thank You's!
I can't thank you enough for creating this video. We have had so many replication issues and this fixes them. THANK YOU!
Thank you so much .... just tested in the lab and resolved all my issue straight forward ... Man of the day !!
I've been chasing this problem for two weeks. Good thing I caught the problem in a test lab. Thank you!
The steps in this video worked like a charm, I'd added a 2019 DC to a 2016 domain running a single DC but noticed no sysvol or netlogon on the new box. Did these steps and replication was fixed.
Hi Sysadmin....you are a life saver!!!!!!!! Thank you so much! This is the easiest to follow and most accurate resolution!
Thanks for this video. I have done it in the last six months or so on another DC pair, but this helped me out today when I needed to get this done in a hurry for a customer. Good clear instructions and fixed up a DFS system that had been broken for a long while. Top stuff!
Fantastic video. I do not comment on things at all but this has saved me so much. Just subscribed. Keep up the awesome work bud!
Just wanted to say thank you, this got my SYSVOL rep working straight away following this guide.
I had 2 situations where it helped me a lot! I have no words to thank you man!
The problem I am having is that the Netlogon and Sysvol folder is not on the additional DC. Yet it tells me the replication is working when I run the command to test it.
Excellent, clear and concise walkthrough. Very much appreciated.
I love it when videos get straight to the point and work. Awesome job!
In 2024, the issue with DC Server 2016 has been resolved.
Thank you very much.
Hello Sysadmin,
That worked perfectly for my issue where I had three domain controllers and migrated the FSMO roles to DC1. When I changed a policy, it didn't fully replicate to the SYSVOL, which was weird because it replicated to DC2, but when I navigated to the domain\sysvol on DC1, it was not there! Really weird! Anyway, it solved my issue. Thank you.
Thank you very much, this fixed my issue and I can't tell you how long it took me of trying before I found this video.
You just helped me fix the issue and I did find another article on how to do this but the video was much better.
Thanks a bunch! This video helped me solve my problem! Thank you so much mate.
You just got a new subscriber!
Not all heroes wear capes. You sir are great!
Thank you!
Thank you Paul! Saved the Easter Weekend! :-)
What if there is only one domain controller and you are getting event ID 4012 DFS Replication. How would I go about fixing this when there is only one domain controller and old domain controller was decommissioned.
I know this is an older video, but any ideas when I'm getting an RPC server is unavailable error when running the replication commands?
Saved me countless hours of troubleshooting, thanks a lot.
Great stuff!
This is very useful when you need to follow such procedure and don't have time to digest all the steps by simply reading MS article.
Thanks man.
Worked for me, awesome and concise explanation. Only thing at the end I was wondering what happened to dsrf-options value which wasn’t manually reverted to original but in my case once everything was consistent again and working the value itself got back to 0
Thanks. This solved my issue. Had 3 DC´s that did not sync at all. And now it works again.
Thanks so much! I found a client had a netlogon/sysvol replication issue. Looked like it was also impacting all AD replication (GPO et al) but your procedure here fixed everything.
Why wouldn't you do a non-auth restore and it will copy changes from dc02? What is the reasoning behind doing an auth restore in this scenario? Thanks
Thx Paul, you saved us as lot of time :)!!
What if your NETLOGON and SYSVOL shares are missing altogether on a domain controller?
Thanks for this video. I had an issue where I have upgraded from a SBS 2008 server years ago and must have created a DFS group for SYSVOL during the migration.
The SBS environment was always a single DC (yes, not good) so I just got around to adding a second DC but the wizard never created the shares or the DFR sync due to a stale sync of over 786 days
The steps shown here resolved the issue with the sync once I manually added the shares on the second DC.
Thanks again
This was the perfect tutorial, I was able to fix this issue finally. Thanks!😀
I found this video while researching 2213 issue. On fixing that issue i'm now getting a 4012 issue with a primary DC that apparently has been having DFS replication issue for 7 years. Would this fix be recommended?
I do not have msDFSR-Enabled at all on my domain controllers... it is not there... 2012R2... not sure how to proceed..
Subscribed! this is the very first video I found very useful lol. Thanks very much.
what if nothing is syncing either way? follow the same stuff, or is there another way to approach it if no replication is happening whatsoever?
What if I am facing DNS replication issue? Any tips how to diagnose that? I don't see any warnings/errors in the event log for the DNS server service, apart from 4013 which doesn't really mean anything because then it says it loaded the zones few seconds after.
Without knowing your setup or seeing any errors I would probably start here: www.dell.com/support/article/en-us/sln156253/troubleshooting-active-directory-and-dns-replication
Thank you so much, been stuck on this for way too long! 🙏
This solved my domain sysvol replication issues. Thanks for a great video guide :)
When you say your logon scripts are not working, how did you update them? Logon scripts are stored in the netlogon folder, so the entire troubleshooting you did was on the netlogon folder. I mean, I'm not getting what the actual connection is between the netlogon and sysvol folders.
cn=dfsr-localsettings missing On second DC folder please help 🙏
what is the default msDFSR-Options = 1 on DCs, once the replication is fixed, shouldn't it be reverted on all DCs to default? please advise.
Can't thank you enough. This fixed my DFS replication issues.
You rock Bro, fantastic tutorial. Hit every step, easy to follow and fixed my issue!
does msDFSR-Option on authoritative DC never set back to 0?
Very to-the-point video sir. Appreciate for your effort and passing of knowledge. Quick question, how can I intentionally break replication so I can practice this in home lab environment? Any senior AD admin can advise. I am trying to improve my AD troubleshooting skills.
Thanks bro so much as I was fighting with this case for 3 straight days. xxx
If I have only 1 problematic server, then I have to change the DFSR to false only on it, or on all DCs in the whole domain? (Master server part is clear)
Tried this on Server 2012 STD. Not R2 and every command worked but if I open shares DC1 and DC2 to netlogon and make a text file it does not replicate to the other. But it says replication is working. Makes no sense to me why does it report working but fails this simple test of creating a text file.
I still have a bit of a challenge. I followed all the steps and the results were just like yours, but my DFS issue was not cleared. What else can I try?
Hi, is it possible that this can cause a miss replication? If I create a user at HQ, it will show up at sites. But if I create a user account at this one site, it will not show up at ADUC HQ and other site. I've only found one site that has this problem.
DCA (hq) | DCB (hq) | DCC (site1) | DCD (site1):
DCA / DCB ---> DCC / DCD ✅
DCC / DCD ---> DCA / DCB ❎
Really helpful. resolved my GPO replication issue. Thanks a lot
what if NONE of the DCs have msDFSR-Options = 1 on them? Yet, we do have one designated as the Operations Master according to the ADUC GUI? Is that completely separate from DFSR?
Won't DFS Namespace and DFS Replication features be installed first?
We had a major power outage last week - both DC's went down for hours, and when they came up - DC2 had NetLogon disabled. This should work right?
How did you identify which DC is master server?
Thank you thank you thank you. You saved me two days worth of headache just to discover this was the issue.
The best video on YouTube. Thank you so much man.
Thank you mate for taking the time to watch. I’m glad it was helpful.
Fantastic, thank you for this. It sorted my issue with two DC's not replicating.
Mmm this is about 3rd or 4th source I have found that tells you how to do this.
However for some reason NONE of my 3x DC's have "msDFSR-Options" in ADSI Edit... :-(
I tried every other step but no luck fixing replication.
WOW - Super Useful - seems to be a far too frequent issue. Saved many hours (after many hours) of headache!!
Great help! I couldn't follow step by step because there was a difference in my configuration but it worked great!
Super well done tutorial! Very clear and concise. Thank you so much for making this video! You saved me a LOT of time and worry.
nice. what if you have more than 2 domain controllers? do you have to disable the DFSR on all? thank you for this
Thank you for great guide! Does this also work on a more complicated scenario where there are two child domains? Root-DC1 Root-DC2 / Child-DC1 Child-DC2 / Child2-DC1 Child2-DC2. I have a replication issue with Root-DC2 , even the initial replication is not done after dcpromo, there are no sysvol and netlogon shares. Non-authoritative restore did not work. I am a little afraid to do Authoritative restore, as most instructions say you have to change msDFSR-Enabled = False on all DC's.
Thank you very much!! Everything perfect for me. Greetings from Spain!
I experienced this identical issue at work and these steps resolved the replication issue perfectly, but I don't know what caused the issue to begin with. How did you set up your lab to have this issue, as I would like to understand what causes this?
Thank you! Thank you! Thank you! This solved our replication problems!🎉
Thanks for the insight. This didn't resolve my issue, but I was able to resolve one item that was helpful.
Please tell, when shall we remove the ms-dfsr options back to 0 from 1 which we changed of dc01
Once everything is confirmed working and replication is good again, you can revert the settings
You are the best. Thank you so much for this video. I can't say how thankful I am.
By just watching this video without doing anything, all DFSR issues got fixed ;p
Thanks for this video, following your steps I just resolved problem on my client's DC.
Excellent explanation with good efforts...
Worked like a charm! Brilliant!
I have a lot of doubts. At the start you said that there is a problem with the sysvol folder replication, and we know it uses the DFSR service, so why did you go to the netlogon folder to check whether the files created were replicating? Second, you showed changing values in the ADSI Edit tool but did not explain what that actually does. I got your point of setting the value of the primary to 1 and all other DCs to 0, but why is enabled set to false and changed afterwards, and what does it actually do? Third, is this the only fix we have to perform every time there is an issue related to the sysvol folder or group policy in it, or are there other ways as well?
So you're saying a value of 1 is essentially saying the main server is the PDC. That conflicts with information I was able to find on the web.
If the "msDFSR-Options" attribute on your Primary Domain Controller (PDC) is set to 1, it means that the PDC is in non-authoritative restore mode for the Distributed File System Replication (DFS-R) service. In this mode, the PDC will discard its current local version of the replicated folders and sync fresh data from other members of the replication group.
The other domain controllers (DCs), having "msDFSR-Options" set to 0, are in normal mode. They will continue their regular DFS-R operations and will not discard their current data.
In this scenario, the PDC will essentially become a "learner" and will pull the DFS-R data from the other DCs. It will not push any of its DFS-R data to the other DCs.
This configuration is typically used when the data on the PDC has become inconsistent or corrupted, and you want to replace it with a fresh copy from the other DCs. However, it's important to note that this operation can generate significant network traffic and should be planned accordingly.
Remember, changes to the "msDFSR-Options" attribute should be made with caution, as they can have significant impacts on your DFS-R environment. Always make sure to have a backup and plan before making changes to your DFS-R configuration.
Amazing! It worked like a charm. Thanks a lot for the video - other guides (including the ones from Microsoft) show a bit different actions and they did not work for me.
Thanks, I appreciate your effort and a great video. I have another issue is the Netlogon folder is missing for additional DC.
I have been trying to fix this shit for hours, video saved me, THANK YOU!
Would this be the same for when a DC says SYSVOL is inaccessible?
Not necessarily - you'll want to check why it's not accessible. If it's not accessible because it's not there, you can view this article to get set up. thesysadminchannel.com/solved-sysvol-and-netlogon-shares-missing-2016-2019-domain-controller/
You're a life saver, subscribed
Thank you so much! this video gave me a good idea to troubleshoot the domain controller sync issue.
Thank you so much for your assistance and clear explanation in this video
Some Domain Users are getting this error "The processing of Group Policy failed. Windows attempted to read the file \\domain.com\SysVol\domain.com\Policies\{9ED3C1B0-B1v5-46B4-8B33-1F9F2A123BD3}\gpt.ini from a domain controller and was not successful" Would this process fix this? Domain Admins do not get this error. Also, it looks like that by default, Admins do not have permissions to \\DC\NETLOGON\ so do we change the permissions before the process? Thanks!!
This looks more like a permissions issue rather than a replication issue.
Hi Paul/SysAdmin, i have a DC rep issue ,( 2012R ) can you remote in for a fee to fix please .. thks
Really appreciate this, I found the same process in a Microsoft guide but being able to watch someone do it was re-assuring, thank you! One quick question, I've followed this process as a newly promoted DC wasn't syncing. I plan to remove the current DC, would I have to manually update the option from 1 to 0 again when transferring the roles?
Thank you very much for helping. This resolved my problem with four DCs.
very spot on! works flawlessly! Kudos!
Thanks for this nice tutorial, easy to understand, it solved my problem :)
Thank you, that helped me with an ongoing problem :)
"and one days someone come in the use of it"
here is that one day .
thanks a lot