Consider the following scenario:
You want to force the non-authoritative synchronization of SYSVOL on a
domain controller. In the File Replication Service (FRS), this was
controlled through the D2 and D4 data values for the Burflags
registry values, but these values do not exist for the Distributed File
System Replication (DFSR) service. You cannot use the DFS Management
snap-in (Dfsmgmt.msc) or the Dfsradmin.exe command-line tool to achieve
this. Unlike custom DFSR replicated folders, SYSVOL is intentionally
protected from any editing through its management interfaces to prevent
accidents.
How to perform a non-authoritative synchronization of DFSR-replicated SYSVOL (like "D2" for FRS)
- In the ADSIEDIT.MSC tool modify the
following distinguished name (DN) value and attribute on each of the
domain controllers that you want to make non-authoritative:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
- Force Active Directory replication throughout the domain.
- Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
DFSRDIAG POLLAD
- You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated.
-
On the same DN from Step 1, set:
msDFSR-Enabled=TRUE
-
Force Active Directory replication throughout the domain.
-
Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
DFSRDIAG POLLAD
-
You will see Event ID 4614 and 4604 in the DFSR event log indicating
SYSVOL has been initialized. That domain controller has now done a "D2”
of SYSVOL.
How to perform an authoritative synchronization of DFSR-replicated SYSVOL (like "D4" for FRS)
- In the ADSIEDIT.MSC tool, modify the following DN
and two attributes on the domain controller you want to make
authoritative (preferrably the PDC Emulator, which is usually the most
up to date for SYSVOL contents):
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
msDFSR-options=1
- Modify the following DN and single attribute on all other domain controllers in that domain:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
- Force Active Directory replication throughout the domain and validate its success on all DCs.
- Start the DFSR service set as authoritative:
- You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated.
- On the same DN from Step 1, set:
msDFSR-Enabled=TRUE
- Force Active Directory replication throughout the domain and validate its success on all DCs.
- Run the following command from an elevated command prompt on the same server that you set as authoritative:
DFSRDIAG POLLAD
- You will see Event ID 4602 in the DFSR event log indicating SYSVOL
has been initialized. That domain controller has now done a "D4” of
SYSVOL.
- Start the DFSR service on the other non-authoritative DCs. You will
see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer
being replicated on each of them.
- Modify the following DN and single attribute on all other domain controllers in that domain:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=TRUE
- Run the following command from an elevated command prompt on
all non-authoritative DCs (i.e. all but the formerly authoritative one):
DFSRDIAG POLLAD
If setting the authoritative flag on one DC, you must non-authoritatively synchronize
all other DCs in the domain. Otherwise you
will see conflicts on DCs, originating from any DCs where you did not
set auth/non-auth and restarted the DFSR service.
For example, if all logon scripts were accidentally deleted and a
manual copy of them was placed back on the PDC Emulator role holder,
making that server authoritative and all other servers non-authoritative
would guarantee success and prevent conflicts.
If making any DC authoritative, the PDC Emulator as authoritative is
preferable, since its SYSVOL contents are usually most up to date.
The use of the authoritative flag is only necessary if you need
to force synchronization of all DCs. If only repairing one DC, simply
make it non-authoritative and do not touch other servers.
This article is designed with a 2-DC environment in mind, for
simplicity of description. If you had more than one affected DC, expand
the steps to include
ALL of those as well. It also assumes you have
the ability to restore data that was deleted, overwritten, damaged,
etc. previously if this is a disaster recovery scenario on all DCs in
the domain.
Note
This is a "FAST PUBLISH" article created directly from within the
Microsoft support organization. The information contained herein is
provided as-is in response to emerging issues. As a result of the speed
in making it available, the materials may include typographical errors
and may be revised at any time without notice. See
Terms of Use for other considerations.
Article ID: 2218556 - Last Review: April 17, 2012 - Revision: 26.0
APPLIES TO
- Windows Server 2008 R2 Datacenter
- Windows Server 2008 R2 Enterprise
- Windows Server 2008 R2 Service Pack 1
- Windows Server 2008 R2 Standard
- Windows Server 2008 Service Pack 2
- Windows Server 2008 Datacenter
- Windows Server 2008 Enterprise
- Windows Server 2008 Standard