No SYSVOL or NETLOGON shares created after fresh install


I created a fresh, brand new, Windows Server 2016 instance this morning. (Let's call it DC2.) Then I added the Active Directory Domain Controller role. No SYSVOL or NETLOGON shares were created. This machine is meant to be a replica of the existing DC. (Let's call that one DC1.) Eventually, I mean to transfer the FSMO roles to DC2 and then decommission DC1. (DC1 is a Windows Server 2008 R2 instance. So this is part of that natural infrastructure-upgrade process that we all have to do now and then.)

Uncertain where the problem is, I installed the DFS Management Tool on both machines. It shows nothing under namespaces and nothing under replication. I'm not sure if it even should show anything here. I got this idea from reading about this problem. When I right-click and choose "Add Replication Groups to Display", it reports "There are no replication groups in this domain." Again, I'm not certain that this is where I should be looking.

For debugging purposes, I turned off the firewall on both machines and rebooted them.

Next, I ran this:

NTFRSUTL DS dc1
NTFRSUTL DS dc2

This shows the settings for File Replication Service. I'm uncertain how to read it to tell if it's OK. It does appear to mention that DC1 and DC2 are there and that there's a share on DC1 (SYSVOL). I don't see it mentioning the share on DC2. Which I guess could be part of the problem.

This works and shows a database in there

DIR \\dc1\admin$\ntfrs\jet
DIR \\dc2\admin$\ntfrs\jet

I have not tried to mess with the Burflags yet. That looks like the next logical step. But there are warnings about this, so I wanted to ask for ideas before attempting this:

https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-servi


Solution

  • Burflags did it.

    At the moment, Active Directory can sync the SYSVOL and NETLOGON files either using FRS or DFS-R. These are two different file syncing systems present in Windows. The one that is active is dependent on which version of Windows you have and the functional level of the domain. In my case, I had FRS.

    There is a long set of instructions available here:

    FRS - https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-servi

    DFS-R - https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

    Initially, I tried a non-authoritative restore from one of my non-syncing replicas. This didn't fix it. In the end, I had to do an authoritative restore.

    I performed the high level steps as follows: (I could do this because my network was rather small)

    • Identify which machine has the best copy of SYSVOL
    • Transfer the FSMO roles to it
    • Check that it worked by using netdom query fsmo
    • Shut down all the replicas
    • Perform an authoritative restore (I was on FRS, so I used the Burflags)
    • Wait a minute or two
    • Bring up the replicas
    • Wait a little while
    • It worked (do a little dance) :-)

    Since I was on FRS and I'm on a small network, I took the easy way out and shut down the replicas. If you have a larger setup, you probably need to follow the Microsoft steps more closely.

    Additionally, there are a number of other things that can get your AD out of sync and you have to check that they are all fixed, otherwise you might end up right back at this spot again down the road (and you may also have lost GPOs as well).
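
The authoritative-restore step from the list above, for an FRS-replicated SYSVOL, as an added example that is not part of the original answer. The registry key path and the D4/D2 values come from the Microsoft BurFlags article linked above rather than from this post, and the function names are hypothetical.

```powershell
# Added example (not from the original answer). Run elevated, on the DC that
# holds the best SYSVOL copy, with the other replicas shut down as described.
# The key name contains "/", which the PowerShell registry provider treats as a
# path separator, so the key is opened through the .NET registry API instead.
$BurFlagsKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Get-SysvolState {
    # Read-only check: are the shares published, and does Netlogon consider SYSVOL ready?
    $shares = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    New-Object PSObject -Property @{
        SysvolShare   = ($shares -contains 'SYSVOL')
        NetlogonShare = ($shares -contains 'NETLOGON')
        SysvolReady   = ($netlogon.SysvolReady -eq 1)
        NtFrsService  = (Get-Service -Name NtFrs).Status
    }
}

function Set-FrsBurFlags {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Authoritative', 'NonAuthoritative')]
        [string]$Mode
    )
    # D4 = authoritative restore, D2 = non-authoritative restore (per the KB).
    $value = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }

    Stop-Service -Name NtFrs
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($BurFlagsKey, $true)
    if ($null -eq $key) {
        Start-Service -Name NtFrs
        throw "Registry key not found: HKLM\$BurFlagsKey"
    }
    try {
        $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
        # FRS reads BurFlags when the service starts.
        Start-Service -Name NtFrs
    }
}

# Usage, in the order the answer describes:
#   Get-SysvolState                         # before the restore
#   Set-FrsBurFlags -Mode Authoritative     # on the DC with the good copy only
#   Get-SysvolState                         # re-check once FRS has rebuilt the replica set
```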