DCDiag VerifyReferences test fails when you use DFSR to replicate SYSVOL

Applies to: Windows Server 2008 DatacenterWindows Server 2008 EnterpriseWindows Server 2008 R2 Datacenter More


Consider the following scenario:

  • You use the Distributed File System Replication (DFSR) service to replicate the SYSVOL folder.
  • All domain controllers (DC) are running Windows Server 2008 R2 or a later version.
  • You run the Domain Controller Diagnostics Tool (DCDiag) to generate a report about the replication.
In this scenario, DCDiag returns the following error message:
failed test VerifyReferences

The DCDiag report contains the following entry:

Problem: Missing Expected Value
Base Object: CN=<DCNAME>,OU=Domain Controllers,DC=<DOMAIN>,DC=<COM>
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
When this problem occurs, DCDiag validates the reference object for DFSR. Also, the NT File Replication Service (NTFRS) stops.


This problem occurs because there is no FRS reference in the Active Directory database under the domain controller object when DFSR is used for SYSVOL replication. Instead, there is only an object for DFSR.

This logic is not included in earlier versions of DCDiag, such as DCDiag for Windows Server 2008 or DCDiag installed together with Windows Server 2003 Support Tools. Therefore, these versions search for the FRS member reference, and this generates a false error in DCDiag.


To resolve this problem, run Dcdiag.exe from %windir%\System32. This folder contains the latest version of DCDiag in Windows 2008 and Windows 2008 R2. By running the latest version of DCDiag, the SYSVOL replication will pass the VerifyReferences test.

Alternatively, if the Windows Support Tools suite is installed on Windows Server 2008 R2, uninstall it. This resolves the problem and lets you run Dcdiag.exe from any location.

More Information

Even if you use the latest DCDiag releases, the error that is mentioned in the "Symptoms" section may still occur if the msDFSR-Flags attribute in the CN=<DCNAME>,OU=Domain Controllers,DC=<DOMAIN>,DC=<COM> line in the DCDiag entry is missing or doesn't match one of the following flags:

  • Redirected phase: msDFSR-Flags on CN=dfsr-LocalSettings is 0x20 (32 dez)
  • Eliminated phase: msDFSR-Flags on CN=dfsr-LocalSettings is 0x30 (48 dez)

In this case, DCDiag assumes falsely that the File Replication Service (FRS) is still configured for SYSVOL, and it tries to verify FRS objects and attributes in an Active Directory database that doesn't exist. Therefore, you can expect the verification to fail.