DFS Replication: How to troubleshoot missing SYSVOL and Netlogon shares

Symptoms
You may encounter a situation in which SYSVOL and Netlogon shares are not shared on a domain controller. The following additional symptoms or conditions may also apply:
  • The SYSVOL folder is empty.
  • The affected domain controller was recently promoted.
  • The environment contains domain controllers running versions of Windows earlier than Windows Server 2012 R2.
  • DFS Replication is used to replicate the SYSVOL Share replicated folder.
  • An upstream domain controller's DFS Replication service is in an error state.

Cause
Domain controllers without SYSVOL shared cannot replicate inbound because of upstream (source) domain controllers being in an error state. Frequently (but not limited to), the upstream servers have stopped replication because of a dirty shutdown (event ID 2213). The event message is as follows:

Event Type: Warning
Event Source: DFSR
Event Category: Disk
Event ID: 2213
Description:
"The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication."


Resolution
What follows are recommended methods for troubleshooting and resolving missing SYSVOL and Netlogon shares on domain controllers that replicate by using the DFS Replication service. 

The process, detailed in KB article 2218556 "How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)," reinitializes DFS Replication if SYSVOL is not shared on domain controllers. This is unnecessary in most cases, and it may cause data loss if done incorrectly. It also prevents determining the cause of the issue and averting future occurrences of the issue.

What follows are general steps to investigate the missing shares. Determine if the problem is caused by a one-time occurrence, or if the upstream domain controller(s) cannot support replication by using DFS Replication.

Deleting the DFS Replication database from the volume should not be required and is discouraged. Deleting the database causes DFS Replication to consider all local data on the server to be nonauthoritative. By letting DFS Replication recover the database gracefully (as instructed in the 2213 event), the last writer will still win any conflicting versions of SYSVOL data.

Step 1 - Evaluate the state of DFS Replication on all domain controllers

Evaluate how many domain controllers are not sharing SYSVOL, have recently logged an Error event, and are in an "error" state. To do this, follow these steps.

Check for the SYSVOL share

You may manually check whether SYSVOL is shared or you can run the following command to inspect each domain controller by using the net view command:
For /f %i IN ('dsquery server -o rdn') do @echo %i && @(net view \\%i | find "SYSVOL") & echo

Check DFS Replication state

To check DFS Replication's state on domain controllers, you may query WMI. You can query all domain controllers in the domain for the SYSVOL Share replicated folder by using WMI as follows:
For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

The "state" values can be any of the following:
0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error

Note Depending on a domain controller's condition, it may fail to report a state value and indicate "No Instance(s) Available."

Check Event logs for recent errors or warnings

If any domain controllers do not report the "SYSVOL Share" replicated folder as being in a state "4" (normal), check the event log of those domain controller(s) to evaluate their condition. Review each domain controller for recent errors or warnings in the DFS Replication event log, such as the warning event ID 2213, which indicates that DFS Replication is currently paused.

Check the Content Freshness configuration

Determine whether DFS Replication triggered content freshness protection on the affected domain controllers. Content Freshness is enabled on Windows Server 2012 (and later versions) domain controllers by default, but may also be manually enabled on Windows Server 2008 and 2008 R2 servers.  

To evaluate if content freshness is enabled, the MaxOfflineTimeInDays setting will be set to 60. If content freshness is disabled, MaxOfflineTimeInDays will be set to 0. To check MaxOfflineTimeInDays, run the following command:
wmic.exe /node:%computername% /namespace:\\root\microsoftdfs path DfsrMachineConfig get MaxOfflineTimeInDays

To query all domain controllers in the domain, run the following command:
For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path DfsrMachineConfig get MaxOfflineTimeInDays

For each domain controller enabled for content freshness, evaluate if DFS Replication has logged an event ID 4012 that indicates replication of the folder has stopped because replication has failed for longer than the MaxOfflineTimeInDays parameter.  

Step 2 - Prepare the domain controllers that are in an error state

Install appropriate updates

For any domain controllers running Windows Server 2008 or 2008 R2, first install DFS Replication updates to prevent data loss and to fix known issues. It is a best practice to use the latest version of DFS Replication. The latest version of DFS Replication is discussed in article 968429.

Back up SYSVOL data

Perform a backup of SYSVOL data (if present) on each domain controller. Backups may be a simple file copy of the SYSVOL contents to a safe location or, it may be a backup that uses backup software.  

Depending on the situation, policy files could be moved to "PreExisting" or "Conflict and Deleted." "PreExisting" and "Conflict and Deleted" contents will be purged if initial synchronization is performed multiple times on a server. Back up data in these locations to avoid data loss.

Step 3 - Recover DFS Replication on the domain controllers in the error state

Based on the number of domain controllers in the domain, select the appropriate method to recover the DFS Replication service.  

For environments that have two domain controllers 

Determine whether a dirty shutdown was detected (event ID 2213) on either domain controller. You may find the second domain controller is waiting to complete initialization of SYSVOL, This is because after promotion, it will have logged a 4614 event that indicates that DFS Replication is waiting to perform initial replication, and it will not have logged a 4604 event signaling that DFS Replication has initialized SYSVOL.

If content freshness is enabled on both domain controllers

If the second domain controller is waiting to perform initial synchronization (event 4614 logged without the 4604 anti-event), follow the section of article 2218556 to set the first domain controller as authoritative. You do not have to configure the second domain controller as nonauthoritative, because it is already waiting to perform initial synchronization.

Or, if the second domain controller is healthy and SYSVOL is shared, perform the following steps:
  1. Back up all SYSVOL contents of the first domain controller.
  2. Evaluate if the second domain controller's SYSVOL data is up to date. If it is not, you may want to copy updated SYSVOL files to the second domain controller from the first domain controller. Otherwise, any existing data present on first domain controller not present on the second will go into the 'PreExisting' and 'Conflict and Deleted' folders.
  3. Set the first domain controller as nonauthoritative by disabling the membership per 2218556. Confirm that an event ID 4114 is logged to indicate the membership is disabled.
  4. Enable the first domain controller's membership, and wait for the 4614 and 4604 events that report completion of the initial synchronization. If it is necessary, restore any updated files from "PreExisting" to the original location.

If content freshness is not enabled or triggered on both domain controllers

If the first domain controller is in the event ID 2213 state and the second domain controller has never completed initialization after it was promoted and content freshness has not been triggered, perform the following steps:
  1. Run the ResumeReplication WMI method on the first domain controller as instructed in the 2213 event.
  2. After replication resumes, it will log an event ID 4602 that indicates that DFS Replication initialized the SYSVOL replicated folder and designated it as the primary member.
  3. Run the dfsrdiag pollad command on the second domain controller to trigger it to complete initial sync (event ID 4614). As soon as initial sync is finished, event ID 4604 is logged, signaling SYSVOL has completed initialization.

Or, if the first domain controller is in the 2213 state and the second domain controller is healthy (SYSVOL is shared), run the ResumeReplication WMI method on the first domain controller. It will log event ID 2214 at the completion of dirty shutdown recovery.  

For environments that have three or more domain controllers

Determine whether a dirty shutdown was detected and whether DFS Replication is paused on any domain controllers (event ID 2213). You may find a domain controller is waiting to complete initialization of SYSVOL after promotion. It will have logged a 4614 event that indicates that DFS Replication is waiting to perform initial replication, and it will not have logged a 4604 event signaling that DFS Replication has initialized SYSVOL.

If content freshness is enabled and there are three or more domain controllers in the domain

Content freshness protection will log an event ID 4012 that indicates that replication has stopped because replication on the folder has failed for longer than the MaxOfflineTimeInDays parameter. You must follow the instructions in article 2218556 to reinitialize DFS Replication on the affected domain controller(s).  

If all domain controllers have logged the 4012 event and their "state" is "5," then follow the instructions in article 2218556 to completely initialize SYSVOL. This is the only situation to set a DFS Replication server as authoritative. Make sure that the domain controller configured as authoritative has the most up-to-date copy of all SYSVOL contents.

Or, if one or more domain controllers are blocking replication because of content freshness, they each must be non-authoritatively recovered. To do this, follow these steps:
  1. Backup all SYSVOL contents of the domain controller(s). Typically, policy edits are performed on the PDC Emulator, but this is not guaranteed. Any data present on the recovered domain controller(s) not matching the partners will go into the "PreExisting" or "Conflict and Deleted" folder, or both.
  2. Next, set the domain controller(s) as nonauthoritative by disabling the membership as described in article 2218556. You must be aware of the replication topology, and you must "fan out" from a healthy domain controller by selecting direct partners of it, then recovering further downstream domain controllers, and so on. Event ID 4144 will be logged to confirm the membership is disabled. Make sure all domain controllers requiring recovery log this event. It may be necessary to force Active Directory replication and then run the dfsrdiag pollad command on each domain controller to detect the disabled membership quickly.
  3. Enable the membership and wait for the 4614 and 4604 events to report completion of the initial synchronization. Restore any required files from backup or from "PreExisting" and "Conflict and Deleted" as necessary.

If content freshness is not enabled or triggered and there are three or more domain controllers in the domain

If content freshness protection was not triggered, run the ResumeReplication WMI method on the affected domain controllers. You must be aware of the replication topology, and you must "fan out" from a healthy domain controller by selecting direct partners of it, then recovering further downstream domain controllers, and so on. After replication is resumed, DFS Replication will log events 2212, 2218, and then 2214 (indicating that DFS Replication initialized the SYSVOL replicated folder).  

Preventing future occurrences of the issue

Check whether the Application and System event logs are frequently reporting ESENT database recovery operations, disk performance problems, or both. These typically coincide with unexpected shutdowns of the system, with DFS Replication not stopping gracefully, or disk subsystem failures. Consider updating the system's drivers, installing appropriate updates to the disk subsystem, or contacting the system's hardware manufacturer to investigate further. You may also contact Microsoft Customer Support Services to help evaluate the system's health and DFS Replication behavior.

The Service Control Manager (SCM) uses the default time-out time of 20 seconds for stopping a service. In some complex DFS Replication implementations, this time-out value may be too short, and DFS Replication stops before the appropriate database is closed. At service restart, DFS Replication detects this condition, and then performs the database recovery. WaitToKillServiceTimeout may be used to grant DFS Replication more time to commit changes to the database during shutdown. For more information, go to article 977518.

After you have restored DFS Replication of SYSVOL, DFS Replication health must be carefully monitored in the environment to prevent this scenario. Regular review of DFS Replication event logs, collecting of DFS Replication health reports, and collecting of replication state (by using the WMI query in the "Check DFS Replication state" section under "Step 1 - Evaluate the state of DFS Replication on all domain controllers" in this article) are recommended.
More information

DFSR Event Messages Reference


Event ID=2212
Severity=Warning
The DFS Replication service has detected an unexpected shutdown on volume %2. This can occur if the service terminated abnormally (due to a power loss, for example) or an error occurred on the volume. The service has automatically initiated a recovery process. The service will rebuild the database if it determines it cannot reliably . No user action is required.
recover. No user action is required.
Additional Information:
Volume: %2
GUID: %1

Event ID=2213
Severity=Warning
"The DFS Replication service stopped replication on volume %2. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
Additional Information:
Volume: %2
GUID: %1

Event ID=2214
Severity=Informational
The DFS Replication service successfully recovered from an unexpected shutdown on volume %2.This an occur if the service terminated abnormally (due to a power loss, for example) or an error occurred on the volume. No user action is required.
Additional Information:
Volume: %2
GUID: %1

Event ID=2218
Severity=Informational
The DFS Replication service is in the second step of replication database consistency checks after an unexpected shutdown. The database will be rebuilt if it cannot be recovered. No user action is required.
Additional Information:
Volume: %2
GUID: %1

Event ID=4012
Severity=Error
The DFS Replication service stopped replication on the replicated folder at local path %3. It has been disconnected from other partners for %2 days, which is longer than the MaxOfflineTimeInDays parameter. Because of this, DFS Replication considers this data to be stale, and will replace it with data from other members of the replication group during the next replication. DFS Replication will move the stale files to the local Conflict folder. No user action is required.
Additional Information:
Error: %4 (%5)
Replicated Folder Name: %6
Replicated Folder ID: %1
Replication Group Name: %7
Replication Group ID: %8
Member ID: %9

Event ID=4114
Severity=Informational
The replicated folder at local path %2 has been disabled. The replicated folder will not participate in replication until it is enabled. All data in the replicated folder will be treated as pre-existing data when this replicated folder is enabled.
Additional Information:
Replicated Folder Name: %3
Replicated Folder ID: %1
Replication Group Name: %4
Replication Group ID: %5
Member ID: %6

Event ID=4602
Severity=Informational
The DFS Replication service successfully initialized the SYSVOL replicated folder at local path %2. This member is the designated primary member for this replicated folder. No user action is required. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share".
Additional Information:
Replicated Folder Name: %3
Replicated Folder ID: %1
Replication Group Name: %4
Replication Group ID: %5
Member ID: %6
Read-Only: %8

Event ID=4604
Severity=Informational
The DFS Replication service successfully initialized the SYSVOL replicated folder at local path %2. This member has completed initial synchronization of SYSVOL with partner %7. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share".
Additional Information:
Replicated Folder Name: %3
Replicated Folder ID: %1
Replication Group Name: %4
Replication Group ID: %5
Member ID: %6
Sync partner: %7

Event ID=4614
Severity=Warning
The DFS Replication service initialized SYSVOL at local path %2 and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner %7. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
Additional Information:
Replicated Folder Name: %3
Replicated Folder ID: %1
Replication Group Name: %4
Replication Group ID: %5
Member ID: %6
Read-Only: %8


Propiedades

Id. de artículo: 2958414 - Última revisión: 05/23/2014 07:11:00 - Revisión: 2.0

Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Windows Server 2008 Service Pack 2, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Service Pack 1, Windows Server 2012 Standard, Windows Server 2012 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Datacenter

  • kbtshoot kbsurveynew kbexpertiseadvanced KB2958414
Comentarios