๐ D4/D2 Manual Process Has Been Mentioned Here -> Microsoft KB
- 1. Missing SysVol/Netlogon folders on Domain Controller/s.
- 2. GPO Inconsistencies across the Domain Controller/s.- ๐ ๐๐ญ๐ฐ๐ฏ๐ฆ ๐ต๐ฉ๐ฆ ๐๐ฆ๐ฑ๐ฐ : ๐จ๐ช๐ต ๐ค๐ญ๐ฐ๐ฏ๐ฆ ๐ฉ๐ต๐ต๐ฑ๐ด:https://๐จ๐ช๐ต๐ฉ๐ถ๐ฃ.๐ค๐ฐ๐ฎ/21๐ฃ๐ด๐ฉ๐ธ๐ซ๐ต/๐๐บ๐ด๐๐ฐ๐ญ-๐4-๐๐ฐ๐ธ๐ฆ๐ณ๐๐ฉ๐ฆ๐ญ๐ญ.๐จ๐ช๐ต
- ๐ ๐๐ฐ๐ฑ๐บ ๐๐ค๐ณ๐ช๐ฑ๐ต๐ด ๐ง๐ฐ๐ญ๐ฅ๐ฆ๐ณ ๐ช๐ฏ๐ต๐ฐ ๐ต๐ฉ๐ฆ ๐๐๐
- ๐ ๐๐ฐ๐ฎ๐ข๐ช๐ฏ ๐๐ฅ๐ฎ๐ช๐ฏ๐ด ๐๐ณ๐ช๐ท๐ช๐ญ๐ฆ๐จ๐ฆ๐ด
- ๐ ๐๐ฆ๐ฒ๐ถ๐ช๐ณ๐ฆ๐ด ๐๐ค๐ต๐ช๐ท๐ฆ ๐๐ช๐ณ๐ฆ๐ค๐ต๐ฐ๐ณ๐บ ๐๐ฐ๐ฅ๐ถ๐ญ๐ฆ
- ๐ ๐๐ถ๐ฏ ๐ต๐ฉ๐ฐ๐ด๐ฆ ๐๐ค๐ณ๐ช๐ฑ๐ต๐ด ๐ช๐ฏ ๐ด๐ฆ๐ฒ๐ถ๐ฆ๐ฏ๐ค๐ฆ
- ๐ ๐๐ค๐ณ๐ช๐ฑ๐ต ๐ฏ๐ถ๐ฎ๐ฃ๐ฆ๐ณ๐ช๐ฏ๐จ ๐ฉ๐ข๐ท๐ฆ ๐ฃ๐ฆ๐ฆ๐ฏ ๐ฅ๐ฐ๐ฏ๐ฆ ๐ฃ๐ข๐ด๐ฆ๐ฅ ๐ฐ๐ฏ ๐ณ๐ฆ๐ข๐ฅ๐ฎ๐ฆ ๐ง๐ช๐ญ๐ฆ ๐ฏ๐ถ๐ฎ๐ฃ๐ฆ๐ณ๐ช๐ฏ๐จ ๐ฉ๐ฆ๐ฏ๐ค๐ฆ 3, 8 & 12 ๐ข๐ณ๐ฆ ๐ฏ๐ฐ๐ต ๐ต๐ฉ๐ฆ๐ณ๐ฆ
- ๐ ๐๐ค๐ณ๐ช๐ฑ๐ต๐ด 18 ๐ข๐ฏ๐ฅ 19 ๐ข๐ณ๐ฆ ๐ง๐ฐ๐ณ ๐ฑ๐ฐ๐ด๐ต-๐ท๐ข๐ญ๐ช๐ฅ๐ข๐ต๐ช๐ฐ๐ฏ๐ด
- ๐ ๐๐ฆ๐ข๐ฅ ๐ต๐ฉ๐ฆ ๐ข๐ฃ๐ฐ๐ท๐ฆ ๐ฎ๐ฆ๐ฏ๐ต๐ช๐ฐ๐ฏ๐ฆ๐ฅ ๐๐๐๐ ๐๐
๐ 1. Set the DFS Replication service Startup Type to Manual and stop the service on all domain controllers in the domain.
$DCs = Get-ADGroupMember -Identity "Domain Controllers" | Select-Object -ExpandProperty Name
# Change Service startup type to manual & stop the DFSR Service
$DCs | ForEach-Object -Process {
try {
# Action that will run in parallel. Reference the current object via $PSItem and bring in outside variables with $USING:varname
Invoke-Command -ComputerName $PSItem -ScriptBlock {
Set-Service -Name 'DFSR' -StartupType Manual -Verbose
Stop-Service -Name 'DFS Replication' -Force -Verbose
} -ErrorAction Stop
} catch {
Write-Error "Failed to modify DFSR service on $PSItem Error: $_"
}
}# Get the DFSR Service Status
$DCs = Get-ADGroupMember -Identity "Domain Controllers" | Select-Object -ExpandProperty Name
$GetoBj = Foreach ($DC in $DCs) {
Invoke-Command -ComputerName $DC {
[PSCustomObject]@{
DomainController = ($env:COMPUTERNAME).ToUpper()
ServiceName = (Get-Service -Name DFSR).Name
Status = (Get-Service -Name DFSR).Status
StartType = (Get-Service -Name DFSR).StartType
}
}
}
$GetoBj | Select-Object -Property DomainController, ServiceName, Status, StartType ๐ 3. In the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative (preferably the PDC Emulator, which is usually the most up-to-date for sysvol replication contents) - Manual
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
msDFSR-options=1# Change PDC on ADSIEDIT
# Get the PDC Emulator for the domain
$PDCNameFull = (Get-ADDomain).PDCEmulator
# Split the full server name to get only the server name part
$PDCName = $PDCNameFull -split '\.' | Select-Object -First 1
$domain = (Get-ADDomain).DistinguishedName
# Construct the DN (Distinguished Name)
$dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$PDCName,OU=Domain Controllers,$domain"
# Set the attributes
Set-ADObject -Identity $dn -Replace @{
"msDFSR-Enabled" = $False
"msDFSR-options" = 1
} -Verbose $domain = (Get-ADDomain).DistinguishedName
$DCs = Get-ADGroupMember -Identity "Domain Controllers" | Select-Object -ExpandProperty Name
foreach ($DC in $DCs) {
# Construct the DN (Distinguished Name)
$dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC,OU=Domain Controllers,$domain"
# Set the attributes
Set-ADObject -Identity $dn -Replace @{
"msDFSR-Enabled" = $False
} -Verbose
} ๐ 6. Force Active Directory replication throughout the domain and validate its success on all DCs.
repadmin /syncall /A /e /P /d /q# Get the PDC Emulator for the domain
$PDCNameFull = (Get-ADDomain).PDCEmulator
# Split the full server name to get only the server name part
$PDCName = $PDCNameFull -split '\.' | Select-Object -First 1
Invoke-Command -ComputerName $PDCName {Start-Service -Name 'DFS Replication' -Verbose} ๐ 8. You'll see Event ID 4114 in the DFSR event log indicating sysvol replication is no longer being replicated.
# Change PDC on ADSIEDIT
# Get the PDC Emulator for the domain
$PDCNameFull = (Get-ADDomain).PDCEmulator
# Split the full server name to get only the server name part
$PDCName = $PDCNameFull -split '\.' | Select-Object -First 1
$domain = (Get-ADDomain).DistinguishedName
# Construct the DN (Distinguished Name)
$dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$PDCName,OU=Domain Controllers,$domain"
# Set the attributes
Set-ADObject -Identity $dn -Replace @{
"msDFSR-Enabled" = $True
} -Verbose ๐ 10. Force Active Directory replication throughout the domain and validate its success on all DCs.
repadmin /syncall /A /e /P /d /q๐ 11. Run the following command from an elevated command prompt on the same server that you set as authoritative:
DFSRDIAG POLLAD ๐ 12. You'll see Event ID 4602 in the DFSR event log indicating sysvol replication has been initialized. That domain controller has now done a D4 of sysvol replication.
๐ 13. Start the DFSR service on the other non-authoritative DCs. You'll see Event ID 4114 in the DFSR event log indicating sysvol replication is no longer being replicated on each of them
$DCs = Get-ADGroupMember -Identity "Domain Controllers" | Select-Object -ExpandProperty Name
# Start the DRSR Service
$DCs | Foreach-Object -Process {
#Action that will run in Parallel. Reference the current object via $PSItem and bring in outside variables with $USING:varname
Invoke-Command -ComputerName $PSItem { Start-Service -Name 'DFS Replication' -Verbose
}
} ๐ 14. Modify the following DN and single attribute on all other domain controllers in that domain:
$domain = (Get-ADDomain).DistinguishedName
$DCs = Get-ADGroupMember -Identity "Domain Controllers" | Select-Object -ExpandProperty Name
foreach ($DC in $DCs) {
$dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC,OU=Domain Controllers,$domain"
Set-ADObject -Identity $dn -Replace @{
"msDFSR-Enabled" = $True
} -Verbose
}๐ 15. Run the following command from an elevated command prompt on all non-authoritative DCs (that is, all but the formerly authoritative one):
# Get members of the "Domain Controllers" group and store their names in $servers array
$servers = Get-ADGroupMember -Identity "Domain Controllers" | Select-Object -ExpandProperty Name
# Get the PDC Emulator for the domain
$PDCNameFull = (Get-ADDomain).PDCEmulator
# Split the full server name to get only the server name part
$PDCName = $PDCNameFull -split '\.' | Select-Object -First 1
# Remove PDC from the $servers array
$servers = $servers | Where-Object { $_ -ne "$PDCName" }
# Run DFSRDIAG POLLAD to all Non Auth DCs
$servers | ForEach-Object -Process {
Invoke-Command -ComputerName $PSItem { DFSRDIAG POLLAD -Verbose }
}$DCs = Get-ADGroupMember -Identity "Domain Controllers" | Select-Object -ExpandProperty Name
# Change Service startup type Autometic
$DCs | Foreach-Object -Process {
Invoke-Command -ComputerName $PSItem { Set-Service -Name 'DFSR' -StartupType Automatic -Verbose
}
} # Get the DFSR Service Status
$DCs = Get-ADGroupMember -Identity "Domain Controllers" | Select-Object -ExpandProperty Name
$GetoBj = foreach ($DC in $DCs) {
try {
$result = Invoke-Command -ComputerName $DC -ScriptBlock {
[PSCustomObject]@{
DomainController = $env:COMPUTERNAME.ToUpper()
ServiceName = (Get-Service -Name DFSR -ErrorAction Stop).Name
Status = (Get-Service -Name DFSR -ErrorAction Stop).Status
StartType = (Get-Service -Name DFSR -ErrorAction Stop).StartType
}
}
}
catch {
$result = [PSCustomObject]@{
DomainController = $DC.ToUpper()
ServiceName = "DFSR"
Status = "Error: $($Error[0].Exception.Message)"
StartType = "Unknown"
}
}
$result
}
$GetoBj | Select-Object -Property DomainController, ServiceName, Status, StartType+ SysVol Health Checkups for all the Domain Controllers across the domain, Expected "State" values are '4' after sometime.<#
State values are:
0: Uninitialized
1: Initialized
2: Initial Sync
3: Auto Recovery
4: Normal
5: In Error
Expected value is '4'.
#>
$servers = Get-ADGroupMember -Identity "Domain Controllers" | Select-Object -ExpandProperty Name
foreach ($server in $servers) {
try {
$result = Get-WmiObject -Namespace "root\microsoftdfs" -Class "dfsrreplicatedfolderinfo" -ComputerName $server -Filter "replicatedfoldername='SYSVOL share'" |
Select-Object @{Name = 'DomainController'; Expression = { $_.MemberName } }, ReplicationGroupName, ReplicatedFolderName, State
if ($result) {
$result # | Format-Table -AutoSize
}
else {
Write-Warning "No DFSR information found on $server for 'SYSVOL share'."
}
}
catch {
Write-Warning "Error querying $server : $_"
}
}
๐ 19. Verify msDFSR-Enabled for msDFSR-options attribute values from all Domain Controllers (Optional)
+ msDFSR-options value will be "0" from "1" automatically into PDC after some time.# msDFSR-options value will be "0" from "1" automatically into PDC after some time.
$domain = (Get-ADDomain).DistinguishedName
$DCs = Get-ADGroupMember -Identity "Domain Controllers" | Select-Object -ExpandProperty Name
$Objs = Foreach ($DC in $DCs){
Get-ADObject -Filter {Name -eq "SYSVOL Subscription"} -SearchBase "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC,OU=Domain Controllers,$domain" -Properties DistinguishedName, msDFSR-Enabled, msDFSR-options |
Select-Object DistinguishedName, msDFSR-Enabled, msDFSR-options
}
foreach ($Obj in $Objs){
$msDFSR_options = $Obj.'msDFSR-options'
if ([string]::IsNullOrWhiteSpace($msDFSR_options)) {
$msDFSR_options = "<not set>"
}
[PSCustomObject]@{
DomainController = ($($Obj.DistinguishedName) -split ",")[3].Substring(3)
"msDFSR-Enabled" = $($Obj.'msDFSR-Enabled')
"msDFSR-options" = $msDFSR_options
}
}๐๐ช๐ด๐ธ๐ข๐ซ๐ช๐ต ๐๐ช๐ด๐ธ๐ข๐ด ๐ข.๐ฌ.๐ข ๐ฃ๐ด๐ฉ๐ธ๐ซ๐ต
๐๐ฎ๐ข๐ช๐ญ: ๐ฃ๐ด๐ฉ๐ธ๐ซ๐ต@๐จ๐ฎ๐ข๐ช๐ญ.๐ค๐ฐ๐ฎ
๐๐ช๐ฏ๐ฌ๐ฆ๐ฅ๐๐ฏ
๐ฆ ๐ฆ ๐ฆ