Problem Definition:


After simultaneously restoring all Active Directory Domain Controllers in a Domain/Forest, SYSVOL Replication stops.  Changes made to one Domain Controller do not replicate to other Domain Controllers.  The cause indicated in this article applies only if all Domain Controllers are virtualized on CloudConnect, or on a combination of CloudConnect and on-premises hypervisors with VM-Generation ID support enabled (Hyper-V 2012 or more recent; ESXi 5.0 Update 2, ESXi 5.1 Update 2 or more recent), and all Domain Controllers run Windows Server 2012 or newer.


Cause:


To prevent a USN rollback when restoring from a Virtual Machine Snapshot, Active Directory supports VM-Generation ID beginning with Windows Server 2012.  When a Windows Server 2012 (or newer) Active Directory Domain Controller is restored from a snapshot or a hypervisor-based virtual machine backup on a hypervisor that supports VM-Generation ID, the Domain Controller detects this restore event and performs a non-authoritative restore of SYSVOL on boot.  When this is attempted simultaneously across all (replicating) Domain Controllers in a Domain/Forest, there is no authority from which to acquire a master copy of SYSVOL.


Note: If you only have One Active Directory Domain Controller in your Forest, this Article does not apply and no additional restore steps are necessary.


Resolution:


Use the following procedure to mark a Domain Controller’s SYSVOL as authoritative and restart replication.  Note that any changes made to the other Domain Controllers after their last successful replication with the authoritative Domain Controller will be lost.  These lost changes generally have no impact except in very large and highly transactional Active Directory environments.  The loss can be further reduced by choosing carefully which restored Domain Controller you mark as authoritative.


  1. In the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative (preferably the PDC Emulator, which usually has the most up-to-date SYSVOL contents):

    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>

    msDFSR-Enabled=FALSE
    msDFSR-options=1

  2. Modify the following DN and single attribute on all other domain controllers in that domain:

    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>

    msDFSR-Enabled=FALSE

  3. Force Active Directory replication throughout the domain and validate its success on all DCs.

  4. Start the DFSR service on the domain controller you set as authoritative in Step 1.

  5. You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated.

  6. On the same DN from Step 1, set:

    msDFSR-Enabled=TRUE

  7. Force Active Directory replication throughout the domain and validate its success on all DCs.

  8. Run the following command from an elevated command prompt on the same server that you set as authoritative:

    DFSRDIAG POLLAD

  9. You will see Event ID 4602 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a “D4” of SYSVOL.

  10. Start the DFSR service on the other non-authoritative DCs. You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them.

  11. Modify the following DN and single attribute on all other domain controllers in that domain:

    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>

    msDFSR-Enabled=TRUE

  12. Run the following command from an elevated command prompt on all non-authoritative DCs (i.e. all but the formerly authoritative one):

    DFSRDIAG POLLAD
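The twelve steps above, scripted in PowerShell as an added example that is not part of this article or of KB 2218556. It assumes the RSAT ActiveDirectory module, WinRM access to every DC, and that the PDC Emulator is the DC you chose as authoritative; the helper names Get-SysvolSubscriptionDN and Wait-DfsrEvent are introduced here for illustration. The Event ID 4114 and 4602 checks are done by polling the DFS Replication log, so the script stops rather than continuing if an expected event never appears.

```powershell
# Added example: D4/D2 SYSVOL recovery driven from one admin workstation.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$authDC   = $domain.PDCEmulator     # assumption: the PDC Emulator is the authoritative DC
$authName = ($authDC -split '\.')[0]
$otherDCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name |
            Where-Object { $_ -ne $authName }

function Get-SysvolSubscriptionDN([string]$dcName) {
    # The DN from Steps 1, 2 and 11, built for this domain
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$dcName,OU=Domain Controllers,$($domain.DistinguishedName)"
}
function Wait-DfsrEvent([string]$computer, [int]$eventId, [datetime]$since) {
    # Poll the 'DFS Replication' log until the expected event appears (10 min timeout)
    $deadline = (Get-Date).AddMinutes(10)
    do {
        $ev = Get-WinEvent -ComputerName $computer -ErrorAction SilentlyContinue -MaxEvents 1 `
              -FilterHashtable @{LogName='DFS Replication'; Id=$eventId; StartTime=$since}
        if ($ev) { return $ev }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Event $eventId not seen on $computer within timeout"
}

# Steps 1-2: flag the authoritative DC (D4) and disable SYSVOL replication on the others
Set-ADObject -Server $authDC -Identity (Get-SysvolSubscriptionDN $authName) -Replace @{'msDFSR-Enabled'=$false; 'msDFSR-Options'=1}
foreach ($dc in $otherDCs) {
    Set-ADObject -Server $authDC -Identity (Get-SysvolSubscriptionDN $dc) -Replace @{'msDFSR-Enabled'=$false}
}
# Step 3: force AD replication and review the summary for errors before going on
repadmin /syncall $authDC /AdeP; repadmin /replsummary

# Steps 4-5: start DFSR on the authoritative DC and confirm Event ID 4114
$t0 = Get-Date
Invoke-Command -ComputerName $authDC -ScriptBlock { Start-Service -Name DFSR }
Wait-DfsrEvent $authDC 4114 $t0 | Out-Null

# Steps 6-9: re-enable, replicate, poll AD, confirm Event ID 4602 (SYSVOL initialized)
Set-ADObject -Server $authDC -Identity (Get-SysvolSubscriptionDN $authName) -Replace @{'msDFSR-Enabled'=$true}
repadmin /syncall $authDC /AdeP
Invoke-Command -ComputerName $authDC -ScriptBlock { dfsrdiag pollad }
Wait-DfsrEvent $authDC 4602 $t0 | Out-Null

# Steps 10-12: bring the non-authoritative DCs back (D2); replicate so each sees its own change
foreach ($dc in $otherDCs) {
    $t1 = Get-Date
    Invoke-Command -ComputerName $dc -ScriptBlock { Start-Service -Name DFSR }
    Wait-DfsrEvent $dc 4114 $t1 | Out-Null
    Set-ADObject -Server $authDC -Identity (Get-SysvolSubscriptionDN $dc) -Replace @{'msDFSR-Enabled'=$true}
}
repadmin /syncall $authDC /AdeP
foreach ($dc in $otherDCs) { Invoke-Command -ComputerName $dc -ScriptBlock { dfsrdiag pollad } }
```

Run it interactively and read the repadmin summary after Step 3 before continuing; the extra replication pass before the final POLLAD is added so each DC has received its own msDFSR-Enabled change.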


Additional Information:


The Solution in this Article is sourced from Microsoft KB 2218556.  For additional information, see https://support.microsoft.com/en-us/kb/2218556.


Applies To:


Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Active Directory Domain Services Schema Version 56 or newer

ESXi 5.0 Update 2, ESXi 5.1 Update 2, ESXi 5.5, ESXi 6, ESXi 6.5

Hyper-V 2012, Hyper-V 2012 R2, Hyper-V 2016