Newly Promoted Domain Controller does not create and replicate SYSVOL and NETLOGON folders


My SYSVOL and NETLOGON folders were not being synchronized because my primary DC was not set as an authoritative DFSR member. It was still trying to replicate to a demoted DC. I followed the "How to perform an authoritative synchronization of DFSR-replicated SYSVOL" in this guide on my Primary DC: https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo
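An added example, not part of the original post or of the linked Microsoft guide: a read-only PowerShell check for the condition described above, a SYSVOL DFSR member that no longer maps to a live domain controller, together with whether each DC actually shares SYSVOL and NETLOGON. It assumes the ActiveDirectory RSAT module and the default SYSVOL replication group name "Domain System Volume"; the function name `Get-SysvolDfsrTriage` is chosen here for illustration.

```powershell
# Added example (hypothetical helper): read-only triage, changes nothing in AD.
Import-Module ActiveDirectory

function Get-SysvolDfsrTriage {
    $domainDn = (Get-ADDomain).DistinguishedName
    $dcs      = @(Get-ADDomainController -Filter *)
    $dcDns    = @($dcs.ComputerObjectDN)

    # Member objects of the SYSVOL replication group (default group name assumed).
    $topology = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn"
    $members  = Get-ADObject -SearchBase $topology -Filter "objectClass -eq 'msDFSR-Member'" `
                    -Properties 'msDFSR-ComputerReference'
    foreach ($m in $members) {
        $ref = $m.'msDFSR-ComputerReference'
        [pscustomobject]@{
            Check  = 'DfsrMember'
            Target = $m.Name
            # STALE: reference is empty or points at a computer that is not a current DC.
            Status = if ($ref -and ($dcDns -contains $ref)) { 'OK' } else { 'STALE' }
            Detail = $ref
        }
    }

    foreach ($dc in $dcs) {
        # dcdiag's Advertising and NetLogons tests fail when these shares are absent.
        foreach ($share in 'SYSVOL', 'NETLOGON') {
            [pscustomobject]@{
                Check  = 'Share'
                Target = $dc.HostName
                Status = if (Test-Path "\\$($dc.HostName)\$share") { 'OK' } else { 'MISSING' }
                Detail = $share
            }
        }
        # Per-DC SYSVOL subscription: msDFSR-Enabled and msDFSR-Options are the
        # attributes the linked article edits (Options = 1 marks the authoritative member).
        $sub = Get-ADObject -SearchBase $dc.ComputerObjectDN -Filter "name -eq 'SYSVOL Subscription'" `
                   -Properties 'msDFSR-Enabled', 'msDFSR-Options'
        [pscustomobject]@{
            Check  = 'Subscription'
            Target = $dc.HostName
            Status = if ($sub) { 'FOUND' } else { 'MISSING' }
            Detail = "Enabled=$($sub.'msDFSR-Enabled') Options=$($sub.'msDFSR-Options')"
        }
    }
}

Get-SysvolDfsrTriage | Format-Table -AutoSize
```

A `STALE` DfsrMember row alongside `MISSING` Share rows on the new DC matches the situation in this thread: the replication group still lists a demoted partner and the new DC never completed its initial SYSVOL sync.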

Author by

Intrepid

Updated on September 18, 2022

Comments

  • Intrepid
    Intrepid over 1 year

    There seems to be something wrong with my primary domain controller. No matter what I do, I cannot get other domain controllers to create SYSVOL and NETLOGON folders when they've been promoted. My dcdiag shows these errors on my new domain controllers:

    Starting test: Advertising
       Warning: DsGetDcName returned information for \\ds1.directory.myorg.com, when we were trying to
       reach DS3.
       SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
       ......................... DS3 failed test Advertising
    
    Starting test: NetLogons
       Unable to connect to the NETLOGON share! (\\DS3\netlogon)
       [DS3] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
       ......................... DS3 failed test NetLogons
    

    dfsrmig.exe /getmigrationstate shows this on both domain controllers:

    All domain controllers have migrated successfully to the Global state ('Eliminated').
    

    I've tried manually sharing C:/Windows/SYSVOL/sysvol to match my primary DC, but that didn't seem to work. Other than the SYSVOL and NETLOGON folders not being created/replicated, everything looks OK.

    • strongline
      strongline almost 7 years
      Don't manually share those folders. Why do you run dfsrmig? Did you just finish DFSR migration? Did you check the basics such as DNS settings on all DCs? In my experience, when there is a replication issue, at least half of the time it's a DNS issue.
    • Intrepid
      Intrepid almost 7 years
      DNS settings look OK. Both servers have the Primary DC listed as their DNS. The newly promoted DC has A and NS entries in the DNS server. Everything looks good DNS-wise, but maybe there are some other diagnostics I can run to make sure?
    • strongline
      strongline almost 7 years
      If you have only 2 DCs, and the 2nd DC was just created, you shouldn't list it as your DNS server as it is not ready yet to answer any queries. You have to use your first DC on both boxes.
    • Intrepid
      Intrepid almost 7 years
      It is definitely ready to answer queries, and does successfully. Besides, like I said in my earlier comment, both DCs had the primary DC listed as their DNS server. I have since read that the best practice is to list the other one's IP address as its primary DNS server. I have changed it now, but it didn't make any difference.
    • strongline
      strongline almost 7 years
      How long ago did you promote the DC? How big are the AD and SYSVOL folder? It may take a while depending on the bandwidth. Besides the SYSVOL folder issue, is AD replication itself OK?
    • strongline
      strongline almost 7 years
      Are you using FRS or DFSR? Check the replication service health. If you still use FRS, maybe you can do a nonauthoritative mode restore (google burflags).
    • Intrepid
      Intrepid almost 7 years
      I am using DFSR... I think I found something that looks wrong. My DFSR on my Primary DC is showing errors that it is not able to replicate to its partner. This is because I demoted its partner a few weeks ago and removed the DC role from it. Why is it still trying to connect?
    • strongline
      strongline almost 7 years
      Remove the demoted DC from the replication set.
  • AntoineL
    AntoineL almost 4 years
    Thanks, it helped me! Also, in case someone else hits that same problem: when DFSRDIAG appears to not be installed on the target DC, the magic spell to invoke is Install-WindowsFeature RSAT-DFS-Mgmt-Con (here using the PowerShell dialect).