
Force synchronization for DFSR-replicated SYSVOL

One of my clients had a problem with GPO processing on client computers: different computers applied different settings from the same GPO, depending on which domain controller served it. All replication tests were successful and all GPOs were applied, but replication between the domain controllers was the problem, and because of it most clients ended up with a different GPO configuration.

I had a similar problem with a newly promoted domain controller which I previously blogged about here.

Scenarios where this problem typically occurs:

  • Replication was moved from FRS to DFSR
  • Demoting an old domain controller in the environment
  • When there is a problem with the DFS replication of the SYSVOL folder

To solve this problem, I had to manually perform an authoritative synchronization between the domain controllers.

I am including steps for authoritative and non-authoritative synchronization, but before we get started we need to see the state of the replication.

Steps:

  1. Find the replication state of each DC. Typically the problem DCs will be at state 0 or 2; the goal is to get every DC to state 4.
  2. Get to state 2
  3. Get to state 4

Find the replication state of all DCs

Run the WMIC command shown in the steps below on each DC; the state value it returns translates as follows:

0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error
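As an added example (not the post's own command), here is a PowerShell version of that state check that queries every DC in the domain through CIM and translates the numeric state. It also covers the same check used in the "Missing SYSVOL & NETLOGON" post further down, including the "No Instance(s) Available" case. It assumes the RSAT ActiveDirectory module and CIM/WinRM access to each DC; `DfsrReplicatedFolderInfo` in the `root\MicrosoftDFS` namespace is the WMI class behind the WMIC command on this page.

```powershell
# Added example (not from the original post): query the DFSR SYSVOL replication
# state on every DC in the current domain and translate the numeric state.
# Assumes the RSAT ActiveDirectory module and CIM/WinRM access to each DC.
Import-Module ActiveDirectory

$dfsrStateNames = @{
    0 = 'Uninitialized'
    1 = 'Initialized'
    2 = 'Initial Sync'
    3 = 'Auto Recovery'
    4 = 'Normal'
    5 = 'In Error'
}

function Get-DfsrSysvolState {
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $ComputerName) {
        try {
            $folders = Get-CimInstance -ComputerName $dc -Namespace 'root\MicrosoftDFS' `
                -ClassName 'DfsrReplicatedFolderInfo' -ErrorAction Stop
            if (-not $folders) {
                # Same symptom as the "No Instance(s) Available" WMIC output: DFSR has
                # not initialised any replicated folder on this DC.
                [pscustomobject]@{ DC = $dc; ReplicationGroup = $null; Folder = $null; State = $null; StateName = 'No instances' }
                continue
            }
            foreach ($f in $folders) {
                [pscustomobject]@{
                    DC               = $dc
                    ReplicationGroup = $f.ReplicationGroupName
                    Folder           = $f.ReplicatedFolderName
                    State            = [int]$f.State
                    StateName        = $dfsrStateNames[[int]$f.State]
                }
            }
        } catch {
            [pscustomobject]@{ DC = $dc; ReplicationGroup = $null; Folder = $null; State = $null; StateName = "Query failed: $($_.Exception.Message)" }
        }
    }
}

# Report, and flag anything that is not in state 4 (Normal).
$report = Get-DfsrSysvolState
$report | Format-Table -AutoSize
$notNormal = $report | Where-Object { $_.State -ne 4 }
if ($notNormal) {
    Write-Warning "DCs not in state 4: $(($notNormal.DC | Sort-Object -Unique) -join ', ')"
}
```

Run it before and after the synchronization steps; a DC that reports "No instances" or "Query failed" needs the Event Viewer investigation described later on this page rather than another wait for state 4.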

Non-authoritative synchronization of DFSR-replicated SYSVOL

  • Stop the DFS Replication service (net stop dfsr).
  • In the ADSIEDIT.MSC tool, modify the following distinguished name (DN) value and attribute on each of the domain controllers that you want to make non-authoritative:
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
    msDFSR-Enabled=FALSE
  • Force Active Directory replication throughout the domain (repadmin /syncall primary_dc_name /APed).
  • Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
    DFSRDIAG POLLAD
  • You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated (open Event Viewer and navigate to Applications and Services Logs -> DFS Replication).
  • On the same DN that you modified in ADSIEDIT above, set:
    msDFSR-Enabled=TRUE
  • Force Active Directory replication throughout the domain (repadmin /syncall primary_dc_name /APed).
  • Start the DFS Replication service (net start dfsr).
  • Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
    DFSRDIAG POLLAD
  • You will see Event ID 4614 and 4604 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a non-authoritative sync of SYSVOL.
  • Run Wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo get replicationgroupname,replicatedfoldername,state and make sure the state is at 4. If it is at 2, it may take some time to reach state 4. Wait a few minutes and try again until all DCs are at state 4.

Authoritative synchronization of DFSR-replicated SYSVOL

  1. Find the PDC Emulator (elevated command prompt: netdom query fsmo), which usually has the most up-to-date SYSVOL contents, or the server holding all the policies and scripts. Consider this the primary server.
  2. Stop the DFS Replication service (net stop dfsr) on the primary server.
  3. On the primary server, in the ADSIEDIT.MSC tool, modify the following DN and two attributes to make it authoritative:
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
    msDFSR-Enabled=FALSE
    msDFSR-options=1
  4. Modify the following DN and single attribute on all other domain controllers in that domain:
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
    msDFSR-Enabled=FALSE
  5. Force Active Directory replication throughout the domain and validate its success on all DCs (repadmin /syncall primary_dc_name /APed). You will probably need to run the same command 3-4 times.
  6. Start the DFSR service on the primary DC, the one set as authoritative (net start dfsr).
  7. You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated (open Event Viewer and navigate to Applications and Services Logs -> DFS Replication).
  8. On the primary server's DN from step 3, set:
    msDFSR-Enabled=TRUE
  9. Force Active Directory replication throughout the domain and validate its success on all DCs (repadmin /syncall primary_dc_name /APed). You will probably need to run the same command 3-4 times.
  10. Run the following command from an elevated command prompt on the same server that you set as authoritative (primary server):
    DFSRDIAG POLLAD
  11. Wait a few minutes and you will see Event ID 4602 in the DFSR event log (open Event Viewer and navigate to Applications and Services Logs -> DFS Replication) indicating SYSVOL has been initialized. That domain controller has now done an authoritative sync of SYSVOL.
  12. Start the DFSR service on the other, non-authoritative DCs (net start dfsr). You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them.
  13. Modify the following DN and single attribute on all other domain controllers in that domain:
    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
    msDFSR-Enabled=TRUE
  14. Run the following command from an elevated command prompt on all non-authoritative DCs (i.e. all but the authoritative one):
    DFSRDIAG POLLAD
  15. Verify you see Event ID 2002 and 4602 on all other domain controllers.
  16. Run Wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo get replicationgroupname,replicatedfoldername,state and make sure the state is at 4. If it is at 2, it may take some time to reach state 4. Wait a few minutes and try again until all DCs are at state 4.

If you set the authoritative flag on one DC, you must non-authoritatively synchronize all other DCs in the domain. Otherwise you will see conflicts on DCs, originating from any DC where you did not set auth/non-auth and restarted the DFSR service. For example, if all logon scripts were accidentally deleted and a manual copy of them was placed back on the PDC Emulator role holder, making that server authoritative and all other servers non-authoritative would guarantee success and prevent conflicts. If making any DC authoritative, the PDC Emulator is preferable, since its SYSVOL contents are usually the most up to date.

The authoritative flag is only necessary if you need to force synchronization of all DCs. If you are only repairing one DC, simply make it non-authoritative and do not touch the other servers.

This article is written with a 2-DC environment in mind, for simplicity of description. If you have more than one affected DC, expand the steps to include ALL of them as well. It also assumes you have the ability to restore data that was previously deleted, overwritten, damaged, etc. if this is a disaster recovery scenario on all DCs in the domain.
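The ADSIEDIT edits in both procedures above touch the same two attributes on the same DN, so here is an added PowerShell helper (not the post's own script) that reads and sets them with Set-ADObject instead of by hand. It assumes the RSAT ActiveDirectory module; DC names in the usage comments are constructed. It only performs the attribute edits, so the stop/start of DFSR, the repadmin /syncall runs, DFSRDIAG POLLAD and the event-log checks from the steps above still happen around it in the same order.

```powershell
# Added example, not the post's own script: read and set the DFSR SYSVOL
# subscription attributes that the ADSIEDIT steps above edit by hand.
# Assumes the RSAT ActiveDirectory module; DC names are parameters.
Import-Module ActiveDirectory

function Get-SysvolSubscriptionDN {
    param([Parameter(Mandatory)][string]$DCName)
    $domainDN = (Get-ADDomain).DistinguishedName
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DCName,OU=Domain Controllers,$domainDN"
}

function Set-SysvolSubscription {
    param(
        [Parameter(Mandatory)][string]$DCName,
        [Parameter(Mandatory)][bool]$Enabled,
        [switch]$Authoritative    # also sets msDFSR-Options=1; use on the primary DC only
    )
    $dn = Get-SysvolSubscriptionDN -DCName $DCName
    $attrs = @{ 'msDFSR-Enabled' = $Enabled }
    if ($Authoritative) { $attrs['msDFSR-Options'] = 1 }
    # Write against the DC's own directory so the change is local to it before
    # the repadmin /syncall step pushes it around the domain.
    Set-ADObject -Identity $dn -Replace $attrs -Server $DCName
    # Read back what was written so the caller can confirm the state.
    Get-ADObject -Identity $dn -Properties 'msDFSR-Enabled', 'msDFSR-Options' -Server $DCName |
        Select-Object DistinguishedName, 'msDFSR-Enabled', 'msDFSR-Options'
}

# Usage matching the authoritative procedure (constructed DC names):
#   primary (PDC Emulator), DFSR already stopped there:
# Set-SysvolSubscription -DCName 'DC1' -Enabled $false -Authoritative
#   every other DC in the domain:
# Set-SysvolSubscription -DCName 'DC2' -Enabled $false
#   ... repadmin /syncall, net start dfsr on DC1, wait for Event ID 4114, then:
# Set-SysvolSubscription -DCName 'DC1' -Enabled $true
#   ... and after DC1 reports 4602 and DFSR is started on the others:
# Set-SysvolSubscription -DCName 'DC2' -Enabled $true
```

The read-back at the end of the function is the check worth keeping: if msDFSR-Options does not show 1 on the primary, or msDFSR-Enabled is still TRUE on a DC you meant to make non-authoritative, restarting DFSR there is exactly the situation the note above warns produces conflicts.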

After these actions, all problems with GPO processing and SYSVOL replication disappeared. 🙂

Get Inactive Users Report for the past 60 days in a multi domain environment

I had a request recently to provide an inactive user report for the past 60 days. Basically, find out which accounts have not logged in for the past 60 days so action can be taken against them.

The request was for a multi-domain forest, so the script queries every domain controller and keeps the latest lastLogon value by comparing the value from each. I wrote a script and wanted to share it, as others might find it handy too.
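The post's script itself is not on this page, so here is an added PowerShell example of the approach it describes (not the author's code): the lastLogon attribute is not replicated between domain controllers, which is why every DC in every domain has to be asked and only the newest value kept. It assumes the RSAT ActiveDirectory module; the CSV output path is constructed.

```powershell
# Added example (not the post's script): for every domain in the forest, query
# every DC for each enabled user's lastLogon (not replicated between DCs), keep
# the newest value, and report accounts idle for more than $Days.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-InactiveUsers {
    param([int]$Days = 60)
    $cutoff = (Get-Date).AddDays(-$Days)
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        $latest = @{}   # samAccountName -> newest lastLogon (FILETIME) seen on any DC
        $dcs = Get-ADDomainController -Filter * -Server $domain | Select-Object -ExpandProperty HostName
        foreach ($dc in $dcs) {
            try {
                $users = Get-ADUser -Filter 'Enabled -eq $true' -Server $dc -Properties lastLogon -ErrorAction Stop
            } catch {
                # An unreachable DC means its local lastLogon values are missing from the
                # comparison; surface that rather than silently under-reporting activity.
                Write-Warning "Skipping $dc : $($_.Exception.Message)"
                continue
            }
            foreach ($u in $users) {
                $ll = [int64]$u.lastLogon   # 0 = this DC has never authenticated the account
                if (-not $latest.ContainsKey($u.SamAccountName) -or $ll -gt $latest[$u.SamAccountName]) {
                    $latest[$u.SamAccountName] = $ll
                }
            }
        }
        foreach ($sam in $latest.Keys) {
            $ll = $latest[$sam]
            $lastLogonDate = if ($ll -gt 0) { [DateTime]::FromFileTime($ll) } else { $null }
            if ($null -eq $lastLogonDate -or $lastLogonDate -lt $cutoff) {
                [pscustomobject]@{
                    Domain         = $domain
                    SamAccountName = $sam
                    LastLogon      = $lastLogonDate   # $null = no DC queried has ever seen a logon
                }
            }
        }
    }
}

Get-InactiveUsers -Days 60 | Sort-Object Domain, LastLogon |
    Export-Csv -Path .\InactiveUsers-60d.csv -NoTypeInformation
```

Accounts with a null LastLogon include newly created ones that simply have not logged on yet, so check the creation date before disabling anything on that basis; and a DC that was skipped with a warning makes the report incomplete for its domain.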


Get Primary, Secondary, Tertiary DNS values and more from Multiple Servers

Came across a unique request to get the primary, secondary, and tertiary DNS server values for multiple computers/servers across the domain. I started writing a script and got what I wanted.

This started off as just a query for DNS server information, but then I decided to add other pieces to build a good network inventory of all the servers in the environment.

I am utilizing the Win32_NetworkAdapterConfiguration WMI Class to get the required information.

You can modify the script below to suit your needs. The complete list of settings that can be captured:

Since the scripts query for information, it is best to run them from a DC or a privileged server with an account that has privileged access.

To get the results you need the following two scripts:

Get-NetworkInfo.ps1:

Get-Remote-NetworkInfo.ps1:

This will get the information and export it to an Excel file that you can keep handy for reference or auditing. Hope this helps!
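The two scripts are not reproduced on this page, so here is an added example (not the author's Get-NetworkInfo.ps1) of the Win32_NetworkAdapterConfiguration query it describes, with the DNSServerSearchOrder list split into primary, secondary and tertiary entries. It assumes CIM/WinRM access to the servers; the server list comes from a constructed Get-ADComputer filter (RSAT ActiveDirectory) and the output goes to CSV rather than Excel.

```powershell
# Added example (not the post's Get-NetworkInfo.ps1): collect DNS search order and
# basic adapter settings from Win32_NetworkAdapterConfiguration on many servers.
# Assumes CIM/WinRM access; input list and output CSV path are constructed.
function Get-NetworkInventory {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($server in $ComputerName) {
        try {
            $adapters = Get-CimInstance -ComputerName $server -ClassName Win32_NetworkAdapterConfiguration `
                -Filter 'IPEnabled = True' -ErrorAction Stop
        } catch {
            # Keep unreachable servers in the report so the inventory shows its own gaps.
            [pscustomobject]@{ Server = $server; Adapter = $null; Error = $_.Exception.Message }
            continue
        }
        foreach ($a in $adapters) {
            # DNSServerSearchOrder is an ordered string[]; index 0..2 are primary..tertiary.
            $dns = @($a.DNSServerSearchOrder)
            [pscustomobject]@{
                Server       = $server
                Adapter      = $a.Description
                MACAddress   = $a.MACAddress
                IPAddress    = ($a.IPAddress -join ';')
                SubnetMask   = ($a.IPSubnet -join ';')
                Gateway      = ($a.DefaultIPGateway -join ';')
                DHCPEnabled  = $a.DHCPEnabled
                PrimaryDNS   = $dns[0]
                SecondaryDNS = if ($dns.Count -gt 1) { $dns[1] } else { $null }
                TertiaryDNS  = if ($dns.Count -gt 2) { $dns[2] } else { $null }
                DNSSuffixes  = ($a.DNSDomainSuffixSearchOrder -join ';')
                WINSPrimary  = $a.WINSPrimaryServer
                Error        = $null
            }
        }
    }
}

# Constructed input: every Windows Server computer object in the domain.
Import-Module ActiveDirectory
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' | Select-Object -ExpandProperty DNSHostName
Get-NetworkInventory -ComputerName $servers | Export-Csv -Path .\NetworkInventory.csv -NoTypeInformation
```

Sorting the CSV by PrimaryDNS is a quick way to spot servers still pointing at a decommissioned DNS server or at a public resolver, which is usually the audit question behind a request like this.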

Backup & Restore Active Directory integrated DNS zones

DNS is one of the core components of Active Directory Domain Services. In a disaster scenario it becomes impossible to locate resources within the network and all AD operations come to a screeching halt, so restoring the DNS servers is absolutely necessary. One way to do this is an AD DS authoritative restore from a system state backup, which is Microsoft's preferred method for backing up a DNS server. That is a time-consuming and complex process: the domain controllers must be restarted for the changes to take effect, and you also end up restoring the Registry, the Active Directory database and a number of other components. Eventually it leads to increased downtime, which impacts productivity.

Luckily, it’s possible to back up a DNS server independently using PowerShell.

Backup:

For AD-integrated zones, the support tool dnscmd.exe can get the job done. To back up any DNS zone with dnscmd.exe, you just need to use the /zoneexport switch. To back up the Zone1.com zone locally on a DNS server, you'd run the command below on the DNS server:

where DC1 is the DNS server name. This command writes a copy of the Zone1.com zone to the %systemroot%\system32\dns\backup\Zone1.com.dns.bak file.

Note that the command doesn’t overwrite existing files, so if you’re including it with a backup script, be sure to move the file to an alternate location after the export completes, or to rename or delete the current backup file before you run a new dnscmd /zoneexport job.

PowerShell Script to backup DNS:

Restore:

Make sure the zone does not exist in DNS Manager, as the restore will otherwise give an error. If you need to re-create a zone from the export file, you can do this with dnscmd.exe and the /zoneadd switch. The only catch with this approach is that if you're looking to recover an AD-integrated zone, you need to add the zone as a primary first and then convert it to AD-integrated. For example, to recover my Zone1.com zone:

Note that the backup file needs to reside in the %systemroot%\system32\dns folder for it to be properly discovered.

The /load switch tells the command to load the zone data from the existing file. Without it, the command creates a new zone data file that overwrites the contents of the backup file.

After adding the zone to the DNS server, you can convert it to an AD-integrated zone by running:

At this point, you can then enable secure dynamic updates for the zone by running:

This command configures the zone to accept only secure dynamic updates, as specified by the allowupdate value of 2 (use 0 to specify No dynamic updates, 1 for nonsecure and secure dynamic updates).

PowerShell Script to restore DNS:

Note that this script works to "recreate" a DNS zone. If the zone you are trying to restore is still present on the DNS server, the dnscmd.exe utility will return a warning telling you that the zone already exists. You might need to delete the zones before restoring them.
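The dnscmd commands themselves are not reproduced on this page, so here is an added PowerShell example (not the post's backup or restore script) that wraps the steps described above: /zoneexport for the backup, then /zoneadd with /load, conversion to AD-integrated, and /allowupdate 2 for the restore. It is meant to run on the DNS server itself, so the file paths under %systemroot%\system32\dns are local; dnscmd.exe must be installed (DNS Server role or RSAT DNS tools). The server and zone names are the constructed DC1 / Zone1.com from the text; /zoneinfo and /zoneresettype /dsprimary are real dnscmd switches that the post does not mention.

```powershell
# Added example (not the post's scripts): wrap the dnscmd.exe steps described above.
# Run on the DNS server; assumes dnscmd.exe is present. Server and zone names are
# constructed, and the backup file lives under %systemroot%\system32\dns as the post notes.
function Backup-DnsZone {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Zone
    )
    $relative = "backup\$Zone.dns.bak"                        # relative to system32\dns
    $full = Join-Path $env:SystemRoot "system32\dns\$relative"
    # dnscmd /zoneexport refuses to overwrite, so rotate the previous export first.
    if (Test-Path $full) {
        Move-Item $full ("{0}.{1}" -f $full, (Get-Date -Format 'yyyyMMddHHmmss'))
    }
    & dnscmd.exe $Server /zoneexport $Zone $relative
    if ($LASTEXITCODE -ne 0) { throw "zoneexport failed for $Zone on $Server (exit $LASTEXITCODE)" }
    $full
}

function Restore-DnsZone {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Zone,
        [string]$File = "backup\$Zone.dns.bak"
    )
    # Restore fails if the zone still exists; check explicitly instead of relying on the warning.
    & dnscmd.exe $Server /zoneinfo $Zone > $null 2>&1
    if ($LASTEXITCODE -eq 0) { throw "Zone $Zone already exists on $Server; delete it before restoring" }

    # 1. Re-create as a standard primary from the existing file (/load keeps the file contents).
    & dnscmd.exe $Server /zoneadd $Zone /primary /file $File /load
    if ($LASTEXITCODE -ne 0) { throw "zoneadd failed for $Zone (exit $LASTEXITCODE)" }
    # 2. Convert the zone to AD-integrated.
    & dnscmd.exe $Server /zoneresettype $Zone /dsprimary
    if ($LASTEXITCODE -ne 0) { throw "zoneresettype failed for $Zone (exit $LASTEXITCODE)" }
    # 3. Secure dynamic updates only (2 = secure only, 1 = nonsecure and secure, 0 = none).
    & dnscmd.exe $Server /config $Zone /allowupdate 2
    if ($LASTEXITCODE -ne 0) { throw "allowupdate failed for $Zone (exit $LASTEXITCODE)" }
}

# Backup-DnsZone  -Server DC1 -Zone Zone1.com
# Restore-DnsZone -Server DC1 -Zone Zone1.com
```

Leaving the zone at allowupdate 1 after a restore is the mistake to watch for: it re-creates the AD-integrated zone with nonsecure dynamic updates enabled, so any host on the network could overwrite records. The /config step at the end is what puts the zone back to secure-only.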

Fix Active Directory broken security inheritance problem

Ran into a situation at a client site where, in Active Directory, the security permissions applied to an OU were not being inherited by the objects beneath it. Basically, security inheritance was broken. This causes problems when administrative accounts or groups that need to modify an attribute on an AD object get errors or are unable to edit the object at all.

To find out which objects were not getting the inherited permissions, run the following:

I ran it on the entire domain to identify potential problem accounts. 🙂

To fix the issue:
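The commands from the post are not on this page, so here is an added PowerShell example (not the author's code) of both halves: finding objects whose DACL reports AreAccessRulesProtected, which is the property the first reference below documents, and re-enabling inheritance on them with SetAccessRuleProtection. It assumes the RSAT ActiveDirectory module, which provides the AD: drive that Get-Acl and Set-Acl use here.

```powershell
# Added example (not the post's commands): find AD objects whose DACL has
# inheritance blocked (AreAccessRulesProtected) and re-enable it.
# Assumes the RSAT ActiveDirectory module and its AD: PSDrive.
Import-Module ActiveDirectory

function Get-ADProtectedAclObjects {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADObject -SearchBase $SearchBase -Filter * -SearchScope Subtree |
        ForEach-Object {
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
            if ($acl.AreAccessRulesProtected) {
                [pscustomobject]@{ DistinguishedName = $_.DistinguishedName; ObjectClass = $_.ObjectClass }
            }
        }
}

function Repair-ADAclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName
    )
    process {
        $path = "AD:\" + $DistinguishedName
        $acl = Get-Acl -Path $path
        # isProtected=$false re-enables inheritance from the parent; the second argument
        # (preserveInheritance) only matters when protecting, so it is ignored here.
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
            $DistinguishedName
        }
    }
}

# Report across the whole domain first, then fix only what has been reviewed.
$broken = Get-ADProtectedAclObjects
$broken | Format-Table -AutoSize
# Dry run, then the real change:
# $broken | Where-Object { $_.ObjectClass -eq 'user' } | Repair-ADAclInheritance -WhatIf
# $broken | Where-Object { $_.ObjectClass -eq 'user' } | Repair-ADAclInheritance
```

One caveat the post does not mention: accounts that are members of protected groups (Domain Admins and the other groups covered by AdminSDHolder) have inheritance disabled on purpose, and the SDProp process re-applies that within about an hour. Those will keep showing up in the report and should be left alone; the fix above is for ordinary objects whose inheritance was broken by a past permission change.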

Reference:

https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.objectsecurity.areaccessrulesprotected?view=netframework-4.8
https://blogs.msdn.microsoft.com/adpowershell/2009/10/22/viewconfigure-protected-acl-and-fixing-broken-inheritance/

Missing SYSVOL & NETLOGON after domain controller promotion

Recently I found an issue with a newly promoted domain controller missing the SYSVOL and NETLOGON shares. In most cases it is a new domain controller for an existing or new forest, and you need to update the flag below.

Open Regedit
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Set SysVolReady from 0 to 1
Close Regedit

This will create the SYSVOL share. If the NETLOGON share is not created, you need to create the folder scripts in C:\Windows\SYSVOL\domain\. When this is done, restart the NETLOGON service.

This is the easy part. In some cases, although the NETLOGON and SYSVOL shares are working, no group policies or scripts are being replicated by DFSR. I have a post talking about this issue in detail here.

We can verify the replication state by running the following command.

The states should translate as below

0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error

In my case, I noticed that the newly promoted server was showing 2 and the primary domain controller was showing "No Instance(s) Available", which is quite strange.

Here you need to look at the original Active Directory server for problems; you will see a warning from DFS Replication under Applications and Services Logs with Event ID 2213, as below.

It says that the DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled.

What we need to do here is take note of the volume GUID from the event and run the command below, replacing GUID-NUMBER with your GUID.

This restarts replication and recreates the database. You can confirm it with an event with ID 2214 saying that the DFS Replication service successfully recovered from an unexpected shutdown on volume C:. This can occur if the service terminated abnormally (for example, because the VM shut down incorrectly) or an error occurred on the volume. No user action is required.

If you run the command again to check the replication state, you will see that the servers all show state 4, as below, and both SYSVOL and NETLOGON will be replicated.
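The registry change and the resume command from the post are described but not shown on this page, so here is an added PowerShell example (not the author's commands) of both, to be run elevated on the affected DC: flipping SysVolReady and restarting Netlogon, and resuming DFSR on the volume named in Event ID 2213 through the DfsrVolumeConfig CIM class, which is what the WMIC command in the event's own recovery text calls. The GUID regex and the helper that reads it from the newest 2213 event are my additions.

```powershell
# Added example (not the post's commands): the two fixes described above as functions.
# Run elevated on the affected domain controller.
function Set-SysVolReady {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $current = (Get-ItemProperty -Path $key -Name SysVolReady -ErrorAction SilentlyContinue).SysVolReady
    if ($current -eq 1) { return 'SysVolReady is already 1' }
    Set-ItemProperty -Path $key -Name SysVolReady -Value 1 -Type DWord
    # NETLOGON only shares the scripts folder if it exists, as the post notes.
    $scripts = Join-Path $env:SystemRoot 'SYSVOL\domain\scripts'
    if (-not (Test-Path $scripts)) { New-Item -ItemType Directory -Path $scripts | Out-Null }
    Restart-Service Netlogon
    # Return the shares so the caller can see whether both now exist.
    Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue | Select-Object Name, Path
}

function Get-DfsrStoppedVolumeGuid {
    # Pull the volume GUID from the newest Event ID 2213 instead of copying it by hand.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2213 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev -and $ev.Message -match '([0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})') {
        $Matches[1]
    }
}

function Resume-DfsrVolume {
    param([Parameter(Mandatory)][string]$VolumeGuid)   # the GUID reported in Event ID 2213
    $vol = Get-CimInstance -Namespace 'root\MicrosoftDFS' -ClassName DfsrVolumeConfig |
        Where-Object { $_.VolumeGuid -eq $VolumeGuid }
    if (-not $vol) { throw "No DfsrVolumeConfig instance with VolumeGuid $VolumeGuid on this DC" }
    # CIM equivalent of the WMIC call:
    #   wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="<GUID>" call ResumeReplication
    $result = Invoke-CimMethod -InputObject $vol -MethodName ResumeReplication
    $result.ReturnValue   # 0 = accepted; then watch for Event ID 2214 in the DFS Replication log
}

# Usage:
# Set-SysVolReady
# $guid = Get-DfsrStoppedVolumeGuid
# if ($guid) { Resume-DfsrVolume -VolumeGuid $guid }
```

After ResumeReplication returns 0, re-run the state check from earlier on this page; the DC should move from "No instances" through state 2 to state 4 once the database has been rebuilt and the initial sync completes.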

List all SPNs in Active Directory

Ran into a situation where I needed to get all the SPNs that are listed in AD.

Find duplicate SPNs

Listing duplicate SPNs is fairly easy: just run setspn -X on the command line and you'll find out.

What is a SPN?

An SPN, or Service Principal Name, is a unique identifier for a service, mapped to a specific account (mostly a service account). Using SPNs, you can create multiple aliases for a service mapped to a domain account.

SetSPN command-line

To set, list or delete SPNs, we use the built-in command-line tool SETSPN provided by Microsoft.

Quite a few scripts assume you're looking for a specific SPN (HTTP/…), a specific user, or a specific computer. For example, using setspn to find SPNs linked to a certain computer:

Or setspn to find SPNs linked to a certain user account:

Now we need a script to list all SPNs, for all users and all computers.

Get All SPNs

SPNs are set as an attribute on the user or computer accounts. That makes it fairly easy to query for that attribute.

PowerShell to the rescue!
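The post's script is not on this page, so here is an added PowerShell example (not the author's code) of the query it describes: one LDAP filter on the servicePrincipalName attribute returns users and computers alike, and grouping the expanded values finds duplicates within the domain much as setspn -X does. It assumes the RSAT ActiveDirectory module; the CSV path is constructed.

```powershell
# Added example (not the post's script): list every SPN in the domain (users and
# computers alike) and flag duplicates. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AllSpns {
    param([string]$Server)   # optional DC or domain name; defaults to the current domain
    $params = @{
        LDAPFilter = '(servicePrincipalName=*)'
        Properties = 'servicePrincipalName'
    }
    if ($Server) { $params['Server'] = $Server }
    Get-ADObject @params | ForEach-Object {
        $obj = $_
        # servicePrincipalName is multi-valued; emit one row per SPN.
        foreach ($spn in $obj.servicePrincipalName) {
            [pscustomobject]@{
                SPN         = $spn
                Account     = $obj.Name
                ObjectClass = $obj.ObjectClass
                DN          = $obj.DistinguishedName
            }
        }
    }
}

function Get-DuplicateSpns {
    param([string]$Server)
    # SPNs are compared case-insensitively; Group-Object does that by default.
    Get-AllSpns -Server $Server | Group-Object -Property SPN | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ SPN = $_.Name; Accounts = ($_.Group.DN -join '; ') }
        }
}

Get-AllSpns | Sort-Object SPN | Export-Csv -Path .\AllSPNs.csv -NoTypeInformation
Get-DuplicateSpns | Format-Table -AutoSize
```

Note that setspn -X checks the whole forest, while this query is scoped to one domain per call; run Get-DuplicateSpns once per domain (via -Server) to cover a multi-domain forest. A duplicate SPN breaks Kerberos authentication for that service rather than being a mere tidiness issue, which is why the duplicate check is worth scheduling.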


Get All DCs in the Entire Forest

Getting to know a new environment for a new client, I quickly needed information about all domain controllers in the entire forest.

I wrote a small script to provide all the information I needed:
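The script itself is not on this page, so here is an added PowerShell example (not the author's) that enumerates every domain in the forest and returns one row per domain controller with the properties an inventory usually needs. It assumes the RSAT ActiveDirectory module; the CSV path is constructed.

```powershell
# Added example (not the post's script): one row per domain controller across every
# domain in the forest. Assumes the RSAT ActiveDirectory module; output path is constructed.
Import-Module ActiveDirectory

function Get-ForestDomainControllers {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        try {
            $dcs = Get-ADDomainController -Filter * -Server $domain -ErrorAction Stop
        } catch {
            # A domain we cannot reach is itself a finding; report and keep going.
            Write-Warning "Could not enumerate DCs in $domain : $($_.Exception.Message)"
            continue
        }
        foreach ($dc in $dcs) {
            [pscustomobject]@{
                Forest          = $forest.Name
                Domain          = $domain
                HostName        = $dc.HostName
                IPv4Address     = $dc.IPv4Address
                Site            = $dc.Site
                OperatingSystem = $dc.OperatingSystem
                IsGlobalCatalog = $dc.IsGlobalCatalog
                IsReadOnly      = $dc.IsReadOnly
                FSMORoles       = ($dc.OperationMasterRoles -join ',')
            }
        }
    }
}

Get-ForestDomainControllers | Sort-Object Domain, HostName |
    Export-Csv -Path .\ForestDCs.csv -NoTypeInformation
```

The OperatingSystem and FSMORoles columns are the ones to read first in an unfamiliar forest: they show which DCs are out of support and which hold the PDC Emulator that the SYSVOL procedures earlier on this page treat as the primary server.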


Mohammed Wasay

Dallas based Design Technologist & Hybrid Developer
