Windows 10: Fix: Missing Sysvol and Netlogon after domain controller promotion

Many cases I found an issue with the newly promoted domain controller is missing the SYSVOL and NETLOGON shares. Most of the cases it would also be a new domain controller for a new forest. In most cases, you would need to update the flag as below.

Open Regedit
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Set SysVolReady from 0 to 1
Close Regedit

This will create the SYSVOL share. If the NETLOGON share is not created you would need to create the folder scripts in C:\Windows\SYSVOL\domain\. When this is done, restart the NETLOGON service.

This is the easy part. In some cases, although the NETLOGON and SYSVOL shares are working, no group policies or scripts are being replicated using the DFS or DFRS.

We can verify the replication by running the following command.

For /f %i IN ('dsquery server -o rdn') do @Echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

The states should translate as below

0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error

In my case, I have noticed that the newly promoted server was showing 2 and the main domain controller was showing “No Instance(s) Available” which is quite strange.

Here you would need to look into the original Active Directory server for any problems and you would see a warning on the DFS Replication under Applications with Event ID 2213 as below.



It says that the DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled.

What we need to do here is from the event viewer take note of the volumeGUID and run the below command and replacing GUID-NUMBER with your GUID.

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="GUID-NUMBER" call ResumeReplication

This will restart the replication and recreate the database. This can be seen with an event with ID 2214 saying The DFS Replication service successfully recovered from an unexpected shutdown on volume C:.This can occur if the service terminated abnormally (due to a power loss, for example) or an error occurred on the volume. No user action is required.

If you run the command to see the state of the replication you will see that the servers are all showing state 4 as below and the both Sysvol and Netlogon will be replicated.



(26109)

read more...

 

Windows 10 cannot be access Sysvol & Netlogon folder on the server 2012 r2

We are using, Windows 10 Professsional and Windows 8.1 Professional software, on the our clients. Out Domain controller server version is Windows Server 2012 R2 Standart.

But, we have a problem, cannot be access to, shared system folder, "Netlogon & Sysvol" with Windows 10 Professional client Pc.

We able to Access this same username on the Windows 8.1 Professional client.

Could you Help me please?

HAKAN ÖNCEL

 

Domain Controllers Windows update to address Netlogon Elevation of Privilege Vulnerability

Hi,

We are planning to update Domain Controllers runing Windows server 2012 R2 to address Netlogon Elevation of Privilege Vulnerability.

For this we are installing following updates:

1. KB4566425 (pre-requisite)

2. KB4571723 (Security update only)

With reference to roll back these updates what are our options?, if someone can please suggest exact steps for roll back or uninstalling the updates.

Also, if anyone can please share their past experiences on installing these updates on Domain Controllers (preparations, issues, back-ups etc.)

Best Regards,

Ali

 

Raising the windows domain and forest issues?


hi,

I run a domain that was all 2003 r2 servers. I recently upgraded all my domain controllers to windows 2012 r2.
That went off without any problems.. Our trust relationships had no issues also.

My first step was to raise the Domain and Forest levels past 2003 to 2008. This went off without a hitch.
These are the features for raising the levels to 2008:

• Features and benefits include all default Active Directory features, all features from the Windows Server 2003 domain functional level, plus:
• Read-Only Domain Controllers – Allows implementation of domain controllers that only host read-only copy of NTDS database.
• Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol.
• Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.

Forest Level Windows Server 2008

• Features and benefits include all of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.

My next step is to raise the domain and forest to 2008 r2, then 2012, and finally 2012 r2. I have been trying to find out exactly what I could expect from raising the Domain and Forest for each step.

The step involving 2008 r2 seems relatively a non issue. But getting the couple of new features seem very nice

Domain Level Windows Server 2008 R2

• All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus 2 new features

Forest Level Windows Server 2008 R2

• All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:

• Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running. <== New Feature very cool
• All domains subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

Here is my big concerns for the next raising of domain and forest to 2012.

Forest Level Windows Server 2012:

• All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
• All domains subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

Domain Level Windows Server 2012 R2: <=====Need to investigate more and why this post

• DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:

• Authenticate with NTLM authentication <==============(what issues may arise)
• Use DES or RC4 cipher suites in Kerberos pre-authentication
• Be delegated with unconstrained or constrained delegation
• Renew user tickets (TGTs) beyond the initial 4-hour lifetime

Will this affect my exchange anywhere users with remote access authenticating either clear of NTLM???
and what would/may not to work properly day 1 when I raise the domain and forest to 2012. I cant really find anyone that can answer a straight question.

Has anyone gone through this? what problems did you have, if any , if a lot???

Any thoughts and suggestions will be much appreciated??

thanks


- - - Updated - - -

One more point... I am not sure if I posted this to the correct forum.. So if I was wrong and it should be in a different one..
PLEASE LET ME KNOW