Note that 3 GPTs are visible in the screenshot above.
When you create a new Group Policy in Active Directory, a set of
folders is created under the Policies folder.
For example, I am creating a policy called Disable screen saver in
my domain and linking that policy to my OU. When I click the create
new policy button in GPMC, it creates one GUID-named folder under
the Policies folder, which is associated with the Disable screen
saver GPO.
To put it simply, the screenshot above shows 3 GPTs, which means 3
Group Policies are present in the test.tld domain.
So when you make changes to a particular Group Policy object, those
changes are committed to the associated GUID-named folder under
Sysvol.
Conclusion
The Sysvol folder is important because it holds the GPTs: whenever
an administrator makes changes to any of the policies, those changes
are committed to the associated GUID-named folder and then
replicated to all domain controllers.
> Sysvol replication methods.
Sysvol can be replicated to all the domain controllers using
Distributed File System Replication (DFS-R) if the domain functional
level is Windows Server 2008 or higher, or it is replicated using
File Replication System (FRS).
For FRS, the SYSVOL schedule is an attribute associated with each
NTFRS Replica Set object and with each NTDS Connection object. FRS
replicates SYSVOL using the same intrasite connection objects and
schedule built by the KCC for Active Directory replication. FRS uses
two replication protocols for SYSVOL:
- SYSVOL connection within a site. The connection is always
considered to be on; any schedule is ignored and changed files are
replicated immediately.
- SYSVOL connection between sites. SYSVOL replication is initiated
between two intersite members at the start of the 15-minute
interval, assuming the schedule is open. The connection is treated
as a trigger schedule. The upstream partner ignores its schedule and
responds to any request by the downstream partner. When the schedule
closes, the upstream partner unjoins the connection only after the
current contents of the outbound log, at the time of join, have been
sent and acknowledged.
> Common sysvol error and problems.
A . Sysvol and Netlogon shares are missing.
Take a scenario: you add a new domain controller to your domain and
you see that no sysvol and netlogon folders are available on the
domain controller.
Normal operations:
-> Someone makes a change to test.txt.
-> The NTFS Journal is updated to #5.
-> FRS notes that the NTFS journal says that a change has been made
to test.txt and it sees that it hasn't processed that change.
-> Stage/Replicate and update the FRS database to reflect that we
have processed that NTFS Journal entry.
Now, an Admin stops the FRS service for 30 minutes.
- Someone makes 10 changes to test.txt
o The NTFS Journal is updated 20 times and is now at #24 (remember
we have a log size limit of the last 10 entries so therefore need to
wrap around).
o FRS is stopped, so it isn't monitoring the NTFS Journal log.
At this point, we have changes on the disk which FRS isn't aware of.
FRS still knows the last NTFS Journal entry that it processed and it
will compare this with the current NTFS Journal the next time it
restarts.
The next time the FRS service starts, it sees that it has missed
NTFS operations on the disk (it last processed NTFS operation #4 but
the NTFS Journal is now at #24, and we only have a log that goes
back 10 entries, so we're missing operations #5-#14 from the
database). This is when FRS complains it has reached a Journal Wrap
state: the NTFS Journal log has wrapped around and it doesn't know
the current state of things on the disk.
The impact of this on an affected DC is that FRS will not set the
IsSysvolReady registry key to indicate to the Netlogon service that
all is well, Sysvol will therefore not be shared out and the DC will
not be able to authenticate users fully until the Journal Wrap
condition has been resolved.
Manually sharing out Sysvol or setting the IsSysvolReady registry
key to 1 are not valid methods of resolving this issue and are not
addressing the real problem.
For FRS to recover from a Journal wrap, you'll basically have to
start from scratch: reset the FRS database and start counting the
NTFS Journal from the current values it has.
This means either:
- Replicating in data from an existing inbound partner (The d2 or
non-authoritative FRS restore approach).
- Making your own data authoritative and let everyone else replicate
from you (the d4 or authoritative FRS restore approach).
The d2 approach is fairly simple to perform. The requirements,
however, are that you have a good network connection with the
inbound replication partner, and the time it takes depends on the
amount of data to be replicated vs. the capacity of the link.
On the other hand, this may not always be sufficient and you can
find yourself being forced to go with the d4 option.
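
The Journal Wrap condition and the reset described above can be
traced with a small model. This is an added example, not code from
the original article and not how FRS is implemented; the class and
method names (NtfsJournal, FrsModel, start, rebuild) are hypothetical
and the numbers are the ones used in the text.

```python
from collections import deque

class NtfsJournal:
    """Bounded change journal: only the newest `size` entries are kept."""
    def __init__(self, size=10, start=0):
        self.entries = deque(maxlen=size)  # entry numbers still on disk
        self.head = start                  # number of the newest entry

    def record(self):
        self.head += 1
        self.entries.append(self.head)     # oldest entry falls off when full

    def oldest(self):
        return self.entries[0] if self.entries else self.head + 1

class FrsModel:
    """Toy consumer that checkpoints the last journal entry it processed."""
    def __init__(self, journal):
        self.journal = journal
        self.last_processed = journal.head
        self.sysvol_ready = True

    def start(self):
        """Catch up after a restart. Returns the lost (first, last) range on wrap."""
        first_needed = self.last_processed + 1
        if first_needed < self.journal.oldest():
            self.sysvol_ready = False      # SYSVOL stays unshared while wrapped
            return (first_needed, self.journal.oldest() - 1)
        self.last_processed = self.journal.head  # processed, then checkpoint
        self.sysvol_ready = True
        return None

    def rebuild(self):
        """d2/d4-style reset: drop state, count from the current journal value."""
        self.last_processed = self.journal.head
        self.sysvol_ready = True

def demo():
    journal = NtfsJournal(size=10, start=4)  # page's numbers: 10-entry log
    frs = FrsModel(journal)                  # FRS last processed #4
    for _ in range(20):                      # FRS stopped; journal reaches #24
        journal.record()
    return frs.start(), frs.sysvol_ready, journal.head

if __name__ == "__main__":
    print(demo())
```

In the model, flipping sysvol_ready by hand does not clear the wrap,
because start() finds the same gap again until rebuild() resets the
checkpoint.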
The above are the most common errors you encounter with sysvol in
Active Directory.
Finally, what steps can we follow when the above errors are
encountered?
> Troubleshooting Sysvol Error messages
A . Sysvol and Netlogon shares are missing.
As I mentioned before, it might be an issue with sysvol replication
being broken between domain controllers.
How can I force Sysvol replication in Active Directory?
You can restart the FRS service to force FRS replication.
To restart the FRS service, launch services.msc from the Run option
on the Start Menu.
Restart the FRS service; you will get Event ID 13516 in the FRS
event log, which confirms that the FRS status is fine.
Sysvol replication through NTFRSUTL
If you want to force sysvol replication between two domain
controllers in Active Directory, use the procedure below.
NTFRSUTL FORCEREPL Command-Line Option to Force Replication
You can use the new ntfrsutl forcerepl command to enforce
replication regardless of the predefined replication schedule. This
is only implemented for the domain controller Sysvol replica set.
ntfrsutl forcerepl [Computer] /r [SetName] /p [DnsName]
This command forces FRS to start a replication cycle. You must
specify the Computer, SetName and DnsName.
Note In this command, the following placeholders are used:
[Computer] = Connect with the NtFrs service on this machine.
[SetName] = The name of the replica set.
[DnsName] = The DNS name of the inbound partner to force replication
from.
For example:
ntfrsutl.exe forcerepl DestinationDC /r "Domain System Volume (SYSVOL share)" /p SourceDC.domain.com
The quotation marks in this example are required when you use the /r
option. If the quotation marks are not present, the command will not
work.
If the above does not help, the most popular method to resolve this
is described in the MS KB below.
SYMPTOMS:
After you install Active Directory Domain Services on a new full or
read-only Windows Server 2008-based domain controller in an existing
domain, the SYSVOL share is present. However, the NETLOGON share is
not present on the new domain controller.
Note This article does not apply if both NETLOGON and SYSVOL shares
are missing.
CAUSE:
This problem occurs when the Netlogon service reads the SysvolReady
Flag in the registry very quickly. Then, the Netlogon service tries
to share out the \Windows\SYSVOL\domain\scripts folder before the NT