How to perform a non-authoritative SYSVOL restoration

If you are facing issues with some Group Policies or scripts not available on DC(s) in the SYSVOL domain folder to a specific Domain Controller or if you have realized that the GPOs are not up to date, this post shows how to fix that by doing the steps to perform a non-authoritative Sysvol restore on FRS and DFSR.

Table of Content

Steps if your environment is using FRS to replicate SYSVOL
Steps if your environment is using DFSR to replicate SYSVOL
Still need help to perform a non-authoritative SYSVOL?
Check out more similar articles below

Steps if your environment is using FRS to replicate SYSVOL

This procedure is due only if your environment is using FRS to replicate SYSVOL. Continue reading below for DFSR environment.

On the failed Domain Controller execute the following steps:

1 – Open the prompt as administrator and run: net stop ntfrs;

2 – Open services.msc and set “File Replication” service as Manual;

3 – Open regedit, and edit the registry key to the value “d2“:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags

4 – On the prompt, now run the command: net start ntfrs;

5 – Set “File Replication” service as Automatic;

6 – Open Event Viewer and look for the event ID 13566 and 13516 in the File Replication Service.

In the case the above steps doesn’t work, try the following:

1 – Copy the script folder from a healthy DC, and paste it on c:\Sysvol\sysvol\contoso.com of the failed DC;

2 – Set the value “1” for the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\sysvolReady

3 – Restart the services netlogon and ntfrs.

Steps if your environment is using DFSR to replicate SYSVOL

To perform a non-authoritative SYSVOL folder restoration on a DFSR environment, follow these steps:

Determine the Cause:
- Identify why you need to perform a non-authoritative restore. Common reasons include corruption of the SYSVOL folder or replication issues.
Stop the DFS Replication Service:
- On the domain controller that requires the non-authoritative restore, open a Command Prompt with administrative privileges and type:
net stop dfsr
- This stops the DFS Replication service.
Delete the DFSR Database:
- Navigate to the C:\\\\System Volume Information\\\\DFSR folder and delete the dfsr.db file. This forces the domain controller to reinitialize the DFSR database.
Modify the Registry:
- Open the Registry Editor (regedit) and navigate to:
HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\DFSR\\\\Parameters\\\\SysVols\\\\Migrating SysVols
- Change the SysVolReady value to 0.
Restart the DFS Replication Service:
- Start the DFS Replication service again by typing:
net start dfsr
Force a Replication:
- Force replication from a healthy domain controller by opening a Command Prompt with administrative privileges and typing:
dfsrdiag pollad
- This command forces DFSR to poll Active Directory for configuration changes.
Verify the Replication:
- Monitor the Event Viewer for any errors or warnings related to DFS Replication. Ensure that the SYSVOL folder is properly replicating by checking the DFSR logs under “Applications and Services Logs” in Event Viewer.
Check SYSVOL Status:
- Ensure that the SysVolReady registry key is set back to 1. This can be checked again in the Registry Editor under:
HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\DFSR\\\\Parameters\\\\SysVols\\\\Migrating SysVols

By following these steps, you can perform a non-authoritative restore of the SYSVOL folder, allowing the domain controller to synchronize its SYSVOL contents from a healthy replication partner.