JSI Tip 7394. How do I troubleshoot missing SYSVOL and NETLOGON shares on Windows Server 2003 domain controllers?

Jerold Schulman

October 29, 2003


NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.

Microsoft Knowledge Base article Q327781 contains:

SUMMARY

This article describes how to troubleshoot missing SYSVOL and NETLOGON shares on Windows Server 2003 domain controllers.

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The File Replication Service (FRS) is a multi-threaded, multi-master replication engine that replaces the LMREPL service in Microsoft Windows NT version 3.x and 4.0. Microsoft Windows Server 2003-based domain controllers and servers use FRS to replicate system policy and logon scripts for Windows Server 2003-based clients and clients that are running earlier versions of Windows.

FRS can also replicate content between Windows Server 2003-based servers that are hosting the same fault-tolerant DFS roots or child node replicas.

The information in this article may be useful if your Windows Server 2003-based domain controllers are missing the SYSVOL and NETLOGON shares.

How to Troubleshoot Missing SYSVOL and NETLOGON Shares

Missing SYSVOL and NETLOGON shares typically occur on replica domain controllers in an existing domain, but may also occur on the first domain controller in a new domain. You typically follow these steps on the replica domain controllers, but you can also use them on the first domain controller in the domain by ignoring the replication-specific steps.

  • NTDS Connection objects exist in the DS of each replication partner. NTDS Connections are one-way connections. These connections are used by the Directory service to replicate the Active Directory and by the File Replication Service (FRS) to replicate the file system portion of system policy in the SYSVOL folder. The Knowledge Consistency Checker (KCC) is responsible for building NTDS connection objects to form a well-connected topology between domain controllers in the domain and forest. If you do not have automatic connections, an administrator may also create manual connection objects.

    Use the "Sites and Services" (Dssite.msc) snap-in to examine the connection objects that exist between the problem computer and existing domain controllers. For replication to occur between computers \\M1 and \\M2, \\M1 must have an inbound connection object from \\M2, and \\M2 must have an inbound connection object from \\M1. Use the Connect to Domain Controller command in Dssite.msc to view and compare each domain controller's perspective of the intra-domain connection objects. If no connection objects exist for the new replica member, use the Check Replication Topology command in Dssite.msc to force the KCC to build the automatic connection objects. After you do so, press F5 to refresh the view.

    If the KCC cannot build automatic connections, administrators must build manual connection objects for domain controllers that have no inbound or outbound connections to or from other domain controllers in the domain. The KCC may successfully build the automatic connection objects after you build a single working manual connection object. Delete duplicate manual or automatic connections from the same domain controller in the domain to avoid a replication-blocking configuration. For additional information about this issue, click the article number below to view the article in the Microsoft Knowledge Base:

    251250 NTFRS Event ID 13557 Is Recorded When Duplicate NTDS Connection Objects Exist

  • Active Directory replication occurs between the new and existing domain controllers in the domain. Use Repadmin.exe to confirm that Active Directory replication occurs between the source and destination domain controllers in the same domain within the scheduled replication interval. The default replication intervals are 5 minutes between domain controllers in the same site, and once every 3 hours between domain controllers in different sites (the minimum is 15 minutes).

    REPADMIN /SHOWREPS %UPSTREAMCOMPUTER%
    REPADMIN /SHOWREPS %DOWNSTREAMCOMPUTER%

    FRS replication depends on the Active Directory to replicate the configuration information between domain controllers in the domain. If you think that replication is the problem, examine replication events in Event Viewer. Do so after you set the "replication events" entry in the following registry key to 5 on the potential source computers (\\M1) and the destination computer (\\M2):

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics

    After you set this entry, force replication from \\M1 to \\M2 and from \\M2 to \\M1 by using the Replicate Now command in Dssite.msc or its equivalent command in REPLMON.

  • The server that is used to source the Active Directory and SYSVOL folder should have created NETLOGON and SYSVOL shares itself. After the Dcpromo.exe program has restarted the computer, FRS first tries to source the SYSVOL share from the computer that is identified in the following "Replica Set Parent" registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters\SysVol\DomainName

    NOTE: This key is temporary and is deleted after SYSVOL is sourced or the information under SYSVOL has been successfully replicated. The 2195 release of Ntfrs.exe prevents replication from this initial source server. This delays SYSVOL replication until FRS can try replication from an inbound replication partner in the domain over an automatic or manual NTDS connection object. All potential source domain controllers in the domain typically have already shared the NETLOGON and SYSVOL shares and applied default domain and domain controllers policy. SYSVOL folder structure:

    • domain
      • DO_NOT_REMOVE_NtFrs_PreInstall_Directory
      • Policies
        • {GUID}
          • Adm
          • MACHINE
          • USER
        • {GUID}
          • Adm
          • MACHINE
          • USER
        • {etc.,}
      • scripts
    • staging
    • staging areas
      • MyDomainName.com
        • scripts
    • sysvol (SYSVOL share)
      • MyDomainName.com
        • DO_NOT_REMOVE_NtFrs_PreInstall_Directory
        • Policies
          • {GUID}
            • Adm
            • MACHINE
            • USER
          • {GUID}
            • Adm
            • MACHINE
            • USER
          • {etc.,}
        • scripts (NETLOGON share)

    For additional information about the problem of sourcing from the initial replica, click the article number below to view the article in the Microsoft Knowledge Base:

    250545 SYSVOL Directory Is Slow to Synchronize, Delays Creation of SYSVOL Share and Domain Controller Registration

  • The "Enterprise Domain Controllers" group must be granted the "access this computer from network" right in the default domain controllers policy on the domain controllers organizational unit.

    Replication of the Active Directory during the use of the Dcpromo.exe program uses the credentials that are provided in the Active Directory Installation Wizard. Upon restart, replication occurs in the context of the domain controller's computer account. All source domain controllers in the domain must successfully replicate and apply the policy that gives the "Enterprise Domain Controllers" group the "Access this computer from network" right. For quick verification, look for event ID 1704 entries in the Application log of potential source domain controllers. For detailed verification, run a security configuration analysis against the Basicdc.inf template and examine the log output. Note that this requires defining environment variables for SYSVOL, DSLOG and DSDIT. For additional information about how to do this, click the article number below to view the article in the Microsoft Knowledge Base:

    250454 Error Returned Importing Security Template

    In Windows Server 2003, the Basicdc.inf template no longer exists. To reapply the default settings or to compare current settings with the default settings, use the "Setup security.inf" template.

  • Each domain controller must be able to resolve (ping) the fully qualified computer names of computers that are participating in the replica set.

    For SYSVOL, this means pinging the fully qualified computer name of all domain controllers in the domain. Confirm that the address that is returned by the ping command matches the IP address that is returned by IPCONFIG at the console of each replica set partner.

  • The FRS service must have created an NTFRS jet database.

    Run the DIR \\computername\Admin$\NTFRS\Jet command against each domain controller in the domain to confirm the existence of the Ntfrs.jdb file. The date and size of the jet database may be incorrect while the NTFRS service is running. This behavior is by design.

  • Each domain controller must be a member of the SYSVOL replica set.

    Run the NTFRSUTL DS [computername] command on all replica set members. Confirm that all domain controllers in the domain show up under the "SET: DOMAIN SYSTEMVOLUME (SYSVOL SHARE)" portion of the NTFRSUTL output. The SYSVOL replica set and its members can also be displayed under cn="domain system volume",cn=file replication service,cn=system,dc=FQDN in the Active Directory Users and Computers (Dsa.msc) snap-in when "Advanced Features" is turned on under the View menu.

  • Each domain controller must be a subscriber of the replica set.

    Run the NTFRSUTL DS [computername] command on all replica set members. Subscriber objects appear in cn=domain system volume (SYSVOL share),cn=NTFRS Subscriptions,CN=DCNAME,OU=Domain Controllers,DC=FQDN. This requires that the machine object exists and has replicated in. NTFRSUTL generates the following message when the subscriber object is missing:

    SUBSCRIPTION: NTFRS SUBSCRIPTIONS DN : cn=ntfrs
    subscriptions,cn=W2KPDC,ou=domain controllers,dc=d... Guid :
    5c44b60b-8f01-48c6-8604c630a695dcdd
    Working : f:\winnt\ntfrs
    Actual Working: f:\winnt\ntfrs
    WIN2K-PDC IS NOT A MEMBER OF A REPLICA SET!

  • The Replication Schedule must be turned on.

  • The logical drive that is hosting the SYSVOL share and the staging folder must have plenty of available disk space on upstream and downstream partners: for example, 50 percent of the content that you are trying to replicate plus three times the size of the largest file that is being replicated.

  • Check the destination folder and the staging folder (displayed in "NTFRSUTL DS") of the new replica to see whether files are replicating. Files in the staging folder should be in the process of being moved to their final location. A constantly changing number of files in the staging or destination folder is a good sign: either files are being replicated in, or they are being transitioned to the destination folder.
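The scriptable checks from the list above (FQDN resolution compared with the partner's own configured addresses, presence of the NETLOGON and SYSVOL shares and of Ntfrs.jdb, and the NTFRSUTL DS membership output), gathered into one PowerShell function. This is an added example, not part of the KB article; it assumes administrative rights on each DC, WMI reachable over DCOM, ntfrsutl.exe from the Support Tools on the PATH, and uses constructed DC names.

```powershell
# Added example, not part of KB 327781: runs the scriptable checks from the
# list above against each DC from an administrator's workstation.
# Assumes admin rights on every DC, WMI reachable over DCOM, and
# ntfrsutl.exe (Windows Support Tools) on the PATH. DC names are constructed.
$DomainControllers = @('DC1.example.com', 'DC2.example.com')

function Test-SysvolPrerequisites {
    param([Parameter(Mandatory = $true)][string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        $r = [ordered]@{ DC = $dc }

        # "Resolve (ping) the FQDN": resolve the name, then compare the answer
        # with the IPv4 addresses the partner itself has configured (IPCONFIG).
        try {
            $resolved = @([System.Net.Dns]::GetHostAddresses($dc) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString })
        } catch { $resolved = @() }
        $configured = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
            -ComputerName $dc -Filter 'IPEnabled = TRUE' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.IPAddress })
        $mismatch = $resolved | Where-Object { $configured -notcontains $_ }
        $r.ResolvedIP     = $resolved -join ','
        $r.DnsMatchesHost = ($resolved.Count -gt 0) -and (-not $mismatch)

        # Both shares should be published by the DC.
        $shares = @(Get-WmiObject -Class Win32_Share -ComputerName $dc `
            -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
        $r.HasNetlogon = $shares -contains 'NETLOGON'
        $r.HasSysvol   = $shares -contains 'SYSVOL'

        # "FRS must have created an NTFRS jet database" (Ntfrs.jdb under Admin$).
        $r.HasJetDb = Test-Path ('\\{0}\Admin$\NTFRS\Jet\Ntfrs.jdb' -f $dc)

        # "Member of the SYSVOL replica set" / "subscriber": scan NTFRSUTL DS
        # output for the SYSVOL set header and for the KB's failure message.
        if (Get-Command ntfrsutl.exe -ErrorAction SilentlyContinue) {
            $frs = (& ntfrsutl.exe ds $dc 2>&1) -join "`n"
            $r.InSysvolSet = $frs -match 'SET: DOMAIN SYSTEM ?VOLUME \(SYSVOL SHARE\)'
            $r.NotAMember  = $frs -match 'IS NOT A MEMBER OF A REPLICA SET'
        } else {
            $r.InSysvolSet = $r.NotAMember = 'ntfrsutl.exe not found'
        }

        [pscustomobject]$r
    }
}

Test-SysvolPrerequisites -DomainControllers $DomainControllers | Format-Table -AutoSize
```

A row with DnsMatchesHost False, a missing share, or NotAMember True points at the corresponding step in the list above; the manual items (connection objects, the replication schedule, disk space) still need to be checked by hand.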


