Tips for Active Directory Administration with Multiple Domain Controllers

A practical exercise for Helpdesk staff on Active Directory (AD) administration. If you only manage one or two Domain Controllers (DCs), keeping them synchronized is neither difficult nor complicated, but in practice you may have to manage more than 100 DCs in more than 100 different branches.

At that scale, SYSVOL synchronization between DCs becomes a huge concern for Helpdesk. Let's get practical. Have you ever wondered why a GPO created at headquarters (HQ) does not show up at a branch, even though you are sure the GPO is configured completely correctly?

In another situation, many units use a logon script to run tasks when a computer boots and authenticates with a DC, but for some reason the end users at the branch never get the results the logon script was supposed to produce. Check the Event ID: you see ID 13568 with the description "..The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR".

Comparing the SYSVOL of the PDC with the other DCs, you find it out of sync, missing many of the GPO GUIDs. If you are in this situation, you are not alone; it happens quite often.

Microsoft has two replication methods for SYSVOL. One is FRS (File Replication Service), which dates from Windows Server 2003. The other is DFS-R (Distributed File System Replication), which is supported in Windows Server 2008 and above.

Of course, DFS-R has many advantages over its predecessor FRS: it is more stable, the DFS report gives you more information, and it syncs faster. Many of you will certainly want to convert from FRS to DFS-R, but that will be another article.

In this article, Vien will talk about how to handle SYSVOL, and the scripts and policies in SYSVOL, when they are out of sync. Let's say your AD is using FRS.

To find out which method SYSVOL is using to replicate, run these commands on any DC:

DfsrMig /GetMigrationState
DfsrMig /GetGlobalState

If the result shows "DFSR migration has not yet initialized", you are using FRS. Any other result means you are using DFS-R; the value will be 0 (started), 1 (prepared), 2 (redirected) or 3 (eliminated).
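The same DfsrMig check, run across every DC at once and reduced to a table, as an added example that is not code from the original article. It assumes the ActiveDirectory RSAT module on the admin workstation and WinRM enabled on the DCs; the parsing of DfsrMig's text output is my assumption about its wording.

```powershell
# Added example, not from the original article: runs DfsrMig /GetGlobalState on
# every DC and reports which SYSVOL replication engine each one is using.
# Assumes RSAT (ActiveDirectory module) locally and WinRM on the DCs.
function Get-SysvolReplicationMethod {
    param(
        # Defaults to every DC in the current domain; pass names to limit the scope.
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )
    # Numeric migration states as listed in the article
    $stateNumber = @{ Start = 0; Prepared = 1; Redirected = 2; Eliminated = 3 }

    foreach ($dc in $DomainController) {
        try {
            $text = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                dfsrmig /getglobalstate 2>&1 | Out-String
            }
        } catch {
            [pscustomobject]@{ DC = $dc; Method = 'Unreachable'; GlobalState = $null; Detail = $_.Exception.Message }
            continue
        }

        $globalState = $null
        if ($text -match 'not yet initialized') {
            # Migration never started: SYSVOL is still replicated by FRS
            $method = 'FRS'
        } elseif ($text -match "global state:\s*'(\w+)'") {
            # Assumed output wording: Current DFSR global state: 'Eliminated'
            $name        = $Matches[1]
            $globalState = "$($stateNumber[$name]) ($name)"
            # Only Eliminated (3) means FRS is fully retired; in earlier states FRS is still running
            $method = if ($name -eq 'Eliminated') { 'DFSR' } else { 'DFSR migration in progress' }
        } else {
            $method = 'Unknown'   # e.g. dfsrmig.exe missing on an old DC; see Detail
        }

        [pscustomobject]@{
            DC          = $dc
            Method      = $method
            GlobalState = $globalState
            Detail      = $text.Trim()
        }
    }
}

# Usage:
# Get-SysvolReplicationMethod | Format-Table DC, Method, GlobalState -AutoSize
```

Run it before choosing a recovery procedure: a mixed domain (some DCs reporting FRS, some reporting a DFSR state) means the migration is incomplete and the BurFlags steps below apply only to the FRS side.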

Determining the method is very important in deciding how to deal with the problem. In the tutorial below, Vien assumes you are using FRS.

To resynchronize SYSVOL, GPOs and scripts between DCs, choose the best DC, or the DC that you use the most; the PDC is the best choice. For now we will call it the good DC. There are two cases when it comes to DCs with SYSVOL sync failures.

1. One branch DC is out of sync and the other branch DCs are fine (non-authoritative restore)

You must check the replication topology first.

Repadmin /showrepl <== check whether there are any inbound errors

Repadmin /replsummary <== check whether replication with the other DCs has failed

If there are errors, you must fix the Repadmin errors first.

The next step is to open CMD and type net stop ntfrs

The best solution for this situation is to set the hex value D2 for BurFlags. D2 tells FRS to save a copy of SYSVOL and initiate synchronization from an upstream member of the replica set. BurFlags is located at:

HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

If this value does not exist, create it as a 32-bit REG_DWORD and assign the value D2, then go back to CMD and type net start ntfrs

Open Event Viewer, go to the File Replication Service log and check for ID 13565 (synchronization process starts) and 13516 (process ends).

At this point, the bad DC re-initializes its SYSVOL and synchronizes with the DCs in the replica set.

2. If too many DCs fail to synchronize, use the authoritative restore method

As with the non-authoritative restore, you have to choose the best DC. The remaining DCs are considered bad and need to restart the synchronization process.

The first thing you have to do is turn OFF the FRS service. Stopping the service on more than 100 DCs is not complicated either. Use the following PowerShell command:

Invoke-Command -ComputerName <list of DCs> -ScriptBlock {net stop ntfrs}

Eg: Invoke-Command -ComputerName DC1,DC2,DC3,DC4 -ScriptBlock {net stop ntfrs}

On the good DC, open the Registry, navigate to BurFlags and assign the hex value D4.

On the bad DCs, open the Registry and assign the hex value D2 to BurFlags.

Next, on the good DC, open CMD and type net start ntfrs

On each bad DC (not all at once; do only about 15 DCs at a time), open CMD and type net start ntfrs

On EVERY bad DC, open Event Viewer and check for ID 13565 (start), then wait until you see ID 13561, which means the synchronization has ended.

Continue with the remaining DCs or the remaining groups of DCs.
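Both procedures above (case 1, the non-authoritative D2 restore of a single DC, and case 2, the authoritative D4/D2 restore in batches of 15) and the Repadmin pre-check share the same three steps: stop NtFrs, write BurFlags, start NtFrs and watch the FRS event log. The script below is an added example, not code from the original article; it assumes Domain Admin rights, RSAT with repadmin.exe on the workstation, WinRM enabled on every DC, and that you have already chosen the good DC. The Repadmin output parsing is a heuristic of mine, and the DC names in the usage lines are hypothetical.

```powershell
# Added example, not code from the original article: automates the FRS BurFlags
# procedures above (case 1 and case 2) plus the Repadmin pre-check. Assumptions: run
# as Domain Admin from a workstation with RSAT (repadmin.exe), WinRM enabled on every
# DC, and the "good" DC (ideally the PDC) already chosen. Nothing here fixes
# Repadmin/DNS/network errors; it only refuses to proceed while they are present.

# Key from the article; BurFlags is a REG_DWORD value under it.
$BurFlagsSubKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Test-ReplicationHealthy {
    # The article's first step: Repadmin /showrepl and /replsummary must show no failures.
    # Heuristic text parse (my assumption about the output): a "failed" inbound link in
    # /showrepl, or a non-zero fails count such as "3 / 5" in /replsummary, is unhealthy.
    param([Parameter(Mandatory)][string]$DomainController)
    $showrepl = repadmin /showrepl $DomainController 2>&1 | Out-String
    $summary  = repadmin /replsummary $DomainController 2>&1 | Out-String
    return -not (($showrepl -match 'Last attempt .* failed') -or ($summary -match '\s[1-9]\d*\s*/\s*\d+'))
}

function Set-BurFlags {
    # Stops NtFrs ("net stop ntfrs") and writes BurFlags = D2 (non-authoritative) or
    # D4 (authoritative), creating the key/value if missing. The .NET registry API is
    # used because the key name contains "/", which the HKLM: provider treats as a separator.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][ValidateSet('D2', 'D4')][string]$Mode
    )
    Invoke-Command -ComputerName $DomainController -ArgumentList $BurFlagsSubKey, $Mode -ScriptBlock {
        param($SubKey, $Hex)
        Stop-Service -Name NtFrs -Force
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
        $key.SetValue('BurFlags', [Convert]::ToInt32($Hex, 16), [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
}

function Wait-FrsEvent {
    # Polls the "File Replication Service" log for $EventId logged after $Since,
    # the check the article has you do by hand in Event Viewer.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][datetime]$Since,
        [int]$TimeoutMinutes = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -ComputerName $DomainController -MaxEvents 1 -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'File Replication Service'; Id = $EventId; StartTime = $Since }
        if ($ev) { return $ev }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for FRS event $EventId on $DomainController"
}

function Restore-SysvolNonAuthoritative {
    # Case 1: one branch DC out of sync, the others fine. D2 on the bad DC only.
    param([Parameter(Mandatory)][string]$BadDc)
    if (-not (Test-ReplicationHealthy -DomainController $BadDc)) {
        throw "Repadmin reports failures on $BadDc; fix those before setting BurFlags"
    }
    $start = (Get-Date).AddMinutes(-5)   # small margin for clock skew between DC and workstation
    Set-BurFlags -DomainController $BadDc -Mode D2
    Invoke-Command -ComputerName $BadDc -ScriptBlock { Start-Service -Name NtFrs }
    Wait-FrsEvent -DomainController $BadDc -EventId 13565 -Since $start | Out-Null   # restore started
    Wait-FrsEvent -DomainController $BadDc -EventId 13516 -Since $start | Out-Null   # restore finished
}

function Restore-SysvolAuthoritative {
    # Case 2: too many DCs out of sync. FRS stopped everywhere, D4 on the good DC,
    # D2 on every bad DC, then the bad DCs are started in batches of $BatchSize.
    # $EndEventId is the "sync finished" event to wait for (the article lists 13561
    # for this case and 13516 for case 1; pass whichever your DCs actually log).
    param(
        [Parameter(Mandatory)][string]$GoodDc,
        [Parameter(Mandatory)][string[]]$BadDcs,
        [int]$BatchSize  = 15,
        [int]$EndEventId = 13516
    )
    $start = (Get-Date).AddMinutes(-5)
    Invoke-Command -ComputerName (@($GoodDc) + $BadDcs) -ScriptBlock { Stop-Service -Name NtFrs -Force }
    Set-BurFlags -DomainController $GoodDc -Mode D4
    foreach ($dc in $BadDcs) { Set-BurFlags -DomainController $dc -Mode D2 }
    Invoke-Command -ComputerName $GoodDc -ScriptBlock { Start-Service -Name NtFrs }
    for ($i = 0; $i -lt $BadDcs.Count; $i += $BatchSize) {
        $batch = $BadDcs[$i..([Math]::Min($i + $BatchSize, $BadDcs.Count) - 1)]
        Invoke-Command -ComputerName $batch -ScriptBlock { Start-Service -Name NtFrs }
        foreach ($dc in $batch) {
            Wait-FrsEvent -DomainController $dc -EventId 13565 -Since $start | Out-Null
            Wait-FrsEvent -DomainController $dc -EventId $EndEventId -Since $start | Out-Null
        }
    }
}

# Usage (hypothetical DC names):
# Restore-SysvolNonAuthoritative -BadDc 'BRANCH-DC07'
# Restore-SysvolAuthoritative -GoodDc 'HQ-PDC01' -BadDcs (Get-Content .\bad-dcs.txt)
```

The batching mirrors the article's "about 15 DCs at a time": each batch must log its end event before the next batch starts, so a DC that never finishes stops the run rather than silently leaving a branch with an empty SYSVOL. The D4 write on the good DC is deliberately done while every DC's FRS is stopped, because an authoritative copy started while bad DCs are still replicating would let their stale content win.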

Whether non-authoritative or authoritative, these two methods cannot fix problems related to Repadmin errors, DNS, or the basic network infrastructure.

If the errors not related to SYSVOL are left unfixed, then on the next replication you will get the SYSVOL out-of-sync error again.

In another article, Vien will guide the Helpdesk on how to start the SYSVOL synchronization process using DFS.

And also in another article, if you would like to switch from FRS to DFS, Vien can write a brief guide, because the process is quite simple.

Author: Vien Huynh