
DC Non-Authoritative (D2) Restore for DFSR

DISCLAIMER: The information in this guide is provided "as is" without any guarantee of completeness, accuracy, timeliness, or of the results obtained from the use of this information. The author assumes no responsibility for any errors or omissions in the content. It is meant for general information purposes only and should not be used as a substitute for professional advice. The author is not responsible for any damages caused by the use of this information. By using this guide, you agree to hold the author harmless from any and all claims, damages, or expenses that may arise from your use of the information.


Introduction

A non-authoritative (D2) restore is sometimes also referred to as a non-authoritative (D2) synchronization. This procedure is for performing a non-authoritative restore in an environment with multiple domain controllers.

There are two types of restore modes for Microsoft Windows Domain Controllers:

Authoritative Restore - A Domain Controller authoritative restore is a process used to fix a big problem in the Active Directory. The Active Directory is like a big phone book that stores information about all the users and computers in a network. When you do an authoritative restore, you're taking a previous version of the phone book from a backup (or source) and using it to completely overwrite the current phone book. So, for example, if the current phone book was lost or became corrupt, you could use the previous version (or existing source) to restore the entire phone book to its previous state. The restored phone book is then sent to the other Domain Controllers in the network to keep them all in sync. This is why it's called an "authoritative" restore – you're making the restored phone book the official and correct version, and all other versions are updated to match it.

Non-Authoritative Restore - A non-authoritative restore of a Domain Controller (DC) is a process used to fix a small problem in the Active Directory. Think of the Active Directory as a big phone book that stores information about all the users and computers in a network. When you do a non-authoritative restore, you're taking a previous version of the phone book from a backup (or source) and using it to fix a specific part of the current phone book. So, for example, if someone's name was misspelled or a phone number was accidentally deleted, you could use the previous version of the phone book to fix just that one problem. The rest of the phone book (Active Directory) stays the same, and the fixed information gets sent to the other Domain Controllers in the network to keep them all in sync. This is why it's called a "non-authoritative" restore – you're not changing the entire phone book, just fixing a small part of it.

It's important to note that you should only perform a non-authoritative restore on a secondary (non-authoritative) domain controller, as making changes to the primary domain controller (PDC) can have unintended consequences. Additionally, it's recommended to test the restore process in a non-production environment before performing it in a production environment.


Requirements

  • Domain Controller environment is using DFSR.

Instructions

Run all commands from a non-authoritative domain controller.

  1. Back up the existing SYSVOL - this can be done by copying the SYSVOL folder from the domain controller that is having DFS replication issues to a secure location.

  2. Log in to the Domain Controller that is having DFS replication issues as Domain Admin/Enterprise Admin.

  3. Launch ADSIEDIT.MSC tool and connect to Default Naming Context.



  4. Browse to DC=<domain>,DC=local > OU=Domain Controllers > CN=<DC NAME> > CN=DFSR-LocalSettings > CN=Domain System Volume > CN=SYSVOL Subscription.

  5. Change the Attribute Value for msDFSR-Enabled to FALSE.



  6. Force Active Directory replication for all domain controllers:
    repadmin /syncall /AdP
  7. If not already installed, run the following PowerShell command to install the DFS Management Tools:
    Add-WindowsFeature RSAT-DFS-Mgmt-Con
    Alternatively, DFS Management Tools can be installed from the Add Roles and Features Wizard:

  8. Run the following command from an elevated Command Prompt to update the DFSR global state:
    dfsrdiag PollAD
  9. Using PowerShell, search for event 4114 to confirm SYSVOL replication is disabled:
    Get-EventLog -Log "DFS Replication" | where {$_.eventID -eq 4114} | fl

    Screenshot Example from Event Viewer:


  10. Change the attribute value for msDFSR-Enabled back to TRUE (step 5).

  11. Force the Active Directory replication for all domain controllers as in step 6.

  12. Update the DFSR global state as in step 8.

  13. Using PowerShell, search for events 4614 and 4604 to confirm successful non-authoritative synchronization:
    Get-EventLog -Log "DFS Replication" | where {($_.EventID -eq 4614) -or ($_.EventID -eq 4604)} | fl

    Alternatively, the event log can be used to verify successful non-authoritative synchronization:

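The thirteen steps above as a single PowerShell run from the affected domain controller (an added example, not this KB's own script). It assumes the ActiveDirectory module (RSAT-AD-PowerShell) and the DFS tools from step 7 are installed, and that $BackupRoot is a placeholder path pointing at a secure location with room for a SYSVOL copy.

```powershell
#Requires -RunAsAdministrator
# Added example, not the KB's own code: runs the D2 steps on the local non-authoritative DC.
# Assumes RSAT AD PowerShell and DFS tools are installed; $BackupRoot is an assumed path.
param([string]$BackupRoot = 'D:\SYSVOL-Backup')

Import-Module ActiveDirectory
$start = Get-Date
$dc    = Get-ADComputer -Identity $env:COMPUTERNAME
# DN of the SYSVOL Subscription object edited in steps 4/5 via ADSIEdit.
$dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.DistinguishedName)"

function Wait-DfsrEvent {
    # Poll the DFS Replication log until one of $Id is logged after $Since (steps 9 and 13).
    param([int[]]$Id, [datetime]$Since, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -FilterHashtable @{LogName='DFS Replication'; Id=$Id; StartTime=$Since} `
                -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($ev) { return $ev }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFS Replication event(s) $($Id -join ',')"
}

function Set-SysvolSubscription {
    # Steps 5/6/8 (and 10/11/12): flip msDFSR-Enabled, push AD replication, poll DFSR.
    param([bool]$Enabled)
    Set-ADObject -Identity $dn -Replace @{'msDFSR-Enabled' = $Enabled}
    & repadmin /syncall /AdP | Out-Null
    & dfsrdiag PollAD | Out-Null
}

# Step 1: keep a copy of SYSVOL before touching replication.
$dest = Join-Path $BackupRoot ('SYSVOL-{0:yyyyMMdd-HHmm}' -f $start)
& robocopy "$env:SystemRoot\SYSVOL" $dest /E /COPYALL /R:1 /W:1 | Out-Null

# Steps 5-9: disable the subscription and confirm with event 4114.
Set-SysvolSubscription -Enabled $false
$stopped = Wait-DfsrEvent -Id 4114 -Since $start
Write-Host "4114 at $($stopped.TimeCreated): SYSVOL replication disabled on $env:COMPUTERNAME."

# Steps 10-13: re-enable; 4614 = initialized and waiting for initial sync, 4604 = sync completed.
Set-SysvolSubscription -Enabled $true
$null = Wait-DfsrEvent -Id 4614 -Since $stopped.TimeCreated
$done = Wait-DfsrEvent -Id 4604 -Since $stopped.TimeCreated
Write-Host "4604 at $($done.TimeCreated): non-authoritative SYSVOL sync complete."
```

The script stops with an error if the expected event does not appear within the timeout, so a run that ends without the final 4604 message means the DC is still in the disabled state and must be checked before it is put back into service.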


Sources


KB Change/Issue Log

yyyy/mm/dd - Title

Issue

N/A

Solution

N/A

