There seems to be something wrong with my primary domain controller. No matter what I do, I cannot get other domain controllers to create the SYSVOL and NETLOGON folders when they've been promoted. My dcdiag output shows these errors on my new domain controllers:

Starting test: Advertising
   Warning: DsGetDcName returned information for \\ds1.directory.myorg.com, when we were trying to
   reach DS3.
   SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
   ......................... DS3 failed test Advertising

Starting test: NetLogons
   Unable to connect to the NETLOGON share! (\\DS3\netlogon)
   [DS3] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
   ......................... DS3 failed test NetLogons

dfsrmig.exe /getmigrationstate shows this on both domain controllers:

All domain controllers have migrated successfully to the Global state ('Eliminated').

I've tried manually sharing C:\Windows\SYSVOL\sysvol to match my primary DC, but that didn't seem to work. Other than the SYSVOL and NETLOGON folders not being created/replicated, everything looks OK.

Intrepid

2 Answers

My SYSVOL and NETLOGON folders were not being synchronized because my primary DC was not set as an authoritative DFSR member. It was still trying to replicate to a demoted DC. I followed the "How to perform an authoritative synchronization of DFSR-replicated SYSVOL" in this guide on my Primary DC: https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

Intrepid

I had three DCs in my test domain where two had SYSVOL+NETLOGON in "Initial Sync" state 2, and the third had no SYSVOL+NETLOGON shares or state at all. I followed this blog and made it into a PowerShell script. Perhaps it can help others as well.

This is my scenario:

  • DC1 alone for a long time: Windows 2012 R2 (domain + forest level)
  • DC2 added quite a long time ago: Windows 2012 R2
  • DC3 added recently: Windows 2022 Core
  • DC3 took over FSMO roles as I wanted this to become new PDC
  • Found sync issues and other problems when trying to raise domain/forest level to 2016 since DCs were not above 2016
  • DC2 in-place upgrade to Windows 2025
  • DC1 in-place upgrade to Windows 2025
  • Found further issues and DC3 secure channel didn't work
  • Put back FSMO roles to DC1
  • Ran this script to fix it and now all looks good

https://www.checkyourlogs.net/how-to-fix-missing-sysvol-and-netlogon-share-and-replication-issues-on-new-domain-controller-at-azure

# https://www.checkyourlogs.net/how-to-fix-missing-sysvol-and-netlogon-share-and-replication-issues-on-new-domain-controller-at-azure
# Verify in an admin cmd prompt first:
# For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state
# The states translate as below and should be 4 on every DC if all is OK:
# 0 = Uninitialized
# 1 = Initialized
# 2 = Initial Sync
# 3 = Auto Recovery
# 4 = Normal
# 5 = In Error

# Get-ADObject / Set-ADObject come from the RSAT ActiveDirectory module
Import-Module ActiveDirectory

$MyDomain = 'DC=nikdom,DC=local'
$DC1 = 'NIKLASDC01'   # the DC that will be made authoritative (holds the PDC emulator role)
$DC2 = 'NIKLASDC02'
$DC3 = 'NIKLASDC03'
$DCs = $DC1, $DC2, $DC3

# Step 1: stop the DFS Replication service on every DC
Invoke-Command -ComputerName $DCs { Stop-Service -Name DFSR }

$DC1, change: "msDFSR-Enabled"=$true;"msDFSR-Options"=0 to "msDFSR-Enabled"=$false;"msDFSR-Options"=1 (msDFSR-Options=1 marks this DC as the authoritative member)

Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC1,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options
Set-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC1,OU=Domain Controllers,$MyDomain" -Replace @{"msDFSR-Enabled"=$false; "msDFSR-Options"=1}
Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC1,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options

$DC2, change: "msDFSR-Enabled"=$true to "msDFSR-Enabled"=$false

Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC2,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options
Set-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC2,OU=Domain Controllers,$MyDomain" -Replace @{"msDFSR-Enabled"=$false}
Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC2,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options

$DC3, change: "msDFSR-Enabled"=$true to "msDFSR-Enabled"=$false

Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC3,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options
Set-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC3,OU=Domain Controllers,$MyDomain" -Replace @{"msDFSR-Enabled"=$false}
Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC3,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options

# Force AD replication so every DC sees the changed msDFSR-* attributes, then restart Netlogon
$DCs = $DC1, $DC2, $DC3
Invoke-Command -ComputerName $DCs {
    repadmin /kcc
    repadmin /syncall /e
    repadmin /syncall /e /P
    net stop netlogon
    net start netlogon
    ipconfig /registerdns
}

Start DFSR only on the PDC (the authoritative DC):

$DCs = $DC1
Invoke-Command -ComputerName $DCs { Start-Service -Name DFSR }

Check the DFSR event log; you will see Event ID 4114 indicating SYSVOL is no longer being replicated:

The replicated folder at local path C:\Windows\SYSVOL\domain has been disabled. The replicated folder will not participate in replication until it is enabled. All data in the replicated folder will be treated as pre-existing data when this replicated folder is enabled.

$DC1, change: "msDFSR-Enabled"=$false to "msDFSR-Enabled"=$true

Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC1,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options
Set-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC1,OU=Domain Controllers,$MyDomain" -Replace @{"msDFSR-Enabled"=$true}
Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC1,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options

$DCs = $DC1, $DC2, $DC3
Invoke-Command -ComputerName $DCs {
    repadmin /kcc
    repadmin /syncall /e
    repadmin /syncall /e /P
    net stop netlogon
    net start netlogon
    ipconfig /registerdns
}

Run dfsrdiag.exe PollAD on the PDC. Add dfsrdiag if missing with: Add-WindowsFeature RSAT-DFS-Mgmt-Con

dfsrdiag.exe PollAD

You will see DFSR Event ID 4602 indicating SYSVOL has been initialized.

Start DFSR on the remaining servers:

$DCs = $DC2, $DC3
Invoke-Command -ComputerName $DCs { Start-Service -Name DFSR }

$DC2, change: "msDFSR-Enabled"=$false to "msDFSR-Enabled"=$true

Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC2,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options
Set-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC2,OU=Domain Controllers,$MyDomain" -Replace @{"msDFSR-Enabled"=$true}
Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC2,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options

$DC3, change: "msDFSR-Enabled"=$false to "msDFSR-Enabled"=$true

Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC3,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options
Set-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC3,OU=Domain Controllers,$MyDomain" -Replace @{"msDFSR-Enabled"=$true}
Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DC3,OU=Domain Controllers,$MyDomain" -Properties msDFSR-Enabled, msDFSR-Options

$DCs = $DC1, $DC2, $DC3
Invoke-Command -ComputerName $DCs {
    repadmin /kcc
    repadmin /syncall /e
    repadmin /syncall /e /P
    net stop netlogon
    net start netlogon
    ipconfig /registerdns
}

Run dfsrdiag.exe PollAD on the remaining servers. Add dfsrdiag if missing with: Add-WindowsFeature RSAT-DFS-Mgmt-Con. Execute it remotely on Core servers, as RSAT cannot be added there:

$DCs = $DC2, $DC3
Invoke-Command -ComputerName $DCs {
    # Run dfsrdiag.exe straight from the PDC's admin share (UNC path needs the leading \\).
    # Opening \\NIKLASDC01\c$ from inside a remote session is a second network hop, so the
    # session's Kerberos ticket cannot be forwarded unless CredSSP or Kerberos delegation is configured.
    $DC1 = 'NIKLASDC01'
    $dfsrdiagPath = "\\$DC1\c$\windows\system32\dfsrdiag.exe"
    & "$dfsrdiagPath" PollAD
}

You will see DFSR Event ID 4602 indicating SYSVOL has been initialized.

Verify in an admin cmd prompt:

For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

# The states translate as below and should be 4 on every DC if all is OK:
# 0 = Uninitialized
# 1 = Initialized
# 2 = Initial Sync
# 3 = Auto Recovery
# 4 = Normal
# 5 = In Error

# Finally confirm the SYSVOL and NETLOGON shares exist on every DC
$DCs = $DC1, $DC2, $DC3
Invoke-Command -ComputerName $DCs { net share }

r4v3n6
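Both answers above end with the same manual check (the wmic state query and net share). The following script is an added example, not code from the original answers or from the linked blog: a read-only health check that gathers, for every DC in the domain, the DFSR state of the SYSVOL replicated folder (via CIM instead of the deprecated wmic), the msDFSR-Enabled/msDFSR-Options flags on each DC's SYSVOL Subscription object, and whether the SYSVOL and NETLOGON shares are actually published. It assumes the RSAT ActiveDirectory module, a domain admin session, and WinRM/CIM reachability to the DCs; the domain DN and DC list are discovered rather than hard-coded, and nothing is modified. Run it before the authoritative sync to confirm the diagnosis and afterwards to confirm every DC is back to state 4.

```powershell
# Added example: read-only DFSR SYSVOL health check across all DCs (not from the original answers).
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    # Optional: restrict the check to these DC hostnames; default is every DC in the domain.
    [string[]]$DomainController
)

# DfsrReplicatedFolderInfo.State values from the root\MicrosoftDFS WMI/CIM namespace
$DfsrState = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
                3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }

$domain = Get-ADDomain
$dcs = if ($DomainController) { $DomainController } else { (Get-ADDomainController -Filter *).HostName }

function Get-SysvolSubscription {
    # Reads the per-DC SYSVOL Subscription object that KB2218556 toggles (msDFSR-Enabled / msDFSR-Options)
    param([string]$Dc)
    $rdn = $Dc.Split('.')[0]
    $dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$rdn,OU=Domain Controllers,$($domain.DistinguishedName)"
    Get-ADObject -Identity $dn -Properties msDFSR-Enabled, msDFSR-Options
}

$report = foreach ($dc in $dcs) {
    $row = [ordered]@{ DC = $dc; DfsrState = $null; Enabled = $null; Options = $null; Sysvol = $false; Netlogon = $false }

    # 1. DFSR state of the 'SYSVOL Share' replicated folder (same data as the wmic one-liner)
    try {
        $info = Get-CimInstance -ComputerName $dc -Namespace 'root\MicrosoftDFS' `
                    -ClassName DfsrReplicatedFolderInfo -Filter "ReplicatedFolderName='SYSVOL Share'" -ErrorAction Stop
        $row.DfsrState = if ($info) { '{0} ({1})' -f $DfsrState[[int]$info.State], $info.State }
                         else       { 'no SYSVOL replicated folder' }
    } catch { $row.DfsrState = "CIM error: $($_.Exception.Message)" }

    # 2. Subscription flags in AD: Enabled should be TRUE, Options 0 (1 marks the authoritative member during a restore)
    try {
        $sub = Get-SysvolSubscription -Dc $dc
        $row.Enabled = $sub.'msDFSR-Enabled'
        $row.Options = $sub.'msDFSR-Options'
    } catch { $row.Enabled = 'subscription object not found' }

    # 3. Are SYSVOL and NETLOGON actually shared? (what dcdiag's NetLogons test looks for)
    try {
        $shares = (Get-SmbShare -CimSession $dc -ErrorAction Stop).Name
        $row.Sysvol   = 'SYSVOL'   -in $shares
        $row.Netlogon = 'NETLOGON' -in $shares
    } catch { }

    [pscustomobject]$row
}

$report | Format-Table -AutoSize

# Healthy: every DC in state 4 (Normal) with both shares present
$bad = $report | Where-Object { $_.DfsrState -notlike 'Normal*' -or -not $_.Sysvol -or -not $_.Netlogon }
if ($bad) { Write-Warning "DCs needing attention: $($bad.DC -join ', ')" }
else      { Write-Host 'SYSVOL DFSR is healthy on all DCs' }
```

A DC stuck at state 2 (Initial Sync) with no shares is exactly the symptom in the question; a DC whose msDFSR-Options is still 1 after the procedure, or whose msDFSR-Enabled is still FALSE, tells you which step of the authoritative sync did not replicate before DFSR was restarted.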