How to troubleshoot missing SYSVOL and NETLOGON shares on a Windows Server 2003 domain controller

  
 

How to troubleshoot problems with missing SYSVOL and NETLOGON shares

Missing SYSVOL and NETLOGON shares usually occur on replica domain controllers in existing domains, but they can also occur on the first domain controller in a new domain. You can perform these steps on a replica domain controller, or perform all of them except the replication-specific steps on the first domain controller in the domain.

• The NTDS connection object exists in the DS of each replication partner. An NTDS connection is a one-way connection. The directory service uses these connections to replicate Active Directory, and the File Replication Service (FRS) uses them to replicate the file system portion of system policy in the SYSVOL folder. The Knowledge Consistency Checker (KCC) is responsible for building NTDS connection objects that form a well-connected topology between the domains and domain controllers in the forest. If no automatic connection exists, an administrator can also create a manual connection object. Use the Sites and Services snap-in (Dssite.msc) to check for connection objects between the problem computer and the existing domain controllers. For replication between computers \\M1 and \\M2, \\M1 must have an inbound connection object from \\M2, and \\M2 must have an inbound connection object from \\M1. Use the Connect to Domain Controller command in Dssite.msc to view and compare each domain controller's perspective of the connection objects in the domain. If the new replica member has no connection object, use the Check Replication Topology command in Dssite.msc to force the KCC to create an automatic connection object, and then press F5 to refresh the view. If the KCC cannot build an automatic connection, the administrator must create a manual connection object for any domain controller that has no inbound or outbound connection to or from another domain controller in the domain. Once a single valid manual connection object exists, the KCC can successfully build automatic connection objects. Remove duplicate manual or automatic connections from the same domain controller in the domain to avoid a configuration that blocks replication. For additional information about this issue, click the article number below to view the article in the Microsoft Knowledge Base:

251250 (http://support.microsoft.com/kb/251250/EN-US/) NTFRS Event ID 13557 Is Recorded When Duplicate NTDS Connection Objects Exist

• Active Directory replication is taking place between the new domain controller and an existing domain controller in the domain. Use Repadmin.exe to verify that Active Directory replication occurs between the source and destination domain controllers in the same domain at the scheduled replication interval. The default replication interval is 5 minutes between domain controllers in the same site and 3 hours between domain controllers in different sites, with a minimum of 15 minutes.

REPADMIN /SHOWREPS %UPSTREAMCOMPUTER%
REPADMIN /SHOWREPS %DOWNSTREAMCOMPUTER%

FRS replication depends on Active Directory to replicate configuration information between domain controllers in the domain. If you suspect a replication problem, check the replication events in Event Viewer. Set the “Replication Events” entry to 5 in the following registry key on both the potential source computer (\\M1) and the destination computer (\\M2):

HKEY_LOCAL_MACHINE\System\CCS\Services\NTDS\Diagnostics\

After setting this entry, use the Replicate Now command in Dssite.msc or the equivalent command in REPLMON to force replication from \\M1 to \\M2 and from \\M2 to \\M1.

• The server used as the source for the Active Directory and SYSVOL folders should itself have created the NETLOGON and SYSVOL shares. After the Dcpromo.exe program restarts the computer, FRS first tries to source the SYSVOL share from the computer identified in the following "Replica Set Parent Server" registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters\SysVol\Domain Name

Note: This entry is temporary and is deleted after the SYSVOL source is found or after the information under SYSVOL has been successfully replicated. The 2195 release of Ntfrs.exe prohibits replication from this initial source server. This delays SYSVOL replication until FRS can attempt replication from an inbound replication partner in the domain through an automatic or manual NTDS connection object. Typically, all potential source domain controllers in the domain have already shared the NETLOGON and SYSVOL shares and have applied the default domain and domain controller policies.

SYSVOL folder structure:

domain
    DO_NOT_REMOVE_NtFrs_PreInstall_Directory
    Policies
        {GUID}
            Adm
            MACHINE
            USER
        {GUID}
            Adm
            MACHINE
            USER
        {etc.,}
    scripts
staging
staging areas
    MyDomainName.com
        Scripts
sysvol (sysvol share)
    MyDomainName.com
        DO_NOT_REMOVE_NtFrs_PreInstall_Directory
        Policies
            {GUID}
                Adm
                MACHINE
                USER
            {GUID}
                Adm
                MACHINE
                USER
            {etc.,}
        scripts (NETLOGON share)

• The “Enterprise Domain Controllers” group must be granted the “Access this computer from the network” right in the Default Domain Controllers Policy on the Domain Controllers organizational unit. The Active Directory replication that takes place while the Dcpromo.exe program runs uses the credentials supplied in the Active Directory Installation Wizard. After the restart, replication takes place in the context of the domain controller's computer account. All source domain controllers in the domain must have successfully replicated and applied the policy that grants the “Access this computer from the network” right to the “Enterprise Domain Controllers” group. For quick verification, look for event 1704 in the application log of the potential source domain controllers. For detailed verification, run a security configuration analysis against the Basicdc.inf template and check the log output. Note that this requires defining environment variables for SYSVOL, DSLOG, and DSDIT. For additional information about how to do this, click the article number below to view the article in the Microsoft Knowledge Base:

250454 (http://support.microsoft.com/kb/250454/EN-US/) Error Returned Importing Security Template

In Windows Server 2003, there is no Basicdc.inf template. To reapply the default settings or compare the current settings with the defaults, use the “Setup security.inf” template.

• Each domain controller must be able to resolve (ping) the fully qualified computer name of each computer that participates in the replica set.
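
The checks above, collected into one read-only cmd.exe script as an added example (not part of the original article). The computer names and the DOMAIN value are placeholders to replace with your own, and the script assumes Repadmin.exe from the Support Tools is on the path.

```batch
@echo off
rem Added example: run on the replica domain controller being checked.
rem UPSTREAM, DOWNSTREAM and DOMAIN are placeholders (assumptions).
setlocal
set UPSTREAM=m1.example.test
set DOWNSTREAM=m2.example.test
set DOMAIN=example.test
set FAIL=0

rem 1. Each DC must be resolvable and reachable by fully qualified name.
for %%C in (%UPSTREAM% %DOWNSTREAM%) do (
  ping -n 1 %%C >nul || (echo FAIL  cannot ping %%C & set FAIL=1)
)

rem 2. Both shares must be published on the source and on the replica.
for %%C in (%UPSTREAM% %DOWNSTREAM%) do (
  for %%S in (SYSVOL NETLOGON) do (
    net view \\%%C 2>nul | findstr /B /I "%%S" >nul || (echo FAIL  \\%%C\%%S is not shared & set FAIL=1)
  )
)

rem 3. Active Directory replication status as seen from each partner.
rem    Review the last attempt and last success times against the
rem    replication interval for the site.
repadmin /showreps %UPSTREAM%
repadmin /showreps %DOWNSTREAM%

rem 4. Temporary Dcpromo key: it is deleted once SYSVOL has been sourced,
rem    so its presence means the initial SYSVOL sourcing has not finished.
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters\SysVol\%DOMAIN%
reg query "%KEY%" 2>nul && echo INFO  temporary SysVol key still present, SYSVOL not yet sourced
if errorlevel 1 echo INFO  temporary SysVol key is absent

if %FAIL%==1 (echo One or more checks failed.) else (echo Share and name checks passed.)
endlocal & exit /b %FAIL%
```

The script changes nothing on either computer; a FAIL line for a share on the replica together with clean Repadmin output points back to the connection-object and policy checks in the list above.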
