2016 SYSVOL and NETLOGON shares missing from New Domain Controllers added to 2012 and below.

  • General discussion

  • After going through Server 2k to 2012R2 documentation and following all recommendations within said forums, the simplest solution presented itself.

    It came down to a simple registry change.

    Open an administrative PowerShell.

    Run net share

    Review the shares and find the NETLOGON and SYSVOL shares; if they are there, turn them off and back on in the registry.

    Type regedt32 in PowerShell and edit the following registry entry


    Change sysvolready=0   <<<< Turns off sysvol and netlogon shares.

    Change sysvolready=1   <<<< Creates and shares sysvol and netlogon automatically.

    Do this to all Domain Controllers

    Run DcDiag /v

    If you are tired of seeing old errors, clear all logs in PowerShell with this script.

    wevtutil el | Foreach-Object {wevtutil cl "$_"}

    I was able to fix all errors with DNS prior to using this fix.

    I still have one error I cannot get around; it will not go away, 100 hours later.

          Starting test: VerifyReferences
             The system object reference (serverReference) CN=SRV6,OU=Domain Controllers,DC=acs,DC=local and backlink on
             CN=SRV6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acs,DC=local are correct.
             Some objects relating to the DC SRV6 have problems:
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=NTDS Settings,CN=SRV6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acs,DC=local
                 Base Object Description: "DSA Object"
                 Value Object Attribute Name: serverReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

                [1] Problem: Missing Expected Value
                 Base Object: CN=SRV6,OU=Domain Controllers,DC=acs,DC=local
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: msDFSR-ComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

             ......................... SRV6 failed test VerifyReferences

    This is the last dcdiag error on the 2012R2 legacy server, with 5 new 2016 servers now properly replicating SYSVOL and NETLOGON. Hopefully I can demote and remove this server with this error still in place; when this server is removed, no more error. If anyone has advice, please share it, as this error may be an issue for someone else wishing to keep their server.

    • Edited by BucakrooBanzai Monday, July 31, 2017 7:27 AM
    • Changed type BucakrooBanzai Monday, July 31, 2017 7:28 AM It has answers and A good Question
    Monday, July 31, 2017 7:04 AM
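
The check-then-toggle procedure from the post above, as an added PowerShell example that is not part of the original thread. It uses the Netlogon\Parameters key path given in the first reply; the sleep intervals and the guard that looks for a populated Policies folder are assumptions added here, because SysvolReady=1 publishes the shares whether or not SYSVOL content has replicated.

```powershell
# Added example, not from the thread. Run elevated on the affected DC.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$expected = 'SYSVOL', 'NETLOGON'

function Get-MissingDcShare {
    # Returns the expected share names that are not currently published.
    $present = @(Get-SmbShare -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name)
    @($expected | Where-Object { $present -notcontains $_ })
}

$params  = Get-ItemProperty -Path $key
$missing = @(Get-MissingDcShare)
"SysvolReady = $($params.SysvolReady); missing shares: $($missing -join ', ')"

if ($missing.Count -eq 0 -and $params.SysvolReady -eq 1) {
    'Both shares are published; leaving SysvolReady alone.'
    return
}

# Guard (added assumption): SysvolReady=1 advertises the DC even if SYSVOL never
# replicated, so require at least one policy folder before forcing the shares on.
# The SysVol value under the same key holds the local path of the sysvol share.
$domain   = (Get-CimInstance Win32_ComputerSystem).Domain
$policies = Join-Path $params.SysVol "$domain\Policies"
if (-not (Get-ChildItem -Path $policies -Directory -ErrorAction SilentlyContinue)) {
    Write-Warning "No policies under $policies; fix replication before toggling."
    return
}

# The toggle from the post: 0 withdraws the shares, 1 re-creates them.
Set-ItemProperty -Path $key -Name SysvolReady -Value 0
Start-Sleep -Seconds 5          # assumed pause; not a documented requirement
Set-ItemProperty -Path $key -Name SysvolReady -Value 1
Start-Sleep -Seconds 15         # assumed time for Netlogon to react

$missing = @(Get-MissingDcShare)
if ($missing.Count) { Write-Warning "Still missing: $($missing -join ', ')" }
else                { 'SYSVOL and NETLOGON are shared again.' }

# Confirm the DC advertises itself, using two tests from the reply's list.
dcdiag /test:advertising
dcdiag /test:netlogons
```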

All replies

  • My notes for commands I used to prepare the 2012 server for demotion.
    Most commands work on 2016, the rest will work on older servers.

    Public IP (ISP DNS) used for external domain name resolution should always be configured in the Forwarders of the DNS servers.
    NEVER use a public IP configured directly in the NIC of either the DC or clients.
    Make sure the DC points to another DC for its primary DNS server, and itself second.  Latest from MS is to have the loopback adapter listed as a third option in the network adapter.

    Reinitialize netlogon shares if they disappear
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters  sysvolready change to 0 then back to 1

    Clear all logs powershell script
    wevtutil el | Foreach-Object {wevtutil cl "$_"}

    Domain Controller Diagnostic List
    dcdiag /v >>dcdiag.results.txt
    dcdiag /e
    dcdiag /d
    dcdiag /a
    dcdiag /c /v
    dcdiag /test:advertising
    dcdiag /test:netlogons
    dcdiag /v /c /d /e /s:YourDomain.local >>c:\dcdiag.log

    Specific source DC use /ReplSource:<DC>

    NetDom Query fsmo   <<<<Powershell App
    GPResult /H C:\secpol.htm      <read secpol.htm when done

    DFSRDIAG.EXE POLLAD     <<<< run on all servers
    DFSRDIAG.EXE PollAD /Member:DOMAIN\Server1

    repadmin /replsum
    repadmin /showrepl
    repadmin /showreps
    repadmin /syncall

    ntfrsutl ds DaServer
    ntfrsutl poll /now
    ntfrsutl sets

    dfsutil /spcinfo
    dfsutil /spcflush

    MMC/Tools/DFS Management     ---  right hand menu    >>> CREATE DIAGNOSTIC REPORTS

    Net stop and start ntfrs
    ds behavior

    IpConfig /flushDns
    IpConfig /registerDns
    net stop dns
    net stop netlogon
    net start dns
    net start netlogon

    Reset the DSRM Administrator Password
    Click, Start, click Run, type 
    and then click OK.
    At the Ntdsutil command prompt, type
    set dsrm password
    At the DSRM command prompt, type one of the following
    To reset the password on the server on which you are
    working, type
    reset password on server null
    type the password.

    forest YourDomain.local
    (DSRM PASSWORD)->   WhateverYouLike
    Reset Time Server
    w32tm /config /manualpeerlist:time.nist.gov /syncfromflags:manual /reliable:YES /update 
    W32tm /resync /rediscover 


    Fix Journal Wrap Error
    To modify the default behavior, make the following changes in the registry
    to instruct FRS to handle the JRNL_WRAP_ERROR status automatically:
    1. Stop FRS.
    2. Start Registry Editor (Regedt32.exe).
    3. Locate and click the following key in the registry:
    4. On the Edit menu, click Add Value, and then add the following registry

    I inserted this Key, it was not there.

    Value name: Enable Journal Wrap Automatic Restore
    Data type: REG_DWORD
    Radix: Hexadecimal
    Value data: 1 (Default 0)
    5. Quit Registry Editor.
    6. Restart FRS.


    >> How to rebuild the SYSVOL tree and its content in a domain <<

    SYSVOL on newly promoted DC is not synchronising, but replication looks ok?

    How to remove completely orphaned Domain Controller 

    How to remove orphaned domains from Active Directory

    DFS Replication: How to troubleshoot missing SYSVOL and Netlogon shares

    SYSVOL and Group Policy out of Sync on Server 2012 R2 DCs using DFSR

    How to configure an authoritative time server in Windows Server

    Step-By-Step: Migrating Active Directory FSMO Roles From Windows Server 2012 R2 to 2016 <<<< PROMISING

    Restoring and Rebuilding SYSVOL

    server 2012
    Fix: Active directory corrupted (NTDS ISAM Database Corruption errors in eventlog)

    Give Anyone Credentials with Azure Active Directory

    SYSVOL Replication Migration Guide: FRS to DFS Replication


    Monday, July 31, 2017 8:55 AM
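
A variant of the log-clearing one-liner used in both posts above that exports each log before clearing it, as an added example that is not part of the original thread. The archive directory C:\LogArchive is a hypothetical path; `/bu:` is wevtutil's own backup option for `cl`.

```powershell
# Added example, not from the thread. Run elevated.
$archive = "C:\LogArchive\$(Get-Date -Format 'yyyyMMdd-HHmmss')"   # hypothetical path
New-Item -ItemType Directory -Path $archive -Force | Out-Null

foreach ($log in (wevtutil el)) {
    # Log names may contain '/' (e.g. Microsoft-Windows-DFSR/Operational),
    # so map characters that are invalid in file names to '_'.
    $file = Join-Path $archive (($log -replace '[\\/:*?"<>|]', '_') + '.evtx')

    # Export to .evtx, then clear, in one wevtutil call.
    wevtutil cl "$log" "/bu:$file"
    if ($LASTEXITCODE -ne 0) { Write-Warning "Not cleared: $log" }
}

# Record SHA-256 hashes so the archived logs can be shown to be unmodified later.
Get-ChildItem -Path $archive -Filter *.evtx |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $archive 'hashes.csv') -NoTypeInformation
```

Clearing the Security log records event 1102, and clearing other logs records event 104 in the System log, so a monitored environment will see this maintenance as log-clearing activity.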
  • Ran into this introducing a 2019 DC into a 2012 R2 AD with a mix of 2016 DCs. The 2019 ran into this issue whereas the 2016 DCs did not.
    Sunday, June 30, 2019 9:30 PM
  • This saved my day ;)


    Thursday, July 23, 2020 11:10 AM