How to solve the problem of the NETLOGON folder not replicating

  • Logon scripts are typically stored on the domain controller in the Netlogon share, which is located in the %systemroot%\System32\Repl\Imports\Scripts folder.
  • Once the script is placed in the share, it is automatically replicated to all domain controllers in the domain.
  • Domain controllers without a SYSVOL share cannot do inbound replication because the original (source) domain controllers are in an error state.

Where Is The Netlogon Folder

Files such as the logon script, as well as other files, can be stored in the NETLOGON share on the %LOGONSERVER%.

There are several executable files contained in the Netlogon folder, including Group Policy logon scripts. Logon scripts are typically stored in the Netlogon share, which is located in the %systemroot%\System32\Repl\Imports\Scripts folder on the domain controller. Once a script is placed in the Netlogon share, all domain controllers in the domain automatically receive it.

Domain Controllers Not Replicating

Active Directory replication troubleshooting can be tricky because there can be several potential reasons behind a replication failure. Two of the more common causes include a loss of network connectivity or a DNS configuration error. Replication errors can also occur as a result of authentication errors or a situation when the domain controller lacks the hardware resources to keep pace with the current demand. This is by no means a comprehensive list, but rather a rundown of some of the issues that commonly cause Active Directory replication failures.

Check Sysvol Replication

It is likely that if you upgraded from a Windows 2003 domain to Windows Server 2008 or later, the first domain controller within that domain is using DFS-R (Distributed File System Replication).


Why is the NETLOGON folder not replicated?

What Is The Sysvol Folder

System volumes (SYSVOL) are special directories on DCs, which are divided into several folders, one of which is shared with other DCs.

Netlogon Share

Script files for group policy logins, as well as other executable files, are located in the Netlogon folder.

In the case of missing SYSVOL and Netlogon shares on the domain controller, our Support Techs typically encounter the following:

There are two main data sets that are stored within the SYSVOL folder hierarchy on all Active Directory domain controllers:

Domain controllers without a SYSVOL share cannot perform inbound SYSVOL replication while the source (original) domain controller is either down or in an error state.




Hello, I have 3 Domain Controllers on my domain. For some reason, the Netlogon folder and Sysvol folder don’t replicate. I made changes to these folders on my primary domain controller, along with Group Policy objects. Active Directory does replicate between the domain controllers and the tests run successfully, just that the Netlogon and Sysvol folder do not replicate. My primary domain controller is running Windows Server 2008 R2, my second domain controller is running Windows Server 2019 and my third domain controller is running Windows Server 2012 R2. They use DFS as in the DFS Namespaces it shows the Domain System Volume replication group, but in C:\Windows, the SYSVOL folder shows up as just that and I have been seeing that if it is replicated with DFS-R instead of FRS, that the SYSVOL folder would be named SYSVOL_DFSR.

Anyway… I was able to set the NAS up as an additional domain controller, but part way through setting itself up (during the Please Wait phase), I got an AJAX error. However, the NAS was still responding via the browser and I could see that the NAS was still transferring data from the distant site (router Internet light and port light that the NAS is connected to flashing simultaneously and quickly). After some time I was able to see the list of users, groups and computers. However, the SYSVOL and NETLOGON shares are not replicating from the server. Also, the NETLOGON is inaccessible (access denied) and the SYSVOL is read-only, even though I have logged on to the shares as a domain admin.

How do you make sure that the NETLOGON folder is replicated correctly?

Identify the folder with the most recent content, or the one with the smoothest scripts.

Force Sysvol Replication

The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL_DFSR\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner DC01.Local.Domain. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.

Windows Server 2008-based domain controllers that are installed with Active Directory Domain Services are not able to access the NETLOGON share

Designate one domain controller as the authoritative (master) copy and the remaining domain controllers as non-authoritative, and then schedule replication between them.

Performing non-authoritative synchronization

Make sure ADSIEDIT.msc is installed and open it.
To make a domain controller non-authoritative, use ADSIEDIT.MSC to set the following attribute on the DN below:

  • DN: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<server name>,OU=Domain Controllers,DC=<domain>
  • msDFSR-Enabled=FALSE

Force Active Directory replication throughout the domain.

  1. On the servers you set as non-authoritative, run the following command from an elevated command prompt:
    DFSRDIAG POLLAD
  2. The DFSR event log shows event ID 4114, which indicates that SYSVOL is no longer being replicated.
  3. On the same DN from step 1, set:
    msDFSR-Enabled=TRUE

Force Active Directory replication throughout the domain again, then follow these steps:

  1. On the same servers you set as non-authoritative, run the following command from an elevated command prompt:
    DFSRDIAG POLLAD

Event IDs 4614 and 4604 in the DFSR event log indicate that this domain controller has completed a “D2” (non-authoritative) synchronization of SYSVOL.

Perform an authoritative synchronization

On the domain controller you wish to make authoritative, use ADSIEDIT.MSC to set the following attributes on the DN below:

  • DN: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<server name>,OU=Domain Controllers,DC=<domain>
  • msDFSR-Enabled=FALSE
  • msDFSR-Options=1

On all other domain controllers in this domain, set the following attribute on the corresponding DN:

  • DN: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<other server name>,OU=Domain Controllers,DC=<domain>
  • msDFSR-Enabled=FALSE

Force Active Directory replication throughout the domain and verify that it succeeds on all domain controllers. Then:

  1. Start the DFSR service on the domain controller you set as authoritative.
  2. The DFSR event log shows event ID 4114, which indicates that the replication of SYSVOL has stopped.
  3. On the same DN from step 1, set:
    msDFSR-Enabled=TRUE

Force Active Directory replication throughout the domain to all DCs and verify that it succeeds.

  1. From an elevated command prompt on the authoritative server, run the following command:
    DFSRDIAG POLLAD
  2. DFSR event ID 4602 in the DFSR event log indicates that this domain controller now runs a “D4” (authoritative) SYSVOL.
  3. Start the DFSR service on the other, non-authoritative DCs.
  4. A new event ID 4114 appears in the DFSR event log of each, signifying that SYSVOL is no longer replicated on them.
  5. On each of those domain controllers, change the attribute on the following DN:
    DN: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<other server name>,OU=Domain Controllers,DC=<domain>
    msDFSR-Enabled=TRUE
  6. On all non-authoritative DCs, run the following command:
    DFSRDIAG POLLAD
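The ADSIEDIT attribute changes and event-log checkpoints from the non-authoritative (D2) and authoritative (D4) procedures above can be scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the original page; it assumes the RSAT/AD DS module is installed, the caller is a Domain Admin, and the DC names are placeholders.

```powershell
# Added example (not from the original page): perform the ADSIEDIT attribute
# changes from the D2/D4 procedures above with the ActiveDirectory module.
# Assumes RSAT/AD DS PowerShell module, Domain Admin rights, and placeholder DC names.
Import-Module ActiveDirectory

function Get-SysvolSubscriptionDN {
    param([Parameter(Mandatory)][string]$DCName)
    $domainDN = (Get-ADDomain).DistinguishedName
    # DN of the DFSR SYSVOL subscription object that the article edits in ADSIEDIT
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DCName,OU=Domain Controllers,$domainDN"
}

function Show-SysvolSubscriptionState {
    # Read-only: current msDFSR-Enabled / msDFSR-Options value on every DC
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $obj = Get-ADObject -Identity (Get-SysvolSubscriptionDN $dc.Name) -Properties 'msDFSR-Enabled', 'msDFSR-Options'
        [pscustomobject]@{ DC = $dc.Name; Enabled = $obj.'msDFSR-Enabled'; Options = $obj.'msDFSR-Options' }
    }
}

function Set-SysvolSubscriptionState {
    # Disable (step 1) or re-enable (step 3) the subscription on one DC;
    # -Authoritative also sets msDFSR-Options=1, which marks the D4 source copy.
    param(
        [Parameter(Mandatory)][string]$DCName,
        [Parameter(Mandatory)][bool]$Enabled,
        [switch]$Authoritative
    )
    $attrs = @{ 'msDFSR-Enabled' = $Enabled }
    if ($Authoritative) { $attrs['msDFSR-Options'] = 1 }
    Set-ADObject -Identity (Get-SysvolSubscriptionDN $DCName) -Replace $attrs
}

function Get-DfsrSysvolEvents {
    # Checkpoint events used in the article: 4114 = SYSVOL stopped replicating,
    # 4614/4604 = D2 finished, 4602 = D4 finished
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'DFS Replication'; Id = 4114, 4602, 4604, 4614
    } -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, MachineName
}

# D2 (non-authoritative) flow for placeholder DC02, run in order with AD replication forced between steps:
# Set-SysvolSubscriptionState -DCName 'DC02' -Enabled $false
# repadmin /syncall /AdeP ; dfsrdiag pollad      # then expect event 4114 on DC02
# Set-SysvolSubscriptionState -DCName 'DC02' -Enabled $true
# repadmin /syncall /AdeP ; dfsrdiag pollad      # then expect events 4614 and 4604
```

Run Show-SysvolSubscriptionState before and after each step so that exactly one DC carries msDFSR-Options=1 during a D4 restore; Get-DfsrSysvolEvents confirms the checkpoint events before you continue.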


Frequently Asked Questions

  1. Forcibly remove AD DS in Directory Services Recovery Mode (DSRM), clean up server metadata, and then reinstall AD DS.
  2. Reinstall the operating system and restore the domain controller.

  1. Make sure that the SYSVOL share is present. You can manually check if SYSVOL is shared, or you can check each domain controller with the net view command.
  2. Check the status of DFS replication.
  3. Check the event logs for recent errors or warnings.
  4. Check the fresh content configuration.
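The checks in the list above (share present on every DC, DFSR state, recent errors or warnings) can be run from one place. This is an added example, not part of the original page; it assumes Windows PowerShell 5.1 with the ActiveDirectory module and remote event-log access to each DC.

```powershell
# Added example (not from the original page): one health row per domain controller.
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName) and the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SysvolShares {
    # For each DC: are SYSVOL and NETLOGON shared, is the DFSR service running,
    # and did the DFS Replication log record errors/warnings in the last 24 hours?
    $since = (Get-Date).AddDays(-1)
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $issues = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'DFS Replication'; Level = 1, 2, 3; StartTime = $since
        } -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC             = $dc
            SysvolShared   = Test-Path "\\$dc\SYSVOL"      # same check as "net view \\$dc"
            NetlogonShared = Test-Path "\\$dc\NETLOGON"
            DfsrService    = (Get-Service -Name DFSR -ComputerName $dc -ErrorAction SilentlyContinue).Status
            RecentIssues   = @($issues).Count
        }
    }
}

Test-SysvolShares | Format-Table -AutoSize
```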

  1. Run the Active Directory Sites and Services snap-in from the Microsoft Management Console (MMC).
  2. Expand the Sites branch to display the sites.
  3. Expand the site that contains the DC.
  4. Expand Servers.
  5. Select the server you want to replicate to and expand it.
  6. Double-click the NTDS settings for the server.

Migration can take anywhere from 15 minutes to an hour. The process copies the sysvol and domain folders from the sysvol folder to the new SYSVOL_DFSR folder.


Mark Ginter is a tech blogger with a passion for all things gadgets and gizmos. A self-proclaimed "geek", Mark has been blogging about technology for over 15 years. His blog, techquack.com, covers a wide range of topics including new product releases, industry news, and tips and tricks for getting the most out of your devices. If you're looking for someone who can keep you up-to-date with all the latest tech news and developments, then be sure to follow him over at Microsoft.