In most situations, only one or a few domain controllers (fewer than 50%) have SYSVOL replication issues at a given time. In such cases we can perform a non-authoritative restore: the affected domain controller discards its own copy of SYSVOL and re-synchronizes it from a healthy replication partner (for example the PDC Emulator). An authoritative restore, where one DC's copy is declared the master for the whole domain, is only needed when most or all DCs are broken. To perform a non-authoritative restore, follow these steps:
- First, back up the existing SYSVOL by copying the SYSVOL folder from the domain controller that has DFS Replication issues to a secure location. SYSVOL holds Group Policy templates and logon scripts, and any local files that differ from the partner's copy are moved out of the share during the re-sync, so keep the backup until the DC has finished synchronizing.
- Log in to the domain controller as Domain Admin/Enterprise Admin.
- Launch ADSIEDIT.MSC and connect to the Default naming context.
- Browse to DC=domain,DC=local | OU=Domain Controllers | CN=(DC NAME) | CN=DFSR-LocalSettings | CN=Domain System Volume | CN=SYSVOL Subscription.
- Change the value of the msDFSR-Enabled attribute to False.
- Force AD replication using the following command:
repadmin /syncall /AdP
- Run the following command to install the DFS management tools (unless this is already installed):
Add-WindowsFeature RSAT-DFS-Mgmt-Con
- Run the following command to make the DFSR service poll Active Directory and pick up the change:
dfsrdiag PollAD
- Wait for event 4114 in the DFS Replication log, which confirms that SYSVOL replication has been disabled on this DC:
Get-EventLog -LogName "DFS Replication" | Where-Object {$_.EventID -eq 4114} | Format-List
- In ADSIEDIT.MSC, change the msDFSR-Enabled attribute on the same SYSVOL Subscription object back to True.
- Force AD replication again with repadmin /syncall /AdP.
- Update the DFSR state again with dfsrdiag PollAD.
- Wait for events 4614 (initial synchronization started) and 4604 (initial synchronization completed) in the DFS Replication log to confirm a successful non-authoritative synchronization.
All the commands should be run on the domain controller(s) being restored non-authoritatively, not on the healthy partner. Use this procedure only when fewer than 50% of the domain controllers have DFS Replication issues; if the majority are affected, an authoritative restore from a known-good copy is required instead.
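The whole procedure above can be scripted so that each step is verified before the next one runs. The following PowerShell script is an added example and is not part of the original text; it assumes it is run as a Domain Admin on the affected domain controller, that the ActiveDirectory RSAT module, repadmin.exe and dfsrdiag.exe are installed, and that the backup location (`C:\SYSVOL_Backup_<timestamp>`) and the timeouts are acceptable for your environment. The `Wait-DfsrEvent` helper is a hypothetical name introduced here.

```powershell
#Requires -RunAsAdministrator
# Added example: non-authoritative SYSVOL restore of the local DC, step by step,
# waiting for the DFSR events that prove each state change actually happened.
Import-Module ActiveDirectory

$dcName    = $env:COMPUTERNAME
$backupDir = "C:\SYSVOL_Backup_$(Get-Date -Format yyyyMMdd_HHmmss)"   # assumed location
$started   = Get-Date

# Poll the DFS Replication log for one of the given event IDs raised after $Since.
# The match on 'SYSVOL' ignores events for any other replicated folders on the DC.
function Wait-DfsrEvent {
    param([int[]]$EventId, [datetime]$Since, [int]$TimeoutSec = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = $EventId; StartTime = $Since } `
                -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'SYSVOL' } |
              Select-Object -First 1
        if ($ev) { return $ev }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutSec s waiting for DFS Replication event(s) $($EventId -join ', ')"
}

# Step 1: back up SYSVOL. /XJ skips the junction points inside SYSVOL so robocopy
# does not loop; robocopy exit codes below 8 mean the copy succeeded.
robocopy "$env:SystemRoot\SYSVOL" $backupDir /E /COPYALL /XJ /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "SYSVOL backup to $backupDir failed (robocopy exit code $LASTEXITCODE)" }

# Steps 3-4: locate this DC's SYSVOL Subscription object. This is the same object the
# ADSIEDIT steps navigate to, written as a distinguished name.
$dcDN  = (Get-ADDomainController -Identity $dcName).ComputerObjectDN
$subDN = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDN"
if (-not (Get-ADObject -Identity $subDN -ErrorAction SilentlyContinue)) {
    throw "SYSVOL Subscription object not found at $subDN; is this DC using DFSR for SYSVOL?"
}

# Step 5: disable SYSVOL replication on this member.
Set-ADObject -Identity $subDN -Replace @{ 'msDFSR-Enabled' = $false }

# Steps 6 and 8: push the change to all partners and make DFSR re-read AD.
repadmin /syncall /AdP | Out-Null
dfsrdiag PollAD | Out-Null

# Step 9: do not continue until DFSR reports that SYSVOL replication is disabled (4114).
$ev = Wait-DfsrEvent -EventId 4114 -Since $started
Write-Host "DFSR confirmed SYSVOL disabled at $($ev.TimeCreated)"

# Steps 10-12: re-enable and force the DC to re-read the setting. Local files that
# differ from the partner's copy are moved aside by DFSR, not deleted, but the
# backup taken above remains the safety net.
$reenabled = Get-Date
Set-ADObject -Identity $subDN -Replace @{ 'msDFSR-Enabled' = $true }
repadmin /syncall /AdP | Out-Null
dfsrdiag PollAD | Out-Null

# Step 13: 4614 = initial sync started, 4604 = initial sync finished. Only 4604
# proves the non-authoritative restore completed.
$ev = Wait-DfsrEvent -EventId 4614 -Since $reenabled
Write-Host "Initial SYSVOL synchronization started at $($ev.TimeCreated)"
$ev = Wait-DfsrEvent -EventId 4604 -Since $reenabled -TimeoutSec 3600
Write-Host "Non-authoritative SYSVOL restore completed at $($ev.TimeCreated); backup kept at $backupDir"
```

The script stops at the first failed check rather than pressing on: if the backup fails, or event 4114 never appears, re-enabling replication would either risk data loss or simply re-enable a still-broken member. Run it only on the DCs being restored, never on the healthy partner they are meant to copy from.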