How to resync Windows AD Policy


Reference
Major: http://support.microsoft.com/KB/315457/EN-US
Minor: http://support.microsoft.com/kb/290762

Assumption: The policy on DC1 is ok, others are dirty.
Impact: No Windows logon; users who are already logged on may not be able to use shared drives.

DC1 -> authoritative , reference domain controller
Other DCs -> nonauthoritative , other domain controllers
  1. Stop NTFRS on all DCs -> net stop ntfrs !!! The Winlogon service will fail; file sharing and Windows logon may be affected.

    It is very important that you stop NTFRS on all DCs and do not miss any or
    else you will have to go through the process again.
  2. The NETLOGON and SYSVOL net shares on each DC will disappear.  This is normal.
  3. Back up C$\WINDOWS\SYSVOL on all DCs.
  4. (Manual sync) On the other DCs, clean out the files in the folders below, then manually copy the same folders from DC1:
    1. C$\WINDOWS\SYSVOL\domain\Policies
    2. C$\WINDOWS\SYSVOL\domain\scripts
    3. C$\WINDOWS\SYSVOL\sysvol
  5. On DC1, perform an authoritative restore as follows:
    To complete an authoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
    1. Click Start, and then click Run.
    2. In the Open box, type cmd and then press ENTER.
    3. In the Command box, type net stop ntfrs.  (You should already have done this in step 1.)
    4. Click Start, and then click Run.
    5. In the Open box, type regedit and then press ENTER.
    6. Locate the following subkey in the registry:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
    7. In the right pane, double click BurFlags.
    8. In the Edit DWORD Value dialog box, type D4 and then click OK.
    9. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\aa4b527a-20b2-46b8-b4d2e5b8172dfa45
    10. Set BurFlags to D4 (create the BurFlags DWORD value if it does not exist).
    11. Quit Registry Editor, and then switch to the Command box.
    12. In the Command box, type net start ntfrs.
    13. Quit the Command box.
  6. Check the Netlogon service; it may have stopped.   Start the service if needed.
  7. [Don't rush!  Be patient] You may need to wait as long as 15 minutes for the SYSVOL and NETLOGON shares to come back.  Once the two shares are back, users can resume Windows logon.
  8. [Do this only once the previous check has passed]
    On all other DCs, perform a nonauthoritative restore as follows:
    To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
    1. Click Start, and then click Run.
    2. In the Open box, type cmd and then press ENTER.
    3. In the Command box, type net stop ntfrs.  (You should already have done this in step 1.)
    4. Click Start, and then click Run.
    5. In the Open box, type regedit and then press ENTER.
    6. Locate the following subkey in the registry:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
    7. In the right pane, double-click BurFlags.
    8. In the Edit DWORD Value dialog box, type D2 and then click OK.
    9. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\aa4b527a-20b2-46b8-b4d2e5b8172dfa45
    10. Set BurFlags to D2 (create the BurFlags DWORD value if it does not exist).
    11. Quit Registry Editor, and then switch to the Command box.
    12. In the Command box, type net start ntfrs.
    13. Quit the Command box.
  9. Check the Netlogon service on all DCs; it may have stopped.   Manually restart it where needed.
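As an added example (not code from the referenced KB articles), the registry and service parts of steps 5 and 8, plus the share wait of step 7, as a PowerShell script. It assumes it is run elevated on the DC only after net stop ntfrs has been run on every DC (step 1), and it sets BurFlags on every subkey under Cumulative Replica Sets rather than the single GUID named above; the function names Set-FrsBurFlags and Wait-SysvolShares are the example's own.

```powershell
# Added example, not from the referenced KB articles. Run elevated on a DC
# only AFTER "net stop ntfrs" has been run on every DC (step 1).
# D4 = authoritative (reference DC only); D2 = nonauthoritative (all other DCs).
function Set-FrsBurFlags {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Authoritative', 'Nonauthoritative')]
        [string]$Mode
    )
    $flag = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }
    $base = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    $hklm = [Microsoft.Win32.Registry]::LocalMachine

    # "Backup/Restore" contains a forward slash, which the HKLM: provider reads
    # as a path separator, so the .NET registry API is used instead.
    $paths = @("$base\Backup/Restore\Process at Startup")

    # Assumption: every subkey under Cumulative Replica Sets gets the same flag
    # (the procedure above names one GUID; a DC normally has one, for SYSVOL).
    $sets = $hklm.OpenSubKey("$base\Cumulative Replica Sets")
    if ($sets) {
        foreach ($guid in $sets.GetSubKeyNames()) { $paths += "$base\Cumulative Replica Sets\$guid" }
        $sets.Close()
    }

    foreach ($p in $paths) {
        $key = $hklm.OpenSubKey($p, $true)   # $true = open writable
        if (-not $key) { throw "Registry key not found: HKLM\$p" }
        # SetValue creates BurFlags if it does not exist yet (step 10).
        $key.SetValue('BurFlags', $flag, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
        Write-Host ("BurFlags = 0x{0:X2} on HKLM\{1}" -f $flag, $p)
    }
}

# Waits for the SYSVOL and NETLOGON shares to reappear after NTFRS restarts
# (step 7: up to about 15 minutes). WMI is used so it also works on older DCs.
function Wait-SysvolShares {
    param([int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $names = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
        if (($names -contains 'SYSVOL') -and ($names -contains 'NETLOGON')) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Usage on DC1 (step 5); use -Mode Nonauthoritative on every other DC (step 8).
Set-FrsBurFlags -Mode Authoritative
Start-Service -Name NtFrs
if (-not (Wait-SysvolShares)) { Write-Warning 'SYSVOL/NETLOGON not back yet; check the FRS event log before continuing' }
if ((Get-Service -Name Netlogon).Status -ne 'Running') { Start-Service -Name Netlogon }   # steps 6 and 9
```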