Can't access netlogon folder on a domain controller that has DFSR

G O'Connor 96 Reputation points
2021-07-09T12:50:14.357+00:00

Hello all,

I have been troubleshooting a group policy issue and it has led me to realise that I can't access the netlogon folder on one of our DCs.

When running Get-ADReplicationFailure -Target DC1

I get the following error:

PS C:\Users> Get-ADReplicationFailure -Target DC1
Get-ADReplicationFailure : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
At line:1 char:1
+ Get-ADReplicationFailure -Target DC1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ResourceUnavailable: (DC1:String) [Get-ADReplicationFailure], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADReplicationFailure

If I run the same command on any other dc, connection is fine.

When trying to access the netlogon folder, I receive the message 'Network access is denied' (I'm logged on as domain admin).

At dc1 I have the following folder:

\\dc1\c$\Windows\SYSVOL_DFSR

But the other 3 DCs have:

\\dc2\c$\Windows\SYSVOL

It appears that DC1 has distributed file system replication enabled, but I inherited this set-up and have no idea what has been configured. I'll be honest and say I know very little about how this even works. Can someone point me in the right direction on what the implications are of having DFSR enabled on a sysvol and why I can't access the netlogon folder? The server in question is our oldest, running Server 2012 Standard. I plan to retire it in the near future but for now, would like to have healthy replication.

Many thanks in advance for any help with this matter.


Accepted answer
  1. Anonymous
    2021-07-09T17:22:48.937+00:00

    Sounds good, the simplest thing to do then may be to remove the failed domain controller from the network then seize roles (if necessary)
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

    then perform cleanup
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

    then stand up a new one from replacement.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

10 additional answers

  1. Anonymous
    2021-07-09T14:05:49.617+00:00

    Sounds problematic, try another dc


  2. G O'Connor 96 Reputation points
    2021-07-09T14:43:14.69+00:00

    It sounds terribly stupid but I'm actually wondering if the server we have called dc1 is actually running as a dc. I always assumed it was because of the name and the fact that it has all the AD tools but perhaps it was demoted prior to me starting this role.

    If I run

    nltest /dclist:domain.local

    It doesn't show dc1

    When I run dcdiag from dc1, it tells me it is not a directory server. Also, it's not shown under Active Directory Sites and Services.

    Is there another way or anything else I can check to be sure it was demoted and hasn't just gone wrong?

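For the question in the post above (how to tell whether dc1 was demoted or is a broken domain controller), here is an added example that is not part of the thread: it compares what the server believes about itself with what the directory records. It assumes it is run locally on the server in question from an elevated session with the ActiveDirectory module installed, and that `dc2` is a domain controller that answers queries.

```powershell
# Added example: run locally on the server in question, in an elevated session.
# $HealthyDC is an assumption: any DC that answers AD queries (dc2 on this page).
$HealthyDC = 'dc2'
$Name      = $env:COMPUTERNAME

# 1. What the OS thinks it is. DomainRole 4/5 = domain controller, 3 = member server.
$roleNames = @{ 0 = 'Standalone workstation'; 1 = 'Member workstation'; 2 = 'Standalone server'
                3 = 'Member server'; 4 = 'Backup domain controller'; 5 = 'Primary domain controller' }
$role = [int](Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

# 2. The AD DS service and the two shares a working DC publishes.
$ntds   = Get-Service -Name NTDS -ErrorAction SilentlyContinue
$shares = Get-CimInstance -ClassName Win32_Share |
          Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' }

# 3. Netlogon's view of SYSVOL: the path it shares and whether it is marked ready.
$nl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                       -ErrorAction SilentlyContinue

# 4. What the directory thinks: the computer account, asked of a healthy DC.
#    userAccountControl 0x2000 = SERVER_TRUST_ACCOUNT (DC), 0x1000 = WORKSTATION_TRUST_ACCOUNT.
#    primaryGroupID 516 = Domain Controllers, 515 = Domain Computers.
Import-Module ActiveDirectory
$acct   = Get-ADComputer -Identity $Name -Server $HealthyDC `
                         -Properties userAccountControl, primaryGroupID
$listed = Get-ADDomainController -Filter * -Server $HealthyDC |
          Where-Object { $_.Name -eq $Name }

# One object so the local and directory views can be read side by side.
[pscustomobject]@{
    Server           = $Name
    DomainRole       = $roleNames[$role]
    NtdsService      = if ($ntds) { $ntds.Status } else { 'Not present' }
    SharesPresent    = ($shares.Name -join ', ')
    SysvolPath       = $nl.SysVol
    SysvolReady      = $nl.SysvolReady
    AccountIsDcTrust = [bool]($acct.userAccountControl -band 0x2000)
    PrimaryGroupID   = $acct.primaryGroupID
    AccountDN        = $acct.DistinguishedName
    ListedAsDC       = [bool]$listed
} | Format-List
```

A cleanly demoted server reports Member server, has its account in Domain Computers (515) and is absent from the DC list. A server that reports a domain controller role locally but is missing from the directory points to a failed or orphaned DC instead.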

  3. Anonymous
    2021-07-09T14:46:43.273+00:00

    I wouldn't worry about that. Just run the commands exactly as is on each of the domain controllers. The file names are inconsequential.


  4. G O'Connor 96 Reputation points
    2021-07-09T15:10:01.697+00:00

    If I run

    Dcdiag /v /c /d /e /s:dc2 >C:\dcdiag.log

    repadmin /showrepl >C:\repl.txt

    There is nothing whatsoever relating to dc1 in these logs. Replication appears fine, no errors at all.

