Can't access netlogon folder on a domain controller that has DFSR

G O'Connor 96 Reputation points
2021-07-09T12:50:14.357+00:00

Hello all,

I have been troubleshooting a group policy issue and it has led me to realise that I can't access the netlogon folder on one of our DCs.

When running Get-ADReplicationFailure -Target DC1

I get the following error:

PS C:\Users> Get-ADReplicationFailure -Target DC1
Get-ADReplicationFailure : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
At line:1 char:1
+ Get-ADReplicationFailure -Target DC1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ResourceUnavailable: (DC1:String) [Get-ADReplicationFailure], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADReplicationFailure

If I run the same command on any other DC, connection is fine.

When trying to access the netlogon folder, I receive the message 'Network access is denied' (I'm logged on as domain admin).

At dc1 I have the following folder:

\\dc1\c$\Windows\SYSVOL_DFSR

But the other 3 DCs have:

\\dc2\c$\Windows\SYSVOL

It appears that DC1 has distributed file system replication enabled, but I inherited this set-up and have no idea what has been configured. I'll be honest and say I know very little about how this even works. Can someone point me in the right direction on what the implications are of having DFSR enabled on a SYSVOL, and why I can't access the netlogon folder? The server in question is our oldest, running Server 2012 Standard. I plan to retire it in the near future, but for now would like to have healthy replication.

Many Thanks in advance for any help with this matter.
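
A read-only comparison of the symptoms described in the question, as an added example that is not part of the original post: for each DC it checks the ADWS port that Get-ADReplicationFailure needs, the NETLOGON and SYSVOL shares, the related services, and which SYSVOL folder is on disk. The DC list, the variable names and running it from a domain-joined admin workstation with Windows PowerShell 5.1 are assumptions.

```powershell
# Added example (not from the original post). Read-only checks; nothing is changed on the DCs.
# Assumption: DC names as used in the question; extend the list with the other DCs.
$dcs = 'DC1', 'DC2'

$report = foreach ($dc in $dcs) {
    # Active Directory Web Services listens on TCP 9389. The AD PowerShell cmdlets
    # (including Get-ADReplicationFailure -Target) fail if it is unreachable.
    $adws = Test-NetConnection -ComputerName $dc -Port 9389 -WarningAction SilentlyContinue

    # Services relevant to the error and to SYSVOL replication (FRS = NtFrs, DFSR = DFSR).
    # Get-Service -ComputerName is available in Windows PowerShell 5.1, not PowerShell 7.
    $svc = Get-Service -ComputerName $dc -Name ADWS, DFSR, NtFrs, Netlogon -ErrorAction SilentlyContinue
    $state = @{}
    foreach ($s in $svc) { $state[$s.Name] = $s.Status }

    [pscustomobject]@{
        DC              = $dc
        AdwsPort9389    = $adws.TcpTestSucceeded
        ADWS            = $state['ADWS']
        Netlogon        = $state['Netlogon']
        DFSR            = $state['DFSR']
        NtFrs           = $state['NtFrs']
        # A DC that is not sharing SYSVOL/NETLOGON is not serving group policy or logon scripts.
        NetlogonShare   = [bool](Test-Path "\\$dc\NETLOGON" -ErrorAction SilentlyContinue)
        SysvolShare     = [bool](Test-Path "\\$dc\SYSVOL" -ErrorAction SilentlyContinue)
        # The two on-disk folders the question found on different DCs.
        Folder_SYSVOL   = [bool](Test-Path "\\$dc\c`$\Windows\SYSVOL" -ErrorAction SilentlyContinue)
        Folder_DFSR     = [bool](Test-Path "\\$dc\c`$\Windows\SYSVOL_DFSR" -ErrorAction SilentlyContinue)
    }
}

$report | Format-Table -AutoSize

# Run on a DC: reports the domain-wide FRS-to-DFSR SYSVOL migration state
# and whether every DC has reached it.
dfsrmig /getglobalstate
dfsrmig /getmigrationstate
```

A DC that differs from the others in several columns at once (port closed, shares missing, different folder) is the one to isolate before deciding between repair and replacement.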


Accepted answer
  1. Anonymous
    2021-07-09T17:22:48.937+00:00

    Sounds good, the simplest thing to do then may be to remove the failed domain controller from the network then seize roles (if necessary)
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

    then perform cleanup
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

    then stand up a new one from replacement.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

10 additional answers

  1. Anonymous
    2021-07-09T15:11:40.16+00:00

    Do not edit the commands, run exactly as is


  2. Anonymous
    2021-07-09T16:10:12.397+00:00

    Just checking if there's any progress?

