Consider the following scenario:

You want to force the non-authoritative synchronization of sysvol replication on a domain controller (DC). In the File Replication Service (FRS), it was controlled through the D2 and D4 data values for the Bur Flags registry values, but these values don’t exist for the Distributed File System Replication (DFSR) service. You can’t use the DFS Management snap-in (Dfsmgmt.msc) or the Dfsradmin.exe command-line tool to achieve this. Unlike custom DFSR replicated folders, sysvol replication is intentionally protected from any editing through its management interfaces to prevent accidents.

Symptoms of DFSR issues include: Replication issues for GPO Policies.

1.   In the ADSIEDIT.MSC tool, modify the following distinguished name (DN) value and attribute on each of the domain controllers (DCs) that you want to make non-authoritative:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=,OU=Domain Controllers,DC=

msDFSR-Enabled=FALSE

2.   Force Active Directory replication throughout the domain.

1. Open Active Directory Sites and Services from the Primary Domain Controller (PDC)
2. Navigate To Default-First-Site-Name
3. Select a member DC such as DC02 in the example
4. Right-click on NTDS Settings, and Click on “Replicate configuration to the selected DC”

3.   Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:

DFSRDIAG POLLAD

4.   You’ll see Event ID 4114 in the DFSR event log indicating sysvol replication is no longer being replicated.

5.   On the same DN from Step 1, set msDFSR-Enabled=TRUE.

6.   Force Active Directory replication throughout the domain.

7.   Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:

DFSRDIAG POLLAD

8.   You’ll see Event ID 4614 and 4604 in the DFSR event log indicating sysvol replication has been initialized. That domain controller has now done a D2 of sysvol replication.

1.   Set the DFS Replication service Startup Type to Manual, and stop the service on all domain controllers in the domain.

2.   In the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative (preferably the PDC Emulator, which is usually the most up-to-date for sysvol replication contents):

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=,OU=Domain Controllers,DC=

msDFSR-Enabled=FALSE

msDFSR-options=1

3.   Modify the following DN and single attribute on all other domain controllers in that domain:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=,OU=Domain Controllers,DC=

msDFSR-Enabled=FALSE

4.   Force Active Directory replication throughout the domain and validate its success on all DCs.

5.   Start the DFSR service on the domain controller that was set as authoritative in Step 2.

6.   You’ll see Event ID 4114 in the DFSR event log indicating sysvol replication is no longer being replicated.

7.   On the same DN from Step 1, set msDFSR-Enabled=TRUE.

8.   Force Active Directory replication throughout the domain and validate its success on all DCs.

9.   Run the following command from an elevated command prompt on the same server that you set as authoritative:

DFSRDIAG POLLAD

10. You’ll see Event ID 4602 in the DFSR event log indicating sysvol replication has been initialized. That domain controller has now done a D4 of sysvol replication.

11. Start the DFSR service on the other non-authoritative DCs. You’ll see Event ID 4114 in the DFSR event log indicating sysvol replication is no longer being replicated on each of them.

12. Modify the following DN and single attribute on all other domain controllers in that domain:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=,OU=Domain Controllers,DC=

msDFSR-Enabled=TRUE

13. Run the following command from an elevated command prompt on all non-authoritative DCs (that is, all but the formerly authoritative one):

DFSRDIAG POLLAD

14. Return the DFSR service to its original Startup Type (Automatic) on all DCs.

If setting the authoritative flag on one DC, you must non-authoritatively synchronize all other DCs in the domain. Otherwise you’ll see conflicts on DCs, originating from any DCs where you did not set auth/non-auth and restarted the DFSR service. For example, if all logon scripts were accidentally deleted and a manual copy of them was placed back on the PDC Emulator role holder, making that server authoritative and all other servers non-authoritative would guarantee success and prevent conflicts.

If making any DC authoritative, the PDC Emulator as authoritative is preferable, since its sysvol replication contents are most up to date.

The use of the authoritative flag is only necessary if you need to force synchronization of all DCs. If only repairing one DC, make it non-authoritative and don’t touch other servers.

This article is designed with a 2-DC environment in mind, for simplicity of description. If you had more than one affected DC, expand the steps to include ALL of them as well. It also assumes you have the ability to restore data that was deleted, overwritten, damaged, and so on.

References

YouTube Video demonstrating testing and performing Authoritative Restore: https://youtu.be/UWF-pVr1JHg

Reference Official Microsoft KB: Force synchronization for Distributed File System Replication (DFSR) replicated sysvol replication - Windows Server | Microsoft Learn