Depending on your location, power grid, and weather, your environment may be prone to power outages. All production environments should have a good uninterruptible power supply (UPS) and potentially even generator backup power available for mission-critical workloads that are still run in-house. However, if your environment has frequent power outages and your domain controllers are suffering non-graceful power-offs instead of graceful shutdowns, that could lead to some Active Directory issues.
Users still may be able to sign in. Computers may still be able to be joined to the domain. Repadmin /showrepl may show clean replication. Even so, oddities may surface and give you reason to believe that something is faulty with the directory.
Testing for Active Directory Issues
Typical health tests and places to check for issues in Active Directory include:
- Repadmin /showrepl
- Event viewer
A potential addition to that list is to verify that each domain controller in the environment has a SYSVOL and a NETLOGON share. From the domain controller itself, you can attempt to browse to \\localhost\NETLOGON and \\localhost\SYSVOL to see if the shares exist. From any other server, you can attempt to browse to \\DCNAME\NETLOGON and \\DCNAME\SYSVOL to check. However, Microsoft has a quick way to check all servers at once: DSQuery.
DSQuery is already available on any domain controller in your environment. It is also available by installing Remote Server Administration Tools (RSAT) on an AD member computer.
DSQuery requires being run in a Command Prompt window. It will fail in PowerShell.
At the command prompt type:
For /f %i IN ('dsquery server -o rdn') do @echo %i && @(net view \\%i | find "SYSVOL")
If you are already in PowerShell you can quickly change to a command prompt by typing in
CMD <enter>. Bonus note: you can get back to a PowerShell prompt by typing in
Running the statement will return all domain controllers and their share state for the SYSVOL share. If it isn’t shared it will show blank.
Troubleshooting the Active Directory
A first troubleshooting step is to check the DFS replication state on the domain controllers. This can be done by querying WMI in a Command Prompt window run as Administrator. Note: If you get Description = Access Denied, then you are not running the Command Prompt window as Administrator. At the command prompt type:
For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state
For each domain controller, the possible DFSR replication state values are:
- 0 – Uninitialized
- 1 – Initialized
- 2 – Initial Sync
- 3 – Auto Recovery
- 4 – Normal
- 5 – In Error
Anything other than 4 means there is some Active Directory work needing to be done to get the directory healthy. Microsoft has a very good article on this subject that assists in recovery. It is located here: Troubleshoot missing SYSVOL and Netlogon shares for Distributed File System (DFS) Replication – Windows Server | Microsoft Learn
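The share check and the DFSR state query above can be combined into a single PowerShell pass that flags every domain controller not in state 4. This is an added example, not code from the original article; it assumes an elevated session, the RSAT ActiveDirectory module, and WinRM reachable on each domain controller (Get-CimInstance uses it by default), and the function name Get-DcSysvolHealth is hypothetical.

```powershell
# Added example, not from the original article. Get-DcSysvolHealth is a hypothetical name.
# Assumes: elevated session, RSAT ActiveDirectory module, WinRM reachable on every DC.
Import-Module ActiveDirectory -ErrorAction Stop

# DFSR replicated-folder states as listed in the article.
$DfsrState = @{
    0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
    3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error'
}

function Get-DcSysvolHealth {
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $name  = $dc.HostName
        $state = $null
        $note  = ''

        # Same test as browsing to \\DCNAME\SYSVOL and \\DCNAME\NETLOGON.
        $sysvol   = Test-Path -Path "\\$name\SYSVOL"
        $netlogon = Test-Path -Path "\\$name\NETLOGON"

        # Same WMI class and filter as the wmic command, queried over CIM.
        $query = @{
            ComputerName = $name
            Namespace    = 'root\microsoftdfs'
            ClassName    = 'DfsrReplicatedFolderInfo'
            Filter       = "ReplicatedFolderName='SYSVOL Share'"
            ErrorAction  = 'Stop'
        }
        try {
            $info = Get-CimInstance @query | Select-Object -First 1
            if ($info) { $state = [int]$info.State } else { $note = 'No SYSVOL replicated folder found' }
        } catch {
            $note = $_.Exception.Message   # e.g. access denied or DC unreachable
        }

        [pscustomobject]@{
            DomainController = $name
            SYSVOL           = $sysvol
            NETLOGON         = $netlogon
            DfsrState        = if ($null -ne $state) { "$state - $($DfsrState[$state])" } else { 'Unknown' }
            Healthy          = $sysvol -and $netlogon -and ($state -eq 4)
            Note             = $note
        }
    }
}

# Unhealthy domain controllers sort first.
Get-DcSysvolHealth | Sort-Object Healthy, DomainController | Format-Table -AutoSize
```

A domain controller that reports Healthy = False with an empty Note has a missing share or a DFSR state other than 4; a populated Note means the query itself failed and the state is unknown.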
For my environment the FSMO holder was DC4, and DC4 was not in a normal state. I transferred all the FSMO roles back to one of the healthy domain controllers before I began any additional work. I then did a file copy backup of the SYSVOL folders on all domain controllers. These are located at C:\Windows\SYSVOL.
I performed an authoritative synchronization of DFSR-replicated sysvol replication as described here: Force synchronization for Distributed File System Replication (DFSR) replicated sysvol replication – Windows Server | Microsoft Learn
Afterwards the states went to 4 – Normal.
The SYSVOL and NETLOGON shares were present.
There could be many reasons why replication of the directory isn’t healthy, but after these steps were completed the symptoms in this environment were no longer present.
Have any questions about troubleshooting potential missing SYSVOL and NETLOGON shares or any other issues with your Active Directory environment? Please reach out to us at any time!