What Causes SYSVOL and NETLOGON Shares to be Deleted?

ms tech 1 Reputation point
2021-09-10T19:17:42.35+00:00

I have a perplexing problem on a test network I have. It was the victim of a ransomware attack recently but, being a test network, all of the encryption didn't really cause a problem. However, none of the DCs work now. If I try to open any of the AD utilities, they tell me that the domain doesn't exist. After some initial troubleshooting, I discovered that the SYSVOL and NETLOGON shares had been deleted. The strange part is that I copied the vhdx file for a DC on another network and spun it up as the only running DC on the network. Its shares ended up deleted as well. Even after manually recreating the shares and rebooting, the shares were gone again.

So, what would cause these shares to be deleted? Since this is the only DC on the network now, it can't be a replication or GPO issue. DNS appears to be solid so it can't be the problem, either. Scratching my head...


3 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2021-09-10T19:26:58.137+00:00

  2. ms tech 1 Reputation point
    2021-09-10T19:31:11.54+00:00

    But, there is only one DC so how could replication be a/the problem?


  3. Limitless Technology 39,351 Reputation points
    2021-09-13T12:45:52.68+00:00

    Hello MsTech,

    This sounds like a common issue after you restore a DC, and it forces authoritative synchronization.

    Please check this document that explains the checklist and troubleshooting: https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/missing-sysvol-and-netlogon-shares

    Initially I would try the following:

    1. Open the registry and navigate to "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters"
    2. Change value for "Enable Journal Wrap Automatic Restore" from 0 to 1. If the DWORD Value does not exist, create a new one, including spaces but without the quotes.
    3. Stop the NTFRS Service (from an elevated command prompt, type "net stop ntfrs")
    4. Start the NTFRS Service (net start ntfrs)
    5. Check for File Replication Services events in Event Viewer:
      • 13553 - The DC is performing the recovery process.
      • 13554 - The DC is ready to pull the replica from another DC.
      • 13516 - If you receive this Event ID, everything went fine and you can continue.
    6. From the elevated command prompt type "net share" and look for SYSVOL and NETLOGON. The issue will be resolved when the new SYSVOL replica arrives from a peer Domain Controller. This may take some minutes.
    7. Revert the value for "Enable Journal Wrap Automatic Restore" from 1 to 0.

    Hope this helps in your case,
    Best regards,

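The seven steps in the answer above, scripted as an added example that is not part of the original answer or of Microsoft's documentation. It assumes an elevated PowerShell session on the DC, that SYSVOL is still replicated by FRS (the NtFrs key has no effect on a DFSR-replicated SYSVOL), and the standard "File Replication Service" event log name; because the asker has no peer DC, the script reports when FRS is waiting for a source (event 13554) instead of assuming success.

```powershell
# Added example (not from the original answer): automates the NTFRS journal-wrap
# recovery steps and reports the outcome. Assumes an FRS-replicated SYSVOL and
# an elevated session on the DC.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$name = 'Enable Journal Wrap Automatic Restore'

# Steps 1-2: create the DWORD if missing, otherwise set it to 1.
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $before) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null
} else {
    Set-ItemProperty -Path $key -Name $name -Value 1
}

# Steps 3-4: restart the File Replication Service so it reads the new setting.
$start = Get-Date
Stop-Service  -Name NtFrs -Force
Start-Service -Name NtFrs

# Step 5: poll the FRS log for the recovery events (13553, 13554, 13516)
# logged since the restart, for up to 15 minutes.
$deadline = (Get-Date).AddMinutes(15)
$seen = @{}
do {
    Start-Sleep -Seconds 30
    Get-WinEvent -FilterHashtable @{LogName='File Replication Service'; Id=13553,13554,13516; StartTime=$start} -ErrorAction SilentlyContinue |
        ForEach-Object { $seen[$_.Id] = $_.TimeCreated }
} until ($seen.ContainsKey(13516) -or (Get-Date) -gt $deadline)

# Step 6: confirm the shares are back. Get-SmbShare is the PowerShell
# equivalent of "net share".
$shares = Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { $_.Name -in 'SYSVOL','NETLOGON' }
if ($seen.ContainsKey(13516) -and $shares.Count -eq 2) {
    Write-Output 'Recovery completed: event 13516 logged, SYSVOL and NETLOGON are shared.'
} elseif ($seen.ContainsKey(13554)) {
    Write-Output 'FRS is waiting to pull SYSVOL from a peer DC (event 13554); with no peer DC this cannot complete.'
} else {
    Write-Output ('Recovery not finished. FRS events seen: {0}' -f (($seen.Keys | Sort-Object) -join ', '))
}

# Step 7: revert the flag so FRS does not auto-restore on every future journal wrap.
Set-ItemProperty -Path $key -Name $name -Value 0
```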