DCDiag VerifyReferences test fails when you use DFSR to replicate SYSVOL
This article provides a solution to an error that occurs when you use the Distributed File System Replication (DFSR) service to replicate the sysvol folder.
Original product version: Windows Server 2012 R2
Original KB number: 3110032
Consider the following scenario:
- You use the Distributed File System Replication (DFSR) service to replicate the sysvol folder.
- All domain controllers (DC) are running Windows Server 2008 R2 or a later version.
- You run the Domain Controller Diagnostics Tool (DCDiag) to generate a report about the replication.
In this scenario, DCDiag returns the following error message:
failed test VerifyReferences
The DCDiag report contains the following entry:
Problem: Missing Expected Value Base Object: CN=<DCNAME>,OU=Domain Controllers,DC=<DOMAIN>,DC=<COM> Base Object Description: "DC Account Object" Value Object Attribute Name: frsComputerReferenceBL Value Object Description: "SYSVOL FRS Member Object" Recommended Action: See Knowledge Base Article: Q312862
When this problem occurs, DCDiag validates the reference object for DFSR. Also, the NT File Replication Service (NTFRS) stops.
This problem occurs because there's no File Replication Service (FRS) reference in the Active Directory database under the domain controller object when DFSR is used for sysvol replication. Instead, there's only an object for DFSR.
This logic isn't included in earlier versions of DCDiag, such as DCDiag for Windows Server 2008 or DCDiag installed together with Windows Server 2003 Support Tools. So these versions search for the FRS member reference, and it generates a false error in DCDiag.
To resolve this problem, run Dcdiag.exe from
%windir%\System32. This folder contains the latest version of DCDiag in Windows 2008 and Windows 2008 R2. By running the latest version of DCDiag, the sysvol replication will pass the VerifyReferences test.
Instead, if the Windows Support Tools suite is installed on Windows Server 2008 R2, uninstall it. Which resolves the problem and lets you run Dcdiag.exe from any location.
Even if you use the latest DCDiag releases, the error that is mentioned in the Symptoms section may still occur if the msDFSR-Flags attribute in the CN=<DCNAME>,OU=Domain Controllers,DC=<DOMAIN>,DC=<COM> line in the DCDiag entry is missing or doesn't match one of the following flags:
- Redirected phase: msDFSR-Flags on CN=dfsr-LocalSettings is 0x20 (32 dez)
- Eliminated phase: msDFSR-Flags on CN=dfsr-LocalSettings is 0x30 (48 dez)
In this case, DCDiag assumes falsely that the File Replication Service (FRS) is still configured for SYSVOL, and it tries to verify FRS objects and attributes in an Active Directory database that doesn't exist. So you can expect the verification to fail.