mstech-5681 asked DSPatrick commented

What Causes SYSVOL and NETLOGON Shares to be Deleted?

I have a perplexing problem on a test network I have. It was the victim of a ransomware attack recently but, being a test network, all of the encryption didn't really cause a problem. However, none of the DCs work now. If I try to open any of the AD** utilities, they tell me that the domain doesn't exist. After some initial troubleshooting, I discovered that the SYSVOL and NETLOGON shares had been deleted. The strange part is that I copied the vhdx file for a DC on another network and spun it up as the only running DC on the network. Its shares ended up deleted as well. Even after manually recreating the shares and rebooting, the shares were gone again.

So, what would cause these shares to be deleted? Since this is the only DC on the network now, it can't be a replication or GPO issue. DNS appears to be solid so it can't be the problem, either. Scratching my head...

windows-active-directory

DSPatrick answered

mstech-5681 answered DSPatrick commented

But, there is only one DC so how could replication be a/the problem?


Regardless, this is still a part of Windows Active Directory.

--please don't forget to upvote and Accept as answer if the reply is helpful--




Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



LimitlessTechnology-2700 answered

Hello MsTech,

This sounds like a common issue after you restore a DC, and it forces authoritative synchronization.

Please check this document that explains the checklist and troubleshooting: https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/missing-sysvol-and-netlogon-shares

Initially I would try the following:
1. Open the registry and navigate to "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters".
2. Change the value for "Enable Journal Wrap Automatic Restore" from 0 to 1. If the DWORD value does not exist, create a new one, including spaces but without the quotes.
3. Stop the NTFRS service (from an elevated command prompt, type "net stop ntfrs").
4. Start the NTFRS service ("net start ntfrs").
5. Check for File Replication Services events in Event Viewer:
   • 13553 – The DC is performing the recovery process.
   • 13554 – The DC is ready to pull the replica from another DC.
   • 13516 – If you receive this Event ID, everything went fine and you can continue.
6. From the elevated command prompt, type "net share" and look for SYSVOL and NETLOGON. The issue will be resolved when the new SYSVOL replica is pulled from a peer Domain Controller. This may take some minutes.
7. Revert the value for "Enable Journal Wrap Automatic Restore" from 1 to 0.

Hope this helps in your case,
Best regards,
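
The registry change, service restart, event check and share check from the answer above, combined into one PowerShell script. This is an added example, not part of the original answer; the 15-minute timeout, the `File Replication Service` event log name, and the use of `Get-SmbShare` in place of `net share` are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: runs steps 1-7 above on a DC that uses FRS (NtFrs) for SYSVOL.
$key            = 'HKLM:\System\CurrentControlSet\Services\NtFrs\Parameters'
$name           = 'Enable Journal Wrap Automatic Restore'
$frsLog         = 'File Replication Service'   # assumption: classic FRS log name
$timeoutMinutes = 15                           # assumption: wait limit for event 13516

# Steps 1-2: set the DWORD to 1 (-Force creates it if missing, overwrites if present)
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

try {
    # Steps 3-4: restart NTFRS; record the time so only new events are counted
    $since = Get-Date
    Restart-Service -Name NtFrs -Force

    # Step 5: poll the FRS log for 13553 / 13554 / 13516 until 13516 or timeout
    $seen     = @{}
    $deadline = $since.AddMinutes($timeoutMinutes)
    while (-not $seen.ContainsKey(13516) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 15
        $events = Get-WinEvent -FilterHashtable @{
            LogName = $frsLog; Id = 13553, 13554, 13516; StartTime = $since
        } -ErrorAction SilentlyContinue   # no matching events yet is not an error here
        foreach ($e in $events) {
            if (-not $seen.ContainsKey($e.Id)) {
                $seen[$e.Id] = $e.TimeCreated
                Write-Host ("Event {0} logged at {1}" -f $e.Id, $e.TimeCreated)
            }
        }
    }
    if (-not $seen.ContainsKey(13516)) {
        Write-Warning "Event 13516 not seen within $timeoutMinutes minutes."
    }

    # Step 6: confirm both shares exist and show the paths they point to
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $s = Get-SmbShare -Name $share -ErrorAction SilentlyContinue
        if ($s) { Write-Host "$share -> $($s.Path)" }
        else    { Write-Warning "$share share is missing" }
    }
}
finally {
    # Step 7: revert the value to 0 even if a step above failed
    Set-ItemProperty -Path $key -Name $name -Value 0
}
```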
