How to relocate a SYSVOL tree that uses FRS for replication
This article describes two options for relocating the system volume (SYSVOL) tree on your domain controller.
Original product version: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2
Original KB number: 842162
*The SYSVOL is a collection of folders, file system reparse points, and Group Policy settings that are replicated by the File Replication Service (FRS). Replication distributes a consistent copy of Group Policy settings and scripts among domain controllers in a domain. Member computers and domain controllers access the contents of the SYSVOL tree through two shared folders, Sysvol and Netlogon.
This article describes how to move the SYSVOL tree and its shares to a different logical or physical drive letter.*
This section discusses how to move the SYSVOL tree from the C:\Winnt\Sysvol folder to the X:\Winnt\Sysvol folder. In this example, the domain controller is named DC1, and the domain name is CONTOSO.COM.
Use the Active Directory Installation Wizard to demote and to repromote the domain controller
Confirm that inbound and outbound replication is occurring for the Active Directory directory service and for the SYSVOL tree.
Use the Active Directory Installation Wizard to do a network-based demotion of the DC1 domain controller. Restart DC1 immediately after the demotion.
Before you repromote DC1, wait for the following events to occur:
- All domain controllers in the forest must inbound replicate the removal of the demoted domain controller's NTDS file system settings object. This object is located in the configuration partition. The NTDS settings object is the parent of Active Directory connection objects that are visible in the Active Directory Sites and Services snap-in.
- All global catalog domain controllers in the forest must inbound replicate the read-only copy of DC1's domain partition.
Use the Active Directory Installation Wizard to specify a new drive and path on an NTFS-formatted partition. Demotion and repromotion of a domain controller is a simple and supported option for relocating the SYSVOL tree and its shares if the following conditions are true:
- A small-to-medium number of objects exist in Active Directory.
- Local area network (LAN)-speed connectivity is available.
- Additional domain controllers are available in the affected Active Directory domain and Active Directory site.
However, network-based Active Directory Installation Wizard promotions in domains with multi-gigabyte Active Directory databases may take 2-7 days if network connectivity is slow.
To avoid delays when you promote replica domain controllers that are running Windows Server 2003 or later, you can do installations from media-based promotions, where the bulk of Active Directory is sourced from a locally restored system state backup.
To estimate the required time for a network-based promotion, compare the start and end times for a previous promotion that was comparable in scope. These times are available in the %Systemroot%\Debug\Dcpromo.log file.
Manually relocate an existing SYSVOL tree to a new location
In the life cycle of a domain controller that is using the File Replication Service (FRS), you may have to relocate the SYSVOL tree to a different logical or physical drive. You may relocate the SYSVOL tree to enhance system performance or to obtain more free disk space for the SYSVOL tree or for the FRS staging folder.
For more information about changing the FRS staging folder to a location that is independent of the SYSVOL tree, click the following article numbers to view the articles in the Microsoft Knowledge Base:
265085 Moving FRSStagingPath requires non-authoritative restoration pre-Service Pack 3 versions of FRS
291823 How to reset the File Replication Service staging folder to a different logical drive
To move a SYSVOL tree to a new drive, use one of the following options:
- Do a network-based Active Directory Installation Wizard (Dcpromo.exe) demotion. Specify a new drive and path for the SYSVOL tree during promotion.
- Modify the registry and manually move the SYSVOL tree to a new drive.> [!IMPORTANT]
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows
To manually move the SYSVOL tree, move the SYSVOL tree from its drive and path to a new destination drive and path by modifying several registry keys and by resetting reparse points in the file system. To do this task, follow these steps:
- Prepare your domain controller. To do this task, follow these steps:
- Confirm that inbound and outbound Active Directory replication is occurring on the domain controller.
- Confirm that inbound and outbound FRS replication of the SYSVOL replica set is occurring on the domain controller.
- Turn off antivirus programs or other services that create locks on files or on folders that reside in the SYSVOL tree.
- Back up the system state of the domain controller. Back up the file system part of the SYSVOL tree on the domain controller so that you can return the computer to its current configuration if you experience problems with the relocation process.
- Stop the FRS.
- Use Windows Explorer or an equivalent program to copy the original SYSVOL domain tree to the Clipboard.
For example, if the SYSVOL domain tree is located in the C:\Winnt\Sysvol folder, click to select this folder, click Edit on the menu bar, and then click Copy. 3. Use Windows Explorer or an equivalent program to paste the contents of the Clipboard in the new path.
For example, to move the SYSVOL tree to the
X:\Winnt\Sysvol folder, click to select this folder, click Edit, and then click Paste.
The parent folder for the moved SYSVOL tree may be modified. However, we recommend that you maintain the same relative path for the moved SYSVOL tree. For example, if the SYSVOL tree was originally located in the C:\Winnt\Sysvol folder and you want to moved the SYSVOL tree on logical drive X, create a
X:\Winnt folder, and then paste the SYSVOL tree in that folder.
4. Use the Ldp.exe or ADSIedit.msc editors to modify the value of the FRSRootPath attribute in Active Directory. The FRSRootPath attribute must reflect the new replica set root drive and the folder that you specified in step 3. In this example, you would modify the FRSRootPath attribute as follows:
- DN Path: cn=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,CN=DC1,OU=Domain Controller,DC=CONTOSO.COM
- FRSRootPath Value: X:\Winnt\Sysvol\Domain
Use the Ldp.exe or ADSIedit.msc editors to modify the value for the FRSStagingPath attribute. This attribute must reflect the new staging path, including the new drive and folder that you selected in step 3.
- DN path: cn=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,CN=DC1,OU=Domain Controller,DC=CONTOSO.COM
- FRSStagingPath Value: X:\Winnt\Sysvol\Staging\Domain
Modify the registry to reflect the new staging drive and folder. To do this task, follow these steps.
Click Start, click Run, type regedt32, and then click OK.
Locate and then right-click the following registry subkey:
Right-click the SYSVOL value, and then click Modify. Type a new path for the SYSVOL replica set root. For example, type
Configure FRS to do a non-authoritative restore of the SYSVOL replica set. To do this task, follow these steps:
Locate and then select the following registry subkey: \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Right-click the BurFlags value, and then select Modify. Set the value to D2 hexadecimal if there are other domain controllers in the same domain. Set the BurFlags value to D4 hexadecimal if only one domain controller exists in the domain.
Do not restart FRS now.
If the domain controller hosts any FRS-replicated DFS roots or links, you may want to set the replica set-specific BurFlags registry key to prevent a temporary service outage and re-replication of data in FRS-replicated DFS roots or links.
For more information, select the following article number to view the article in the Microsoft Knowledge Base:
290762 Using the BurFlags registry key to reinitialize file replication service replica sets
- Apply default permissions to the new path of the SYSVOL tree. To do this task, copy the following text, and then paste it in a Notepad file:
[Unicode] Unicode=yes [Version] signature="$CHICAGO$" Revision=1 [Profile Description] Description=default perms for sysvol [File Security] ;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)" ;--------------------------------------------------------------------------------------------- ;Sysvol. THIS ENVIRONMENT VARIABLE MUST BE SET!!!!!!!!!!!!!!!!!!!!!!!!! ;--------------------------------------------------------------------------------------------- "%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)" "%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
- Use the following parameters to save the contents of the Notepad file that you created in step 8:
- File name: %systemroot%\security\templates\sysvol.inf
- Save as type: All Files
- Encoding: Unicode
The SYSVOL environment variable must be set to point to the new location. Otherwise, the Secedit command does not run successfully. 10. Import the SYSVOL security template. To do this operation, select Start, select Run, type cmd, and then select OK. Type the following, and then press ENTER: secedit /configure /cfg %systemroot%\security\templates\sysvol.inf /db %systemroot%\security\templates\sysvol.db /overwrite
- Use the
Linkdcommand to update the reparse points in the file system to reflect the new path of the SYSVOL tree. For example, if your domain controller is in the CONTOSO.COM domain, and the SYSVOL tree is located in the
X:\Windows\Sysvolfolder, type the following commands at the command prompt on your domain controller. Press ENTER after each command.
linkd X:\Winnt\Sysvol\Sysvol\CONTOSO.COM X:\Winnt\Sysvol\Domain linkd X:\Winnt\Sysvol\Staging areas\CONTOSO.COM X:\Winnt\Sysvol\Staging\Domain
Make sure that the SYSVOL directory tree is created before you run the Linkd command. The command fails if there is data in the CONTOSO.COM directory or subdirectories.
- Restart FRS.
- Look for events in the FRS event log that indicate that the replica set is joined and that the SYSVOL folder is changed. For example, you may see an event that is similar to the following example:
In the example that is used in this article, the event would include the following information:
On the domain controller, use the
net logoncommand or the net view command to verify that the domain controller has shared the Netlogon and Sysvol folders. If the shared folders don't exist, follow these steps:
If the value for the
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\Sysvolreadyregistry subkey is 1, restart the Netlogon service. If this subkey value is 0, go to step c.
Look for the shared folders again. If the folders are still not available, type the following command at a command prompt, and then press ENTER:
Look for errors in the %Systemroot%\Debug\Netlogon.log file. 3. If the value for the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\Sysvolready registry subkey is 0, don't set the registry value to 1. Review the FRS debug logs in the %Systemroot%\Debug folder to verify that inbound and outbound FRS replication is occurring. 15. Restart any services that you stopped in step 1c.