SYSVOL / DFSR replication failure

Indicators

• Event IDs 4012, 4614, 4622, 5002 in DFS Replication log
• GPO changes reach one DC but never propagate
• dfsrdiag replicationstate shows backlog or stopped
• Login script differences across sites

Likely causes

• Journal wrap → DFSR stops replication for the affected member
• Auto-recovery disabled (default behaviour post-2008R2 patch)
• Disk full on volume hosting SYSVOL
• FRS-to-DFSR migration left in mid-state (PrepareForUpgrade / Redirected)
• Antivirus exclusion missing on SYSVOL / DFSR Private folder

Diagnostic steps

1. Check DFSR event log for 4012 (journal wrap) — this is the most common failure
2. Verify the SYSVOL share is present: net share — must show SYSVOL and NETLOGON
3. dfsrdiag replicationstate, dfsrdiag backlog /smem:<source> /rmem:<receiving>
4. If journal wrap with auto-recovery disabled: enable auto-recovery via registry (HKLM\System\CurrentControlSet\Services\DFSR\Parameters\StopReplicationOnAutoRecovery = 0) then restart DFSR
5. For full SYSVOL rebuild — non-authoritative on bad DC, authoritative on good DC, follow the burflags D2/D4 equivalents for DFSR

Resolution path

• Diagnose specific failure (journal wrap, disk space, AV exclusion)
• Enable auto-recovery or perform manual authoritative sync
• Verify backlog clears: dfsrdiag backlog returns 0
• Confirm SYSVOL contents identical across all DCs (file count + hash spot-check)

Prevention

• AV exclusions for SYSVOL and DFSR private folder per Microsoft KB 822158
• Disk space monitoring on volumes hosting SYSVOL
• Auto-recovery left enabled (Microsoft now recommends this)
• Regular dfsrdiag scheduled checks

Tools

• dfsrdiag, dfsrmig
• Event Viewer (DFS Replication)
• PowerShell: Get-DfsrState, Get-DfsrBacklog
• Registry editor for StopReplicationOnAutoRecovery

References

• Microsoft Learn — DFSR journal wrap recovery
• Microsoft Learn — Authoritative / non-authoritative SYSVOL DFSR sync