You've recently restored an Active Directory domain controller, either via WinIR, VMIR, or a straight restore from a host-based or file-based backup.
Upon attempting to authenticate with domain credentials for any domain computer or member server, you're presented with the following error.
After restoring a domain controller, log in and confirm that the SYSVOL share is present. The command to do this is `net share | findstr /b SYSVOL`.
If the SYSVOL share is not present, then you need to perform a series of steps (below) to make it available again, including your group policy objects and scripts.
1. Log in to the domain controller
2. Open File Explorer and navigate to C:\Windows\SYSVOL\domain\
3. Follow the link for your domain
4. Enter folder “NtFrs_PreExisting__See_EventLog”
5. Copy the content to a new folder on the desktop
6. Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
7. Set SysVolReady to 0
8. In the Registry Editor, navigate to HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
9. Set BurFlags to D4
10. Open services.msc
11. Restart the “File Replication” service
12. Copy the data from the new folder (see step #5) back to the folder for your domain location under C:\Windows\SYSVOL\domain\
13. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
14. Set SysVolReady to 1
15. [Optional] Reboot
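A read-only status check for the values this procedure touches, useful before starting and again after the last step. It is an added example, not part of the original article. It assumes Windows PowerShell 5.1 in an elevated session on the restored domain controller; the function names are hypothetical, and `NtFrs` is the service name of the File Replication service.

```powershell
# Added example (not from the original article): reads state only, changes nothing.
function Get-LmRegValue {
    param([string]$SubKey, [string]$Name)
    # The .NET registry API is used because the PowerShell registry provider
    # treats the "/" in "Backup/Restore" as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { $key.GetValue($Name) } finally { $key.Close() }
}

function Get-SysvolRestoreStatus {
    # Default is the path used in the steps above.
    param([string]$SysvolRoot = 'C:\Windows\SYSVOL\domain')

    $services    = 'SYSTEM\CurrentControlSet\Services'
    $sysVolReady = Get-LmRegValue "$services\Netlogon\Parameters" 'SysVolReady'
    $burFlags    = Get-LmRegValue "$services\NtFrs\Parameters\Backup/Restore\Process at Startup" 'BurFlags'

    # Same test as the article's "net share | findstr /b SYSVOL".
    $shared = [bool](net share | findstr /b SYSVOL)

    # Wildcard match, so the exact spelling of the folder name does not matter.
    $preExisting = Get-ChildItem -Path $SysvolRoot -Directory -Recurse -Depth 1 `
        -Filter 'NtFrs_PreExisting*' -ErrorAction SilentlyContinue

    $frs = Get-Service -Name NtFrs -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SysvolShared      = $shared
        SysVolReady       = $sysVolReady
        BurFlagsHex       = if ($null -ne $burFlags) { '{0:X}' -f $burFlags } else { $null }
        FrsServiceStatus  = if ($frs) { $frs.Status } else { 'not installed' }
        PreExistingFolder = @($preExisting).FullName
        # The end state the procedure aims for: share present and SysVolReady = 1.
        SysvolAvailable   = $shared -and ($sysVolReady -eq 1)
    }
}

Get-SysvolRestoreStatus | Format-List
```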
There can be many causes for this particular condition. In most cases, the domain services did not come up in the proper order on the affected domain controller.
Please keep in mind that restoring a domain controller is not recommended unless you have no other domain controllers in your environment. In the majority of cases where we've seen this particular issue, a domain controller was spun up in a DR environment.
Unable to manage Active Directory for a recently restored Domain Controller