Isolate a DC - Part 2: Reset SYSVOL Sync State
This is Part 2 of a multi-part blog post covering the steps to Isolate a Domain Controller - if not emotionally, then logically.
Reset your DFSR SYSVOL State
A DC booting into its own little world won't become healthy until SYSVOL has completed a sync with a partner in its domain. This step is optional if your domain is temporary, but if you ever want to promote a new DC, or have a beautiful clear DCDIAG, then you'll need to force SYSVOL into a synced state. Not by threatening to put it to bed early, but instead by tweaking the msDFSR-Options attribute on its SYSVOL Subscription object.
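function Reset-SYSVOLSyncState {
    # Locate this DC's SYSVOL Subscription object under its own computer account
    $dcDn = (Get-ADComputer $(& hostname)).DistinguishedName
    $subscription = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
    # msDFSR-Options = 1 marks this DC's copy of SYSVOL as authoritative
    Set-ADObject $subscription -Replace @{'msDFSR-Options' = 1}
    # Restart DFSR so the service picks up the new setting
    Restart-Service DFSR
}
Reset-SYSVOLSyncState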
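To confirm the reset actually took before moving on to the next part, the following check polls the DFSR WMI provider until the SYSVOL replicated folder reports state 4 (Normal) and verifies that the SYSVOL and NETLOGON shares are published. It is an added example, not part of the original post; the function name Test-SYSVOLSyncState and the timeout values are assumptions.

```powershell
#Requires -Modules ActiveDirectory

function Test-SYSVOLSyncState {
    param(
        [int]$TimeoutSeconds = 300,   # assumed defaults, tune for your environment
        [int]$PollSeconds    = 10
    )

    # Same subscription object that Reset-SYSVOLSyncState modifies
    $dcDn  = (Get-ADComputer $env:COMPUTERNAME).DistinguishedName
    $subDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
    $sub   = Get-ADObject $subDn -Properties 'msDFSR-Options', 'msDFSR-Enabled'

    # State codes reported by the DfsrReplicatedFolderInfo WMI class
    $stateNames = @{
        0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
        3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error'
    }

    # Poll until SYSVOL reaches Normal or the timeout expires
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $rf = Get-CimInstance -Namespace 'root/MicrosoftDFS' `
                  -ClassName DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
              Where-Object ReplicatedFolderName -eq 'SYSVOL Share'
        if ($rf -and $rf.State -eq 4) { break }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    # A DC only advertises itself once both shares exist
    $shares = @(Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue)
    $state  = if ($rf) { $stateNames[[int]$rf.State] } else { 'Not reported' }

    [pscustomobject]@{
        Subscription   = $subDn
        MsDfsrOptions  = $sub.'msDFSR-Options'
        MsDfsrEnabled  = $sub.'msDFSR-Enabled'
        DfsrState      = $state
        SharesPresent  = ($shares.Name -join ', ')
        Healthy        = ($state -eq 'Normal' -and $shares.Count -eq 2)
    }
}

Test-SYSVOLSyncState
```

If Healthy comes back False after the timeout, the DfsrState and SharesPresent columns show which half of the check failed.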
All the other parts of this series are available here:
- Part 1: Configure the Network
- Part 2: Reset SYSVOL Sync State
- Part 3: Activate Administrator Account
- Part 4: Reset DSRM Password
- Part 5: Disable Global Catalog
- Part 6: Raise RID Pools
- Part 7: Seize all FSMO roles
- Part 8: Metadata cleanup all other DCs
- Part 9: Reset Intra-Forest trust passwords
- Part 10: Reset KrbTGT password twice