After a restore, my standalone (yes, I know, horrible practice, I shot myself in the foot, etc.) Windows 2012 R2 domain controller no longer has data in the SYSVOL share. Immediately after the restore, it refused to function both as a DC and as a DNS server, until I flipped HKLM\CurrentControlSet\Services\Netlogon\Parameters\SysvolReady to 1 in the registry.
Once I more or less got it working again, I started noticing entries of Error 1058 in the log about every 5 to 10 minutes, basically saying it cannot read the gpt.ini file for the configured group policies. I checked manually and the SYSVOL, which the error message is referring to, is basically empty. It has the default folders, but it is exactly 0 bytes (as reported by Windows Explorer). The NETLOGON share does not exist.
I did some research, and the only solution I found was to mark the DC as non-authoritative and have it overwritten by the SYSVOL contents of a replica DC. Unfortunately this isn't really an option, since the DC is standalone. I've also gone through the MS docs (mostly https://support.microsoft.com/en-us/help/257338/troubleshooting-missing-sysvol-and-netlogon-shares-on-windows-domain-c and https://support.microsoft.com/en-us/help/315457/how-to-rebuild-the-sysvol-tree-and-its-content-in-a-domain) but did not find a solution.
In order to test if replication would actually help somehow (I am grasping at straws here), I promoted a second machine to DC and verified repadmin reports replication works fine. Strangely enough, I am now unable to resolve the [domain name] DNS entry from my Windows machines to reach the SYSVOL share. From my Linux machines, I can resolve the DNS entry fine. The DNS entry is correctly registered in DNS, in the [domain name] zone: 2 A-records with name "(same as parent folder)" and the IPs of the two DCs. I am querying the correct DNS server (original DC) and getting an answer for other records in the DNS zone, from both environments.
So, my questions:
- Is there any way to recreate SYSVOL and NETLOGON from scratch?
- Why am I unable to resolve the [domain name] DNS entry from Windows machines in my domain?
I'd be very grateful for any hints.