Server2025 new DC wont sync with SERVER2016 DC

Hello Craig Meyers,

Just following up. Your description lacks details regarding your current functional levels and replication engine state. Please confirm whether your Domain and Forest Functional Levels are at least Windows Server 2016, as Server 2025 strictly requires this baseline before it can successfully operate as a domain controller. Furthermore, you must verify that your existing domain has been fully migrated to Distributed File System Replication by executing dfsrmig /getglobalstate on the Server 2016 DC, which must explicitly return State 3, indicating the old FRS system is completely eliminated.

If the migration state is correct and repadmin /showrepl indicates no underlying Active Directory topology errors, the new Server 2025 DC is likely failing to transition its local state after the initial replication phase rather than suffering from a corrupted subscription. Check the DFS Replication event logs on the new server for Event ID 4604, which signals initial replication completion. If this event is absent, inspect the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry path on the Server 2025 machine. Look for the SysvolReady DWORD; if it is set to 0, the server is intentionally suppressing the advertisement of the SYSVOL and NETLOGON shares while it waits for an initial inbound replication token. You can manually expedite this polling process by running dfsrdiag pollad in an elevated prompt and subsequently restarting the DFS Replication service. Only if these baseline configuration checks and forced polling attempts fail should you proceed with the non-authoritative attribute modifications.

VP

Hello Craig Meyers,

Windows Server 2025 has fully removed the File Replication Service (FRS) binaries, if your existing domain is still using FRS for SYSVOL replication instead of DFS Replication (DFSR), the new domain controller will never be able to sync, regardless of troubleshooting steps. Before proceeding with fix, you must clarify two details to ensure the solution is applicable:

First, run dfsrmig /getglobalstate on the Server 2016 DC to confirm the output is "Eliminated" (State 3),

Second, provide the output of repadmin /showrepl to confirm that standard Active Directory object replication is functioning, as DFSR relies on the AD topology to initiate.

If dfsrmig confirms you're using DFSR and repadmin shows no errors, the issue is likely a "fenced" source or a stale subscription. Check the DFS Replication event log on the source Server 2016 DC for Event ID 2213, if present, the database is shut down cleanly to prevent corruption, and you must run the specific wmic command provided in the event text to resume replication. If the source is clean, proceed with a non-authoritative synchronization on the new Server 2025 DC. Open ADSI Edit (adsiedit.msc), navigate to the configuration for the new DC (OU=Domain Controllers > CN=NewDC > CN=DFSR-LocalSettings > CN=Domain System Volume > CN=SYSVOL Subscription), and change the msDFSR-Enabled attribute to FALSE. Force AD replication (repadmin /syncall /AdeP), wait for Event 4114 on the new DC indicating the subscription is disabled, then switch the attribute back to TRUE and trigger replication again. This forces the DFSR service to re-evaluate the topology and pull a fresh copy of SYSVOL from the upstream partner.

Hope you found something useful in the answer. If it helped you get more insight into the issue, please consider accepting it. Thank you and have a nice day!

VP

To troubleshoot the issue where your new Server 2025 Domain Controller (DC) is not syncing with the Server 2016 DC and is failing to create the SYSVOL and NETLOGON shares, you can follow these steps:

1. Check Initial Synchronization: Ensure that the new DC has completed its initial synchronization. You can do this by running the dfsrdiag pollad command on the new DC to trigger it to complete the initial sync. Look for event ID 4614, which indicates that the DC is waiting to do initial synchronization.
2. Verify SYSVOL Sharing: If the new DC is healthy and the SYSVOL is not shared, check the DFS Replication event logs on the new DC for any errors. You may need to examine the DFSR Debug logs as well.
3. Run Migration Commands: If the new DC is stuck in the initialization phase, you can run the following commands:
   • DFSRMIG.EXE /CREATEGLOBALOBJECTS to create the necessary global objects.
   • After that, run DFSRDIAG.EXE POLLAD again to check the migration state.
4. Check Group Policy: Ensure that the Group Policy settings are correctly applied to the new DC. You can use GPRESULT.EXE /H secpol.htm to generate a report and check for any policies that might be affecting the replication.
5. Restart DFSR Service: If necessary, restart the DFSR service on the new DC to refresh the replication process.
6. Event Logs: Monitor the event logs for any specific errors related to DFS Replication or SYSVOL sharing, such as event IDs 2213, 2214, 4604, and 4602, which can provide insights into what might be going wrong.

By following these steps, you should be able to identify and resolve the synchronization issue between your Server 2025 and Server 2016 DCs.

References:

• How to troubleshoot missing SYSVOL and Netlogon shares
• DFSR SYSVOL fails to migrate or replicate, SYSVOL not shared, Event IDs 8028 or 6016