Manually Force SysVol Replication to RODC

Logon scripts and GPOs should be edited on a writable DC (preferably the replication partner for the RODC). I have seen issues where the SYSVOL share has taken a long time to replicate the changes to the RODC, delaying testing and so on.

To manually replicate the SYSVOL folder, run the following command:

ntfrsutl.exe forcerepl fqdn.of.RODC /r "Domain System Volume (SYSVOL share)" /p fqdn.of.writableDC

When you attempt to run this command you may receive an error like the one below:

Failure to force replication. The file replication service cannot satisfy the request because the user has insufficient privileges. The event log may have more information.

You will also see an alert in the FRS event log which luckily provides the solution:

The File Replication Service did not grant the user “sccengineer” access to the API “Force Replication”.

Permissions for “Force Replication” can be changed by running regedit.

Click on Start, Run, and type regedit.

Expand HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, NtFrs, Parameters, Access Checks, and highlight “Force Replication”. Click on the toolbar option Security and then Permissions…

Access checks can be disabled for “Force Replication”. Double click on “Access checks are [Enabled or Disabled]” and change the string to Disabled.

If you follow the steps in the alert, restart the File Replication Service and run the above command again, it should replicate the SYSVOL share and you will see the updated logon script files.

Remember to put the registry value back to Enabled afterwards, so that access checks on the “Force Replication” API are enforced again.
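The whole procedure can be wrapped so that the access check is always restored, even if the replication command fails. The script below is an added example, not part of the original post; the parameter names are hypothetical, and it assumes it is run elevated on the server whose FRS event log recorded the alert and that the restored value also needs a service restart to take effect.

```powershell
# Added example: temporarily disable the FRS "Force Replication" access check,
# force SYSVOL replication, then restore the original setting no matter what.
param(
    [Parameter(Mandatory)] [string] $Rodc,        # hypothetical name: FQDN of the RODC
    [Parameter(Mandatory)] [string] $WritableDc   # hypothetical name: FQDN of the writable DC
)

# Registry location and value name as given in the FRS event log alert.
$key  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Access Checks\Force Replication'
$name = 'Access checks are [Enabled or Disabled]'
$set  = 'Domain System Volume (SYSVOL share)'

# The value name contains [ ], which PowerShell registry cmdlets may treat as
# wildcards, so read and write it literally through the .NET Registry class.
$original = [Microsoft.Win32.Registry]::GetValue($key, $name, $null)
if ($null -eq $original) {
    throw "Value '$name' not found under $key; nothing was changed."
}

try {
    # Relax the access check and restart FRS so the change is picked up.
    [Microsoft.Win32.Registry]::SetValue($key, $name, 'Disabled')
    Restart-Service -Name NtFrs

    # Same command as in the post, with the FQDNs supplied as parameters.
    & ntfrsutl.exe forcerepl $Rodc /r $set /p $WritableDc
}
finally {
    # Put back exactly what was there before and restart FRS again
    # (assumption: the restored value also needs a restart to apply).
    [Microsoft.Win32.Registry]::SetValue($key, $name, $original)
    Restart-Service -Name NtFrs

    # Verify the restore instead of trusting it.
    $now = [Microsoft.Win32.Registry]::GetValue($key, $name, $null)
    if ($now -ne $original) {
        Write-Error "Access check NOT restored. Current value: '$now', expected: '$original'."
    } else {
        Write-Host "Access check restored to '$original'."
    }
}
```

The verification step in the `finally` block can also be run on its own as a periodic check that no server has been left with the value set to Disabled.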
