Troubleshooting Netlogon Share Issues in Active Directory Domain Controllers
A common issue encountered in Active Directory environments is the failure of the Netlogon share on a Domain Controller (DC). When running dcdiag /test:NetLogons, you may encounter an error similar to:
Starting test: NetLogons
Unable to connect to the NETLOGON share! (DC-02\netlogon)
[DC-02] A net use or LsaPolicy operation failed with error 67, The network name cannot be found
DC-02 failed test NetLogons
This issue can lead to authentication failures, broken logon scripts, and Group Policy processing errors. Here’s how to troubleshoot and resolve the issue step by step.
Step 1: Verify SYSVOL and NETLOGON Shares
Check whether the NETLOGON share exists. Run this command on the affected DC:
net share
Expected output should be:
NETLOGON C:\Windows\SYSVOL\sysvol\yourdomain.com\SCRIPTS
SYSVOL C:\Windows\SYSVOL\sysvol
If the NETLOGON share is missing, proceed with further troubleshooting.
Step 2: Verify SYSVOL Folder Exists
Check if the SYSVOL folder is present: C:\Windows\SYSVOL\sysvol
- If the folder is missing, you may have a replication issue.
- If it’s there but empty, try restarting the DFS Replication service.
Step 3: Restart NETLOGON and DFS Services
Restarting the necessary services can sometimes restore the missing shares.
net stop netlogon
net stop dfsr
net start dfsr
net start netlogon
Then, re-register DNS and Netlogon records:
nltest /dsregdns
ipconfig /flushdns
ipconfig /registerdns
Now, test Netlogon again: dcdiag /test:netlogons
Step 4: Check Event Logs for Errors
Open Event Viewer (eventvwr.msc) and navigate to:
- System Logs → Look for Netlogon errors (Event ID 5719, 5722, 5805).
- Directory Service Logs → Look for Active Directory replication errors.
Step 5: Force SYSVOL Replication (If DFSR Is Used)
If your environment uses DFS-R for SYSVOL replication, reinitialize it:
- Stop DFSR on the affected DC: net stop dfsr
- Set the DC as non-authoritative: reg add HKLM\System\CurrentControlSet\Services\DFSR\Parameters\Backup /v Restore /t REG_DWORD /d 0 /f
- Restart DFSR: net start dfsr
- Force SYSVOL replication: repadmin /syncall /AeD
- Verify SYSVOL and Netlogon shares: net share
In my case it failed at the first step itself, as the SCRIPTS folder was missing, and I figured it out and fixed it by doing the following:
Step 1: Manually Create the Missing “SCRIPTS” Folder
- Check if the folder exists: C:\Windows\SYSVOL\sysvol\domain.com\
- If SCRIPTS is not listed, create it manually: mkdir C:\Windows\SYSVOL\sysvol\domain.com\SCRIPTS
- Confirm the folder was created: C:\Windows\SYSVOL\sysvol\domain.com\
Step 2: Recreate the NETLOGON Share
Now that the SCRIPTS folder exists, try creating the share again:
net share NETLOGON=C:\Windows\SYSVOL\sysvol\yourdomain.com\SCRIPTS /grant:everyone,full
Then verify: net share
Step 3: Restart the NETLOGON Service
After adding the share, restart the Netlogon service:
net stop netlogon
net start netlogon
Then check if the share is now accessible: dcdiag /test:netlogons
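An added check, not part of the original post, that can be run after Step 3 to confirm the repaired share: it verifies that NETLOGON is published and points at an existing SCRIPTS folder, and reports share-level grants broader than Read, such as the Everyone full-control grant in the net share command above. The SysvolReady registry value, the function name and the list of broad principals are assumptions not taken from the post; the cmdlets need an elevated PowerShell session on Windows Server 2012 or later.

```powershell
# Added example: read-only post-repair check for a DC's NETLOGON share.
# Run in an elevated PowerShell session on the affected DC. It changes nothing.

function Test-NetlogonShare {
    [CmdletBinding()]
    param(
        # Principals that should hold no more than Read on NETLOGON
        # (assumed list; adjust to your environment).
        [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users')
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Netlogon publishes SYSVOL and NETLOGON only once SysvolReady is 1.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $ready = (Get-ItemProperty -Path $key -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
    if ($ready -ne 1) { $findings.Add("SysvolReady is '$ready' (expected 1)") }

    $share = Get-SmbShare -Name NETLOGON -ErrorAction SilentlyContinue
    if (-not $share) {
        $findings.Add('NETLOGON share is not published')
        return $findings
    }

    # The share must point at an existing SCRIPTS folder under SYSVOL.
    if (-not (Test-Path -LiteralPath $share.Path -PathType Container)) {
        $findings.Add("Share path does not exist: $($share.Path)")
    } elseif ((Split-Path -Leaf $share.Path) -ne 'SCRIPTS') {
        $findings.Add("Share path is not a SCRIPTS folder: $($share.Path)")
    }

    # Flag Allow entries that give a broad principal more than Read.
    foreach ($ace in Get-SmbShareAccess -Name NETLOGON) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -ne 'Read' -and
            $BroadPrincipals -contains $ace.AccountName) {
            $findings.Add("$($ace.AccountName) has $($ace.AccessRight) on NETLOGON")
        }
    }
    return $findings
}

$result = @(Test-NetlogonShare)
if ($result.Count -eq 0) { 'NETLOGON share checks passed.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Share permissions are evaluated together with the NTFS ACL on the SCRIPTS folder, so a finding here means the folder ACL is the only remaining restriction on who can modify logon scripts.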
Conclusion
By following these steps, you should be able to restore the NETLOGON share, fix SYSVOL replication issues, and ensure Active Directory functions properly. If problems persist, consider checking NTDS database health, Group Policy application logs, or performing a DC demotion and re-promotion if necessary.
Regards,
HARISH KUMAR