March 18, 2021

DC not replicating and DFSR Error 4012

I finally got a second domain controller added to my [production] network, and couldn't get the domain to replicate. The second DC was missing NETLOGON and SYSVOL, and clients were still authenticating against the first DC. I always thought an additional DC was supposed to replicate automatically, but apparently not.

I followed Microsoft's troubleshooting guide but didn't think that I needed to go through all that since I'm not actually having a failure condition. Fortunately, the event log came to the rescue. I discovered that my DC has not been disconnected from other partners for 457 days, which is the exact number of days since I brought this DC online.

Since there are no other partners to replicate with, I thought this must definitely be a warning condition and not a failure condition. Searching for the error message, I discovered there's content freshness protection in DFSR and the default value is 60 days, like it says in the event log. So I set MaxOfflineTimeInDays to 458, restarted the DFSR service, and suddenly the second DC came online, and everyone lived happily ever after.
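
The steps described above, as an added PowerShell example (not the commands from the original post): it reads the day count from the latest event 4012, raises MaxOfflineTimeInDays just above it, restarts DFSR, and checks the second DC's shares. Assumptions: an elevated session on the first DC, English event text, and the placeholder name `DC02` for the second DC.

```powershell
#Requires -RunAsAdministrator
# Added example. Run on the DC that logged DFSR event 4012.

# 1. Latest content-freshness event (ID 4012) from the DFS Replication log.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4012 } `
                    -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $evt) { Write-Host 'No event 4012 found; nothing to change.'; return }

# Assumption: the English message contains "... for <N> days".
if ($evt.Message -notmatch 'for (\d+) days') {
    throw 'Could not read the offline day count from event 4012.'
}
$daysOffline = [int]$Matches[1]

# 2. Current content-freshness limit (default is 60 days).
$cfg = Get-CimInstance -Namespace 'root/microsoftdfs' -ClassName DfsrMachineConfig
Write-Host "Offline for $daysOffline days; MaxOfflineTimeInDays = $($cfg.MaxOfflineTimeInDays)"

# 3. Raise the limit to one day above the reported gap, then restart DFSR
#    so the service re-evaluates the replicated folder.
if ($cfg.MaxOfflineTimeInDays -le $daysOffline) {
    $cfg | Set-CimInstance -Property @{ MaxOfflineTimeInDays = [uint32]($daysOffline + 1) }
    Restart-Service -Name DFSR
}

# 4. Check that the second DC now publishes SYSVOL and NETLOGON.
#    Initial sync can take a while, so re-run this step if it reports MISSING.
$secondDc = 'DC02'   # placeholder name, replace with the new DC
foreach ($share in 'SYSVOL', 'NETLOGON') {
    $state = if (Test-Path "\\$secondDc\$share") { 'present' } else { 'MISSING' }
    Write-Host "\\$secondDc\$share : $state"
}

# 5. Optional, once replication is healthy: put the limit back to the default
#    so content freshness protection applies again.
# $cfg | Set-CimInstance -Property @{ MaxOfflineTimeInDays = [uint32]60 }
```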