SYSVOL files got encrypted via ransomware attack

Rashid Kamal 21 Reputation points
2020-12-15T15:11:44.797+00:00

Dear Experts ,

We have faced a ransomware attack recently. It encrypted files in the SYSVOL of our Windows Server 2012 Standard domain controller, which works as the primary domain controller, while two more additional domain controllers are there with GC enabled. What's the easiest way to recover the SysVol folders only?

We have taken a System State Backup of the DC, but it is older; after it many policies have been made and 600+ users were created. If we go with the recovery option, we have to create them all again, a very hectic job.

Please suggest and share the easiest way to recover only the SysVol from the backup. If there is any option available to reconstruct SYSVOL from scratch, please suggest that too.

I have always taken benefit from this community and am expecting the same from you again.

Regards,
Kamal


Accepted answer
  1. Anonymous
    2020-12-15T15:35:09.473+00:00

    Then you can restore the backup somewhere, then use this one as a guide to replace the contents.
    https://support.microsoft.com/en-us/help/315457/how-to-rebuild-the-sysvol-tree-and-its-content-in-a-domain

    --please don't forget to Accept as answer if the reply is helpful--


7 additional answers

Sort by: Most helpful
  1. Vicky Wang 2,731 Reputation points
    2020-12-16T09:17:18.307+00:00

    > If I restore the system state backup to any other location and copy the entire contents of SYSVOL as per the mentioned detail, will I be able to restore all files?

    According to my knowledge, it is possible.

    Hope this information can help you

    Best wishes
    Vicky


  2. Rashid Kamal 21 Reputation points
    2020-12-18T18:43:06.22+00:00

    Dear DSPatrick & VickyWang-MFST,

    Thank you for your support and confidence. Let me write briefly about what I have done to restore the SYSVOL files:

    1- First I stopped the Domain Controller FRS service and disabled it,
    2- Then I cleaned all encrypted files in the windows\SYSVOL\sysvol folders,
    3- Once it was ensured that all encrypted files were cleaned, I copied the data from the backup to SYSVOL.

    On the additional domain controllers, I repeated the same steps:

    (Performing a Nonauthoritative Restore of an FRS-Replicated SYSVOL Folder)

    1- First I stopped the Domain Controller FRS service and disabled it,
    2- Then I cleaned all encrypted files in the windows\SYSVOL\sysvol folders,
    3- Configured the BurFlags registry key by setting the value of the following registry key to the DWORD value D2:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags

    4- Restarted the FRS service on the primary domain controller and the additional domain controllers.

    5- When the FRS service is restarted, the following actions occur:

       - The value of the BurFlags registry key is reset to zero.
       - Files in the reinitialized FRS folders are moved to a pre-existing folder.
       - The FRS database is rebuilt.

    Ref: https://video2.skills-academy.com/en-us/windows/win32/vss/backing-up-and-restoring-an-frs-replicated-sysvol-folder

    This has worked for me and made it simple for the whole community. :)

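As an added example (not code from the thread, from Kamal, or from Microsoft), the PowerShell script below performs the steps listed in the answer above on one domain controller: it stops and disables FRS, lists the files in the live SYSVOL that do not exist in the clean backup so they can be reviewed before removal, optionally seeds the live tree from the restored backup, and on a partner DC sets BurFlags to D2 and waits for FRS to report the re-initialised SYSVOL. It assumes an elevated session on a DC whose SYSVOL is still FRS-replicated (not migrated to DFSR), and `D:\Restore\SYSVOL\sysvol` is a constructed placeholder for the backup restored to an alternate location.

```powershell
<#
  Added example, not from the thread or from Microsoft documentation.
  Assumptions (not stated on the page):
    - elevated PowerShell session on the affected domain controller;
    - $BackupSysvolPath is a constructed placeholder for a SYSVOL tree restored
      from the system state backup to an alternate location;
    - SYSVOL is still FRS-replicated (BurFlags has no effect under DFSR).
  -Role Seed    : the DC that is refilled from the clean backup (steps 1-3 above)
  -Role Partner : an additional DC re-initialised with BurFlags = D2 (steps 1-5 above)
#>
param(
    [ValidateSet('Seed', 'Partner')][string]$Role = 'Partner',
    [string]$BackupSysvolPath = 'D:\Restore\SYSVOL\sysvol',     # constructed placeholder
    [string]$LiveSysvolPath   = "$env:SystemRoot\SYSVOL\sysvol",
    [switch]$WhatIf                                              # list only, change nothing
)

$BurFlagsKey = 'HKLM:\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Assert-FrsSysvol {
    # BurFlags only applies while SYSVOL is replicated by FRS. After a DFSR migration
    # dfsrmig reports the global state 'Eliminated' and this procedure would do nothing useful.
    if (-not (Get-Service -Name NtFrs -ErrorAction SilentlyContinue)) {
        throw 'NtFrs service not present: SYSVOL on this DC is not FRS-replicated.'
    }
    if (Get-Command dfsrmig.exe -ErrorAction SilentlyContinue) {
        $state = (& dfsrmig.exe /getglobalstate 2>$null) -join ' '
        if ($state -match 'Eliminated') { throw "SYSVOL has been migrated to DFSR ($state); BurFlags does not apply." }
    }
}

function Get-UnexpectedSysvolFiles {
    # Files present in the live tree but absent from the clean backup: after a ransomware
    # run these are typically the encrypted copies and ransom notes. Review before deleting.
    param([string]$Live, [string]$Backup)
    $Live = (Resolve-Path $Live).Path; $Backup = (Resolve-Path $Backup).Path
    $known = @{}
    Get-ChildItem -Path $Backup -Recurse -File | ForEach-Object {
        $known[$_.FullName.Substring($Backup.Length).TrimStart('\')] = $true
    }
    Get-ChildItem -Path $Live -Recurse -File | Where-Object {
        -not $known.ContainsKey($_.FullName.Substring($Live.Length).TrimStart('\'))
    }
}

function Copy-SysvolFromBackup {
    # Step 3 on the seed DC. /E rather than /MIR so nothing is deleted automatically;
    # robocopy exit codes below 8 mean no copy failures.
    param([string]$Source, [string]$Destination, [switch]$ListOnly)
    $rcArgs = @($Source, $Destination, '/E', '/COPYALL', '/R:1', '/W:1', '/NP', '/NFL', '/NDL')
    if ($ListOnly) { $rcArgs += '/L' }
    & robocopy.exe @rcArgs | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }
}

function Invoke-FrsNonauthoritativeRestore {
    # Steps 3-4 on a partner DC: BurFlags = 0xD2, then start FRS so it rebuilds its
    # database and re-fetches SYSVOL from a replication partner.
    Set-ItemProperty -Path $BurFlagsKey -Name BurFlags -Value 0xD2 -Type DWord
    Start-Service -Name NtFrs
}

function Test-FrsReinitialized {
    # Step 5: FRS resets BurFlags to 0, moves the old content to NtFrs_PreExisting___See_EventLog,
    # and logs event 13516 in the 'File Replication Service' log once SYSVOL is shared again.
    param([datetime]$Since, [int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $flags = (Get-ItemProperty -Path $BurFlagsKey -Name BurFlags).BurFlags
        $ready = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $Since } -ErrorAction SilentlyContinue
        if ($flags -eq 0 -and $ready) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

# ---- main flow, in the order given in the answer ----
Assert-FrsSysvol
$started = Get-Date
Stop-Service -Name NtFrs -Force                       # step 1
Set-Service  -Name NtFrs -StartupType Disabled        # keep FRS down while the tree is cleaned

Write-Host "Files in $LiveSysvolPath that are not in the clean backup (step 2, review before removing):"
Get-UnexpectedSysvolFiles -Live $LiveSysvolPath -Backup $BackupSysvolPath |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

Set-Service -Name NtFrs -StartupType Automatic
if ($Role -eq 'Seed') {
    Copy-SysvolFromBackup -Source $BackupSysvolPath -Destination $LiveSysvolPath -ListOnly:$WhatIf
    if (-not $WhatIf) { Start-Service -Name NtFrs }
} elseif (-not $WhatIf) {
    Invoke-FrsNonauthoritativeRestore
    if (-not (Test-FrsReinitialized -Since $started)) {
        Write-Warning 'FRS has not reported SYSVOL ready yet; check the File Replication Service log for events 13565 and 13516.'
    }
}
```

Run it first with `-WhatIf` on each DC to see which files would be treated as foreign and what robocopy would copy, then with `-Role Seed` on the DC that is refilled from the backup and `-Role Partner` on the others. The registry path is the one quoted in the answer; the literal `Backup/Restore` key name contains a forward slash, which is why it is passed as a single string. The Microsoft article linked in the accepted answer also describes the authoritative counterpart (BurFlags D4) for the DC that should win; this script deliberately stays with the D2 procedure the answer describes and only seeds the other DC from the backup.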

  3. Anonymous
    2020-12-18T18:47:22.66+00:00

    Glad to hear of success.

