PASSED | infrastructure / dfs_replication_backlog

DFS Replication Backlog Critical

DFS Replication backlog between two domain controllers reaches critical levels, with SYSVOL replication lagging by thousands of files. Group Policy is inconsistent across the domain, and some users receive stale GPOs depending on which DC they authenticate against.

Pattern: ACTIVE_DIRECTORY
Severity: CRITICAL
Confidence: 92%
Remediation: Remote Hands

Test Results

| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | ACTIVE_DIRECTORY | ACTIVE_DIRECTORY | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 6 linked | |
| Cascade Escalation | N/A | No | |

Remediation: Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

4 domain controllers across 2 sites. DFSR backlog on SYSVOL: 12,847 files pending. Active Directory replication of SYSVOL stalled. GPO version mismatch between DCs. Some workstations applying stale security policies.

Injected Error Messages (1)

DFS Replication critical backlog — active directory SYSVOL replication backlog at 12,847 files between dc01 and dc03, DFSR event ID 4012: insufficient resources to replicate, active directory GPO versions inconsistent: dc01 has GPO v47 while dc03 has GPO v39, users authenticating against different DCs receiving different group policy settings, active directory integrity at risk

Neural Engine Root Cause Analysis

The DFS Replication service is experiencing a critical backlog of 12,847 files in SYSVOL replication between domain controllers dc01 and dc03, caused by insufficient system resources (DFSR event ID 4012). This has resulted in inconsistent GPO versions (v47 vs v39) across domain controllers, causing users to receive different group policy settings depending on which DC they authenticate against. The 5 correlated incidents suggest this is part of a broader Active Directory infrastructure failure, likely stemming from resource exhaustion on one or more domain controllers.

Remediation Plan

1. Immediately check disk space, memory, and CPU utilization on both dc01 and dc03.
2. Clear any temporary files and logs consuming excessive disk space.
3. Restart the DFS Replication service on both domain controllers.
4. Force SYSVOL replication synchronization using 'dfsrdiag syncnow'.
5. Monitor replication progress with 'dfsrdiag backlog' until backlog clears.
6. Verify GPO consistency across all domain controllers.
7. Implement resource monitoring and alerting to prevent recurrence.

Tested: 2026-03-30 | Monitors: 1 | Incidents: 1 | Test ID: cmnck0zjs063xobqeju4us28p