After you create distribution groups and mail-enabled security groups in the Exchange admin center, their names and user lists appear on the Office 365 Security groups page.You can delete these groups in both locations, but you can edit them only in the Exchange admin center.

It just requires a little understanding of what you have to do, which is all it’s doing is simply copying a good SYSVOL folder and subfolders from a good DC to the bad DC (the one with the errors.

Basically, you first choose which DC is the good DC to be your “source” DC for the SYSVOL folder. Yes, NTFRS must to be stopped on all DCs to perform this.

If the Bur Flags key does not exist, simply create it. More importantly, it references change the Bur Flags to one of two options: D4 or D2.

Therefore, before going further, I would like to squelch the confusion on what the D2 and D4 settings mean: So circling back, to fix this and make it work, just copy the contents of SYSVOL to another location, then follow the KB, which simply states you must stop the NTFR service on ALL DCs.

To get yourself out of this quandary, it’s rather simple.

Yea, you might say yea, right, this is not so simple, but it really isn’t that hard.

This blog almost mimics my class lecture on this topic.

Check back for updates periodically, which I will notate with a timestamp above with whatever I’ve added or modified.

If you are seeing them, you’re best bet is to forcedemote the machine, run a metadata cleanup, and re-promote it, and make sure you configure your firewall and/or AV to allow replication traffic or stop using the ISP’s or router as a DNS address, or disable IP routing and WINS Proxy, to prevent this in the future.

And while you’re at it bump up your AD tombstone to 180 days, As for the NTFRS, after talking to numerous folks whether directly assisting a customer, or through the Tech Net forums, there seems to be some confusion associated with how to handle Journal Wrap errors, what caused them, and what are the differences between the D2 and D4 options.

Only global and user management administrators have permissions to create, edit, or delete security groups; for more information about administrator roles, see Assigning admin roles.