A-NTFRSOnSysvol - False Positive - Bad Detection Method

In using the standard/auditor version of PingCastle against 100+ domains, I can confirm that the detection method used to report domains still using NTFRS is not accurate. I have seen at least 20 false positives.

The rule text says, “…PingCastle reads the following LDAP entry: CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System. If there is any entry found, the program consider that NTFRS is in use for SYSVOL replication.”

That detection logic is inaccurate. After a supported SYSVOL migration from NTFRS to DFSR (DFSRMIG state Eliminated), legacy FRS objects remain present in Active Directory by design, despite NTFRS no longer being used or even runnable. The object’s presence reflects historical metadata, not operational replication state.

As a result, the rule produces false positives in correctly migrated and fully supported environments. Determining whether NTFRS is used for SYSVOL replication requires evaluating migration state and replication ownership, not LDAP object existence alone.

Hi @scott.milne,
We have had a couple of support tickets about this detection and agree we should look to change this to properly look at the DFSR Migration settings msDFSR-Flags attribute to ensure migration is completed.

I will get this improvement logged and tracked in our roadmap for a future release.

Cheers :slight_smile:
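As an added illustration of the point made in both posts (not code from PingCastle or from either poster), the check below evaluates the DFSRMIG global state stored in msDFSR-Flags on the dfsr-GlobalSettings object instead of only testing whether the legacy FRS SYSVOL object exists. The directory snapshot is a constructed dict standing in for two LDAP reads under the domain naming context; the example domain DN is a placeholder.

```python
# Added example: classify SYSVOL replication from a directory snapshot.
# The snapshot (DN -> attributes) is constructed for this example; a real
# audit would read these two objects over LDAP from the domain NC.

FRS_SYSVOL_RDN = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System"
DFSR_GLOBAL_RDN = "CN=dfsr-GlobalSettings,CN=System"

# DFSRMIG global migration state as stored in msDFSR-Flags on dfsr-GlobalSettings.
MIGRATION_STATES = {0: "Start", 16: "Prepared", 32: "Redirected", 48: "Eliminated"}


def naive_ntfrs_check(snapshot, domain_dn):
    """The behaviour the report describes: NTFRS assumed whenever the FRS object exists."""
    return f"{FRS_SYSVOL_RDN},{domain_dn}" in snapshot


def sysvol_state(snapshot, domain_dn):
    """Return (engine, migration_state) derived from the DFSR migration state.

    engine is "NTFRS" (migration never started or still at Start), "Migrating"
    (Prepared/Redirected: FRS still replicating), or "DFSR" (Eliminated: FRS retired,
    any remaining FRS object is historical metadata)."""
    dfsr = snapshot.get(f"{DFSR_GLOBAL_RDN},{domain_dn}")
    if dfsr is None:
        # No DFSR global settings object: dfsrmig was never run, SYSVOL is on FRS.
        return ("NTFRS", "NotMigrated")
    flags = int(dfsr.get("msDFSR-Flags", 0))
    state = MIGRATION_STATES.get(flags, f"Unknown({flags})")
    if state == "Eliminated":
        return ("DFSR", state)
    if state in ("Prepared", "Redirected"):
        return ("Migrating", state)
    if state == "Start":
        return ("NTFRS", state)
    return ("Unknown", state)


# Constructed snapshots. Placeholder domain; both objects present after a completed migration.
DOMAIN_DN = "DC=example,DC=test"
MIGRATED = {
    f"{FRS_SYSVOL_RDN},{DOMAIN_DN}": {"objectClass": "nTFRSReplicaSet"},
    f"{DFSR_GLOBAL_RDN},{DOMAIN_DN}": {"msDFSR-Flags": 48},
}
LEGACY = {f"{FRS_SYSVOL_RDN},{DOMAIN_DN}": {"objectClass": "nTFRSReplicaSet"}}

if __name__ == "__main__":
    print("naive check on migrated domain:", naive_ntfrs_check(MIGRATED, DOMAIN_DN))
    print("state-based check on migrated domain:", sysvol_state(MIGRATED, DOMAIN_DN))
    print("state-based check on legacy domain:", sysvol_state(LEGACY, DOMAIN_DN))
```

The migrated snapshot shows the false positive: the naive check flags it because the FRS object is still present, while the state-based check reads Eliminated and reports DFSR.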