Forum Discussion
Solved
Active Directory DFSR headache
We have 23 DC's, all but one of which are 2012R2. The one-off, I upgraded a couple weeks ago directly from 2012R2 to 2019. For the past year or two we've had 2 DC's that weren't doing SYSVOL repl...
- So it's fixed. Finally. I had to check replication for each GPO individually in the GPMC to find the two that were causing problems. All 467 policies.
I still have no idea what was wrong with those 2 policies. The ACL's were fine. Using icacls to remove/re-add the domain admins permission didn't help. Eventually I gave up and recreated those two policies from scratch, then deleted the old ones, and suddenly everything is hunky dory!
So it's fixed. Finally. I had to check replication for each GPO individually in the GPMC to find the two that were causing problems. All 467 policies.
I still have no idea what was wrong with those 2 policies. The ACL's were fine. Using icacls to remove/re-add the domain admins permission didn't help. Eventually I gave up and recreated those two policies from scratch, then deleted the old ones, and suddenly everything is hunky dory!
I still have no idea what was wrong with those 2 policies. The ACL's were fine. Using icacls to remove/re-add the domain admins permission didn't help. Eventually I gave up and recreated those two policies from scratch, then deleted the old ones, and suddenly everything is hunky dory!
- How u discover them
- I had to click each GPO listed under "Group Policy Objects" in GPMC, then click the "Status" tab, then "Detect Now" to check the SYSVOL replication status of that GPO on each domain controller. The two problematic GPOs were the only ones that showed "Inaccessible" or other errors on one or more DC's under the SYSVOL column.
Once I deleted and recreated those two GPOs from scratch, everything was happy.
