Forum Discussion
clivesidwellucem1020
Apr 04, 2022, Copper Contributor
Domain controller, 2 sites 4 servers - network configuration issues - GPO not replicating
I have an issue with our 4 DCs which have a legacy network config that I can't resolve to get GPO replication correctly. AD and DNS all show as replicating OK, but GPO is out of sync most of the t...
- Apr 08, 2022
Always good to check things out like that, 15 minutes is the inter-site replication between the sites and the lowest value you can configure in Sites and Services. So, that seems good and now the ACLs on the Group Policy folders like the screenshot you posted. I have seen this before in the past, it listed a double Domain Admins group on it giving the ACL error.
icacls.exe \\dc02\sysvol\xxxxx.nl\Policies\{69085595-7CB7-43E8-B0B9-088DA92A8AE4} /remove:g "yyyyy\Domain Admins"
icacls.exe \\dc02\sysvol\xxxxx\Policies\{69085595-7CB7-43E8-B0B9-088DA92A8AE4} /grant "yyyyy\Domain Admins":(OI)(CI)(F)
( Got that from https://social.microsoft.com/Forums/security/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016 )
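The icacls commands above fix one GPO folder on one DC by hand. As an added example (not code from the thread or its participants), the script below does the read-only part of that work for every GPO on every DC: it reads the ACL of each GPO's SYSVOL Policies folder, reports trustees that appear more than once (the "double Domain Admins" symptom), and reports DCs whose ACL differs from the PDC emulator's copy. It assumes the ActiveDirectory and GroupPolicy RSAT modules and a session that can read \\<dc>\SYSVOL; it changes nothing, so the fix remains an icacls run like the one above on the DC that is out of line.

```powershell
# Added example, not part of the thread: read-only audit of every GPO's SYSVOL ACL on every DC.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules; DC names come from the domain itself.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoSysvolAclReport {
    $domain = Get-ADDomain
    $dcs    = @((Get-ADDomainController -Filter *).HostName)
    $refDc  = $domain.PDCEmulator          # FSMO holder is used as the reference copy

    foreach ($gpo in Get-GPO -All) {
        # Policies\{GUID}; ToString('B') gives the GUID with braces
        $folder = "SYSVOL\$($domain.DNSRoot)\Policies\$($gpo.Id.ToString('B'))"
        $sddl   = @{}

        foreach ($dc in $dcs) {
            $path = "\\$dc\$folder"
            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ GPO = $gpo.DisplayName; DC = $dc; Issue = 'folder missing on this DC'; Detail = $path }
                continue
            }
            $acl = Get-Acl -LiteralPath $path
            $sddl[$dc] = $acl.Sddl

            # Two ACEs for the same trustee is not always wrong (one explicit, one inherited),
            # but it is exactly what produced the "not in sync" error in the thread, so report it.
            foreach ($dup in ($acl.Access | Group-Object IdentityReference | Where-Object Count -gt 1)) {
                $detail = ($dup.Group | ForEach-Object {
                    "$($_.AccessControlType)/$($_.FileSystemRights)/inherited=$($_.IsInherited)"
                }) -join '; '
                [pscustomobject]@{ GPO = $gpo.DisplayName; DC = $dc; Issue = 'duplicate ACE for trustee'; Detail = "$($dup.Name): $detail" }
            }
        }

        # ACL drift between DCs: compare each DC's SDDL with the PDC emulator's copy
        if ($sddl.ContainsKey($refDc)) {
            foreach ($dc in @($sddl.Keys | Where-Object { $_ -ne $refDc })) {
                if ($sddl[$dc] -ne $sddl[$refDc]) {
                    [pscustomobject]@{ GPO = $gpo.DisplayName; DC = $dc; Issue = "ACL differs from $refDc"; Detail = $sddl[$dc] }
                }
            }
        }
    }
}

Get-GpoSysvolAclReport | Format-Table -AutoSize -Wrap
```

An empty report means every DC holds the same ACL for every GPO folder and no trustee is listed twice; a "differs from" row tells you which DC to inspect, and the SDDL in the Detail column can be diffed against the PDC emulator's copy before anything is changed.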
clivesidwellucem1020
Apr 08, 2022Copper Contributor
Apologies for the late reply.
I have an FRS environment - the issue is an IP configuration misunderstanding on my side, from a legacy config not documented by others.
2 x 2012R2 DCs (a = FSMO & b = Azure connector) on one site A
2 x 2016 local DCs (c & d) on 2nd site B (accept mixed OSes is not good!)
All access/users connect via the 2 site B DCs
AD is replicating - dcdiag shows no issue and each object gets replicated to all 4 servers.
GPO is the real issue here - it does not seem to replicate ALL GPOs to all 4 servers, so users don't get all the policies - but I can't figure out why the GPOs don't replicate evenly.
Apr 08, 2022
You can always test replication using dcdiag /test:replications or by just putting a test file (test.txt for example) in the SYSVOL\Scripts folder. Browse to each DC's SYSVOL individually (\\dc\sysvol\..\scripts) and see which DCs receive the test.txt file. Reverse it by deleting it on another DC and checking all 4 SYSVOL\scripts folders again.
You could switch to DFSR, but perhaps not a good idea if you have issues now which need to be fixed (https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405)
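The canary-file test described in this reply is easy to automate so that the arrival time on each DC is recorded rather than eyeballed. The script below is an added example, not code from the thread or its participants: it writes a uniquely named file into SYSVOL\scripts on one DC, polls every DC's SYSVOL share until the file appears or a timeout passes, then deletes it on the source so the deletion replicates the same way. It assumes the ActiveDirectory RSAT module and a session that can write to the source DC's SYSVOL; the DC name in the usage line is a placeholder.

```powershell
# Added example, not part of the thread: timed SYSVOL canary-file replication test.
# Assumes the ActiveDirectory RSAT module; DC names are discovered from the domain.
Import-Module ActiveDirectory

function Test-SysvolReplication {
    param(
        [Parameter(Mandatory)][string]$SourceDC,   # e.g. 'dc01.example.local' (placeholder)
        [int]$TimeoutMinutes = 20,                 # 15 min is the inter-site schedule minimum
        [int]$PollSeconds = 30
    )
    $domain = (Get-ADDomain).DNSRoot
    $dcs    = @((Get-ADDomainController -Filter *).HostName)
    $name   = "replcanary-$(Get-Date -Format yyyyMMddHHmmss)-$PID.txt"
    $source = "\\$SourceDC\SYSVOL\$domain\scripts\$name"

    Set-Content -LiteralPath $source -Value "canary written on $SourceDC at $(Get-Date -Format o)"
    $start    = Get-Date
    $deadline = $start.AddMinutes($TimeoutMinutes)
    $arrived  = @{}    # DC -> seconds until the file was visible there

    do {
        foreach ($dc in $dcs) {
            if ($arrived.ContainsKey($dc)) { continue }
            if (Test-Path -LiteralPath "\\$dc\SYSVOL\$domain\scripts\$name") {
                $arrived[$dc] = [math]::Round(((Get-Date) - $start).TotalSeconds)
            }
        }
        if ($arrived.Count -lt $dcs.Count) { Start-Sleep -Seconds $PollSeconds }
    } while ($arrived.Count -lt $dcs.Count -and (Get-Date) -lt $deadline)

    # Clean up on the source; the delete should propagate just like the create did.
    Remove-Item -LiteralPath $source -ErrorAction SilentlyContinue

    foreach ($dc in $dcs) {
        [pscustomobject]@{
            DC       = $dc
            Received = $arrived.ContainsKey($dc)
            Seconds  = $arrived[$dc]   # $null when the file never showed up before the timeout
        }
    }
}

Test-SysvolReplication -SourceDC 'dc01.example.local' | Format-Table -AutoSize
```

Run it once from a DC in each site: same-site DCs should report the file within seconds and the other site after the inter-site interval (15 minutes in this thread); a DC that still shows Received = False after the timeout is the one whose FRS membership needs looking at.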
- clivesidwellucem1020, Apr 08, 2022, Copper Contributor
Thanks Harm,
Interesting? site B replicated instantly - site A 15 mins later - reversed process with a new file with same result, then deleted files, it all followed through ok - so replication is working as expected.
It sort of indicates it's a problem with old existing GPO's and permissions and not an IP routing issue.
I have some work to do to go through each and check ACL's or maybe re-write and deploy.
Thank you
- Apr 08, 2022
You could also back up the settings from the affected Group Policies, create a new one and just restore the settings from the backup (don't forget to link the new GPO and check the permissions (Apply Group Policy on..)).
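The back-up / create-new / restore-settings approach in this reply maps directly onto the GroupPolicy module cmdlets. The function below is an added example, not code from the thread or its participants: it backs the old GPO up, creates a fresh GPO (new GUID, fresh SYSVOL folder and ACL), imports the saved settings, links the new GPO to the OUs you name, and copies every "Apply Group Policy" trustee across so security filtering is not lost. The old GPO is left linked; unlinking it is a deliberate follow-up once the new one is verified. It assumes the GroupPolicy RSAT module; the GPO names, OU distinguished names and backup folder are placeholders.

```powershell
# Added example, not part of the thread: rebuild a misbehaving GPO from a backup of its settings.
# Assumes the GroupPolicy RSAT module; names, OU DNs and the backup path are placeholders.
Import-Module GroupPolicy

function New-GpoFromBackup {
    param(
        [Parameter(Mandatory)][string]$OldName,
        [Parameter(Mandatory)][string]$NewName,
        [Parameter(Mandatory)][string[]]$LinkTarget,   # DNs of the OUs/domain the old GPO is linked to
        [string]$BackupPath = 'C:\GPOBackup'
    )
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

    # 1. Back up the existing GPO (settings plus security-filtering metadata)
    $backup = Backup-GPO -Name $OldName -Path $BackupPath -Comment "before rebuild $(Get-Date -Format s)"

    # 2. Create a fresh GPO and import the saved settings into it
    New-GPO -Name $NewName -Comment "Rebuilt from '$OldName' (backup $($backup.Id))" | Out-Null
    Import-GPO -BackupId $backup.Id -Path $BackupPath -TargetName $NewName | Out-Null

    # 3. Link it where the old one was linked (Import-GPO does not carry links over)
    foreach ($dn in $LinkTarget) {
        New-GPLink -Name $NewName -Target $dn -LinkEnabled Yes | Out-Null
    }

    # 4. Re-apply security filtering: every trustee that had "Apply" on the old GPO gets it on the new one
    $typeMap = @{ User = 'User'; Group = 'Group'; Computer = 'Computer'; WellKnownGroup = 'Group' }
    foreach ($perm in (Get-GPPermission -Name $OldName -All | Where-Object Permission -eq 'GpoApply')) {
        $targetType = $typeMap[[string]$perm.Trustee.SidType]
        if (-not $targetType) { continue }   # unresolvable SID types are skipped, not copied blindly
        Set-GPPermission -Name $NewName -TargetName $perm.Trustee.Name -TargetType $targetType -PermissionLevel GpoApply | Out-Null
    }

    # 5. Return the new GPO's permission set so it can be compared with the old one before cutting over
    Get-GPPermission -Name $NewName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
}

# Placeholder names and DN; run gpupdate /force on a test client afterwards and compare gpresult output
New-GpoFromBackup -OldName 'Old Desktop Policy' -NewName 'Desktop Policy v2' `
    -LinkTarget 'OU=Workstations,DC=example,DC=local' | Format-Table -AutoSize
```

Steps 1 and 2 can also be collapsed into the module's own Copy-GPO cmdlet, which creates a new GPO with the source's settings in one call; the explicit backup is kept here because it leaves a restorable copy on disk.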
- clivesidwellucem1020, Apr 08, 2022, Copper Contributor
Yep - will do backups.
Thanks again
- Apr 08, 2022
If my answer helped, please mark it as solution to mark it as solved