clivesidwellucem1020
Apr 04, 2022 - Copper Contributor
Domain controller, 2 sites 4 servers - network configuration issues - GPO not replicating
I have an issue with our 4 DCs which have a legacy network config that I can't resolve to get GPO replication correctly. AD and DNS all show as replicating OK, but GPO is out of sync most of the t...
Apr 08, 2022
Always good to check things out like that, 15 minutes is the inter-site replication between the sites and the lowest value you can configure in Sites and Services. So, that seems good and now the ACLs on the Group Policy folders like the screenshot you posted. I have seen this before in the past, it listed a double Domain Admins group on it giving the ACL error.
icacls.exe \\dc02\sysvol\xxxxx.nl\Policies\{69085595-7CB7-43E8-B0B9-088DA92A8AE4} /remove:g "yyyyy\Domain Admins"
icacls.exe \\dc02\sysvol\xxxxx\Policies\{69085595-7CB7-43E8-B0B9-088DA92A8AE4} /grant "yyyyy\Domain Admins":(OI)(CI)(F)
( Got that from https://social.microsoft.com/Forums/security/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016 )
clivesidwellucem1020
Apr 08, 2022 - Copper Contributor
Thanks Harm,
Interesting? Site B replicated instantly - site A 15 mins later - reversed process with a new file with same result, then deleted files, it all followed through ok - so replication is working as expected.
It sort of indicates it's a problem with old existing GPOs and permissions and not an IP routing issue.
I have some work to do to go through each and check ACLs or maybe re-write and deploy.
Thank you
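Going through each GPO folder by hand is slow, so here is a read-only audit of the SYSVOL side, added as an example that is not part of the original thread. It generalizes the single-GPO icacls check to every GPO folder on every DC; the DC names and domain name are placeholders, and it only reads ACLs, it does not change them or compare against the AD-side GPO permissions.

```powershell
# Added example (not from the thread): read-only audit of GPO folder ACLs in SYSVOL.
# Placeholder values below are assumptions; replace them with your own DCs and domain.
param(
    [string[]]$DomainControllers = @('dc01', 'dc02'),   # placeholder DC names
    [string]$DomainDnsName = 'example.local'            # placeholder domain DNS name
)

$report = foreach ($dc in $DomainControllers) {
    $policies = "\\$dc\SYSVOL\$DomainDnsName\Policies"
    # GPO folders are named after the GPO GUID, e.g. {xxxxxxxx-....}
    Get-ChildItem -LiteralPath $policies -Directory | Where-Object Name -like '{*}' | ForEach-Object {
        $access = (Get-Acl -LiteralPath $_.FullName).Access
        # One comparable string per ACE, sorted so ACE order does not matter.
        $aces = $access | ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}|inherited={5}' -f $_.IdentityReference.Value, $_.AccessControlType,
                $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags, $_.IsInherited
        } | Sort-Object
        # Identities with more than one explicit ACE (e.g. a doubled "Domain Admins").
        # Some identities legitimately have two ACEs, so treat this as "review", not "broken".
        $repeated = $access | Where-Object { -not $_.IsInherited } |
            Group-Object { $_.IdentityReference.Value } |
            Where-Object Count -gt 1 | ForEach-Object Name
        [pscustomobject]@{ DC = $dc; Gpo = $_.Name; Aces = ($aces -join "`n"); Repeated = $repeated }
    }
}

# Per GPO: is the folder present on every DC with an identical ACL?
$report | Group-Object Gpo | ForEach-Object {
    $g = $_.Group
    $distinctAcls = @($g | ForEach-Object { $_.Aces } | Sort-Object -Unique)
    [pscustomobject]@{
        Gpo                = $_.Name
        SeenOn             = ($g | ForEach-Object { $_.DC }) -join ','
        AclInSync          = ($distinctAcls.Count -eq 1) -and ($g.Count -eq $DomainControllers.Count)
        RepeatedIdentities = ($g | ForEach-Object { $_.Repeated } | Sort-Object -Unique) -join '; '
    }
} | Where-Object { -not $_.AclInSync -or $_.RepeatedIdentities } | Format-Table -AutoSize
```

An empty result means every GPO folder exists on all listed DCs with the same ACL and no identity appears in more than one explicit ACE.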