clivesidwellucem1020 (Copper Contributor), Apr 04, 2022
Domain controller, 2 sites 4 servers - network configuration issues - GPO not replicating
I have an issue with our 4 DCs, which have a legacy network config that I can't resolve to get GPO replication working correctly.
AD and DNS all show as replicating OK, but GPO is out of sync most of the time and I can't seem to see what the root cause is, but I'm sure it's network config related.
I am looking for advice on the best way forward for a 2-site, 4-DC configuration.
I can find no MS document or best practice that explains the best network configuration to keep all 4 servers in sync via DNS and alternative IPs.
- Always good to check things out like that. 15 minutes is the inter-site replication between the sites and the lowest value you can configure in Sites and Services, so that seems good. Now the ACLs on the Group Policy folders, like the screenshot you posted: I have seen this before in the past, it listed a double Domain Admins group on it, giving the ACL error.
icacls.exe \\dc02\sysvol\xxxxx.nl\Policies\{69085595-7CB7-43E8-B0B9-088DA92A8AE4} /remove:g "yyyyy\Domain Admins"
icacls.exe \\dc02\sysvol\xxxxx\Policies\{69085595-7CB7-43E8-B0B9-088DA92A8AE4} /grant "yyyyy\Domain Admins":(OI)(CI)(F)
( Got that from https://social.microsoft.com/Forums/security/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016 )
- Could you give us some more information?
- Please give us some more details, server version and Domain and Forest level. DFSR or FRS for sysvol? What is your replication interval between sites?
- clivesidwellucem1020 (Copper Contributor): Apologies for the late reply.
I have an FRS environment. The issue is an IP configuration misunderstanding on my side, from a legacy config not documented by others.
2 x 2012R2 DCs (a = FSMO & b = Azure connector) on one site, A
2 x 2016 local DCs (c & d) on the 2nd site, B (I accept mixed OSs are not good!)
All access/users connect via the 2 site B DCs.
AD is replicating: dcdiag shows no issue and each object gets replicated to all 4 servers.
GPO is the real issue here. It does not seem to replicate ALL GPOs to all 4 servers, so users don't get all the policies, but I can't figure out why the GPOs don't replicate evenly.
- You can always test replication using dcdiag /test:replications or by just putting a test file (test.txt for example) in the SYSVOL\Scripts folder. Browse to each DC's sysvol individually (\\dc\sysvol\..\scripts) and see which DCs receive the test.txt file. Reverse it by deleting it on another DC and checking all 4 SYSVOL\Scripts folders again.
You could switch to DFSR, but perhaps not a good idea if you have issues now which need to be fixed (https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405)
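An added example (not from this thread or from Microsoft) that does the per-DC SYSVOL check above systematically instead of browsing each share by hand: it assumes the RSAT ActiveDirectory module and read access to every DC's SYSVOL share, and compares each GPO folder's gpt.ini Version across all DCs, which shows directly which DC is missing or behind on which policy.

```powershell
# Added example: compare GPO folders and gpt.ini versions across all DCs.
# Assumes the RSAT ActiveDirectory module and read access to each DC's SYSVOL.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = (Get-ADDomainController -Filter *).HostName | Sort-Object

# Collect the policy GUID folders present on each DC's SYSVOL.
$folders = @{}
foreach ($dc in $dcs) {
    $path = "\\$dc\SYSVOL\$domain\Policies"
    try {
        $folders[$dc] = Get-ChildItem -Path $path -Directory -ErrorAction Stop |
            Where-Object { $_.Name -like '{*}' }
    } catch {
        Write-Warning "Cannot read $path : $($_.Exception.Message)"
        $folders[$dc] = @()
    }
}

# Union of every GUID seen anywhere, so a folder missing on one DC still shows up.
$allGuids = $folders.Values | ForEach-Object { $_.Name } | Sort-Object -Unique

$report = foreach ($guid in $allGuids) {
    $row = [ordered]@{ GPO = $guid }
    foreach ($dc in $dcs) {
        $ini = "\\$dc\SYSVOL\$domain\Policies\$guid\gpt.ini"
        if (Test-Path -Path $ini) {
            # gpt.ini carries "Version=<n>"; a different number on one DC
            # means that DC has not received the latest copy of the GPO.
            $m = Select-String -Path $ini -Pattern '^Version=(\d+)'
            $row[$dc] = if ($m) { $m.Matches[0].Groups[1].Value } else { 'NOVERSION' }
        } else {
            $row[$dc] = 'MISSING'
        }
    }
    $values = @($row.Values | Select-Object -Skip 1 | Sort-Object -Unique)
    $row['InSync'] = ($values.Count -eq 1 -and $values[0] -notin 'MISSING', 'NOVERSION')
    [pscustomobject]$row
}

$report | Format-Table -AutoSize
```

Rows with InSync = False name the exact GPO and DC to look at with the icacls and test-file steps from earlier in the thread.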