cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Active Directory DFSR headache

JWW-CSISD
Brass Contributor

‎Jul 31 2021 05:59 PM

‎Jul 31 2021 05:59 PM

Active Directory DFSR headache

We have 23 DC's, all but one of which are 2012R2. The one-off, I upgraded a couple weeks ago directly from 2012R2 to 2019.

 

For the past year or two we've had 2 DC's that weren't doing SYSVOL replication. I thought I had fixed that before I started with the process of getting them upgraded to 2019, but now that I've done one server, it looks like I was incorrect.

 

So here's what's driving me nuts. Using the "status" tab of the Group Policy Management MMC, things are either horribly FUBAR, or humming along perfectly, depending (apparently) on the OS of the computer I'm running the MMC from. If I run it from a Windows 10 workstation or the Server 2019 DC, things look bad. I show 15 servers with replication "in progress", of which 13 show a status under the SYSVOL column of "Inaccessible", and 2 show a "Contents" issue with a single GPO. If I run the MMC from the 2012R2 DCs or from a Win 8.1 VM I spun up on a hunch, I show all 22 DCs in perfect sync (both AD and SYSVOL) with the baseline DC.

 

When I use a file/folder comparison tool on the contents of the SYSVOL folder for each DC, not one of them matches the contents on the PDC. Although there are no "orphaned" files or folders, the date modified doesn't match on a varying number of files and/or folders for each DC (sometimes off by years). The closest is actually the 2019 DC, which only shows mismatches on the contents of 3 GPOs.

 

The DFSR event logs don't show any regularly occurring errors other than losing replication for a bit between DCs when one goes down for system state backup.

 

I ran a dcdiag /a /c, and didn't see any errors in there aside from the DFS test failing due to the above-mentioned errors caused by backups, some system event log errors due to a deleted computer account, and one DC had a typo in the secondary DNS entry on its network adapter settings.

 

There are also no errors when I run repadmin /showrepl.

 

I've tried running both non-authoritative and authoritative replications using the instructions here, and neither made any difference at all.

 

Any suggestions?

 

994 Views
1 Like
3 Replies
Reply
3 Replies
best response confirmed by JWW-CSISD (Brass Contributor)
JWW-CSISD

‎Aug 04 2021 08:05 PM

‎Aug 04 2021 08:05 PM

Solution

Re: Active Directory DFSR headache

So it's fixed. Finally. I had to check replication for each GPO individually in the GPMC to find the two that were causing problems. All 467 policies.
I still have no idea what was wrong with those 2 policies. The ACL's were fine. Using icacls to remove/re-add the domain admins permission didn't help. Eventually I gave up and recreated those two policies from scratch, then deleted the old ones, and suddenly everything is hunky dory!
0 Likes
Reply
kazaki82

‎Nov 10 2021 10:40 AM

‎Nov 10 2021 10:40 AM

Re: Active Directory DFSR headache

How u discover them
0 Likes
Reply
JWW-CSISD

‎Nov 12 2021 08:44 AM

‎Nov 12 2021 08:44 AM

Re: Active Directory DFSR headache

I had to click each GPO listed under "Group Policy Objects" in GPMC, then click the "Status" tab, then "Detect Now" to check the SYSVOL replication status of that GPO on each domain controller. The two problematic GPOs were the only ones that showed "Inaccessible" or other errors on one or more DC's under the SYSVOL column.

Once I deleted and recreated those two GPOs from scratch, everything was happy.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by JWW-CSISD (Brass Contributor)
JWW-CSISD

‎Aug 04 2021 08:05 PM

‎Aug 04 2021 08:05 PM

Solution

Re: Active Directory DFSR headache

So it's fixed. Finally. I had to check replication for each GPO individually in the GPMC to find the two that were causing problems. All 467 policies.
I still have no idea what was wrong with those 2 policies. The ACL's were fine. Using icacls to remove/re-add the domain admins permission didn't help. Eventually I gave up and recreated those two policies from scratch, then deleted the old ones, and suddenly everything is hunky dory!

View solution in original post

0 Likes
Reply