Domain controller, 2 sites 4 servers - network configuration issues - GPO not replicating

I have an issue with our 4 DCs, which have a legacy network config that I can't resolve to get GPO replication working correctly.

AD and DNS all show as replicating OK, but GPO is out of sync most of the time and I can't seem to see what the root cause is, but I'm sure it's network config related.

Am looking for advice on the best way forward for a 2-site, 4-DC configuration?

I can find no MS document or best practice that explains the best network configuration to keep all 4 servers in sync via DNS and alternative IPs.

10 Replies
Please give us some more details, server version and Domain and Forest level. DFSR or FRS for sysvol? What is your replication interval between sites?
Could you give us some more information?
Apologies for the late reply.
I have an FRS environment - the issue is an IP configuration misunderstanding on my side, from a legacy config not documented by others.
2 x 2012R2 DCs (a = FSMO & b = Azure connector) on one site A
2 x 2016 local DCs (c & d) on 2nd site B (I accept mixed OSes is not good!)
All access/users connect via the 2 site B DCs
AD is replicating - dcdiag shows no issues and each object gets replicated to all 4 servers.
GPO is the real issue here - it does not seem to replicate ALL GPOs to all 4 servers, so users don't get all the policies - but I can't figure out why the GPOs don't replicate evenly.
You can always test replication using dcdiag /test:replications or by just putting a test file (test.txt for example) in the SYSVOL\Scripts folder. Browse to each DC's sysvol individually (\\dc\sysvol\..\scripts) and see which DCs receive the test.txt file, to check which ones actually get it. Reverse it by deleting it on another DC and check all 4 SYSVOL\Scripts folders again.

You could switch to DFSR, but perhaps not a good idea if you have issues now which need to be fixed (https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sys...)

@Harm_Veenstra

Thanks Harm,

Interesting? Site B replicated instantly - site A 15 mins later - reversed the process with a new file with the same result, then deleted the files, it all followed through OK - so replication is working as expected.

It sort of indicates it's a problem with old existing GPOs and permissions and not an IP routing issue.

I have some work to do to go through each and check ACLs, or maybe re-write and deploy.

Thank you

Always good to check things out like that, 15 minutes is the inter-site replication interval between the sites and the lowest value you can configure in Sites and Services. So, that seems good, and now the ACLs on the Group Policy folders like the screenshot you posted. I have seen this before in the past, it listed a double Domain Admins group on it, giving the ACL error.

icacls.exe \\dc02\sysvol\xxxxx.nl\Policies\{69085595-7CB7-43E8-B0B9-088DA92A8AE4} /remove:g "yyyyy\Domain Admins"
icacls.exe \\dc02\sysvol\xxxxx.nl\Policies\{69085595-7CB7-43E8-B0B9-088DA92A8AE4} /grant "yyyyy\Domain Admins":(OI)(CI)(F)

( Got that from https://social.microsoft.com/Forums/security/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permi... )
If my answer helped, please mark it as solution to mark it as solved
You could also back up the settings from the affected Group Policies, create a new one and just restore the settings from the backup (don't forget to link the new GPO and check the permissions (Apply Group Policy on...)).
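Checking every GPO folder on every DC by hand (the test-file approach above) and eyeballing ACLs for a doubled Domain Admins entry does not scale to many policies. The following PowerShell script is an added example, not code posted in this thread; it assumes RSAT with the ActiveDirectory and GroupPolicy modules, read access to each DC's SYSVOL share, and that the function/variable names are mine. For each GPO it compares the GPT.INI version and the normalised folder ACL across all DCs, flags SYSVOL versions that lag the AD versionNumber, and counts literal duplicate ACEs.

```powershell
# Added example (not from the thread): audit each GPO's SYSVOL copy on every DC.
# Assumes RSAT (ActiveDirectory + GroupPolicy modules) and rights to read every DC's SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoSysvolState {
    # One row per GPO per DC: folder presence, GPT.INI version, flattened ACL, duplicate ACE count.
    $domain = Get-ADDomain
    $dcs    = (Get-ADDomainController -Filter *).HostName
    foreach ($gpo in Get-GPO -All) {
        $guid      = "{$($gpo.Id.ToString().ToUpper())}"
        $adVersion = (Get-ADObject -Identity $gpo.Path -Properties versionNumber).versionNumber
        foreach ($dc in $dcs) {
            $folder = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$guid"
            $row = [pscustomobject]@{
                Gpo = $gpo.DisplayName; DC = $dc; Present = $false
                AdVersion = $adVersion; SysvolVersion = $null; Acl = $null; DuplicateAces = 0
            }
            if (Test-Path $folder) {
                $row.Present = $true
                $ini  = Get-Content "$folder\GPT.INI" -ErrorAction SilentlyContinue
                $line = $ini | Where-Object { $_ -match '^Version=' } | Select-Object -First 1
                if ($line -and $line -match '^Version=(\d+)') { $row.SysvolVersion = [int]$Matches[1] }
                # Flatten each ACE to text so copies on different DCs can be compared as strings
                $aces = (Get-Acl $folder).Access | ForEach-Object {
                    "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)|$($_.InheritanceFlags)"
                }
                $row.Acl = ($aces | Sort-Object) -join ';'
                # The thread's root cause was a doubled Domain Admins ACE: count literal duplicates
                $row.DuplicateAces = ($aces | Group-Object | Where-Object Count -gt 1 | Measure-Object).Count
            }
            $row
        }
    }
}

# Report only GPOs whose copies disagree between DCs, lag the AD version, or carry duplicate ACEs
Get-GpoSysvolState | Group-Object Gpo | ForEach-Object {
    $rows     = $_.Group
    $missing  = $rows | Where-Object { -not $_.Present }
    $versions = $rows.SysvolVersion | Sort-Object -Unique
    $acls     = $rows.Acl | Sort-Object -Unique
    $dupes    = $rows | Where-Object DuplicateAces -gt 0
    if ($missing -or @($versions).Count -gt 1 -or @($acls).Count -gt 1 -or $dupes -or
        ($versions -ne $rows[0].AdVersion)) {
        Write-Output "INCONSISTENT: $($_.Name)"
        $rows | Format-Table DC, Present, AdVersion, SysvolVersion, DuplicateAces -AutoSize
    }
}
```

A GPO that is listed as inconsistent on only the remote site's DCs, with a SysvolVersion behind AdVersion, points at SYSVOL (FRS) replication; one that is inconsistent on every DC with DuplicateAces above zero points at the ACL problem described in the accepted answer.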