GPO processing fails

nikitamobile855 

Okay, thanks for that.

I'm not actually sure what to make of those results as I'm not familiar with only having a single domain controller in an environment.

It looks like it has actually skipped performing any actual tests, but maybe dfsdiag does that in single domain controller environments - I don't know. If I get time, I'll try spinning up a single domain controller forest and check (for my own benefit, too.)

What it should have looked like is the following, where you can see the test results showing up as the cyan lines. But of course, this is from my own business where I have two domain controllers, hence my uncertainty.

Sample dfsdiag output.

Since your screenshot has no lines in cyan, I'm guessing it didn't run any tests.

What I'm trying to figure out is whether or not you have any references to old domain controllers within your SYSVOL DFS namespace configuration.

There's multiple ways of cross-referencing that, but the first one (dfsdiag) suggests there aren't any.

Can you have a look within Event Viewer again - under the same "GroupPolicy" node as your original screenshot from your original post - and see if there's an information event with an ID of 5308 around the same time as your original screenshot?

Event 5308 should be there and it will tell you the DNS name of the domain controller it attempted to process group policy from. It will have almost the same timestamp as your error from above.

It will look something like this.

GroupPolicy Event 5308.

If the reference is to your single remaining domain controller then this is getting interesting. It may be that the client does not have READ permissions but the Event Viewer error reads more like a connectivity issue, which is what I'm still focusing on for the time being.

If it's a reference to a long-gone domain controller, then this explains your original error, and what happens afterwards is that you need to remove any remaining references to it (in areas such as DNS, for example.)

Cheers,

Lain