none
Sysvol sync problem

    Question

  • I have two AD primary and secondary Server 2012 that is having a sysvol sync problem. ADDS, DNS, DHCP, all sync without problem. The only problem, is GPO and logon script syncing.

    DC1 has all fsmo, Schema, Domain naming master, PDC, RID pool manager, Infrastructure master.

    Things that I checked/done:

    -network connectivity doesn't seem to be an issue: both domain controllers can see each other with ping & nslookup with either IP, FQDN, or hostname.

    -set the firewall to open all tcp/udp for domain/private/public to the subnet to eliminate firewall as the limiting factor.

    -Both DC can see each other the \\DC1\sysvol \\DC1\netlogon and \\DC2\sysvol \\DC2\netlogon and can access each other's ADMIN$ and C$. Running net share shows the sysvol and netlogon on all DC's. NTFS and Share permissions are identical on both DCs.

    -I can make AD OU, add user in dsa.msc, etc and these will sync OK throughout the DC's.

    -I can create DNS A record in dnsmgmt.msc in one DC, and it will sync OK to the other DC.

    -MaxOfflineTimeInDays is set to 650 just to be sure dfsr is not stale

    -AD Sites and Services console sees both DC, when NTDS is set to replicate now, no error. 

    -I demoted DC2, rebuilt new VM from scratch, promote it, with same problem.

    -Imported sysvol from DC1 to DC2 in DSRM. After initial sync, it works. Any new changes, will show GPO Version error in GPMC detect now.

    -running repadmin /showrepl in both DC always show successful in last few minutes time, no errors.

    -dfsradmin membership list /rgname:"Domain System Volume" /attr:RfName,MemName,LocalPath

    shows both DC's with matching sysvol path

    -tried dcgpofix reset, didn't work. new changes don't get replicated.

    Last 3 DFSR event log:

    *The DFS Replication service successfully contacted domain controller DC1 to access configuration information.

    *The DFS Replication service successfully set up an RPC listener for incoming replication requests. 

    *The DFS Replication service has detected that at least one connection is configured for replication group Domain System Volume. 

    I'm not sure what else to check with this, it doesn't make any sense where DC1 can see all share and admin share on DC2. GPMC status always show version difference error after making changes to a policy.


    • Edited by perkedel Wednesday, April 19, 2017 5:35 PM added event log
    Wednesday, April 19, 2017 5:26 PM

All replies

  • Hi,
    Based on my understanding, the problem might be not saying your DCs are version mismatched, it's saying that one of your GPOs is.
    You need to track down the offending policy ("Policy {GUID}") and under the sysvol folder on your DCs, navigate to its folder (\DC\sysvol\policies{GUID}) and check the GPT.INI file on each DC. It will have a version number in it, and the version number will be different on the different DCs - this is the version mismatch it's complaining about.
    Correcting it depends on what exactly caused the mismatch, you may be able to correct it by editing the version number in GPT.ini to see if it helps.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, April 20, 2017 5:37 AM
    Moderator