GPO status test reports SYSVOL as inaccessible

    Question

  • One GPO reports this.

    I deleted the GPO and recreated it manually again. But the "orphaned" GPO still resides in SYSVOL.

    Wanted to delete it manually from SYSVOL, but I do not have access to the GUID folder (as Ent. Admin) and I can't take ownership over it.

    GPO no longer in gpedit or ADSI edit.

    Even tried to delete it from the command prompt, no success.

    How to force it to go away?

    Regards, Lars.

    Tuesday, September 6, 2016 8:48 PM

All replies

  • Hi,

    Thanks for your post.

    Under normal conditions, you can just delete the orphaned GPT as a normal file if the recommendations below are met:

    1. Make 100% sure that there are no corresponding GPO objects in AD, of course.

    2. There might be a situation where different ACLs between SYSVOL and AD just prevent the GPOs from being displayed via GPMC.

    3. Use an account with highest permissions to verify that and maybe even have a look at GPOs in AD via ADSIEdit.msc (search for the GUID)

    4. In addition you could use auditing methods to see if really no client tries to access these folders.

    If you are finally sure the GPO folders on SYSVOL (=GPTs) are orphaned, delete them manually. Back up before, just in case.

    Regarding the issue, please make sure it’s not the default domain or domain controllers GPO.

    You cannot delete those:

    http://technet.microsoft.com/en-us/library/cc770893.aspx

    Also check your replication and make sure your DCs are healthy. Run DCdiag and let us know if you find any errors.

    http://technet.microsoft.com/en-us/library/cc776854%28v=ws.10%29.aspx

    Besides, check the DeleteGPO.wsf:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa814151(v=vs.85).aspx#_win32_deleting_a_gpo

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 7, 2016 6:49 AM
    Moderator
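
The check described in points 1 to 3 of the reply above, as an added example that is not part of the original thread or Microsoft's code: a read-only PowerShell inventory that compares the GUID folders under SYSVOL (GPTs) with the groupPolicyContainer objects in AD (GPCs) and flags the two default GPOs so they are never treated as cleanup candidates. It assumes the ActiveDirectory RSAT module is installed and that SYSVOL uses the default `\\<domain>\SYSVOL\<domain>\Policies` layout; the variable and column names are illustrative.

```powershell
# Added example: read-only inventory of GPT folders vs. GPC objects. Deletes nothing.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$gptRoot = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"   # assumed default layout
$gpcBase = "CN=Policies,CN=System,$($domain.DistinguishedName)"

# Well-known GUIDs of the Default Domain Policy and Default Domain Controllers Policy.
$defaultGpos = @(
    '{31B2F340-016D-11D2-945F-00C04FB984F9}',
    '{6AC1786C-016F-11D2-945F-00C04FB984F9}'
)

# GPC side: the CN of each groupPolicyContainer is the GPO GUID in braces.
$gpcGuids = @(Get-ADObject -SearchBase $gpcBase -SearchScope OneLevel `
        -Filter 'objectClass -eq "groupPolicyContainer"' |
    ForEach-Object { $_.Name.ToUpper() })

# GPT side: GUID-named folders under the Policies share.
$gptFolders = @(Get-ChildItem -LiteralPath $gptRoot -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })

$report = foreach ($folder in $gptFolders) {
    $guid = $folder.Name.ToUpper()
    [pscustomobject]@{
        Guid        = $guid
        InAD        = $gpcGuids -contains $guid
        DefaultGpo  = $defaultGpos -contains $guid
        # False also when the folder exists but this account cannot read it.
        GptIniFound = Test-Path -LiteralPath (Join-Path $folder.FullName 'gpt.ini')
        LastWrite   = $folder.LastWriteTime
    }
}

# GPT folders with no GPC visible to this account: candidates for backup and manual cleanup.
$report | Where-Object { -not $_.InAD -and -not $_.DefaultGpo } | Format-Table -AutoSize

# The reverse mismatch: a GPC in AD whose folder is missing from SYSVOL.
$gptGuids = @($gptFolders | ForEach-Object { $_.Name.ToUpper() })
$gpcGuids | Where-Object { $gptGuids -notcontains $_ } |
    ForEach-Object { "GPC without GPT folder: $_" }
```

A folder listed as missing from AD only means the account running the script could not see a matching GPC; as point 2 of the reply notes, ACL differences can hide a GPO, so rerun with the highest-privileged account before treating a folder as orphaned.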
  • Hi, and thank you for your reply.

    The folder under SYSVOL that I could not access was gone this morning. So far so good.

    But I still get the SYSVOL being inaccessible under the domain in the gpedit application. Also it tells me 1 domain controller with replication in progress.

    DCDIAG gives me:

          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.

    Maybe because I have restarted the replication a couple of times manually.

    DFR health report gives me:

    Affected replicated folders: All replicated folders on this server.
      Description: The DFS Replication service has restarted 5 times in the past 7 days. This problem can affect the replication of all replicated folders to and from this server. Event ID: 1004
      Last occurred: 7. september 2016 at 07:16:58 (GMT1:00)
      Suggested action: If you restarted the service manually, you can safely ignore this message. For information about troubleshooting frequent service restart issues, see The Microsoft Web Site

    Apparently there are some replication errors on the SYSVOL... I just don't know exactly how to locate them?

    Regards, Lars.

    Wednesday, September 7, 2016 9:21 AM
  • Hi,

    Maybe your SYSVOL has not completed the initialization phase. Please give it some more time.

    Besides, you could go through this article for troubleshooting missing sysvol/netlogon:

    Troubleshooting missing SYSVOL and NETLOGON shares on Windows domain controllers

    http://support.microsoft.com/kb/257338

    Best Regards,

    Alvin Wang



    Friday, September 9, 2016 3:12 AM
    Moderator
  • Hi!

    But how long would the initialization phase take? The domain has been running for months.

    Following that link gives me only the following:

    $6:
    Run a "DIR \\<computername>\admin$\ntfrs\jet" against each domain controller in the domain to confirm the presence of the NTfrs.jdb file. The date and size of the jet database may be incorrect while the NTFRS service is running (by design).

    The folder ntfrs is not present on any DC

    $7:
    Run "NTFRSUTL DS [COMPUTERNAME]" on all replica set members. Confirm that all domain controllers in the domain show up under the "SET: DOMAIN SYSTEMVOLUME (SYSVOL SHARE)" portion of the NTFRSUTL output. The SYSVOL Replica set and its members can also be displayed under cn="domain system volume",cn=file replication service,cn=system,dc=<FQDN> in the User and Computers (Dsa.msc) snap-in when "Advanced Features" is enabled under the View menu.

    C:\Windows>NTFRSUTL DS dc01
    ERROR - Cannot bind w/authentication to computer, dc01; 000006d9 (1753)
    ERROR - Cannot bind w/o authentication to computer, dc01; 000006d9 (1753)
    ERROR - Cannot RPC to computer, dc01; 000006d9 (1753)

    C:\Windows>NTFRSUTL DS dc02
    ERROR - Cannot bind w/authentication to computer, dc02; 000006d9 (1753)
    ERROR - Cannot bind w/o authentication to computer, dc02; 000006d9 (1753)
    ERROR - Cannot RPC to computer, dc02; 000006d9 (1753)

    How to solve this?

    Regards, Lars.

    Friday, September 9, 2016 7:15 AM
  • That article you linked to is listed to be valid for Windows 2000. Is it also valid for Windows 2012R2?

    Regards, Lars.


    Saturday, September 10, 2016 11:30 AM
  • Hi,

    The article below applies to Windows Server 2012 R2:

    DFS Replication: How to troubleshoot missing SYSVOL and Netlogon shares

    https://support.microsoft.com/en-us/kb/2958414

    Best Regards,

    Alvin Wang



    Monday, September 12, 2016 9:32 AM
    Moderator