GPO SYSVOL not accessible

    Question

  • Hi all,

    Several 2012 domain controllers on multiple sites. 

    2012 domain functional level. 

    One of my domain controllers has an inaccessible SYSVOL folder; it's also carrying all FSMO roles. When I looked at the status window (in Group Policy Management) it shows the baseline controller has moved to another DC and the DC I would expect to be the baseline holder is showing as Inaccessible. 

    DCDIAG REPLadmin shows no replication errors at all. 

    I've noticed that the issue isn't with replication. I can create new policies and they get replicated. But I've noticed that if I delete a GPO from the GUI, the corresponding folder in the SYSVOL isn't being deleted.


    matt barnes

    Monday, September 14, 2015 9:03 AM

All replies

  • Hi,

    Any errors/warnings in the DFS Replication event log? What does it tell you if you run a diagnostic health report from the DFS Management MMC console for the Domain System Volume RP?

    Post a dcdiag /v output from the PDC.

    Regards,

    Calin

    Monday, September 14, 2015 10:40 AM

  • Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       * Verifying that the local machine winDC01, is a Directory Server. 
       Home Server = winDC01

       * Connecting to directory service on server winDC01.

       * Identified AD Forest. 
       Collecting AD specific global data 
       * Collecting site info.

       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded 
       Iterating through the sites 
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=VPNUsers,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=Neuss,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=Pachesham,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=Colo,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=Winnersh,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=RealIPColo,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=Cumbernauld,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=Roosendaal,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=Paris,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=DRSite,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=Turin,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=Munich,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=TURINO,CN=Sites,CN=Configuration,DC=domain,DC=local
       Getting ISTG and options for the site
       * Identifying all servers.

       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers 
       Getting information for the server CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=domain,DC=local 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=WINDC02,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=domain,DC=local 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=DEDC02,CN=Servers,CN=Munich,CN=Sites,CN=Configuration,DC=domain,DC=local 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=ROOSENDAALDC01,CN=Servers,CN=Roosendaal,CN=Sites,CN=Configuration,DC=domain,DC=local 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=FRDC01,CN=Servers,CN=Paris,CN=Sites,CN=Configuration,DC=domain,DC=local 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=COLODC01,CN=Servers,CN=Colo,CN=Sites,CN=Configuration,DC=domain,DC=local 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=MITDC01,CN=Servers,CN=TURINO,CN=Sites,CN=Configuration,DC=domain,DC=local 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=CNDC01,CN=Servers,CN=Cumbernauld,CN=Sites,CN=Configuration,DC=domain,DC=local 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.

       * Found 8 DC(s). Testing 1 of them.

       Done gathering initial info.


    Doing initial required tests

       
       Testing server: Winnersh\WINDC01

          Starting test: Connectivity

             * Active Directory LDAP Services Check
             Determining IP4 connectivity 
             * Active Directory RPC Services Check
             ......................... WINDC01 passed test Connectivity



    Doing primary tests

       
       Testing server: Winnersh\WINDC01

          Starting test: Advertising

             The DC WINDC01 is advertising itself as a DC and having a DS.
             The DC WINDC01 is advertising as an LDAP server
             The DC WINDC01 is advertising as having a writeable directory
             The DC WINDC01 is advertising as a Key Distribution Center
             The DC WINDC01 is advertising as a time server
             ......................... WINDC01 passed test Advertising

          Test omitted by user request: CheckSecurityError

          Test omitted by user request: CutoffServers

          Starting test: FrsEvent

             * The File Replication Service Event log test 
             ......................... WINDC01 passed test FrsEvent

          Starting test: DFSREvent

             The DFS Replication Event Log. 
             Skip the test because the server is running FRS.

             ......................... WINDC01 passed test DFSREvent

          Starting test: SysVolCheck

             * The File Replication Service SYSVOL ready test 
             File Replication Service's SYSVOL is ready 
             ......................... WINDC01 passed test SysVolCheck

          Starting test: KccEvent

             * The KCC Event log test
             Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
             ......................... WINDC01 passed test KccEvent

          Starting test: KnowsOfRoleHolders

             Role Schema Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=domain,DC=local
             Role Domain Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=domain,DC=local
             Role PDC Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=domain,DC=local
             Role Rid Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=domain,DC=local
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=domain,DC=local
             ......................... WINDC01 passed test KnowsOfRoleHolders

          Starting test: MachineAccount

             Checking machine account for DC WINDC01 on DC WINDC01.
             * SPN found :LDAP/winDC01.domain.local/domain.local
             * SPN found :LDAP/winDC01.domain.local
             * SPN found :LDAP/WINDC01
             * SPN found :LDAP/winDC01.domain.local/domain
             * SPN found :LDAP/9c56f573-b228-480e-9d61-86610c38b184._msdcs.domain.local
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/9c56f573-b228-480e-9d61-86610c38b184/domain.local
             * SPN found :HOST/winDC01.domain.local/domain.local
             * SPN found :HOST/winDC01.domain.local
             * SPN found :HOST/WINDC01
             * SPN found :HOST/winDC01.domain.local/domain
             * SPN found :GC/winDC01.domain.local/domain.local
             ......................... WINDC01 passed test MachineAccount

          Starting test: NCSecDesc

             * Security Permissions check for all NC's on DC WINDC01.
             * Security Permissions Check for

               DC=DomainDnsZones,DC=domain,DC=local
                (NDNC,Version 3)
             * Security Permissions Check for

               DC=ForestDnsZones,DC=domain,DC=local
                (NDNC,Version 3)
             * Security Permissions Check for

               CN=Schema,CN=Configuration,DC=domain,DC=local
                (Schema,Version 3)
             * Security Permissions Check for

               CN=Configuration,DC=domain,DC=local
                (Configuration,Version 3)
             * Security Permissions Check for

               DC=domain,DC=local
                (Domain,Version 3)
             ......................... WINDC01 passed test NCSecDesc

          Starting test: NetLogons

             * Network Logons Privileges Check
             Verified share \\WINDC01\netlogon
             Verified share \\WINDC01\sysvol
             ......................... WINDC01 passed test NetLogons

          Starting test: ObjectsReplicated

             WINDC01 is in domain DC=domain,DC=local
             Checking for CN=WINDC01,OU=Domain Controllers,DC=domain,DC=local in domain DC=domain,DC=local on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=domain,DC=local in domain CN=Configuration,DC=domain,DC=local on 1 servers
                Object is up-to-date on all servers.
             ......................... WINDC01 passed test ObjectsReplicated

          Test omitted by user request: OutboundSecureChannels

          Starting test: Replications

             * Replications Check
             * Replication Latency Check
                DC=DomainDnsZones,DC=domain,DC=local
                   Latency information for 21 entries in the vector were ignored.
                      21 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                DC=ForestDnsZones,DC=domain,DC=local
                   Latency information for 21 entries in the vector were ignored.
                      21 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                CN=Schema,CN=Configuration,DC=domain,DC=local
                   Latency information for 21 entries in the vector were ignored.
                      21 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                CN=Configuration,DC=domain,DC=local
                   Latency information for 22 entries in the vector were ignored.
                      22 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
                DC=domain,DC=local
                   Latency information for 21 entries in the vector were ignored.
                      21 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
             ......................... WINDC01 passed test Replications

          Starting test: RidManager

             * Available RID Pool for the Domain is 20600 to 1073741823
             * winDC01.domain.local is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 20100 to 20599
             * rIDPreviousAllocationPool is 15600 to 16099
             * rIDNextRID: 15894
             ......................... WINDC01 passed test RidManager

          Starting test: Services

             * Checking Service: EventSystem
             * Checking Service: RpcSs
             * Checking Service: NTDS
             * Checking Service: DnsCache
             * Checking Service: NtFrs
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... WINDC01 passed test Services

          Starting test: SystemLog

             * The System Event log test
             Found no errors in "System" Event log in the last 60 minutes.
             ......................... WINDC01 passed test SystemLog

          Test omitted by user request: Topology

          Test omitted by user request: VerifyEnterpriseReferences

          Starting test: VerifyReferences

             The system object reference (serverReference)

             CN=WINDC01,OU=Domain Controllers,DC=domain,DC=local and backlink on

             CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=domain,DC=local

              are correct. 
             The system object reference (serverReferenceBL)

             CN=WINDC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local

             and backlink on

             CN=NTDS Settings,CN=WINDC01,CN=Servers,CN=Winnersh,CN=Sites,CN=Configuration,DC=domain,DC=local

             are correct. 
             The system object reference (frsComputerReferenceBL)

             CN=WINDC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local

             and backlink on CN=WINDC01,OU=Domain Controllers,DC=domain,DC=local

             are correct. 
             ......................... WINDC01 passed test VerifyReferences

          Test omitted by user request: VerifyReplicas

       
          Test omitted by user request: DNS

          Test omitted by user request: DNS

       
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

       
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation

       
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

       
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

       
       Running partition tests on : domain

          Starting test: CheckSDRefDom

             ......................... domain passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... domain passed test CrossRefValidation

       
       Running enterprise tests on : domain.local

          Test omitted by user request: DNS

          Test omitted by user request: DNS

          Starting test: LocatorCheck

             GC Name: \\winDC02.domain.local

             Locator Flags: 0xe000f3fc
             PDC Name: \\winDC01.domain.local
             Locator Flags: 0xe000f3f9
             Time Server Name: \\winDC01.domain.local
             Locator Flags: 0xe000f3f9
             Preferred Time Server Name: \\winDC01.domain.local
             Locator Flags: 0xe000f3f9
             KDC Name: \\winDC01.domain.local
             Locator Flags: 0xe000f3f9
             ......................... domain.local passed test LocatorCheck

          Starting test: Intersite

             Skipping site Default-First-Site-Name, this site is outside the scope

             provided by the command line arguments provided. 
             Skipping site VPNUsers, this site is outside the scope provided by the

             command line arguments provided. 
             Skipping site Neuss, this site is outside the scope provided by the

             command line arguments provided. 
             Skipping site Pachesham, this site is outside the scope provided by

             the command line arguments provided. 
             Skipping site Colo, this site is outside the scope provided by the

             command line arguments provided. 
             Skipping site Winnersh, this site is outside the scope provided by the

             command line arguments provided. 
             Skipping site RealIPColo, this site is outside the scope provided by

             the command line arguments provided. 
             Skipping site Cumbernauld, this site is outside the scope provided by

             the command line arguments provided. 
             Skipping site Roosendaal, this site is outside the scope provided by

             the command line arguments provided. 
             Skipping site Paris, this site is outside the scope provided by the

             command line arguments provided. 
             Skipping site DRSite, this site is outside the scope provided by the

             command line arguments provided. 
             Skipping site Turin, this site is outside the scope provided by the

             command line arguments provided. 
             Skipping site Munich, this site is outside the scope provided by the

             command line arguments provided. 
             Skipping site TURINO, this site is outside the scope provided by the

             command line arguments provided. 
             ......................... domain.local passed test Intersite

    matt barnes

    Monday, September 14, 2015 11:01 AM
  • Hi,

    Any errors/warnings in the DFS Replication event log? What does it tell you if you run a diagnostic health report from the DFS Management MMC console for the Domain System Volume RP?

    Post a dcdiag /v output from the PDC.

    Regards,

    Calin

    Anyone help with this?

    matt barnes

    Tuesday, September 15, 2015 1:42 PM
  • Hi matt barnes,

    Thanks for your post.

    According to your description, the GPO seems to have become orphaned. If the GPO was deleted by someone who had permissions to do so in AD, but not in SYSVOL, the AD portion of the GPO would be deleted but the SYSVOL portion of the GPO would be left behind. Then it may be orphaned.

    Which account do you use when you do the operation?

    Could you please log on as administrator and test?

    Besides, you may refer to the earlier thread on deleting orphaned GPOs:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/ee54b86a-72c5-4547-ad63-a017a37f05ba/delete-orphaned-gpos

    Best Regards,

    Mary Dong


    Wednesday, September 16, 2015 9:25 AM
    Moderator
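
    Added example, not part of the thread or any poster's code: a read-only PowerShell check for the orphaned state described above, comparing the GPO GUIDs known to AD with the {GUID} folders in one DC's SYSVOL copy. The function names are hypothetical; it assumes PowerShell 3.0 or later and the GroupPolicy module (GPMC/RSAT), and the sample GUIDs are constructed.

```powershell
# Added example: report GPO GUIDs present on only one side (AD vs. SYSVOL).
# Read-only: nothing is deleted or modified.

function Compare-GpoStore {
    # Pure comparison, so it can be exercised without a domain.
    param(
        [string[]]$AdGuids     = @(),  # GUIDs of the GPOs that exist in AD
        [string[]]$SysvolGuids = @()   # {GUID} folder names under SYSVOL\<domain>\Policies
    )
    # Normalise "{GUID}" and "guid" to the same form before comparing.
    $norm = { param($g) $g.Trim('{}').ToLowerInvariant() }
    $ad  = @($AdGuids     | ForEach-Object { & $norm $_ })
    $sys = @($SysvolGuids | ForEach-Object { & $norm $_ })

    [pscustomobject]@{
        # Folder left in SYSVOL although the AD object is gone (the case in this thread).
        SysvolOnly = @($sys | Where-Object { $_ -notin $ad })
        # AD object without a SYSVOL folder on the DC that was inspected.
        AdOnly     = @($ad  | Where-Object { $_ -notin $sys })
    }
}

function Get-GpoStoreMismatch {
    # Collects both lists from a live domain and compares them.
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Server = $env:COMPUTERNAME   # DC whose SYSVOL copy is inspected
    )
    $policies = "\\$Server\SYSVOL\$Domain\Policies"

    $adGuids = @(Get-GPO -All -Domain $Domain -Server $Server |
                 ForEach-Object { $_.Id.ToString() })

    # Only folders named like {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} are GPO templates.
    $folders = @(Get-ChildItem -LiteralPath $policies -Directory |
                 Where-Object { $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' } |
                 ForEach-Object { $_.Name })

    Compare-GpoStore -AdGuids $adGuids -SysvolGuids $folders
}

# Constructed sample data (not taken from the thread): one GPO exists in both
# places, one folder has no matching AD object.
$sample = Compare-GpoStore `
    -AdGuids     @('AAAAAAAA-1111-2222-3333-444444444444') `
    -SysvolGuids @('{aaaaaaaa-1111-2222-3333-444444444444}',
                   '{BBBBBBBB-1111-2222-3333-444444444444}')
$sample.SysvolOnly   # lists the GUID of the leftover folder
$sample.AdOnly       # empty for this sample

# Against a live domain, run once per DC and compare the results, e.g.:
#   Get-GpoStoreMismatch -Domain domain.local -Server WINDC01
```

    Running it against each DC in turn shows whether the leftover folders exist on every SYSVOL replica or only on one.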
  • Hi

    The GPOs were created by me using my admin account, which is a domain admin. I have tested creating a new GPO and deleting it. Each time the corresponding folder in the sysvol/policies folder is only partly deleted. 

    Windc01 has all FSMO roles. There is no issue with replication. However, when checking the status of group policy from any other DC they all show as WINDC01 SYSVOL being inaccessible. Even though the SYSVOL folder is replicating and syncing. 


    matt barnes

    Wednesday, September 16, 2015 9:39 AM
  • I checked ADSIEDIT; the policies do not exist under System-Policies after they have been deleted. 

    It appears they just aren't being removed from the SYSVOL.

    matt barnes

    Wednesday, September 16, 2015 10:57 AM