Group Policy Replication Server 2008 R2

    Question

  • Hi All,

    I am reviewing and recreating the group policies which we currently use. I have just noticed that they are not being replicated in between the domain controllers. I did some troubleshooting and thought that it might be useful to ask you guys.

    We have two domain controllers on site, which run Server 2008 R2 Standard. Let's name them DC1 and DC2.

    All group policy changes have been carried out on DC1 and I am now at the testing phase. I have multiple machines for testing and they will switch between the two DC's on every single restart, which seems to be normal. What I found was that when a user authenticates against DC1, policies are applied successfully. When a user authenticates against DC2, policies will fail to apply, at least most of them. It will also fail when I issue gpupdate /force.

    I have logged on to DC2 and I can see that my policy objects have replicated, however when I click on any of the new policies which I have just created I get an error pop up message saying 'The system cannot find the file specified' and then computer configuration and user configuration says 'No settings defined' although there is a lot on DC1.

    When I force manual replication in Active Directory Sites and Services, nothing happens. No changes.

    When I look into Active Directory Sites and Services default-first-site-name NTDS Site Settings configuration (2 DC's are in this one) it says that Server is DC2 under Inter-Site Topology Generator. Should it not be DC1?

    I checked the replication configuration for each server and it seems to be correct: one per hour, dc1 from dc2, dc2 from dc1.

    Does anybody know how to fix this issue?

    All the best!

    Friday, November 6, 2015 12:35 PM

Answers

  • This was resolved by following:


    http://arnavsharma.net/1/post/2014/03/authoritative-sysvol-restorefrs.html

    • Marked as answer by JG112015 Tuesday, November 10, 2015 12:02 PM
    Tuesday, November 10, 2015 12:02 PM

All replies

  • As an update to this topic, machines affected by the group policies (new GPOs) get the following errors while trying to update the policies.

    Error 1058 in event log; GroupPolicy (Microsoft-Windows-GroupPolicy)

    The processing of Group Policy failed. Windows attempted to read the file \\domain.com\SysVol\domain.com\Policies\{6549341B-8997-4CC7-B2E3-28C71F734437}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.

    The processing of Group Policy failed. Windows attempted to read the file \\domain.com\SysVol\domain.com\Policies\{BB899FDF-D387-4F89-BFEA-2A11E9F5F390}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

    Friday, November 6, 2015 2:15 PM
  • Could you please compare the Policies folder on both DC's.

    \\DC1\sysvol\DomainName\Policies

    \\DC2\sysvol\DomainName\Policies

    They should be identical; if not, there are replication issues.

    Friday, November 6, 2015 2:54 PM
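    The comparison suggested above, as an added PowerShell example (not code from the thread): it inventories the Policies folder on each DC, reads the `Version=` line from every gpt.ini, and reports GPO GUIDs that are missing on one side or whose gpt.ini versions differ. The DC and domain names are assumptions; change the parameters to match. It needs PowerShell 3 or later for `[pscustomobject]` (WMF 3.0 is available for Server 2008 R2).

```powershell
# Added example: compare \\DC1\SYSVOL\<domain>\Policies with \\DC2\SYSVOL\<domain>\Policies.
# $Dc1, $Dc2 and $DomainName are assumed values; adjust them for your environment.
param(
    [string]$Dc1 = 'DC1',
    [string]$Dc2 = 'DC2',
    [string]$DomainName = 'domain.com'
)

function Get-PolicyInventory {
    # Returns a hashtable: GPO GUID folder name -> gpt.ini Version (or $null if gpt.ini is absent)
    param([string]$Dc, [string]$Domain)
    $root = "\\$Dc\SYSVOL\$Domain\Policies"
    $inventory = @{}
    # PSIsContainer keeps this working on PowerShell 2.0, which lacks -Directory
    foreach ($dir in Get-ChildItem -Path $root -ErrorAction Stop | Where-Object { $_.PSIsContainer }) {
        $gpt = Join-Path $dir.FullName 'gpt.ini'
        $version = $null
        if (Test-Path $gpt) {
            # gpt.ini carries "Version=<int>"; clients compare it with the GPO object's versionNumber
            $line = Select-String -Path $gpt -Pattern '^Version=(\d+)' | Select-Object -First 1
            if ($line) { $version = [int]$line.Matches[0].Groups[1].Value }
        }
        $inventory[$dir.Name] = $version
    }
    return $inventory
}

$a = Get-PolicyInventory -Dc $Dc1 -Domain $DomainName
$b = Get-PolicyInventory -Dc $Dc2 -Domain $DomainName

# Union of GUIDs seen on either DC, so one-sided folders show up as "missing"
$allGuids = @($a.Keys) + @($b.Keys) | Sort-Object -Unique
$report = foreach ($guid in $allGuids) {
    $state = if (-not $b.ContainsKey($guid)) { "missing on $Dc2" }
             elseif (-not $a.ContainsKey($guid)) { "missing on $Dc1" }
             elseif ($null -eq $a[$guid] -or $null -eq $b[$guid]) { 'gpt.ini missing' }
             elseif ($a[$guid] -ne $b[$guid]) { 'version mismatch' }
             else { 'ok' }
    [pscustomobject]@{
        Gpo         = $guid
        "$Dc1 ver"  = $a[$guid]
        "$Dc2 ver"  = $b[$guid]
        State       = $state
    }
}

$report | Sort-Object State, Gpo | Format-Table -AutoSize
"Policies on ${Dc1}: $($a.Count); on ${Dc2}: $($b.Count); rows not ok: $(@($report | Where-Object { $_.State -ne 'ok' }).Count)"
```

    A GUID that exists on DC1 and is "missing on DC2" is exactly the condition behind the event 1058 errors quoted earlier in this thread: the GPO object has replicated through AD, but the gpt.ini and settings under SYSVOL have not.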
  • Hi,

    Can you restart DFS-R service in DC2 and see if it helps?

    -Umesh.S.K

    Friday, November 6, 2015 2:54 PM
  • Hello Muhammad,

    That is a good starting point. I have checked both folders and unfortunately they show different content.

    DC1 (where all the policies have been implemented) shows all of them (22), however DC2 shows only 9 and none of the ones which have been recently created.

    I have also restarted DFS-R service on DC2 and forced manual replication in Sites & Services however this did not resolve the problem. I have also rebooted DC2 and this did not bring any changes.

    Friday, November 6, 2015 3:16 PM
  • Could you please check that the time on both DC's is the same.

    Which DC holds all of the FSMO roles?

    Friday, November 6, 2015 3:19 PM
  • Could you please run these commands and share the result here.

    TO CHECK REPLICATION STATUS B/W DC’s
    CMD
    REPADMIN /SHOWREPL


    TO FORCE SYNC MANUALLY
    REPADMIN /SYNCALL


    TO CHECK GENERAL HEALTH 
    DCDIAG

    Friday, November 6, 2015 3:24 PM
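    The `repadmin /showrepl` check above, wrapped as an added PowerShell example (not code from the thread) that reads the CSV form of the output for every DC and tabulates failing or stale inbound links. It assumes repadmin.exe is available (on a DC or with RSAT) and that the account can query all DCs. Note that this covers Active Directory partition replication only; as the thread goes on to show, those links can be healthy while SYSVOL file replication is broken.

```powershell
# Added example: summarise repadmin /showrepl * /csv so failures stand out.
# Assumes repadmin.exe is on the path (DC or RSAT) and you can reach every DC.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
if (-not $rows) { throw 'repadmin returned no rows; run on a DC or install RSAT' }

$summary = foreach ($r in $rows) {
    # "Last Success Time" is normally "yyyy-MM-dd HH:mm:ss"; treat anything unparseable as never
    $lastOk = [datetime]::MinValue
    $hasOk = [datetime]::TryParse($r.'Last Success Time', [ref]$lastOk)
    [pscustomobject]@{
        Destination  = $r.'Destination DSA'
        Source       = $r.'Source DSA'
        Partition    = $r.'Naming Context'
        Failures     = [int]$r.'Number of Failures'
        LastStatus   = $r.'Last Failure Status'
        HoursSinceOk = if ($hasOk) { [math]::Round(((Get-Date) - $lastOk).TotalHours, 1) } else { $null }
    }
}

# A healthy link has zero failures and a success within the schedule window (24 h is generous here)
$problems = $summary | Where-Object {
    $_.Failures -gt 0 -or $null -eq $_.HoursSinceOk -or $_.HoursSinceOk -gt 24
}

$summary | Sort-Object Failures, HoursSinceOk -Descending | Format-Table -AutoSize
"Inbound links with problems: $(@($problems).Count) of $(@($summary).Count)"
```

    For the output posted above, every row would show zero failures and a success time a few minutes old, which is why the repliers move on from AD replication to the SYSVOL replication engine.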
  • 1. Time is matching on both workstations.

    2. FSMO roles, checked via NetDOM /query FSMO


    Schema master               dc1.ad.domain.com
    Domain naming master        dc1.ad.domain.com
    PDC                         dc1.ad.domain.com
    RID pool manager            dc1.ad.domain.com
    Infrastructure master       dc1.ad.domain.com
    The command completed successfully.


    3. REPADMIN /SHOWREPL

    Repadmin: running command /SHOWREPL against full DC localhost
    Default-First-Site-Name\DC1
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: b82a0bab-aa2d-4d9d-b80d-78ece0e52306
    DSA invocationID: 94821561-1f2a-453e-b5b7-b8cc5606c401

    ==== INBOUND NEIGHBORS ======================================

    DC=ad,DC=domain,DC=com
        Default-First-Site-Name\DC2 via RPC
            DSA object GUID: e12bcdb2-d4ce-4d03-81fc-46a7db7449f8
            Last attempt @ 2015-11-06 16:02:15 was successful.

    CN=Configuration,DC=ad,DC=domain,DC=com
        Default-First-Site-Name\DC2 via RPC
            DSA object GUID: e12bcdb2-d4ce-4d03-81fc-46a7db7449f8
            Last attempt @ 2015-11-06 15:57:54 was successful.

    CN=Schema,CN=Configuration,DC=ad,DC=domain,DC=com
        Default-First-Site-Name\DC2 via RPC
            DSA object GUID: e12bcdb2-d4ce-4d03-81fc-46a7db7449f8
            Last attempt @ 2015-11-06 15:57:54 was successful.

    DC=DomainDnsZones,DC=ad,DC=domain,DC=com
        Default-First-Site-Name\DC2 via RPC
            DSA object GUID: e12bcdb2-d4ce-4d03-81fc-46a7db7449f8
            Last attempt @ 2015-11-06 15:57:54 was successful.

    DC=ForestDnsZones,DC=ad,DC=domain,DC=com
        Default-First-Site-Name\DC2 via RPC
            DSA object GUID: e12bcdb2-d4ce-4d03-81fc-46a7db7449f8
            Last attempt @ 2015-11-06 15:57:54 was successful.



    4. repadmin /syncall

    CALLBACK MESSAGE: The following replication is in progress:
        From: e12bcdb2-d4ce-4d03-81fc-46a7db7449f8._msdcs.ad.domain.com
        To  : b82a0bab-aa2d-4d9d-b80d-78ece0e52306._msdcs.ad.domain.com
    CALLBACK MESSAGE: The following replication completed successfully:
        From: e12bcdb2-d4ce-4d03-81fc-46a7db7449f8._msdcs.ad.domain.com
        To  : b82a0bab-aa2d-4d9d-b80d-78ece0e52306._msdcs.ad.domain.com
    CALLBACK MESSAGE: SyncAll Finished.
    SyncAll terminated with no errors.


    5. DCDIAG

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = dc1
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\dc1
          Starting test: Connectivity
             ......................... dc1 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\dc1
          Starting test: Advertising
             ......................... dc1 passed test Advertising
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... dc1 passed test FrsEvent
          Starting test: DFSREvent
             ......................... dc1 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... dc1 passed test SysVolCheck
          Starting test: KccEvent
             ......................... dc1 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... dc1 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... dc1 passed test MachineAccount
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=ad,DC=domain,DC=com
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=DomainDnsZones,DC=ad,DC=domain,DC=com
             ......................... dc1 failed test NCSecDesc
          Starting test: comLogons
             ......................... dc1 passed test comLogons
          Starting test: ObjectsReplicated
             ......................... dc1 passed test ObjectsReplicated
          Starting test: Replications
             ......................... dc1 passed test Replications
          Starting test: RidManager
             ......................... dc1 passed test RidManager
          Starting test: Services
             ......................... dc1 passed test Services
          Starting test: SystemLog

                The Key Distribution Center (KDC) cannot find a suitable certificate
     to use for smart card logons, or the KDC certificate could not be verified. Sma
    rt card logon may not function correctly if this problem is not resolved. To cor
    rect this problem, either verify the existing KDC certificate using certutil.exe
     or enroll for a new KDC certificate.
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 11/06/2015   16:51:09
                Event String:
                Name resolution for the name 108.223.83.in-addr.arpa timed out after
     none of the configured DNS servers responded.
             A warning event occurred.  EventID: 0x000727AA
                Time Generated: 11/06/2015   16:53:15
                Event String:
                The WinRM service failed to create the following SPNs: WSMAN/dc1
    .ad.domain.com; WSMAN/dc1.

         ......................... dc1 failed test SystemLog
          Starting test: VerifyReferences

          ......................... dc1 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : ad
          Starting test: CheckSDRefDom
             ......................... ad passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ad passed test CrossRefValidation

       Running enterprise tests on : ad.domain.com
          Starting test: LocatorCheck
             ......................... ad.domain.com passed test LocatorCheck
          Starting test: Intersite
             ......................... ad.domain.com passed test Intersite

    @edit

    Here is an output for dcdiag on DC2. All other commands give the same output.

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = DC2
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\DC2
          Starting test: Connectivity
             ......................... DC2 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\DC2
          Starting test: Advertising
             ......................... DC2 passed test Advertising
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... DC2 failed test FrsEvent
          Starting test: DFSREvent
             ......................... DC2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... DC2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... DC2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... DC2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... DC2 passed test MachineAccount
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=ad,DC=domain,DC=com
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=DomainDnsZones,DC=ad,DC=domain,DC=com
             ......................... DC2 failed test NCSecDesc
          Starting test: comLogons
             ......................... DC2 passed test comLogons
          Starting test: ObjectsReplicated
             ......................... DC2 passed test ObjectsReplicated
          Starting test: Replications
             ......................... DC2 passed test Replications
          Starting test: RidManager
             ......................... DC2 passed test RidManager
          Starting test: Services
             ......................... DC2 passed test Services
          Starting test: SystemLog
             ......................... DC2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... DC2 passed test VerifyReferences


       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : ad
          Starting test: CheckSDRefDom
             ......................... ad passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ad passed test CrossRefValidation

       Running enterprise tests on : ad.domain.com
          Starting test: LocatorCheck
             ......................... ad.domain.com passed test LocatorCheck
          Starting test: Intersite
             ......................... ad.domain.com passed test Intersite




    • Edited by JG112015 Friday, November 6, 2015 5:15 PM update
    Friday, November 6, 2015 4:16 PM
  • Anybody? :)
    Saturday, November 7, 2015 8:56 PM
  • At a glance, it seems like the AD is replicating ok but SYSVOL is not replicating ok. SYSVOL replication can be implemented in two ways; old-school-FRS or new-school-DFS.

    For WS2008, DFS is not necessarily in use, it depends upon the history of the domain (eg if it was upgraded from an older OS, it could still be using FRS).

    If DFS diagnostics show health, then look to FRS. Or, check to see which replication engine is being used for SYSVOL.

    http://blogs.technet.com/b/askds/archive/2008/05/22/verifying-file-replication-during-the-windows-server-2008-dfsr-sysvol-migration-down-and-dirty-style.aspx

    Troubleshooting FRS:
    https://msdn.microsoft.com/en-us/library/bb727056.aspx


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Saturday, November 7, 2015 9:20 PM
    Saturday, November 7, 2015 9:19 PM
  • So I followed https://msdn.microsoft.com/en-us/library/windows/desktop/cc507518%28v=vs.85%29.aspx to determine which service domain controllers are running, whether it's DFSR or FRS. I checked

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState registry subkey, which exists, however its value is 0, which means it uses FRS.

    I have restarted FRS service, there are a lot of warnings in FRS event log on DC1. Mostly event ID 13508.

    The File Replication Service is having trouble enabling replication from DC2 to DC1 for c:\windows\sysvol\domain using the DNS name DC2.domain.com. FRS will keep retrying.
     Following are some of the reasons you would see this warning.

     [1] FRS can not correctly resolve the DNS name DC2.domain.com from this computer.
     [2] FRS is not running on DC2.domain.com.
     [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

    This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.




    On DC2, I have a lot of errors in event log (ID 13555 and 13552).

    Event ID 13555:


    The File Replication Service is in an error state. Files will not replicate to or from one or all of the replica sets on this computer until the following recovery steps are performed:

     Recovery Steps:

     [1] The error state may clear itself if you stop and restart the FRS service. This can be done by performing the following in a command window:

        net stop ntfrs
        net start ntfrs

    If this fails to clear up the problem then proceed as follows.

     [2] For Active Directory Domain Services Domain Controllers that DO NOT host any DFS alternates or other replica sets with replication enabled:

    If there is at least one other Domain Controller in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative.

    If there are NO other Domain Controllers in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and choose the Advanced option which marks the sysvols as primary.

    If there are other Domain Controllers in this domain but ALL of them have this event log message then restore one of them as primary (data files from primary will replicate everywhere) and the others as non-authoritative.


     [3] For Active Directory Domain Services Domain Controllers that host DFS alternates or other replica sets with replication enabled:

     (3-a) If the Dfs alternates on this DC do not have any other replication partners then copy the data under that Dfs share to a safe location.
     (3-b) If this server is the only Active Directory Domain Services Domain Controller for this domain then, before going to (3-c),  make sure this server does not have any inbound or outbound connections to other servers that were formerly Domain Controllers for this domain but are now off the net (and will never be coming back online) or have been fresh installed without being demoted. To delete connections use the Sites and Services snapin and look for
    Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS Settings->CONNECTIONS.
     (3-c) Restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative.
     (3-d) Copy the data from step (3-a) above to the original location after the sysvol share is published.


     [4] For other Windows servers:

     (4-a)  If any of the DFS alternates or other replica sets hosted by this server do not have any other replication partners then copy the data under its share or replica tree root to a safe location.
     (4-b)  net stop ntfrs
     (4-c)  rd /s /q  c:\windows\ntfrs\jet
     (4-d)  net start ntfrs
     (4-e)  Copy the data from step (4-a) above to the original location after the service has initialized (5 minutes is a safe waiting time).

    Note: If this error message is in the eventlog of all the members of a particular replica set then perform steps (4-a) and (4-e) above on only one of the members.




    Event ID 13552:


    The File Replication Service is unable to add this computer to the following replica set:
        "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

    This could be caused by a number of problems such as:
      --  an invalid root path,
      --  a missing directory,
      --  a missing disk volume,
      --  a file system on the volume that does not support NTFS 5.0

    The information below may help to resolve the problem:
    Computer DNS name is "DC2.domain.com"
    Replica set member name is "DC2"
    Replica set root path is "c:\windows\sysvol\domain"
    Replica staging directory path is "c:\windows\sysvol\staging\domain"
    Replica working directory path is "c:\windows\ntfrs\jet"
    Windows error status code is  
    FRS error status code is FrsErrorMismatchedJournalId

    Other event log messages may also help determine the problem.  Correct the problem and the service will attempt to restart replication automatically at a later time.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NtFrs" />
        <EventID Qualifiers="49152">13552</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-11-09T15:14:16.000000000Z" />
        <EventRecordID>442</EventRecordID>
        <Channel>File Replication Service</Channel>
        <Computer>DC2.domain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>DOMAIN SYSTEM VOLUME (SYSVOL SHARE)</Data>
        <Data>DC2.domain.com</Data>
        <Data>DC2</Data>
        <Data>c:\windows\sysvol\domain</Data>
        <Data>c:\windows\sysvol\staging\domain</Data>
        <Data>c:\windows\ntfrs\jet</Data>
        <Data>
        </Data>
        <Data>FrsErrorMismatchedJournalId</Data>
      </EventData>
    </Event>

    Can anyone advise?

    • Edited by JG112015 Tuesday, November 10, 2015 9:32 AM more details about DC2
    Tuesday, November 10, 2015 9:26 AM
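    Added PowerShell example (not code from the thread) that performs the two checks described in this post across a list of DCs: it reads the `Migrating Sysvols\LocalState` value to say whether SYSVOL is on FRS or DFSR (0 = Start, i.e. still FRS; 1 = Prepared; 2 = Redirected; 3 = Eliminated, DFSR only; no key at all also means FRS), then pulls the FRS events quoted above (13508, 13552, 13555) plus the 13516 "SYSVOL ready" success event from the File Replication Service log and extracts any `FrsError…` status string. The DC names are assumptions; remote registry and remote event log access must be allowed on the targets.

```powershell
# Added example: SYSVOL engine + recent FRS events per DC. $DomainControllers is an assumed list.
param([string[]]$DomainControllers = @('DC1', 'DC2'))

# Meaning of LocalState under the key this thread checks (DFSR SYSVOL migration global state)
$migrationState = @{
    0 = 'Start (FRS)'
    1 = 'Prepared (FRS still authoritative)'
    2 = 'Redirected (DFSR authoritative)'
    3 = 'Eliminated (DFSR only)'
}

function Get-SysvolEngine {
    # Returns a description of the SYSVOL replication engine on $Dc, via the Remote Registry service
    param([string]$Dc)
    $subKey = 'SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols'
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    try {
        $key = $hklm.OpenSubKey($subKey)
        if ($null -eq $key) { return 'FRS (migration key absent, never migrated)' }
        $state = $key.GetValue('LocalState')
        if ($null -eq $state) { return 'FRS (LocalState absent)' }
        $label = $migrationState[[int]$state]
        if ($label) { return $label } else { return "unknown LocalState $state" }
    } finally { $hklm.Close() }
}

# FRS event IDs from the thread (13508, 13552, 13555) plus 13516, logged when SYSVOL is ready again
$frsIds = 13508, 13552, 13555, 13516

foreach ($dc in $DomainControllers) {
    "==== $dc : SYSVOL engine = $(Get-SysvolEngine -Dc $dc)"
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'File Replication Service'
        Id        = $frsIds
        StartTime = (Get-Date).AddDays(-1)
    }
    if (-not $events) { '  no FRS events of interest in the last 24 h'; continue }
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        '  Event {0}: {1} occurrence(s), latest {2:u}' -f $_.Name, $_.Count, $latest.TimeCreated
        # 13552 carries an FRS status such as FrsErrorMismatchedJournalId: the NTFS USN journal
        # FRS recorded for the volume no longer matches, so it refuses to join the replica set
        if ($latest.Message -match 'FrsError\w+') { '    FRS status: ' + $Matches[0] }
    }
}
```

    Running this against the two DCs in the thread would report "Start (FRS)" for both, 13508 on DC1 and 13552/13555 on DC2, which is the pattern that points to an FRS-side recovery rather than an AD replication fix.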
  • This was resolved by following:


    http://arnavsharma.net/1/post/2014/03/authoritative-sysvol-restorefrs.html

    • Marked as answer by JG112015 Tuesday, November 10, 2015 12:02 PM
    Tuesday, November 10, 2015 12:02 PM
  • Hi,

    Thank you for sharing the solution and update.

    Best regards,


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 14, 2015 6:55 AM
    Moderator