Group Policy Error After Primary AD Crash

  • Question

  • Dear Microsoft Server Expert,

    Good Day

    We have 2 on-premises 2012 ADs, AD1 and AD2. AD1 is primary and AD2 is secondary. AD1 has crashed and we are not able to recover it, hence we set up a brand new AD called "AD3". We promoted AD2 as the primary AD, and AD3 remains as secondary to replace the crashed AD1.

    All replication seems to work normally, such as Active Directory and DNS Server. However, what I found is that the GPOs seem to have an issue. I think because the GPO files were stored on the crashed AD1, the domain controller is now not able to find the path where the GPOs are stored, which should be under the SYSVOL folder. Below are some screenshots:

    I think all the GPOs are corrupted, as the DC is not able to find the referenced GUID path. Is there any way to resolve this? If not, then I think the only way is to redo all the GPO objects again. However:

    1. What should I do with those old entries? I don't think they are still running and applied to the clients, right?

    2. How do I remove these entries then? Otherwise, when I create new GPO entries, they will show as duplicates.

    Please help to advise on this.

    Many thanks

    H

    Saturday, December 21, 2019 2:52 PM

All replies

  • Hi Henry,

    Start by removing all no longer valid references to the failed DC from your AD.

    For the list of steps, refer to https://social.technet.microsoft.com/Forums/en-US/9a2c65b2-5c0c-40f3-b435-e7f181152428/how-to-delete-a-crashed-dc-from-ad?forum=winserverDS

    Next, verify whether the path referenced in the error message above actually exists. If not, you might need to perform an authoritative SYSVOL restore - as described in http://www.rebeladmin.com/2017/08/non-authoritative-authoritative-sysvol-restore-dfs-replication/

    If this does not work out, you might try https://gist.github.com/RavuAlHemio/00e51d3ea64731be9d43b01eda18734f

    Before you start, make sure you have a valid backup of at least one of your DCs (including SYSVOL).

    hth
    Marcin

    Saturday, December 21, 2019 5:57 PM
  • Hi Marcin,

    Good Day

    Thanks for the advice above; however, it seems confusing to me, because what I would like to do is fix the GPO issue.

    As the primary AD has crashed and can't be recovered, we can't recover anything from that server. That's why we chose to just set up a new AD for redundancy purposes, as it is much faster to set up a server and DCPROMO it to AD. Currently, the new AD has been tested and is up and running.

    I can't find a way just to delete the GPO entries and recreate a new policy, though I find it may be tedious because we have quite a few GPOs pushed down to clients. I could remove the link but am not able to remove the GPO itself. I have checked that the path referenced in the error message does not actually exist in the SYSVOL folder of the current AD2 (promoted to primary AD). The current SYSVOL folder on AD2 only contains a few entries. So the SYSVOL restore you mentioned is, I think, not applicable here.

    Is there any way for me to delete these entries still? If I don't delete them and just delete the link and then recreate a new one with a new name, will that be okay?

    Thanks

    H

    Sunday, December 22, 2019 2:26 AM
  • Hi Henry2050,

    Thank you for posting in our forum.

    I very much agree with Marcin Policht's method. According to your situation, I suggest that you first clear the metadata. After cleaning, check which GPOs are more and which are less.


    Hope this information can help you
    Best wishes
    Vicky


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, December 23, 2019 9:00 AM
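
One way to do the comparison suggested above (which GPOs exist in AD but have no SYSVOL folder, and the reverse), as an added example that is not part of any reply in this thread. It assumes the RSAT ActiveDirectory module is installed, checks against the DC holding the PDC emulator role, and only reads; it deletes nothing.

```powershell
# Read-only check: compares GPO objects in AD (Group Policy Containers)
# with the {GUID} folders in SYSVOL (Group Policy Templates).
# Assumption: RSAT ActiveDirectory module is available on this machine.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$dc       = $domain.PDCEmulator   # assumption: inspect the PDC emulator's copy
$gpcBase  = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$policies = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies"

# AD side: one groupPolicyContainer object per GPO, named by its {GUID}
$gpc = @(Get-ADObject -Server $dc -SearchBase $gpcBase -SearchScope OneLevel `
        -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, gPCFileSysPath)

# SYSVOL side: one {GUID} folder per GPO on the chosen DC
$gpt = @(Get-ChildItem -LiteralPath $policies -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })

$gpcGuids = @($gpc | ForEach-Object { $_.Name })
$report   = @()

# GPOs that AD knows about but whose files are missing (the broken entries)
foreach ($g in $gpc) {
    $folder = Join-Path $policies $g.Name
    if (-not (Test-Path -LiteralPath $folder)) {
        $report += [pscustomobject]@{
            Guid        = $g.Name
            DisplayName = $g.displayName
            Finding     = 'In AD, folder missing from SYSVOL'
            Path        = $g.gPCFileSysPath
        }
    }
}

# Folders in SYSVOL that no AD object points to
foreach ($f in $gpt) {
    if ($gpcGuids -notcontains $f.Name) {   # -notcontains is case-insensitive
        $report += [pscustomobject]@{
            Guid        = $f.Name
            DisplayName = $null
            Finding     = 'In SYSVOL, no GPO object in AD'
            Path        = $f.FullName
        }
    }
}

$report | Sort-Object Finding, Guid | Format-Table -AutoSize -Wrap
'{0} GPOs in AD, {1} folders in SYSVOL, {2} mismatches' -f $gpc.Count, $gpt.Count, $report.Count
```

Running it against each DC in turn (set `$dc` by hand) shows whether the folders are missing everywhere or only on one replica, which is what decides between a SYSVOL restore and recreating the GPOs.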
  • Hi,

     

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

     

    Best Regards,

    Vicky



    Wednesday, December 25, 2019 1:16 AM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Vicky


    Friday, December 27, 2019 7:36 AM