Hi,
I just promoted a new Server 2022 to the current domain as a new domain controller, and I see that users, computers and GPOs are synchronized.
PolicyDefinitions were auto-created in the SYSVOL folder as the central store - so everything is good.
But one GPO has settings to apply one certificate from Trusted Root to all domain computers, and when I open certlm.msc and go to that folder I don't see that this cert was synchronized to the new DC; on the old DC this cert is visible, but not on the new DC.
I have no errors in sync:
PS C:\Users\Administrator.domain> Repadmin /replsummary
Replication Summary Start Time: 2023-03-07 08:42:17
Beginning data collection for replication summary, this may take awhile:
.....
Source DSA largest delta fails/total %% error
UKS0001 17m:51s 0 / 5 0
UKS01 07m:23s 0 / 5 0
Destination DSA largest delta fails/total %% error
UKS0001 07m:23s 0 / 5 0
UKS01 17m:51s 0 / 5 0
@Tutek
What do you see in the GPO report provided by this command: gpresult /H c:\temp\gporeport.html ?
Can you share the report with us?
I see only five GPOs that are bound to the Domain Controllers OU (where the new DC already is) - none have any errors.
But the GPO with the certificates is not bound to the Domain Controllers OU, but to the Computers OU.
Here is the GPO with two certificates; only the first one, ending with ...13, was synchronized to the new DC:
@Tutek
Did you try to reboot the new DC?
Did you try to reimport the certificate in the GPO?
Please don't forget to mark helpful answer as accepted
I did a reboot now; this did not help.
Is there any Event Viewer ID for this? Since only one certificate was synced inside the GPO, there must be some evidence or warning about it.
Yes, for sure I can manually install this cert on the new DC, but I would rather know what is going on; maybe there is a synchronization error that affects other GPOs as well. So far I have only noticed this one problem, but there may be more.
Can you run the command below and share the result:
dcdiag
From the new DC (the error about DHCP is known, because it was not yet authorized)
@Tutek
You have an error on SYSVOL replication, as mentioned here:
SYSVOL replication can impact the application of GPO settings. You should fix it to be sure that all domain controllers have the same GPOs and the latest modifications. You can launch a non-authoritative synchronization restore to fix this replication issue:
How to force authoritative and non-authoritative synchronization for DFSR-replicated sysvol replication
Please don't forget to mark helpful answer as accepted
When I look at the Event Viewer for DFS, I have:
3 warnings: 4614, 6804, 6016 - these are from the time when I promoted the DC as a new domain controller - they did not appear again later.
1 error: 6104 - appeared one hour ago.
If the SYSVOL replication is fine and the GPO settings are applied correctly on the target DC, the problem should be with the certificate. Can you import it again into the GPO and check if you still have the same issue after running gpupdate /force?
I have manually imported the missing cert into Trusted Root; after gpupdate /force it is still there.
If I look on the new DC at SYSVOL: c:\Windows\SYSVOL\sysvol\ad.domain.pl\scripts\
I have all my custom folders here; scripts, MSI files etc. are there.
But on the old DC I have multiple events with ID 5014 and the error: Error: 1723 (The RPC server is too busy to complete this operation.)
Maybe some firewall ports should be opened on the new DC?
@Tutek
There is another way to publish a root certificate in Active Directory, and it will be imported automatically into the root certificate store on each member machine:
certutil -dspublish -f root_CA_Path RootCA
I prefer to use this method instead of GPO, because GPOs depend on SYSVOL replication health.
Please don't forget to close the thread if your issue is resolved by accepting helpful answer
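As an added example that is not part of the thread: a small PowerShell check that tells you, for each DC, whether a given root certificate is actually in the machine's Trusted Root store, and whether it has been published to the AD Configuration container that certutil -dspublish RootCA writes to. The thumbprint is a placeholder; the DC names are taken from the repadmin output above; the RSAT ActiveDirectory module and WinRM access to both DCs are assumed.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module and WinRM.
Import-Module ActiveDirectory

$Thumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'   # placeholder: 40 hex chars, no spaces
$DCs = 'UKS0001', 'UKS01'                        # names from the repadmin output in the thread

function Test-RootStoreOnHost {
    param([string]$ComputerName, [string]$Thumbprint)
    # Queries the remote machine's Trusted Root store (what certlm.msc shows under
    # Trusted Root Certification Authorities) and returns $true if the cert is there.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($tp)
        $hit = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp }
        [bool]$hit
    } -ArgumentList $Thumbprint
}

function Test-RootInADConfig {
    param([string]$Thumbprint)
    # certutil -dspublish ... RootCA stores the cert as a certificationAuthority object
    # under this container; domain members pull it through autoenrollment, not SYSVOL.
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$cfg"
    $cas  = Get-ADObject -SearchBase $base -Filter 'objectClass -eq "certificationAuthority"' `
                         -Properties cACertificate
    foreach ($ca in $cas) {
        foreach ($raw in $ca.cACertificate) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                               -ArgumentList (,[byte[]]$raw)
            if ($cert.Thumbprint -eq $Thumbprint) { return $ca.DistinguishedName }
        }
    }
    return $null   # not published in AD
}

foreach ($dc in $DCs) {
    $present = Test-RootStoreOnHost -ComputerName $dc -Thumbprint $Thumbprint
    '{0,-10} Trusted Root store contains cert: {1}' -f $dc, $present
}
$dn = Test-RootInADConfig -Thumbprint $Thumbprint
if ($dn) { "Published in AD at: $dn" }
else     { 'Not published in the AD Configuration container (certutil -dspublish has not been run)' }
```

If the store check differs between the two DCs while the AD check is consistent, the gap is in GPO/SYSVOL delivery rather than in the certificate itself.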