This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 74%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hi,
I just promoted new serv 2022 to current domain as new domain controller, I see that users, coputers, gpo synchronized.
Policydefenitions are auto created in sysvol folder as central store - so everything is good.
But one GPO have settings to apply to all domain computer one certificate from trusted root, but when I do certlm.msc and go to this folder I don't see that this cert was synchronized on the new DC, on the old DC this cert is visible but not on then new DC.
I have no errors in sync:
PS C:\Users\Administrator.domain> Repadmin /replsummary
Replication Summary Start Time: 2023-03-07 08:42:17
Beginning data collection for replication summary, this may take awhile:
.....
Source DSA largest delta fails/total %% error
UKS0001 17m:51s 0 / 5 0
UKS01 07m:23s 0 / 5 0
Destination DSA largest delta fails/total %% error
UKS0001 07m:23s 0 / 5 0
UKS01 17m:51s 0 / 5 0
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi @Tutek
Try to force the GPO by running the following command :
gpupdate /force
Then you can check if the GPO setting for root certificate is well configured in gpo report by running the following command:
gpresult /H c:\temp\gporeport.html
Please don't forget to mark helpful answer as accepted
C:\Users\Administrator.domain>gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
GPO is configured correctly, because on old domain this gpo is working all of domain computers have this certificate installed.
This GPO have two certificates to distribute to all domain computers, one of this cert was synchronized and is visible on the new DC, but as I said this is inside one GPO that is, if this setting didn't work then this one certificate wouldn't have been synchronized
What do you see in gpo report provided by this command gpresult /H c:\temp\gporeport.html ?
Can you share the report with us ?
I see only five GPO that are binded to domain controllers OU (where new DC is already) - none have any errors.
But GPO with certificates is not binded to Domain Controllers OU, but to computers OU.
Here is GPO with two certificates, only this first one ending with ...13 was synchronized on the new DC:
Did you try to reboot the new DC ?
Did your try to reimport the certificate in the GPO ?
Please don't forget to mark helpful answer as accepted
I did a reboot now, this not helped.
Is there any event viewer ID because only one certificate was synced inside gpo there must be any evidence or warning about this.
Yes for sure I can manually install this cert on new DC, but rather I would to know what is going on, maybe there is a synchronization error that affects other gpo's as well, so far I have only noticed this one problem but there may be more.
Can you run the command below and share the result :
dcdiag
From the new DC (error about DHCP is know because was not yet autorized)
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Users\Administrator.domain> dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = uks01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\UKS01
Starting test: Connectivity
......................... UKS01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\UKS01
Starting test: Advertising
......................... UKS01 passed test Advertising
Starting test: FrsEvent
......................... UKS01 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
......................... UKS01 failed test DFSREvent
Starting test: SysVolCheck
......................... UKS01 passed test SysVolCheck
Starting test: KccEvent
......................... UKS01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... UKS01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... UKS01 passed test MachineAccount
Starting test: NCSecDesc
......................... UKS01 passed test NCSecDesc
Starting test: NetLogons
......................... UKS01 passed test NetLogons
Starting test: ObjectsReplicated
......................... UKS01 passed test ObjectsReplicated
Starting test: Replications
......................... UKS01 passed test Replications
Starting test: RidManager
......................... UKS01 passed test RidManager
Starting test: Services
......................... UKS01 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x80040020
Time Generated: 03/07/2023 10:45:04
Event String:
Sterownik wykrył włączony bufor zapisu urządzenia \Device\Harddisk0\DR0. Może wystąpić uszkodzenie danych.
A warning event occurred. EventID: 0x80040020
Time Generated: 03/07/2023 10:45:04
Event String:
Sterownik wykrył włączony bufor zapisu urządzenia \Device\Harddisk0\DR0. Może wystąpić uszkodzenie danych.
A warning event occurred. EventID: 0x80040020
Time Generated: 03/07/2023 10:45:04
Event String:
Sterownik wykrył włączony bufor zapisu urządzenia \Device\Harddisk0\DR0. Może wystąpić uszkodzenie danych.
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/07/2023 10:45:09
Event String:
Upłynął limit czasu rozpoznawania nazwy _ldap._tcp.dc._msdcs.ad.domain.pl. po tym, jak żaden ze skonfigurowanych serwerów DNS nie odpowiedział.
A warning event occurred. EventID: 0x00002724
Time Generated: 03/07/2023 10:45:38
Event String:
Ten komputer ma co najmniej jeden przypisany dynamicznie adres IPv6. Aby zapewnić niezawodne działanie serwera DHCPv6, należy używać tylko statycznych adresów IPv6.
An error event occurred. EventID: 0x00000416
Time Generated: 03/07/2023 10:45:38
Event String:
Usługa DHCP/BINL, zainstalowana na lokalnym komputerze, należącym do domeny administracyjnej Windows ad.domain.pl, ustaliła, że nie jest autoryzowana do uruchomienia. Usługa przestała obsługiwać klientów. Oto kilka możliwych powodów:
An error event occurred. EventID: 0xC0001B5E
Time Generated: 03/07/2023 10:45:45
Event String: Wywołanie ScRegSetValueExW dla Description nie powiodło się i wystąpił następujący błąd:
A warning event occurred. EventID: 0x00002720
Time Generated: 03/07/2023 10:47:56
Event String:
Zgodnie z ustawieniami uprawnienia właściwe dla aplikacji nie jest udzielane uprawnienie Lokalny Uruchom do aplikacji serwera COM z identyfikatorem klasy CLSID
......................... UKS01 failed test SystemLog
Starting test: VerifyReferences
......................... UKS01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : ad
Starting test: CheckSDRefDom
......................... ad passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ad passed test CrossRefValidation
Running enterprise tests on : ad.domain.pl
Starting test: LocatorCheck
......................... ad.domain.pl passed test LocatorCheck
Starting test: Intersite
......................... ad.domain.pl passed test Intersite
PS C:\Users\Administrator.domain>
You have error on Sysvol replication as mentioned here :
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
Sysvol replication can impact the application of GPO settings. You should fix it to be sure that all domain controllers have the same GPOs and last modifications. You can launch non-authoritative synchronization restore to fix this replication issue:
Please don't forget to mark helpful answer as accepted
When I look at event viewer for DFS, I have:
3.Warnings 4614, 6804, 6016 - these are from time when I promoted DC as new domain controller - did not appear no more later.
1.Error 6104 - appear one hour ago.
If the sysvol replication is fine and the GPO settings is well applied on target DC, the problem should be on the certificate. Can your import it again to the GPO and check if you still have the same issue after running GPupdate /force ?
I have manually imported missing cert into trusted root, after gpudate /force is still there.
If I look on the new DC at sysvol: c:\Windows\SYSVOL\sysvol\ad.domain.pl\scripts\
I have all my custom folders here, scripts, msi files etc are there.
But on old DC I have multiple events ID 5014 with error: Error: 1723 (The RPC server is too busy to complete this operation.)
Maybe any firewall ports should be open on the new DC?
There is another way to publish root certificate in active directory and it will imported automatically to root certificate store on each member machine : certutil -dspublish -f root_CA_Path RootCA
I prefer to use this method instead of GPO, because GPO depend on SYSVOL replication health.
Please don't forget to close the thread if your issue is resolved by accepting helpful answer