Unable to edit Default Domain Policy : Failed to open group policy object. The might not have the appropriate rights. Details: The network name cannot be found.

Question

Unable to edit Default Domain Policy : Failed to open group policy object. The might not have the appropriate rights. Details: The network name cannot be found.

hendri yu 66

Dear Microsoft Expert,

Good Day

We have 2 local domain controllers, DC3 and DC2. Both of these are running Windows Server 2012 Data Centre. The SYSVOL folder is actually available on DC2 only, hence I know that the GPO is residing in DC2. Recently, we have setup new AD running Windows Server 2019 Standard, DC1 and we actually demoted DC3.

After we setup DCPROMO DC1 and make it up as the new DC, then we are actually transferring FSMO roles to new DC1. Currently, the FSMO roles is with DC1. Below is the screenshot:

However, after that i am not able to edit the Default Domain Policy anymore from any of the DC. Once i click to edit on any DC, it will show the error message as below:

I have double checked that the SYSVOL folder is still available in DC2 and i am able to access via the network path and i am still able to find the unique ID in that folders. it means that I have the necessary access right since i am the domain admins. The folder and the files inside are still available and intact.

Here is the folder location of the policy in DC2:

2: /api/attachments/45717-dc1-gpo-error1.png?platform=QnA
Do you guys has any advise on how to resolve the issue?

Many Thanks for help

Best Regards,

H

Anonymous

2020-12-21T05:48:06.453+00:00

Hi,

Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

3 answers

Your answer

Anonymous

2020-12-21T05:48:06.453+00:00

Hi,

Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

Answer 1

Anonymous

Hi,
1,As you promoted a new DC recently, i would suggest you firstly check if the new DC can working well :
Dcdiag /v >c:\dcdiag1.log
Repadmin /showrepl >C:\repl.txt
Repadmin /showreps *
Repadmin /syncall /APeD
Ipconfig /all on both the DCs.
2,Before promote the new DC, did you make sure DFSR is used for the AD sysvol replication?
3, If the sysvol synced between DC1 and DC2
access the sysvol folder on DC1, if the files were synced from DC2,
If the permission was correctly
Best Regards,

Anonymous

2020-12-11T03:10:20.327+00:00

Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.

Best Regards,
hendri yu 66 Reputation points

2020-12-17T12:30:39.9+00:00
Dear Fan Fan,

By following your steps above, below are the results that i run from DC1 (new DC)

Below are the answers: a)Dcdiag /v -> since the result is long, how to actually check whether from the result from dcdiag is working well?
b) Repadmin / showrepl -> All result is successful

c) Repadmin /syncall /APeD -> All Syncall result terminated with no errors.

d) ipconfig /all

DC1 (New DC) -> First DNS is DC2 IP, second DNS is 127.0.0.1
DC2 -> First DNS is DC1, Second DNS is DC2 itself

How do we check if we use DFSR or not?

As mentioned above, the SYSVOL folder is only available in DC2. There is no SYSVOL folder in DC1 (New DC) at all. But from DC1, i am able to access SYSVOL folder on DC2 via network path.

Appreciate your advise.
Thanks
hendri yu 66 Reputation points

2020-12-17T12:39:55.173+00:00

Dear Fan Fan,

To add on, currently active directory users and computers are syncing without any issue. I did test such as creating new users or add new computer objects, all are sync without issue across DC1 (New DC) and DC2 (Existing DC).

Since Active Directory Users and Computers are syncing well, does it mean that our newly setup DC should be setup correctly? however, why the GPO is suddenly unable to access and the strange thing is SYSVOL folder is only available in DC2 (existing DC).

Currently, the domain functional level for both DC1 and DC2 is the same as below:

Please help to advise what should i do next to resolve my GPO issue as it is quite critical. Currently none of the Default Domain Policy is being pushed down to all of our clients computers.

Appreciate your professional advise on this.

Thank you very much
H
Anonymous

2020-12-18T02:33:52.797+00:00

Hi,
Since the SYSVOL folder is only available in DC2 (existing DC).
Please check if the sysvol folder is created successfully on the new DC.
If created , a non-authoritative synchronization can be done on the new DC.This option will force the sysvol on the new DC to sync from the DC2.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization
Note, before any change ,please back up the sysvol folder for the DCs.
Best Regards,
hendri yu 66 Reputation points

2020-12-18T10:13:25.367+00:00

Hi,

I check the availability of SYSVOL folder on new DC (DC1) by using network path "\dc1.int". But I cant find any SYSVOL shared folder. if I do the same thing on DC2 by using "\dc2.int" network path, I could see the SYSVOL shared folder, which is I always thinking that SYSVOL folder is only available on DC2.

Now, i go to new DC (DC1) and go under C:\windows\Sysvol\ and there i could find the sysvol foder. Now I just realize why I can't see anything via the network path "dc1.int" because the sysvol folder in new DC (DC1) is not SHARED at all. Please see below location of SYSVOL folder in new DC (DC1).

I goto the sub folder in c:\windows\sysvol\sysvol\domain, i could not see the "Policies" and "Scripts" sub folder just like DC2. It means that these 2 folders are not sync from DC2.

Please help to advise what to do next.
Thanks

Thanks
hendri yu 66 Reputation points

2020-12-18T10:19:44.703+00:00

Here is additional picture that under Sysvol folder on new DC (DC1), there are nothing inside:

In DC2, there are 2 sub folders under SYSVOL shared folder. see picture below:

Please help to advise what should i do next? another thing, how to actually backup SYSVOL folder?

Many Thanks

H
hendri yu 66 Reputation points

2020-12-30T04:30:56.183+00:00
Dear Fan Fan,

Good day

On the new DC1 (New DC), there is a SYSVOL folder created, but it is not being shared just like the current DC2. Hence, i have manually shared it by following the same user permission as DC2.

Beside that, SYSVOL folder on DC1 (New DC) is also empty. There is no "Policies" or "Scripts" folder just like DC2.

You mentioned that i need to do non-authoritative sync on new DC:

is this risky or causing any issue with users and objects replication?

Backing up SYSVOL folder means just copy the whole folder and keep it somewhere?

Please help to advise. Appreciate.

H
hendri yu 66 Reputation points

2020-12-30T09:33:34.563+00:00

Dear Fan Fan,

about your question of asking whether the SYSVOL folder is successfully created on DC1 (New DC). Since the SYSVOL folder is there under c:\windows\sysvol\sysvol, but it is not shared at all, does it mean that the SYSVOL folder is successfully created?

Then, one thing to note that currently all of the FSMO roles are all under DC1 (New DC), which has already transferred from Current DC (DC2) since the day we promoted DC1 as new DC. But, the complete SYSVOL folder is actually on DC2. Does it mean that it is necessary to transfer the FSMO Roles back to DC2 first then only do the non-authoritative restore or how?

I read the article that share from Microsoft about Non-Authoritative restore steps, but it is pretty unclear.

Steps 1: run ADSIEDIT, is this apps to be run on the DC1 (New DC)? then when want to change msDFSR-Enabled=FALSE, is this to be peformed on DC1 as well?
Steps 2: Force Active Directory replication throughout the domain. how to do this?

Thanks
hendri yu 66 Reputation points

2021-01-22T02:44:57.503+00:00

Dear Fan Fan,

Good Day

Do you have further advise on my issues above? will recreating a new "Default domain policy" easier and able to work rather than doing the non-authoritative restore? If creating new "Default Domain Policy", should i performed it in DC1 (New DC) or DC2 (Existing DC)?

Thanks
H

Answer 2

Thameur-BOURBITA 36,261 Moderator

Hi,

Try to launch a non-authoritative restore to initiate the sysvol replication. it you still have same issue you can launch a authortaive restore from healthy domain controller. It can fix some corrupted files in sysvol folder.

force-authoritative-non-authoritative-synchronization

Please Don't forget to mark this reply as answer if it help you to fix your issue

hendri yu 66 Reputation points

2020-12-30T04:38:39.407+00:00
Dear Thameur,

Good Day

Thanks for the advise.

is performing non-authoritative restore or authoritative action risky? Will the action cause any issue with users and computers object replication between AD and also logon authentication issue or maybe cause AD to down? Currently there is no replication issue for both users and computers objects between new DC1 and Current DC2 and users are able to logon and authenticate to the domain. We can't afford that if user has authentication problem later on as the business is running everyday and user require to logon to the system via AD.

What are the tools required to do Non-Authoritative restore? where to download the tool from?

Appreciate your advise

Wish You Happy New Year 2021

H

Answer 3

JoseLuisTorresCisneros-3701 0

tengo el mismo problema y situacion con DC1 y DC2 nuestra intension es dejar en produccion DC1 pero no hemos podido quitar DC2 por el tema de las politicas de grupo, alguien ha solucionado este error?

Share via

Unable to edit Default Domain Policy : Failed to open group policy object. The might not have the appropriate rights. Details: The network name cannot be found.

3 answers

Your answer