Problem in gpupdate

Anonymous
2024-05-06T06:54:13+00:00

Hi. We have a single forest and domain and two Active Directories. The main AD is working correctly with no problems. I have to mention that this AD was raised from 2008 R2 Enterprise to Windows Server 2016 Datacenter. It works well without errors. But when I configured the additional AD and joined it to the main AD, in the first week it worked well and replication between the two Active Directories was successful. After a while, I saw an error in Event Viewer. I saw the error below when the command "gpupdate" is run:

"Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\Domain_name\sysvol\Domain-name\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results."

On the additional AD, the SYSVOL and Netlogon folders were missing; I solved this issue by changing the registry key: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

But only the folders are shown and the policies are not found.

What should I do?

Thanks in advance

mahnaz...


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2024-05-07T07:32:13+00:00

    Hello mahnaz_116,

    Good day!

    If you want to access SYSVOL on any one DC, you can sign in to this DC using a domain administrator account and open C:\Windows\SYSVOL\sysvol to access it.

    You can access the SYSVOL by typing \\domain.com\SYSVOL (domain.com is your domain name).

    Best Regards,
    Daisy Zhou

Accepted answer
  1. Anonymous
    2024-05-06T07:58:46+00:00

    Hello mahnaz_116,

    Thank you for posting in Microsoft Community forum.

    Based on the description, I understand you have two Domain Controllers in the single forest with one domain.

    Please check the AD replication on the two DCs now. Please run the commands below on the PDC.

    repadmin /showrepl >C:\rep1.txt
    repadmin /replsum >C:\rep2.txt

    repadmin /showrepl * /csv >c:\repsum.csv

    If the results of all commands are OK, it seems the AD replication in the forest works fine.

    Then please try the following steps to fix the problem.

    1. Back up all Domain Controllers in the forest using Windows built-in Backup role.

    2. Back up the SYSVOL folder on all the domain controllers.

    3. Please check if your SYSVOL replication engine is DFSR. Check method:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState registry subkey. If this registry subkey exists and its value is set to 3 (ELIMINATED), DFSR is being used. If the subkey does not exist, or if it has a different value, FRS is being used.

    4. If it is DFSR, on the problematic machine (machine with no policies), try the steps in the part of "How to perform a non-authoritative synchronization of DFSR-replicated sysvol replication (like D2 for FRS)" in the following link.

    Force synchronization for Distributed File System Replication (DFSR) replicated sysvol replication - Windows Server | Microsoft Learn

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou
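
A read-only PowerShell check that collects the facts the answer above asks for, run elevated on the DC that shows no policies. This is an added example, not part of the original answer; it assumes the CSV path from the `repadmin /showrepl * /csv` command above, the policy GUID from the gpupdate error in the question, and the standard `SysVol` and `SysvolReady` values under the Netlogon `Parameters` key.

```powershell
# Added example (not from the original thread). Read-only: nothing is changed on the DC.
$guid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # GUID quoted in the gpupdate error
$csv  = 'C:\repsum.csv'                            # output of: repadmin /showrepl * /csv

# Step 3: LocalState = 3 (ELIMINATED) means DFSR replicates SYSVOL; missing or other value means FRS.
$dfsrKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols'
$state   = (Get-ItemProperty -Path $dfsrKey -Name LocalState -ErrorAction SilentlyContinue).LocalState
$engine  = if ($state -eq 3) { 'DFSR' } else { 'FRS' }

# Netlogon parameters: SysVol is the local SYSVOL path, SysvolReady = 1 means the share is advertised.
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Both shares must exist before clients can read gpt.ini from this DC.
$shares = @(Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue).Name

# A shared but empty SYSVOL still fails: check that the policy file itself has replicated.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$gpt    = Join-Path $netlogon.SysVol "$domain\Policies\$guid\gpt.ini"

# Replication links that report failures, plus rows repadmin marked as errors.
$failed = @()
if (Test-Path -LiteralPath $csv) {
    $failed = @(Import-Csv -LiteralPath $csv | Where-Object {
        $_.showrepl_COLUMNS -eq 'showrepl_ERROR' -or
        ($_.'Number of Failures' -as [int]) -gt 0
    })
}

[pscustomobject]@{
    SysvolEngine    = $engine
    SysvolReady     = $netlogon.SysvolReady
    SharesPresent   = $shares -join ', '
    GptIniPath      = $gpt
    GptIniPresent   = Test-Path -LiteralPath $gpt
    FailedReplLinks = $failed.Count
} | Format-List

$failed | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context',
    'Number of Failures', 'Last Failure Status' -AutoSize
```

If `SysvolReady` is 1 and both shares are present but `GptIniPresent` is False, the share is being advertised before its contents have replicated, which matches the symptom in the question.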


1 additional answer

  1. Anonymous
    2024-05-07T05:49:37+00:00

    Why, when I want to open the sysvol folder of the main Active Directory from the additional AD with the command \\ip-AD\sysvol through Run, does it ask me for a credential?

    main AD ip: 192.168.1.1

    additional AD: 192.168.1.2

    I want to open the sysvol of 192.168.1.1 from the AD with IP 192.168.1.2, but I have to type a credential. What should I do?

    Thanks in advance

    mahnaz
