question

Kane-4105 avatar image
0 Votes"
Kane-4105 asked FanFan-MSFT commented

Incorrect AutoConfigURL always returned via Default Domain Policy

Hello;

I was using the Default Domain Policy to deploy a registry key for AutoConfigURL setting, since two months ago, I have changed a new URL for AutoConfigURL but apparently; the new URL did not apply properly.

I tried to delete the Registry entry created by Default Domain Policy and using a policy called GPO-Apps for the new Registry key in "User Configuration | Preferences | Windows Settings | Registry", but the old AutoConfigURL always shows when I run gpresult /h report.htm

It said, the Default Domain Policy win the policy

AutoconfigURLhide
Winning GPO Default Domain Policy
Result: Success
Generalhide
Action Replace
Properties
Hive HKEY_CURRENT_USER
Key path Software\Microsoft\Windows\CurrentVersion\Internet Settings
Value name AutoconfigURL
Value type REG_SZ
Value data http://pac.company.com/d49fc30a-ce8a-425d-bf61-3a4cc13c81e8/proxy.pac

Actually, the Value data shown here is old.

I went through the entire GPO but none of the setting is using my old AutoConfigURL setting, I doubt if something not written to Windows properly, so eventhough I saw the setting in GPO user interface is correct, but somewhere is not updated.

Also; I always got the version mismatch issue. I tried to apply the hotfix Windows Server 2012 R2 (KB2919394) but no help.

Default Domain Policy AD / SYSVOL Version Mismatch,Enforced
GPO-Apps AD / SYSVOL Version Mismatch

windows-group-policy
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

If you have any issues about the replication , you can create a new thread here!
Best Regards,

0 Votes 0 ·
FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered

Hi,

When you said " delete the Registry entry created by Default Domain Policy" ,how did you to delete the Registry entry ?
Did you clear the Registry entry on the GPO settings or on the clients?

You may try to remove the Registry entry on the Default Domain Policy and then configure the new GPOs for the new URL
Or just reset the url on the Default Domain Policy GPO and try to check the result.

If you had already removed the registry settings from the Default Domain Policy, but the old settings still apply to the users,
you may try to confirm the replication between DCs.

Best Regards,

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Kane-4105 avatar image
0 Votes"
Kane-4105 answered

thank you for your reply.

Yes, I found the registry key that contain the wrong setting and delete it.

Actualy, now I found the root cause why the old AutoConfigURL keep coming back, it was caused by the \\company.com\SYSVOL not replicated from DC1 to DC2. When I update the GPO through GUI, the new update applies to the \\company.com\SYSVOL on DC1 but not replicated to DC2 which means I got the replication issue which I need to address.

I digged into and compared the registry file of policies on DC1 and DC2, I found that the file in DC2 keep the old GPO.

However; I manually copy all files and folders in \\company.com\SYSVOL\company.com\Policies from DC1 to DC2. I do not see the old AutoConfigURL comes back.

I believed that when I logged on to DC, if the logon requested picked by DC2, DC2 will delivery those GPO from its \\company.com\SYSVOL\company.com\Policies folders that why the incorrect records keeps coming back.

Anyway, the issue of Incorrect AutoConfigURL is fixed by manual.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered

Hi,
Glad to hear that the issue was fixed.

As mentioned above, the replication issue caused the gpo refresh issue.
Although copy the file may resolve the issue for this GPO, but the new GPO created in the future will have the same issue too.
I would suggest you to confirm the ad replication and sysvol replication .
To confirm the replication, you can use the following command :
Repadmin /showrepl >C:\repl.txt
Repadmin /showreps *
if the ad replication is good, only the sysvol replication have problems ,you can consider a n-authoritative synchronization (for dfsr replicaiton) or D2(for frs replication) on the problematic DC.
Following link for your reference:
How to force authoritative and non-authoritative synchronization for DFSR-replicated sysvol replication
https://docs.microsoft.com/en-US/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization

Use the BurFlags registry key to reinitialize File Replication Service
https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/use-burflags-to-reinitialize-frs

Best Regards,

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.