Problems with SYSVOL replication, GPOs out of sync?

Question

Problems with SYSVOL replication, GPOs out of sync?

Simon@PMA 1

Have recently undertaken upgrading all our AD DCs to Windows 2019 as we had a mix of 2012 & 2016.

I started this since we replaced our old file servers (running Server 2008R2!) with Windows 2019 file servers and since doing so the replication between them seemed to not be quite right.

Main issue I have discovered is that in the GPO Console all our DCS are locked into the state "replication in progress".

There are so many articles out there describing how to troubleshoot this that I really have no idea where to start.

Any help that can be offered is most appreciated.

Simon@PMA 1 Reputation point

2022-05-12T09:39:54.507+00:00

@rr-4098 Sorry did you see the things I posted here as answers?

Still learning to properly use this forum

4 answers

Your answer

Simon@PMA 1 Reputation point

2022-05-12T09:39:54.507+00:00

@rr-4098 Sorry did you see the things I posted here as answers?

Still learning to properly use this forum

Answer 1

rr-4098 2,051

Can you please post the results of the following commands: dcdiag /v /e & repadmin /showrepl

Simon@PMA 1 Reputation point

2022-05-12T09:56:22.583+00:00

Here's the REPADMIN output.201394-repadmin.txt
Simon@PMA 1 Reputation point

2022-05-12T09:56:48.463+00:00

And here's the DCDIAG output 201340-dcdiagve-120522.txt

Answer 2

And below is the output from the repadmin /showrepl command:

Repadmin: running command /showrepl against full DC localhost
XYZADSite1\PDC-SRV
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 55fd8035-dd0c-4d90-a193-3857b99cde76
DSA invocationID: e37f6943-daa3-4eb2-9b0f-2b1f4ead41b9

==== INBOUND NEIGHBORS ======================================

DC=DOMAIN,DC=XYZ,DC=CO,DC=UK
XYZADSite1\DC02-SRV via RPC
DSA object GUID: 0b55054b-4dd0-4960-bd33-a52e0c7c8f79
Last attempt @ 2022-05-12 10:25:40 was successful.
XYZADSite2\DC03-SRV via RPC
DSA object GUID: 468379ff-8883-498d-aa4e-84b8ca5dde70
Last attempt @ 2022-05-12 10:29:09 was successful.
XYZADSite1\DC01-SRV via RPC
DSA object GUID: 451b6403-1dad-4c40-86e5-3007eb4f7329
Last attempt @ 2022-05-12 10:30:39 was successful.

CN=Configuration,DC=DOMAIN,DC=XYZ,DC=CO,DC=UK
XYZADSite1\DC02-SRV via RPC
DSA object GUID: 0b55054b-4dd0-4960-bd33-a52e0c7c8f79
Last attempt @ 2022-05-12 09:59:11 was successful.
XYZADSite1\DC01-SRV via RPC
DSA object GUID: 451b6403-1dad-4c40-86e5-3007eb4f7329
Last attempt @ 2022-05-12 10:27:27 was successful.
XYZADSite2\DC03-SRV via RPC
DSA object GUID: 468379ff-8883-498d-aa4e-84b8ca5dde70
Last attempt @ 2022-05-12 10:29:09 was successful.

CN=Schema,CN=Configuration,DC=DOMAIN,DC=XYZ,DC=CO,DC=UK
XYZADSite1\DC01-SRV via RPC
DSA object GUID: 451b6403-1dad-4c40-86e5-3007eb4f7329
Last attempt @ 2022-05-12 09:59:11 was successful.
XYZADSite1\DC02-SRV via RPC
DSA object GUID: 0b55054b-4dd0-4960-bd33-a52e0c7c8f79
Last attempt @ 2022-05-12 09:59:12 was successful.
XYZADSite2\DC03-SRV via RPC
DSA object GUID: 468379ff-8883-498d-aa4e-84b8ca5dde70
Last attempt @ 2022-05-12 10:29:09 was successful.

DC=DomainDnsZones,DC=DOMAIN,DC=XYZ,DC=CO,DC=UK
XYZADSite1\DC01-SRV via RPC
DSA object GUID: 451b6403-1dad-4c40-86e5-3007eb4f7329
Last attempt @ 2022-05-12 09:59:44 was successful.
XYZADSite1\DC02-SRV via RPC
DSA object GUID: 0b55054b-4dd0-4960-bd33-a52e0c7c8f79
Last attempt @ 2022-05-12 09:59:47 was successful.
XYZADSite2\DC03-SRV via RPC
DSA object GUID: 468379ff-8883-498d-aa4e-84b8ca5dde70
Last attempt @ 2022-05-12 10:29:09 was successful.

DC=ForestDnsZones,DC=DOMAIN,DC=XYZ,DC=CO,DC=UK
XYZADSite1\DC01-SRV via RPC
DSA object GUID: 451b6403-1dad-4c40-86e5-3007eb4f7329
Last attempt @ 2022-05-12 09:59:12 was successful.
XYZADSite1\DC02-SRV via RPC
DSA object GUID: 0b55054b-4dd0-4960-bd33-a52e0c7c8f79
Last attempt @ 2022-05-12 09:59:12 was successful.
XYZADSite2\DC03-SRV via RPC
DSA object GUID: 468379ff-8883-498d-aa4e-84b8ca5dde70
Last attempt @ 2022-05-12 10:29:09 was successful.

Answer 3

Gary Reynolds 9,621

Hi @Simon@PMA

You can use the test below to confirm the extent of the issues with sysvol\GPO replication.

https://nettools.net/how-to-test-gpos-as-gpotool-is-no-longer-available/

You can then check the status of the sysvol share with the following article:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-missing-sysvol-and-netlogon-shares

Sorry I didn't see you attachments, DC03-SRV is having issues talking to PDC-SRV and DC02-SRV, I would check if the other DCs are having the same issue, to confirm if the connectivity issues is just limited to DC03-SRV or other DCs are having problem. If all the DCs are all having the issue, I would try restarting the DFS services on DC02-SRV and PDC-SRV to see if this fixes it.

Gary.

Simon@PMA 1 Reputation point

2022-05-12T11:59:37.817+00:00

Hi @Gary Reynolds , thanks for taking the time to reply.

I did just try the simple test to see if the NETLOGON and SYSVOL shares were there and available on each individual DC and they were?

Checked status of the SYSVOL share using the MS troubleshooting article there and all DCs replication state is at 4 (Normal).
Gary Reynolds 9,621 Reputation points

2022-05-13T10:36:53.607+00:00

Hi

A simple test is to create a new text file in the sysvol share and confirm that it is replicated on all the DCs.
Also run the dcdiag /v /e command on the other DCs and check DFSREvent section of the output to see if the other DCs have DFS errors.

Gary.
Simon@PMA 1 Reputation point

2022-05-23T12:14:46.997+00:00

@Gary Reynolds thanks for the suggestion here and apologies for the delay in replying!

I did as you suggested and created a TXT file in the SYSVOL folder on our PDC and this replicated immediately to the SYSVOL share on every other DC in our organization. Can I assume that this would indicate our DFSR SYSVOL replication is in fact healthy?

There's still errors when looking at the Group Policy Admin console, so I am wondering whether this is actually a problem with GPO ACLs not being synced as per this article here: https://social.technet.microsoft.com/Forums/ie/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016

A number of these DCs were originally 2008/2012 machines which were recently upgraded so that leads me to think this might be partly our solution. although not all DCs seem to be affected; two of them list ACLs as an issue and all 4 list the SysVol as inaccessible.
Gary Reynolds 9,621 Reputation points

2022-05-23T22:02:09.94+00:00

I would suggest changing the permissions on the GPO to check that they are replicated to the sysvol. In the GPMC on the delegation tab for the GPO with error shown above, using the advanced button add a user with read permissions, in the example below I added greynolds. Then check if this is replicated to the sysvol permissions, I think this should reset the other permissions as well. Then run the GPMC test again, to see if you get the same error.

Gary.
Simon@PMA 1 Reputation point

2022-06-07T09:50:59.527+00:00

Hi @Gary Reynolds , so that would appear to cover restoring the ACLs for the GPOs which are out of sync - is that correct?

What about the fact that the second column there reports that the SYSVOL is inaccessible on all the domain controllers?
Gary Reynolds 9,621 Reputation points

2022-06-07T09:58:10.78+00:00

Have you confirmed that sysvol is inaccessible or is it just the report?
Simon@PMA 1 Reputation point

2022-06-07T11:50:36.46+00:00

Hi @Gary Reynolds , so having done as you suggested and added a user in the delegation tab the GPMC test now comes back with different results!

It seems that the ACLs in the Active Directory column have now moved across to the SYSVOL column, after adding that user permission in?
Simon@PMA 1 Reputation point

2022-06-07T11:51:40.75+00:00

@Gary Reynolds it's just the report - I've checked and the DFSR SYSVOL is replicating fine (to the best of my knowledge)?
Simon@PMA 1 Reputation point

2022-06-07T11:52:45.663+00:00

Additionally, the names of the GPOs affected in the SYSVOL column are exactly the same ones that were in the AD column before.
Gary Reynolds 9,621 Reputation points

2022-06-07T13:05:39.913+00:00

If you review the permissions on the Policies object in AD and check which ones are missing from the GPO directory in Sysvol. On one of the GPO directory in sysvol I would try to replicate the permissions from the AD and see if that fixes the sysvol error.

Gary.
Simon@PMA 1 Reputation point

2022-06-07T15:26:59.317+00:00

@Gary Reynolds thanks for the reply, do you mean I should look at one of the failing policies in the GP console and replicate the security settings I find on the "Delegation" tab to the folder permissions for the corresponding linked GPO folder within the SYSVOL directory?
Gary Reynolds 9,621 Reputation points

2022-06-07T22:01:34.137+00:00

Yes.
Cameron Olson 21 Reputation points

2022-07-29T00:11:33.037+00:00

Hello,

Thank you gary for providing this information. We have a 2008R2 and we've domain joined a windows 2019 and are seeing this issue.

By changing the delegation we don't see the ACL replication error for active directory.

We receive ACL replication error for the SYSVOL

Would you have any additional recommendations for us?

Did this final step resolve the original post issue?

Thank you both for your help,
Cameron

Answer 4

rr-4098 2,051

Can you post the results of the Dcdiag.. Also are you seeing any errors in the event logs. Please see the following article as well on manually checking the health of GPO's... https://www.windowstechno.com/group-policy-health-check-on-specific-domain-controller/

Share via

Problems with SYSVOL replication, GPOs out of sync?

4 answers

Your answer