This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 3%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
after moving FISMO roles to 2016 AD i can edit the GPs only from there and all other DCs have that dimmed
i have 2 sites - each one has 2016X1 and 2019X1 DC - total 4 DCs physical sites are separated by MPLS
i moved all FISMO to the site hosting my exchange servers thinking this is a better approach - all good except that when i try to edit any group policy on any DC that is dimmed - disabled - the only server i can edit from is the FSMO owner, ran Dcdiag and it seems i have time issue NTDS - i have configured public time servers on the FSMO and left the others to default - expecting they should take form that guy
any idea why i am not able to edit the GPOs from any DC except the FSMO holder?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Maher Ramadan ,
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!
Best Regards,
Daisy Zhou
Hello @Maher Ramadan ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 97%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Are you able to edit your GPs using RSAT from a workstation? What is the specific error code in dcdiag and any time related errors in the event log? Do you have synchronization? cmd: repadmin /replsum
Are you able to edit your GPs using RSAT from a workstation? *sorry i don't have RAST**
this is what i am getting on the server
see the edit is disabled
What is the specific error code in dcdiag and any time related errors in the event log?
this is the current error on the DC diag
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
.............DC (FSMO holder) failed test DFSREvent
Do you have synchronization? cmd: repadmin /replsum
yes no errors
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi
It seems a sysvol replication issue.
Try to launch a authoritative restore for sysvol replication, you can follow the link below to perform it:
ad-forest-recovery-authoritative-recovery-sysvol
force-authoritative-non-authoritative-synchronization
Please don't forget to mark this reply as answer if it help you to fix your issue
Hello @Maher Ramadan ,
Thank you for posting here.
Based on the description, do you mean there is no such issue before we transfer the FSMO roles?
If so, we can check:
1.Check whether we logon the other 3 DCs with domain Administrator instead of normal domain user account.
2.Maybe there is issue related to SYSVOL replication between the four DCs. We can try to check if SYSVOL replication works on all DCs.
Check SYSVOL replication method: create a new file or folder under \domain.com \SYSVOL\ domain.com\Policies folder on any one domain controller manually, then check to view if new created file or folder can be replicated to the same path of other domain controllers. If the new file or folder we created on any one DC can be replicated to other domain controllers, then SYSVOL replication works fine. Otherwise, SYSVOL replication does not work.
If SYSVOL replication does not work, before troubleshoot the issue about SYSVOL replication, we should check and ensure AD replication is working fine.
Check AD replication method: on the PDC, open CMD (run as Administrator) and run repadmin /replsum and repadmin /showrepl * /csv >C:\showrepl.csv, if there is no any error message, then AD replication works fine.
3.Based on the error message "There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.”, it seems there is SYSVOL replication issue, we can check if there is any event ID related to DFS Replication through Event Viewer on other 3 DCs (applications and services logs).
If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
should i apply this on the FSMO holder or the other defected DC?