This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 3%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
after moving FISMO roles to 2016 AD i can edit the GPs only from there and all other DCs have that dimmed
i have 2 sites - each one has 2016X1 and 2019X1 DC - total 4 DCs physical sites are separated by MPLS
i moved all FISMO to the site hosting my exchange servers thinking this is a better approach - all good except that when i try to edit any group policy on any DC that is dimmed - disabled - the only server i can edit from is the FSMO owner, ran Dcdiag and it seems i have time issue NTDS - i have configured public time servers on the FSMO and left the others to default - expecting they should take form that guy
any idea why i am not able to edit the GPOs from any DC except the FSMO holder?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Maher Ramadan ,
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!
Best Regards,
Daisy Zhou
Hello @Maher Ramadan ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
tried this for now on defected DC. should i wait for some time and check
is there anyway to check and confirm - AD replcation reporting shows no errors so far
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-authoritative-recovery-sysvol
it seams to be a major issue, something related to the domain admins group perhaps ! and domain admin member now is getting restrictions performing various tasks
for example now i am creating a new ADFS farm and i get permissions issue even though the only requirements is domain admin group and i have tried the default admin account and my admin account with no luck! the question is, is there a way to check default domain admin accounts group settings and revert to that,
did anyone face this before? could it be a group policy issue and how to confirm on that