Group policies not replicating to all DC's

Jim 291

3 Domain Controllers:

DC1 Server 2012

DC2 Server 2012

DC3 Server 2022

Create a test Group Policy to install a shortcut on all users desktops. No shortcut shows up.

Looked at all three DC's and only the one (DC3 I created it on is showing it:

User's image

The other two look the same, but nothing on the left, just blank.

Should these not all be synced? I have rebooted one of the blanks, no joy. I'm theorizing that the client I'm using for testing is getting its GP's from one of the 2 that don't have it. Anyway, how do I insure replication of GP's across all DC's?

Jim 291 Reputation points

2024-05-16T16:27:24.14+00:00

Thank you. So the repadmin commands both returned success. I can confirm that If I add a user on DC3 it immediately shows up on 1 and 2, and vice versa.

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\DC3

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 8be999e3-de8e-446d-946f-10f8e1eaeb83

DSA invocationID: 3ca67234-ac58-4c4d-94ca-443fd13a4982

==== INBOUND NEIGHBORS ======================================

DC=COMPANY,DC=local

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 2cbb4d02-2dd1-4c7d-8949-e8e6669952a8

        Last attempt @ 2024-05-19 09:31:38 was successful.

    Default-First-Site-Name\DC1 via RPC

        DSA object GUID: dd40b6df-b7cf-479b-9dc6-034ae2f37b15

        Last attempt @ 2024-05-19 09:38:15 was successful.

CN=Configuration,DC=COMPANY,DC=local

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 2cbb4d02-2dd1-4c7d-8949-e8e6669952a8

        Last attempt @ 2024-05-19 08:50:12 was successful.

    Default-First-Site-Name\DC1 via RPC

        DSA object GUID: dd40b6df-b7cf-479b-9dc6-034ae2f37b15

        Last attempt @ 2024-05-19 08:50:12 was successful.

CN=Schema,CN=Configuration,DC=COMPANY,DC=local

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 2cbb4d02-2dd1-4c7d-8949-e8e6669952a8

        Last attempt @ 2024-05-19 08:50:12 was successful.

    Default-First-Site-Name\DC1 via RPC

        DSA object GUID: dd40b6df-b7cf-479b-9dc6-034ae2f37b15

        Last attempt @ 2024-05-19 08:50:12 was successful.

DC=DomainDnsZones,DC=COMPANY,DC=local

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 2cbb4d02-2dd1-4c7d-8949-e8e6669952a8

        Last attempt @ 2024-05-19 08:50:12 was successful.

    Default-First-Site-Name\DC1 via RPC

        DSA object GUID: dd40b6df-b7cf-479b-9dc6-034ae2f37b15

        Last attempt @ 2024-05-19 08:50:12 was successful.

DC=ForestDnsZones,DC=COMPANY,DC=local

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 2cbb4d02-2dd1-4c7d-8949-e8e6669952a8

        Last attempt @ 2024-05-19 08:50:12 was successful.

    Default-First-Site-Name\DC1 via RPC

        DSA object GUID: dd40b6df-b7cf-479b-9dc6-034ae2f37b15

        Last attempt @ 2024-05-19 08:50:12 was successful.

However it looks like I have a SYSVOL issue. Every day there are 4 information entries and 4 error messages:

The opening statement on the 4012 is:

“The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL_DFSR\domain. This server has been disconnected from other partners for 74 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected. “

74 days ago is nothing unique in terms of things I’ve worked on or changed.

I should mention that my ultimate goal is to have DC3 be my “primary” DC with DC2 being my “backup”. Then retire DC1.

What is the impact of “Default-First-Site-Name” . I would thing that should be DC3 im my case. Or does it matter?

Running the DFSRDIAG command produced:

C:\Windows\system32>dfsrdiag backlog /RGName:"Domain System Volume" /RFName:"SYSVOL Share" /smem:DC1 /rmem:DC3

[ERROR] Failed to execute GetOutboundBacklogFileCount method. Err: -2147217406 (0x80041002)

Operation Failed

C:\Windows\system32>dfsrdiag backlog /RGName:"Domain System Volume" /RFName:"SYSVOL Share" /smem:DC3 /rmem:DC1

[ERROR] Failed to execute GetOutboundBacklogFileCount method. Err: -2147217406 (0x80041002)

Operation Failed

2 answers

cthivierge 4,056 Reputation points

2024-05-16T17:33:30.8033333+00:00

Group Policy involves 2 replications type. AD Replication and SYSVOL replication

AD Replication can be verified by using the repadmin command

repadmin /showrepl

repadmin /replsummary

SYSVOL replication can be verified in the EventLogs (Applications and services logs / DFS Replication)

You can also use the dfsrdiag command if there is a backlog
RGName = Replication Group Name --> By default it's "Domain System Volume"

RFName = Replicated Folder Name --> By default it's "SYSVOL Share"

smem = Sending member --> DC1

rmem = Receiving member --> DC2

dfsrdiag backlog /RGName:"Domain System Volume" /RFName:"SYSVOL Share" /smem:DC1 /rmem:DC2

run the same command by changing source / destination

ref:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-verify-replication

hth
Please sign in to rate this answer.
Jim 291 Reputation points

2024-05-19T15:02:58.14+00:00

Thank you. So the repadmin commands both returned success. I can confirm that If I add a user on DC3 it immediately shows up on 1 and 2, and vice versa.

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\DC3

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 8be999e3-de8e-446d-946f-10f8e1eaeb83

DSA invocationID: 3ca67234-ac58-4c4d-94ca-443fd13a4982

==== INBOUND NEIGHBORS ======================================

DC=COMPANY,DC=local

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 2cbb4d02-2dd1-4c7d-8949-e8e6669952a8

        Last attempt @ 2024-05-19 09:31:38 was successful.

    Default-First-Site-Name\DC1 via RPC

        DSA object GUID: dd40b6df-b7cf-479b-9dc6-034ae2f37b15

        Last attempt @ 2024-05-19 09:38:15 was successful.

CN=Configuration,DC=COMPANY,DC=local

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 2cbb4d02-2dd1-4c7d-8949-e8e6669952a8

        Last attempt @ 2024-05-19 08:50:12 was successful.

    Default-First-Site-Name\DC1 via RPC

        DSA object GUID: dd40b6df-b7cf-479b-9dc6-034ae2f37b15

        Last attempt @ 2024-05-19 08:50:12 was successful.

CN=Schema,CN=Configuration,DC=COMPANY,DC=local

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 2cbb4d02-2dd1-4c7d-8949-e8e6669952a8

        Last attempt @ 2024-05-19 08:50:12 was successful.

    Default-First-Site-Name\DC1 via RPC

        DSA object GUID: dd40b6df-b7cf-479b-9dc6-034ae2f37b15

        Last attempt @ 2024-05-19 08:50:12 was successful.

DC=DomainDnsZones,DC=COMPANY,DC=local

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 2cbb4d02-2dd1-4c7d-8949-e8e6669952a8

        Last attempt @ 2024-05-19 08:50:12 was successful.

    Default-First-Site-Name\DC1 via RPC

        DSA object GUID: dd40b6df-b7cf-479b-9dc6-034ae2f37b15

        Last attempt @ 2024-05-19 08:50:12 was successful.

DC=ForestDnsZones,DC=COMPANY,DC=local

    Default-First-Site-Name\DC2 via RPC

        DSA object GUID: 2cbb4d02-2dd1-4c7d-8949-e8e6669952a8

        Last attempt @ 2024-05-19 08:50:12 was successful.

    Default-First-Site-Name\DC1 via RPC

        DSA object GUID: dd40b6df-b7cf-479b-9dc6-034ae2f37b15

        Last attempt @ 2024-05-19 08:50:12 was successful.

However it looks like I have a SYSVOL issue. Every day there are 4 information entries and 4 error messages

The opening statement on the 4012 is:

“The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL_DFSR\domain. This server has been disconnected from other partners for 74 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected. “

74 days ago is nothing unique in terms of things I’ve worked on or changed.

I should mention that my ultimate goal is to have DC3 be my “primary” DC with DC2 being my “backup”. Then retire DC1.

What is the impact of “Default-First-Site-Name” . I would thing that should be DC3 im my case. Or does it matter?

Running the DFSRDIAG command produced:

C:\Windows\system32>dfsrdiag backlog /RGName:"Domain System Volume" /RFName:"SYSVOL Share" /smem:DC1 /rmem:DC3

[ERROR] Failed to execute GetOutboundBacklogFileCount method. Err: -2147217406 (0x80041002)

Operation Failed

C:\Windows\system32>dfsrdiag backlog /RGName:"Domain System Volume" /RFName:"SYSVOL Share" /smem:DC3 /rmem:DC1

[ERROR] Failed to execute GetOutboundBacklogFileCount method. Err: -2147217406 (0x80041002)

Operation Failed
Sign in to comment
Daisy Zhou 19,586 Reputation points Microsoft Vendor

2024-05-17T09:05:47.89+00:00

Hello Jim,

Thank you for posting in Q&A forum.

Please ensure AD replication works fine on all the three DCs.

If AD replication works fine on all the three DCs, you can check if the GUID corresponding to this group policy object is on three DCs or only one DC3.

Please back up three DCs using builtin Windows backup role and back up the SYSVOL folder on all the three DCs, before you perform the action below.

If it is on only DC3, please check if SYSVOL replication is DFSR replication engine.

If so, you can try the steps of "How to perform a non-authoritative synchronization of DFSR-replicated sysvol replication (like D2 for FRS)" in the link below.

If it does not work after you perform the action, please try the steps of "How to perform an authoritative synchronization of DFSR-replicated sysvol replication (like D4 for FRS)" in the link below.

How to force authoritative and non-authoritative synchronization for DFSR-replicated sysvol replication

https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Please sign in to rate this answer.
Jim 291 Reputation points

2024-05-19T19:55:22.75+00:00

Thank you for that. However, no joy. When I got to the end of the process I was not able to find the events 4614 and 4604 in the DFS Replication event log, but no errors to say why. I am completely at a loss now as to why they won't sync.

Jim 291 Reputation points

2024-05-20T15:38:21.8033333+00:00

Ok, after going through the forcing of authoritative and non-authoritative process I seem have gotten them somewhat synced. That is, if I create a new GPO on DC3, in this case putting a shortcut to Notepad on the users desktop, this GPO shows up immediately in the other 2 .

But when I look at the Policies directory under sysvol I see this:

Also, the shortcut does not show up on users desktops. But the GPM screens all match up.

Another question I have, and should probably post separately, is DC priority. That is, is there a way to make, in my example, DC3 the first DC to authenticate to, then DC2, and finally DC1?

Daisy Zhou 19,586 Reputation points Microsoft Vendor

2024-05-24T12:59:06.52+00:00

Hello

Good day!

Another question I have, and should probably post separately, is DC priority. That is, is there a way to make, in my example, DC3 the first DC to authenticate to, then DC2, and finally DC1?
A: By default, clients will randomly find one of all the DCs in one site.

However, you can check and change the Weight and Priority on SRV records below.

For more information about weight and priority on SRV records, please read link below.
https://www.cloudflare.com/learning/dns/dns-records/dns-srv-record/

You should try to fix the SYSVOL replication issue instead of changing the priority.

Note: please test first in lab before you make change in production environment.

Best Regards,
Daisy Zhou

Jim 291 Reputation points

2024-05-29T15:16:05.9+00:00

OK, so I thought I had it all working. Created 2 shortcuts for the desktop and it populated it to all the clients.

Then I tried deploying printers but it didn't happen. So I ran (on a client) gpupdate /force while testing it and I get:

C:\WINDOWS\system32>gpupdate /force

Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \Company\SysVol\Company\Policies{CBA77FC8-5638-493E-8D60-B8BF85BA8BED}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \Company.local\SysVol\Company.local\Policies{A7CD8B82-C6C9-4CB6-8B00-3CA430EBE003}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

That was yesterday. I took a look at it this morning, same thing. So I went through each of the 3 DC's event logs. One of them (DC2) is fill of errors, happening every 5 minutes. Event ID 7016.

XML view:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System> <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" /> <EventID>7016</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>2</Opcode> <Keywords>0x4000000000000000</Keywords> <TimeCreated SystemTime="2024-05-29T14:08:57.707407500Z" /> <EventRecordID>14443998</EventRecordID> <Correlation ActivityID="{3E6DDDC6-6EB8-4898-9B93-5A7798AF9D72}" /> <Execution ProcessID="960" ThreadID="2532" /> <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel> <Computer>DC2.CompanyName.local</Computer> <Security UserID="S-1-5-18" /> </System>

<EventData> <Data Name="CSEElaspedTimeInMilliSeconds">93</Data> <Data Name="ErrorCode">3</Data> <Data Name="CSEExtensionName">Group Policy Shortcuts</Data> <Data Name="CSEExtensionId">{C418DD9D-0D14-4EFB-8FBF-CFE535C8FAC7}</Data> </EventData> </Event>

After a few hours of looking at logs and events I try the GPupdate again and the error is gone.

This is getting really old.

Oh, the other error I get on DC3, again every 5 min, is Event ID 7016.

XML view:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System> <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" /> <EventID>7320</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x4000000000000000</Keywords> <TimeCreated SystemTime="2024-05-29T12:28:33.9025249Z" /> <EventRecordID>2707790</EventRecordID> <Correlation /> <Execution ProcessID="1828" ThreadID="12320" /> <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel> <Computer>DC3.CompanyName.local</Computer> <Security UserID="S-1-5-18" /> </System>

<EventData> <Data Name="ErrorDescription">%%4105</Data> <Data Name="ErrorCode">5</Data> </EventData> </Event>

So it seems I can get some success, then things fail again. As you can imagine this is really hard to debug, even with the excellent pointer provided me.

Would it behove me to take down the 2 2012 servers (DC1 & DC2) and just try to do this with the new, 2022 server (DC3)? TheN bring up each of the other two once I get all successfully running on one? I want to retire DC1 anyway but it currently has all the printers shared through it.

Thanks for all the help.
Sign in to comment

Share via

Group policies not replicating to all DC's

2 answers