DavidPratamaBudiSetiawan-8811 asked:

The sysvol permissions for one or more GPOs on this domain controller are not in sync with the permissions for the GPOs on the baseline domain

Hi, we have a problem.
We have 8 DCs (all DCs are Windows Server 2016). We changed the permissions on one GPO on our primary DC, but in GPMC we see an error in the ACL permissions. This is my screenshot (image attached).

When we click "Detect Now", all 8 DCs just stay "in progress". Can anyone help? Maybe someone knows how to solve this problem?

Thanks

Tags: windows-active-directory, windows-server-2016
Attachment: image.png (22.3 KiB)

Hi,
Feel free to share your current situation if there are any updates.
Please let us know if you need further assistance.

Best Regards,

Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,

Thameur-BOURBITA answered:

Hi,

If the new ACLs are not replicated on all domain controllers, you can perform a non-authoritative restore for sysvol replication.

force-authoritative-non-authoritative-synchronization



Please don't forget to mark this reply as the answer if it helps you fix your issue.

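The non-authoritative SYSVOL sync that the linked article describes, scripted end to end as an added example; this is not code from the thread or from Microsoft. It assumes SYSVOL is replicated by DFSR rather than FRS (the thread does not say which; `dfsrmig /getglobalstate` tells you), that the RSAT ActiveDirectory module, repadmin.exe and dfsrdiag.exe are available, and that it runs as a Domain Admin. `$BadDc` is a placeholder for the DC whose SYSVOL copy is stale.

```powershell
# Added example: non-authoritative DFSR sync of SYSVOL on one domain controller.
# Assumes DFSR-replicated SYSVOL (not FRS), the RSAT ActiveDirectory module,
# repadmin.exe, dfsrdiag.exe and Domain Admin rights. $BadDc is a placeholder.
param(
    [Parameter(Mandatory)] [string] $BadDc,
    [int] $TimeoutMinutes = 30
)
Import-Module ActiveDirectory

$dc = Get-ADDomainController -Identity $BadDc
# DFSR keeps the per-DC SYSVOL membership under the DC's own computer object.
$subscription = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"

function Set-SysvolSubscriptionEnabled {
    param([bool] $Enabled)
    # Write the flag on the target DC, push it to that DC's AD partners, then make
    # the DFSR service on the DC re-read its configuration from AD.
    Set-ADObject -Identity $subscription -Replace @{ 'msDFSR-Enabled' = $Enabled } -Server $dc.HostName
    & repadmin.exe /syncall $dc.HostName /AdeP | Out-Null
    & dfsrdiag.exe pollad /member:$($dc.HostName) | Out-Null
}

function Wait-DfsrEvent {
    param([int] $Id, [datetime] $Since)
    # Poll the DFS Replication log on the DC until the expected event shows up.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -ComputerName $dc.HostName -MaxEvents 1 -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'DFS Replication'; Id = $Id; StartTime = $Since }
        if ($ev) { return $ev }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFS Replication event $Id on $($dc.HostName)"
}

$start = Get-Date
Write-Host "Disabling SYSVOL replication on $($dc.HostName) ..."
Set-SysvolSubscriptionEnabled -Enabled $false
Wait-DfsrEvent -Id 4114 -Since $start | Out-Null   # 4114: SYSVOL replication stopped on this DC

Write-Host "Re-enabling; DFSR will pull a fresh copy of SYSVOL from its partners ..."
Set-SysvolSubscriptionEnabled -Enabled $true
Wait-DfsrEvent -Id 4614 -Since $start | Out-Null   # 4614: initial sync started
Wait-DfsrEvent -Id 4604 -Since $start | Out-Null   # 4604: initial sync finished, SYSVOL shared again
Write-Host "Non-authoritative sync of SYSVOL on $($dc.HostName) complete."
```

Run it against each DC whose copy of the GPO ACL is stale, not against the DC where the new ACL was set: a non-authoritative sync discards that DC's local, not-yet-replicated SYSVOL changes (DFSR moves conflicting files to its PreExisting folder). Verify the GPO folder ACLs afterwards before trusting GPMC's status page again.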

Hi Thameur,

You mean on the PDC we can perform a non-authoritative restore for SYSVOL replication, right?

We read this link: https://social.technet.microsoft.com/Forums/office/en-US/1a5db5cb-f194-40b5-8545-37ccbac300e1/windows-server-2012-gpos-wont-sync?forum=winserverGP

We read that just renaming the GPO solved the problem. Is just renaming the GPO another solution?

Thanks,
FanFan-MSFT replied to DavidPratamaBudiSetiawan-8811:

Hi,
A non-authoritative restore for sysvol replication can be performed on the problematic DC.
Not sure renaming the GPO can solve the issue, but can be done as a test.
Before any changes, remember to back up the good DCs.
Best Regards,

These are all non-answers to the question.

pavlica answered:

Hi,

This issue has happened to me as well; the problem disappeared after the domain controllers were restarted for maintenance. Or at least you can try to restart the DFS and DFSR services, as the issue relates to GPO ACLs not replicating to the other domain controllers.

Another reason for ACLs not being in sync can be a bug where Domain Admins ACEs are duplicated on GPOs. If the GPOs were created before this was fixed by Microsoft, their duplicate ACEs are unchanged.

In case you see a duplicate ACE "Domain Admins":(OI)(CI)(F) on your GPO using the icacls command, you can fix it by removing the ACE and granting it again:

icacls "{GPO UID}" /remove:g "<localdomain>\Domain Admins"
icacls "{GPO UID}" /grant "<localdomain>\Domain Admins":(OI)(CI)(F)

More information on this: https://social.technet.microsoft.com/Forums/ie/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016

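A check for the duplicated ACE and the cross-DC drift described above, as an added example that is not part of the thread: it reads the explicit ACL of the GPO's SYSVOL folder on every DC, flags ACEs that appear twice, and compares each DC's SDDL with the baseline DC, which is roughly the comparison GPMC's infrastructure status page makes. It assumes the RSAT ActiveDirectory module and that each DC's SYSVOL share is reachable; `$GpoGuid` is a placeholder for the GPO GPMC complains about, and the baseline defaults to the PDC emulator.

```powershell
# Added example: compare one GPO's SYSVOL folder ACL across all DCs and flag
# duplicate explicit ACEs. Assumes the RSAT ActiveDirectory module and reachable
# SYSVOL shares. $GpoGuid is a placeholder for the affected GPO.
param(
    [Parameter(Mandatory)] [string] $GpoGuid,   # e.g. '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    [string] $Baseline                            # FQDN of the baseline DC; defaults to the PDC emulator
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
if (-not $Baseline) { $Baseline = $domain.PDCEmulator }
$dcs = (Get-ADDomainController -Filter *).HostName

function Get-GpoSysvolAcl {
    param([string] $Dc)
    $path = "\\$Dc\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid"
    $acl  = Get-Acl -Path $path
    [pscustomobject]@{
        DC   = $Dc
        Sddl = $acl.Sddl
        # Only explicit ACEs matter here; inherited ones come from the Policies folder.
        Aces = @($acl.Access | Where-Object { -not $_.IsInherited })
    }
}

function Find-DuplicateAce {
    param([object[]] $Aces)
    # An ACE is duplicated when identity, type, rights and inheritance flags all repeat.
    $Aces |
        Group-Object IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags, PropagationFlags |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group[0] }
}

$results = foreach ($dc in $dcs) {
    try   { Get-GpoSysvolAcl -Dc $dc }
    catch { Write-Warning "$dc`: $($_.Exception.Message)" }
}
$base = $results | Where-Object { $_.DC -eq $Baseline }
if (-not $base) { throw "Baseline DC $Baseline returned no ACL for $GpoGuid" }

foreach ($r in $results) {
    foreach ($d in Find-DuplicateAce -Aces $r.Aces) {
        Write-Output "$($r.DC): duplicate ACE $($d.IdentityReference) $($d.FileSystemRights) $($d.InheritanceFlags)"
    }
    if ($r.Sddl -ne $base.Sddl) {
        Write-Output "$($r.DC): ACL differs from baseline $Baseline"
    }
}
```

If the duplicate "Domain Admins" entry shows up, run the icacls remove/grant pair from the answer once against that GPO folder under SYSVOL and let DFSR replicate it, then re-run this script; once every DC's SDDL matches the baseline, GPMC's "Detect Now" should stop reporting the mismatch. The SDDL comparison also catches owner differences, which GPMC reports the same way.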