question

pma-spd asked CameronOlson-3606 edited

Problems with SYSVOL replication, GPOs out of sync?

Have recently undertaken upgrading all our AD DCs to Windows 2019 as we had a mix of 2012 & 2016.

I started this since we replaced our old file servers (running Server 2008R2!) with Windows 2019 file servers and since doing so the replication between them seemed to not be quite right.

Main issue I have discovered is that in the GPO Console all our DCs are locked into the state "replication in progress".

There are so many articles out there describing how to troubleshoot this that I really have no idea where to start.

Any help that can be offered is most appreciated.

windows-active-directory windows-group-policy

@rr-4098 Sorry did you see the things I posted here as answers?

Still learning to properly use this forum

0 Votes 0 ·
rr-4098 answered pma-spd commented

Can you please post the results of the following commands: dcdiag /v /e & repadmin /showrepl


Here's the REPADMIN output. 201394-repadmin.txt


0 Votes 0 ·
repadmin.txt (2.8 KiB)

And here's the DCDIAG output 201340-dcdiagve-120522.txt


0 Votes 0 ·
dcdiagve-120522.txt (78.9 KiB)
pma-spd answered pma-spd published

And below is the output from the repadmin /showrepl command:

Repadmin: running command /showrepl against full DC localhost
XYZADSite1\PDC-SRV
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 55fd8035-dd0c-4d90-a193-3857b99cde76
DSA invocationID: e37f6943-daa3-4eb2-9b0f-2b1f4ead41b9

==== INBOUND NEIGHBORS ======================================

DC=DOMAIN,DC=XYZ,DC=CO,DC=UK
XYZADSite1\DC02-SRV via RPC
DSA object GUID: 0b55054b-4dd0-4960-bd33-a52e0c7c8f79
Last attempt @ 2022-05-12 10:25:40 was successful.
XYZADSite2\DC03-SRV via RPC
DSA object GUID: 468379ff-8883-498d-aa4e-84b8ca5dde70
Last attempt @ 2022-05-12 10:29:09 was successful.
XYZADSite1\DC01-SRV via RPC
DSA object GUID: 451b6403-1dad-4c40-86e5-3007eb4f7329
Last attempt @ 2022-05-12 10:30:39 was successful.

CN=Configuration,DC=DOMAIN,DC=XYZ,DC=CO,DC=UK
XYZADSite1\DC02-SRV via RPC
DSA object GUID: 0b55054b-4dd0-4960-bd33-a52e0c7c8f79
Last attempt @ 2022-05-12 09:59:11 was successful.
XYZADSite1\DC01-SRV via RPC
DSA object GUID: 451b6403-1dad-4c40-86e5-3007eb4f7329
Last attempt @ 2022-05-12 10:27:27 was successful.
XYZADSite2\DC03-SRV via RPC
DSA object GUID: 468379ff-8883-498d-aa4e-84b8ca5dde70
Last attempt @ 2022-05-12 10:29:09 was successful.

CN=Schema,CN=Configuration,DC=DOMAIN,DC=XYZ,DC=CO,DC=UK
XYZADSite1\DC01-SRV via RPC
DSA object GUID: 451b6403-1dad-4c40-86e5-3007eb4f7329
Last attempt @ 2022-05-12 09:59:11 was successful.
XYZADSite1\DC02-SRV via RPC
DSA object GUID: 0b55054b-4dd0-4960-bd33-a52e0c7c8f79
Last attempt @ 2022-05-12 09:59:12 was successful.
XYZADSite2\DC03-SRV via RPC
DSA object GUID: 468379ff-8883-498d-aa4e-84b8ca5dde70
Last attempt @ 2022-05-12 10:29:09 was successful.

DC=DomainDnsZones,DC=DOMAIN,DC=XYZ,DC=CO,DC=UK
XYZADSite1\DC01-SRV via RPC
DSA object GUID: 451b6403-1dad-4c40-86e5-3007eb4f7329
Last attempt @ 2022-05-12 09:59:44 was successful.
XYZADSite1\DC02-SRV via RPC
DSA object GUID: 0b55054b-4dd0-4960-bd33-a52e0c7c8f79
Last attempt @ 2022-05-12 09:59:47 was successful.
XYZADSite2\DC03-SRV via RPC
DSA object GUID: 468379ff-8883-498d-aa4e-84b8ca5dde70
Last attempt @ 2022-05-12 10:29:09 was successful.

DC=ForestDnsZones,DC=DOMAIN,DC=XYZ,DC=CO,DC=UK
XYZADSite1\DC01-SRV via RPC
DSA object GUID: 451b6403-1dad-4c40-86e5-3007eb4f7329
Last attempt @ 2022-05-12 09:59:12 was successful.
XYZADSite1\DC02-SRV via RPC
DSA object GUID: 0b55054b-4dd0-4960-bd33-a52e0c7c8f79
Last attempt @ 2022-05-12 09:59:12 was successful.
XYZADSite2\DC03-SRV via RPC
DSA object GUID: 468379ff-8883-498d-aa4e-84b8ca5dde70
Last attempt @ 2022-05-12 10:29:09 was successful.

GaryReynolds answered CameronOlson-3606 edited

Hi @pma-spd

You can use the test below to confirm the extent of the issues with sysvol\GPO replication.

https://nettools.net/how-to-test-gpos-as-gpotool-is-no-longer-available/

You can then check the status of the sysvol share with the following article:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-missing-sysvol-and-netlogon-shares

Sorry, I didn't see your attachments. DC03-SRV is having issues talking to PDC-SRV and DC02-SRV. I would check if the other DCs are having the same issue, to confirm whether the connectivity issue is limited to DC03-SRV or other DCs are having problems too. If all the DCs are having the issue, I would try restarting the DFS services on DC02-SRV and PDC-SRV to see if this fixes it.

Gary.


Hi @GaryReynolds , thanks for taking the time to reply.

I did just try the simple test to see if the NETLOGON and SYSVOL shares were there and available on each individual DC and they were?

Checked status of the SYSVOL share using the MS troubleshooting article there and all DCs replication state is at 4 (Normal).

0 Votes 0 ·

Hi

A simple test is to create a new text file in the sysvol share and confirm that it is replicated on all the DCs.
Also run the dcdiag /v /e command on the other DCs and check the DFSREvent section of the output to see if the other DCs have DFS errors.

Gary.

0 Votes 0 ·

@GaryReynolds thanks for the suggestion here and apologies for the delay in replying!

I did as you suggested and created a TXT file in the SYSVOL folder on our PDC and this replicated immediately to the SYSVOL share on every other DC in our organization. Can I assume that this would indicate our DFSR SYSVOL replication is in fact healthy?

There are still errors when looking at the Group Policy Admin console, so I am wondering whether this is actually a problem with GPO ACLs not being synced as per this article here: https://social.technet.microsoft.com/Forums/ie/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016

A number of these DCs were originally 2008/2012 machines which were recently upgraded, so that leads me to think this might be partly our solution, although not all DCs seem to be affected; two of them list ACLs as an issue and all 4 list the SysVol as inaccessible.
204683-screenshot-2022-05-23-130837.png


0 Votes 0 ·

I would suggest changing the permissions on the GPO to check that they are replicated to the sysvol. In the GPMC, on the Delegation tab for the GPO with the error shown above, use the Advanced button to add a user with read permissions; in the example below I added greynolds. Then check if this is replicated to the sysvol permissions; I think this should reset the other permissions as well. Then run the GPMC test again to see if you get the same error.

Gary.

204760-image.png


1 Vote 1 ·
image.png (27.6 KiB)

Hi @GaryReynolds, so that would appear to cover restoring the ACLs for the GPOs which are out of sync - is that correct?

What about the fact that the second column there reports that the SYSVOL is inaccessible on all the domain controllers?

0 Votes 0 ·
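
An added example, not part of the thread or the linked articles: a PowerShell script that, for every DC, reads the DFSR state of the SYSVOL replicated folder (the value reported above as 4, Normal) and compares each GPO's versionNumber in that DC's copy of the directory with the Version line in GPT.INI on that DC's SYSVOL share. It assumes the ActiveDirectory RSAT module, CIM/WinRM access to the DCs, and the default \\DC\SYSVOL\domain\Policies layout.

```powershell
# Added example: per-DC comparison of GPO versions in AD and in SYSVOL.
# Assumes the ActiveDirectory module (RSAT) and read access to every DC.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter *

$results = foreach ($dc in $dcs) {
    $dcName = $dc.HostName

    # DFSR state of the SYSVOL replicated folder on this DC; 4 = Normal.
    $dfsrState = try {
        (Get-CimInstance -ComputerName $dcName -Namespace 'root\microsoftdfs' `
            -ClassName DfsrReplicatedFolderInfo `
            -Filter "ReplicatedFolderName='SYSVOL Share'" -ErrorAction Stop).State
    } catch { 'unreachable' }

    # GPO container objects as seen by this DC's copy of the directory.
    $gpos = Get-ADObject -Server $dcName -LDAPFilter '(objectClass=groupPolicyContainer)' `
                -Properties displayName, versionNumber

    foreach ($gpo in $gpos) {
        # The container's Name is the GPO GUID, which is also the SYSVOL folder name.
        $gptIni = "\\$dcName\SYSVOL\$domain\Policies\$($gpo.Name)\GPT.INI"
        $sysvolVersion = $null
        $note = ''
        try {
            $line = Get-Content -Path $gptIni -ErrorAction Stop |
                        Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } |
                        Select-Object -First 1
            if ($line -match '(\d+)') { $sysvolVersion = [int]$Matches[1] }
        } catch { $note = "GPT.INI not readable: $($_.Exception.Message)" }

        [pscustomobject]@{
            DC            = $dcName
            DfsrState     = $dfsrState
            GPO           = $gpo.displayName
            AdVersion     = $gpo.versionNumber
            SysvolVersion = $sysvolVersion
            InSync        = ($null -ne $sysvolVersion -and $sysvolVersion -eq $gpo.versionNumber)
            Note          = $note
        }
    }
}

# Show only rows that need attention: version mismatch, unreadable GPT.INI, or DFSR not Normal.
$results | Where-Object { -not $_.InSync -or $_.DfsrState -ne 4 } |
    Sort-Object GPO, DC | Format-Table -AutoSize
```

An empty result means every DC reports DFSR state 4 and matching AD and SYSVOL versions for every GPO; the script does not compare ACLs, so a permissions mismatch like the one in the screenshot would not show up here.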
rr-4098 answered

Can you post the results of the Dcdiag? Also, are you seeing any errors in the event logs? Please see the following article as well on manually checking the health of GPOs: https://www.windowstechno.com/group-policy-health-check-on-specific-domain-controller/
