Active Directory and Sysvol Are Unsynchronized

You configure a logon script with a Group Policy object. In a multiple domain controller environment, this change requires that Active Directory and the Sysvol replicate this change to all the domain controllers. Before both Active Directory and Sysvol are fully replicated, a user logs on to the system and is authenticated by a domain controller that is not fully replicated, and the user experiences unexpected behavior.

Possible Causes:

  • In a multiple domain controller environment, changes to Active Directory have not yet completed replication.

  • In a multiple domain controller environment, changes to the Sysvol have not yet completed replication.

Diagnostic Tests:

Run Netdiag.exe to check the client network configuration and to verify that DNS is configured and working correctly.

If the user has a roaming user profile, verify that he or she correctly receives the roaming user profile at logon.

Run Gpresult.exe to see whether any Group Policy settings are applied. If no Group Policy settings are applied, see "No Group Policy Objects Are Applied" later in this chapter.

To check the status of Active Directory and Sysvol replication on each server

  1. Run Gpotool.exe to check the number of unique Group Policy objects available on the network, and the status of each of these Group Policy objects on each domain controller. The status output from Gpotool.exe provides the information needed to determine whether Active Directory and Sysvol are synchronized on each domain controller that you can connect to.

  2. If you find that Sysvol is not synchronized between two domain controllers, place any text file on the Sysvol of one of the domain controllers. Confirm that it is replicated to the other domain controllers. If this fails, check the network connectivity between the domain controllers.

  3. If Active Directory is not synchronized between domain controllers, run Active Directory Replication Monitor (Replmon.exe), which can provide additional information about the state of Active Directory synchronization, and provide assistance in resolving the problem.
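
The check in step 1 can also be made by hand, because each Group Policy object records a version number twice: in the versionNumber attribute of its groupPolicyContainer object in Active Directory, and in the Version entry of its GPT.INI file on Sysvol. The following PowerShell script is an added example, not part of the original chapter or of Gpotool.exe; it assumes the RSAT ActiveDirectory module and read access to the Sysvol share of every domain controller, and the function and variable names are illustrative.

```powershell
# Added example (not Microsoft code). Assumes the RSAT ActiveDirectory module
# and read access to \\<DC>\SYSVOL on every domain controller.
Import-Module ActiveDirectory

function Get-SysvolGpoVersion([string]$GptIniPath) {
    # GPT.INI holds a line of the form "Version=<integer>".
    foreach ($line in Get-Content -LiteralPath $GptIniPath -ErrorAction Stop) {
        if ($line -match '^\s*Version\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    throw "No Version entry in $GptIniPath"
}

$domain     = Get-ADDomain
$policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$query = @{ SearchBase = $policiesDn; SearchScope = 'OneLevel'
            LDAPFilter = '(objectClass=groupPolicyContainer)'
            Properties = 'displayName', 'versionNumber' }

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Query this DC's own directory replica; skip DCs that cannot be reached.
    try   { $gpos = Get-ADObject @query -Server $dc.HostName -ErrorAction Stop }
    catch { Write-Warning "Cannot query $($dc.HostName): $_"; continue }
    foreach ($gpo in $gpos) {
        # Address Sysvol by DC host name so each replica is read, not a referral.
        $ini = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$($gpo.Name)\GPT.INI"
        $sysvol = $null
        try { $sysvol = Get-SysvolGpoVersion $ini } catch { Write-Warning "${ini}: $_" }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Gpo              = $gpo.displayName
            Guid             = $gpo.Name
            AdVersion        = $gpo.versionNumber
            SysvolVersion    = $sysvol
            InSync           = ($null -ne $sysvol -and $sysvol -eq $gpo.versionNumber)
        }
    }
}

# Sysvol lag: on a given DC, the GPT.INI version differs from the AD version.
$report | Where-Object { -not $_.InSync } | Format-Table -AutoSize

# Active Directory lag: the same GPO has different AD versions on different DCs.
$report | Group-Object Guid |
    Where-Object { @($_.Group.AdVersion | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { "AD version differs between domain controllers for GPO $($_.Name)" }
```

Rows in the first table point to step 2 (Sysvol replication); lines from the second check point to step 3 (Active Directory replication).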