Contents of Sysvol Policies folder different on 2 DCs

Discussion in 'Active Directory' started by Guest, Mar 6, 2008.

  1. Guest

    Guest Guest

    I have two Win2k3 DCs running SP2 in the same domain and subnet that are
    successfully replicating (no NTFRS errors). However, there are 26 elements
    in one of the DCs Policies folder and 23 in the other. A recently created
    GPO, for example, did not replicate. I ended up having to back it up from
    one and restore it to the other as a workaround.

    I've run a bunch of tests (netdiag, dcdiag, repadmin) and there's nothing
    obviously wrong. Repadmin shows successful replication. DCDiag tests pass
    as do Netdiag tests. It's very strange.

    Is there anything I can do to bring the policies folder on the 2 DCs back in
    sync?

    Thanks.

    Kevin
     
    Guest, Mar 6, 2008
    #1
    1. Advertisements

  2. Guest

    steve Guest

    I suffered from the same problem. I was advised to carry out a forced
    GPUpdate from the command prompt if you want this to happen straight away.

    From the command prompt on the server where you have made changes to the
    GPO's type in GPUpdate /force.

    Hope this solves your problem.
     
    steve, Mar 6, 2008
    #2
    1. Advertisements

  3. Hello Kevin,

    Thank you for posting in newsgroup.

    From your description, the issue is that the SVSVOL folder doesn't get
    synchronized when you create a new group policy.

    First, it is not accurate to check the replication through the amount of
    elements in the SYSVOL folder. When a file is modified or created, it is
    copied to the staging area first and wait to be replicated to its partner.
    This will result to a different amount of elements in SYSVOL folder between
    DCs.

    To check Group Policy objects (GPOs) for consistency on each domain
    controller, I'd like to introduce you 'GPOtool.exe'.

    - GPOtool.exe

    The tool can be used to check the health of the Group Policy objects on
    domain controllers. It determines whether the policies are valid and
    displays detailed information about replicated GPOs.

    It ships with the Microsoft Windows 2003 Server Resource Kit and is
    available as a free download at the link below:

    Windows Server 2003 Resource Kit Tools
    http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-
    96ee-b18c4790cffd&displaylang=en

    Hope this helps.


    Miles Li
    Microsoft Online Partner Support
     
    Miles Li [MSFT], Mar 7, 2008
    #3
  4. Guest

    Guest Guest

    Miles,

    Thank you for your reply. My bad, however, because I did not mention that I
    had run the GPOTool as well. The tool indicated that the SYSVOL data for a
    given GPO on SRV1 is missing (data exists in AD but not in SYSVOL folder).

    I am unclear on how to recover from this problem.

    Kevin
     
    Guest, Mar 12, 2008
    #4
  5. Hi Kevin,

    Yes, this means there is non-consistency between Group Policy Container
    (GPC) and Group Policy Template (GPT). A manual FRS replication for SYSVOL
    should be useful for this issue.

    You can also perform the following steps to re-synchronize the SYSVOL
    folder manually:

    1. From your description, it seems the SYSVOL folder on SRV1 didn't get
    replicated form another domain controller. So the another domain
    controller have a up-to-date SYSVOL folder.

    2. On both controllers, stop the FRS, and then set the service startup
    type value for the FRS to Disabled.


    3. On the domain controller that holds the up-to-date SYSVOL folder,
    configure the SYSVOL replica set to be authoritative. This reference
    domain controller will contain the authoritative copy of the SYSVOL tree
    for all other members of the replica set. Other domain controllers in the
    domain will directly or transitively replicate from this reference domain
    controller.

    To configure the SYSVOL replica set to be authoritative, follow these
    steps:

    - Click Start, click Run, type regedit, and then click OK.

    - Locate and then click the BurFlags entry under the following registry
    subkey:


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumula
    tive Replica Sets\GUID
    GUID is the GUID of the domain system volume replica set that is shown in
    the following registry subkey:


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replic
    a Sets\GUID

    - Right-click BurFlags, and then click Modify.

    - Type D4 in the Value Data field (HexaDecimal), and then click OK.


    4. On the domain controllers except the reference (in your issue it should
    be SRV1on that a GPT is missing), configure the FRS to be non-
    authoritative.

    To do this, follow these steps:

    - Click Start, click Run, type
    regedit, and then click OK.

    - Locate and then click the BurFlags entry under the following registry
    subkey:


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumula
    tive Replica Sets\GUID
    GUID is the GUID of the domain system volume replica
    set that is shown in the following registry subkey:


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replic
    a Sets\GUID

    - On the Edit menu, point to New, and then click
    DWORD Value

    - Type D2 for the name of the DWORD,
    and then press ENTER.



    5. On both domain controllers, restart FRS, and then verify that SYSVOL
    has been synchronized. The service startup type for the FRS should be set
    to Automatic again.

    For more information you can refer to:

    How to rebuild the SYSVOL tree and its content in a domain
    http://support.microsoft.com/kb/315457/

    Hope it helps.


    Sincerely,
    Miles Li

    Microsoft Online Partner Support
    Microsoft Global Technical Support Center

    Get Secure! - www.microsoft.com/security
    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Miles Li [MSFT], Mar 14, 2008
    #5
  6. Hi Kevin,

    How are things going? I've not heard back from you in a few days and wanted
    to check on the status of the issue. Please let me know how the
    troubleshooting steps turned out.

    Sincerely,
    Miles Li

    Microsoft Online Partner Support
    Microsoft Global Technical Support Center

    Get Secure! - www.microsoft.com/security
    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Miles Li [MSFT], Apr 7, 2008
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.