Link to home
Create AccountLog in
Avatar of J.R. Sitman
J.R. SitmanFlag for United States of America

asked on

DC can't access a default GPO

For some reason this week one of our DC's can't access the "Default Domain Policy".  What would cause this?  More importantly, how do I fix it.
Avatar of PlaceboC6
Flag of United States of America image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of J.R. Sitman


Thanks, I'll go through it today and get back to you
Sounds good.  The problem you are having can be caused by DNS issues, network issues, permissions issues, user right issues, smb signing issues, dfs client issues.  So many things.

This article addresses many of them.
Yikes.  Sounds like a lot of searching.  I better get started.
Well hopefully the article helps you.
Don't know how many DC's you have,  but....

From the DC you are having trouble with.

Click on sysvol share
Then policies
Then you should see two policies (they always start with these letters and numbers:

6AC.......    (Default Domain Controller policy)
31B2.....   (Default Domain Policy)

Make sure they aren't missing

They are both there, however, the sysvol is not a "shared" folder.  Should it be?
Yep.  It is supposed to be shared when the FRS service comes online.

c:\windows\sysvol\SYSVOL should be shared.

The second sysvol folder,  not the one directly under the windows folder.

Don't manually share it,  if it isn't might have errors in your File Replication Service log.

How many DC's do you have?
We have 3
You can type


On each of the three.
See which ones have sysvol
Which ones don't.

If this server is the only one that doesn't.
Make sure that it is pointing only to a DC/DNS server for dns resolution and not a third party dns server.

I'd check and see if you have any red errors in your FRS log on the problem DC.
Sorry it is shared.  When I looked at it using the it didn't show shared.  But viewing the full path it does.  Shres are Administrator Full, authenticated users full and everyone read.
I found warnings on the DC that is having the problem that it can't replicate to the other DC due to name resolution. .  Attached are errors from the DC it is trying to reach.  Please take a look
Ahh this should be easy to fix.

This DC has a journal wrap error.

Go to the following key in registry on the problem server.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID

You should see a guid for your sysvol replica set
Under it you should see a key called burflags

Set it to    D2
This is a hex value
Restart the File Replication Service on this machine
Wait a minute and then type

NET SHARE at command prompt and see if sysvol is shared.
It's seemd like it might be a performance issue with the DC that has the errors.  I checked the logs and the problem resolves itself, however later it returns.
What items would you recommend to add to a Performance "counter log" to track the usage?

The only performance problem that could cause a journal wrap error would be the disks that SYSVOL resides on being slammed incredibly hard.

However....once you are in journal stay that way until you do the fix procedure I outlined above.

If sysvol isn't shared,  you're still in journal wrap.
OK, I made the registry change.  I'll check back with you later today.

Thanks for the help.  I love Experts-Exchange.
After you make the registry change,  you need to retart the file replication service for it to take effect.

Net stop ntfrs
net start ntfrs

Or you can open services.msc and restart it from there.
I used services
Clarification.  You said to change the setting to D2.  I couldn't enter the D so I just did the 2.  Or did you mean to change it from Hex to Decimal?
It needs to be a hex value of     D2
got it this time
I got the error below.  How do I access this folder?

Description: Alert Set: The NETLOGON folder on server SPCALA01 is not currently shared. File Replication Service (FRS) will not function correctly.

So far it looks like you solved the FRS problem, but the Access Denied to the GPO is still there.  I have read the article yet.
Might need to check file permissions on the sysvol folder tree and make sure that SYSTEM and Administrators have full control and domain users have read.
Permissions look good.  The error came before you had me edit the registry.  Could the registry change have fixed it?
Open a command prompt and do this:


See if you see Sysvol listed as a share.  If you do,   then that error is old.

sysvol\sysvol\domain\scripts and sysvov\sysvol are shared
That is a good thing.  Now this thing should be working as a DC.

Now you should be able to go to administrative tools on the DC and select the default domain controller policy and the default domain policy.
So is this all working now jrsitman?
I was going to wait till Monday to reply, but it seems the article solved the problem.  It turns out the domain users had to be added.

Thanks for all the help.
You're welcome!