PonLogistiek

When adding a user to a security group it takes up to 12 hours to replicate in Citrix with PowerFuse

When I add a user to a security group for an application, it takes up to 12 hours to replicate before the user gets it in Citrix with PowerFuse. When adding the user to a security group on a folder it will work directly. We are running Citrix 4.5 and PowerFuse 8 SR7 on 4 W2k3 64-bit machines.
Does somebody know what to do to reduce the replication time?
Darius Ghassem

Please read over this link. One of the fixes is below.

Enumerating Active Directory users could take a long time, which should be fixed in your version. Are you fully updated?

http://www.resug.com/res-powerfuse-2008-sr7-is-out
PonLogistiek

ASKER

Thanks dariusg,
I am gonna check this out! But we also found out that there are sync problems between our domain cont. and the 3 sub domain controllers ... But I will place that as a new question.
@darius,

Yes, we are fully updated to version 2008R7. Still seems to have the problems. Any more ideas?

If you are having issues with your domain then this problem is most likely related.

Do you have any option we could check for fixing this issue?

The only thing I try, which doesn't always work in this matter, is a GPUPDATE /FORCE. That command only seems to be for updating your changed policies.

What problems are you seeing on your domain? Run dcdiag, then post the results for a DC.

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: DC\Server
      Starting test: Connectivity
         ......................... Server passed test Connectivity

Doing primary tests

   Testing server: DC\Server
      Starting test: Replications
         ......................... **INFRASERVER** passed test Replications
      Starting test: NCSecDesc
         ......................... **INFRASERVER** passed test NCSecDesc
      Starting test: NetLogons
         ......................... **INFRASERVER** passed test NetLogons
      Starting test: Advertising
         ......................... **INFRASERVER** passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... **INFRASERVER** passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... **INFRASERVER** passed test RidManager
      Starting test: MachineAccount
         ......................... **INFRASERVER** passed test MachineAccount
      Starting test: Services
         ......................... **INFRASERVER** passed test Services
      Starting test: ObjectsReplicated
         ......................... **INFRASERVER** passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... **INFRASERVER** passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... **INFRASERVER** failed test frsevent
      Starting test: kccevent
         ......................... **INFRASERVER** passed test kccevent
      Starting test: systemlog
         ......................... **INFRASERVER** passed test systemlog
      Starting test: VerifyReferences
         ......................... **INFRASERVER** passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : DOMAIN
      Starting test: CrossRefValidation
         ......................... DOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DOMAIN passed test CheckSDRefDom

   Running enterprise tests on : DOMAIN.NL
      Starting test: Intersite
         ......................... DOMAIN.NL passed test Intersite
      Starting test: FsmoCheck
         ......................... DOMAIN.NL passed test FsmoCheck

So, you are failing SYSVOL replication. Please post ipconfig /all.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Server
   Primary Dns Suffix  . . . . . . . : DOMAIN.NL
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : DOMAIN.NL

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-50-56-86-2B-D8
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.32.17.162
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.32.17.1
   DNS Servers . . . . . . . . . . . : 10.32.17.162
                                       10.32.17.163
                                       10.32.17.161
   Primary WINS Server . . . . . . . : 10.32.17.163
   Secondary WINS Server . . . . . . : 10.32.17.162
                                       10.32.17.161

What Events do you have under FRS in the Event Viewer?

#1:

DNS name server03.DOMAIN.NL. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name server03.DOMAIN.NL from this computer.
 [2] FRS is not running on server03.DOMAIN.NL.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


#2

The File Replication Service has enabled replication from SERVER03 to SERVER02 for c:\windows\sysvol\domain after repeated retries.

I also saw something strange at our Directory Service Event Viewer:

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
 
Directory partition:
CN=Configuration,DC=DOMAIN,DC=NL
 
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
 
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
 
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

Can you ping server03? Do you have the msdcs folder delegated? If it is, you will see the folder grayed out under the domain.com zone and you will have a msdcs.domain.com zone.

Yep, I can ping our server03. And our _msdcs zone is not delegated. Should this be delegated?

No, if you have all your DNS servers with the msdcs folder listed under domain.com and it is not grayed out, then you are good, but make sure you have records listed.

Anything else we could check since you said we are OK?

The problem is also intermittent; it's not here all the time. We have "good days" & "bad days", where we have more bad than good.
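
Added example, not part of the original thread or any poster's code: a small Python parser for dcdiag text output in the layout posted above, which lists only the failed tests together with the explanatory text dcdiag printed for them (here, the frsevent SYSVOL warning). The sample input is constructed from lines shown in the thread, and the function names are illustrative.

```python
import re

# Constructed sample in the same layout as the dcdiag output posted in the thread.
SAMPLE = """\
   Testing server: DC\\Server
      Starting test: Replications
         ......................... INFRASERVER passed test Replications
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... INFRASERVER failed test frsevent
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
"""

# Scope headers: a server, a directory partition, or the enterprise (forest).
SCOPE = re.compile(
    r"^\s*(?:Testing server|Running (?:partition|enterprise) tests on)\s*:\s*(.+?)\s*$")
START = re.compile(r"^\s*Starting test:\s*(\S+)")
# Result lines: a run of dots, the target name, passed/failed, the test name.
RESULT = re.compile(r"^\s*\.{3,}\s*(.+?)\s+(passed|failed)\s+test\s+(\S+)\s*$")

def parse_dcdiag(text):
    """Return one dict per test: scope, target, test, status, detail."""
    results, scope, current, detail = [], None, None, []
    for line in text.splitlines():
        if m := SCOPE.match(line):
            scope = m.group(1)
        elif m := START.match(line):
            current, detail = m.group(1), []
        elif m := RESULT.match(line):
            results.append({"scope": scope,
                            "target": m.group(1).strip("*"),  # drop ** markers
                            "test": m.group(3), "status": m.group(2),
                            "detail": " ".join(detail)})
            current = None
        elif current and line.strip():
            # Free text between "Starting test" and the result explains the outcome.
            detail.append(line.strip())
    return results

def failed_tests(text):
    """Only the tests dcdiag reported as failed."""
    return [r for r in parse_dcdiag(text) if r["status"] == "failed"]

if __name__ == "__main__":
    for r in failed_tests(SAMPLE):
        print(f"{r['scope']}: {r['test']} FAILED - {r['detail']}")
```
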
ASKER CERTIFIED SOLUTION
Darius Ghassem