group policies not copying from DC1 to DC2

gopher_49
Whenever I create a new GPO via the GPMC the group policy is stored on domain controller 1 in the \policies folder, however, it never gets replicated to domain controller 2 unless I manually copy it.

What could be causing this?

I highly recommend against manually updating the Sysvol folder. From Microsoft:
"Copying SYSVOL files is recommended only for recreating a nonfunctioning SYSVOL, which requires several preliminary procedures. Copying SYSVOL files from one domain controller to another without following these procedures causes invalid data to be replicated and causes the system volumes on other domain controllers to become inconsistent."

Was one of the DCs off for an extended period of time? It could be tombstoned. More details here:
http://technet.microsoft.com/en-us/library/cc786630%28WS.10%29.aspx

If not, double check the replication frequency settings in "Active Directory Sites and Services".
http://technet.microsoft.com/en-us/library/cc730954%28WS.10%29.aspx

Microsoft also provides a tool for monitoring and troubleshooting the File Replication Service:
http://www.microsoft.com/downloads/details.aspx?FamilyID=61acb9b9-c354-4f98-a823-24cc0da73b50&DisplayLang=en

As a last resort, you could try rebuilding the entire SYSVOL tree:
http://support.microsoft.com/kb/315457



Author

Commented:
To my knowledge the DCs have always been online and not dropped for long at all.. I ran the repadmin command in advisory mode but I don't know where it saves the file to?!

Commented:
Repadmin should display results onscreen immediately after you run the command, and does not log to a file (that I know of). If you were wanting to save those results to a file, you would have to run something like "repadmin [options] >logfile.txt".


Author

Commented:
If it only displays the objects then I'm good.. There are no objects lingering.. The process stated it ran successfully and no objects were listed. The replication interval is 180 minutes and I waited overnight to see my new GPO replicate. I'm trying to install Ultrasound and can't get it to connect to my 2000 Standard SQL server or my 2005 Standard SQL server. I tried servername\MSSQLSERVER and I also tried servername by itself.. Not sure what I'm doing wrong...

Author

Commented:
OK. I got Ultrasound to install. It's running on a member server under the domain admin account... I added the sysvol volume to be monitored. What do I do now?

Author

Commented:
ok..  I found an error in the log.. See below.

Failed Ultrasound server updates - FRS Replica set in state journal wrap

See the "Troubleshooting FRS / USN Journal Wrap" topic in the Ultrasound documentation.

Author

Commented:
also, under the advanced log I see:

ErrorID = 24

Commented:
You must be getting events in the event viewer. Look under the File Replication log: you may find 13568, 13508 etc. Please revert back with the error message.
You should also check any Directory Services events.

Please paste the events and we can try to help you here...

Regards,

Arun.

Commented:
Oops.. I think both of us were writing at the same time... Journal Wrap? You must be getting 13568 in the event viewer...

If there are no Directory Services errors please follow this article: http://support.microsoft.com/kb/315457

In short, you have to stop FRS on both DCs. Then go to the registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID of the "Domain System Volume". On the right you will find Burflag.

(GUID is the GUID of the domain system volume replica set that is shown in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID)

Now, change the value of Burflag to D4 on the DC which is most up to date in terms of group policies and scripts, and change the same key (Burflag) to D2 on the other DC.

Now start FRS on the D4 DC first and then on the D2 DC...

Regards,

Arun.

Author

Commented:
I'll try this in a few hours. I verified that I have a good backup of both DCs' system volumes, ntds folders, and system state. Also, I don't see this event id error anywhere except in the Ultrasound application. My GFI Events Manager did send something about this the last time I rebooted them. It's been going on for a while now... Which server do I do this on?

Author

Commented:
Ignore my question about which one to run it on... I'll let you know how it turns out.

Author

Commented:
ARK-DS,

I think everything is working now. I see a successful event in the log system of Ultrasound.. The event type is Provider deployment status - Successful deployments and it shows successful for both servers. I'll check it again in the morning and update.

Author

Commented:
I'm still getting the same error:

Failed Ultrasound server updates - FRS Replica set in state journal wrap

Maybe I did the process wrong last night? I stopped the DFS services, changed the Burflag to D4 on the up to date DC and D2 on the other DC and then started the services... There were other steps in the article you sent me. Should I go through all of those?!

Author

Commented:
I went to the most recent KB you sent me.. I'm performing all of the steps, however, I'm seeing something really odd. It's asking me to look at the \System\Policies folder in the AD Users and Computers panel. I don't see any policies listed there. None at all. That can't be normal.

Commented:
OK,

I don't know where it asks to go into ADSIEdit. But please tell me if I am correct in understanding your current situation. Follow the article below in case I have understood your situation correctly. If not, please let me know in detail what you did and what turned out of that...

I assume once you followed the instructions I gave, it got resolved but now again it is showing that it is in journal wrap state?

See, if the system is falling into Journal Wrap state again and again, this means that the volume (C drive) is experiencing a lot of transactions.

In this scenario, I suggest increasing the size of the journal.
Please follow this:

http://support.microsoft.com/kb/292438

Regards,

Arun.

Author

Commented:
It never got resolved. I saw a 'Provider deployment status - Successful deployments' on the 28th and thought that was a current message. I'm still getting the 'Failed Ultrasound server updates - FRS Replica set in state journal wrap' errors. I stopped the ntfrs services, made the reg changes, and then started them again. That didn't help. I read instructions that pertained to deleting the policies and scripts folder from the DC that is a replica, I moved those to a temp folder and tried your steps again. That didn't fix it. I also read further and it seems that it mentions to move the policies and scripts folders to a temp folder on both DCs and then perform the steps you mentioned, however, I was a little afraid to do that. I ran all of the 'linkd' commands and everything returned properly, except, on the DC that is having problems there is an odd character after the domain name. The command linkd "%systemroot%\SYSVOL\staging areas\DNS Domain Name" resulted in the below return:

Source  C:\WINDOWS\SYSVOL\staging areas\domain.com is linked to
C:\WINDOWS\SYSVOL\staging\domain¶

Notice the paragraph symbol at the end of the path.  My other DC doesn't show this character when running this command.  

I'm about to increase the size of the journal.

Commented:
Yes, I think increasing the journal size would help. But just to let you know, once you increase the journal size, you cannot reduce it back...

Another thing. You could have done that test as well (in the article). Look, we have to fix the replication (FRS). Now we could have done this with empty Policies and Scripts folders as well. And once we were sure that the replication was working, we could have put the policies and scripts back...

Regards,
Arun.

Author

Commented:
I don't see the below reg entry.

HKLM\System\CCS\Services\NTFRS\Parameters\"Ntfs Journal size in MB" (REG_DWORD). This reg entry does not exist. I'm going to add it. I'll remove it if anything acts up. I also added the auto recovery reg entry and it's rebuilding the sysvols now... I have backups of my policies, scripts, system system, and drive c and the ntds folder if something messes up.

Author

Commented:
I think everything is working now... After enabling the automatic rebuild and increasing the journal size to 128mb's the replica now has an exact copy of the references policy and scripts folder. I have 14mins before the heartbeat application updates its log output. I'm fairly confident all errors will be gone. I'll update once I see the new logs.

Commented:
That's great...

I am happy that I was of help to you...

Do let me know if you need any further help...

Regards,

Arun.

Author

Commented:
I just verified and via Ultrasound's health menu tab (show all is enabled) I see that all aspects are healthy. Thanks so much for your help. I get nervous when dealing with aspects of AD. Finally my GPOs will replicate properly.

Thanks!

Author

Commented:
I increased the journal size to 128mb and enabled the auto rebuild via the registry and all is well now.

Commented:
You should NEVER copy stuff manually between DCs for the NETLOGON/SYSVOL shares. Doing so will cause problems.
See:
Using the BurFlags registry key to reinitialize File Replication Service replica sets http://support.microsoft.com/?id=290762

How to rebuild the SYSVOL tree and its content in a domain http://support.microsoft.com/?id=315457
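
Before touching Burflag or the journal size as discussed in this thread, it helps to record the current FRS state on each DC. The following read-only check is an added example, not part of the original thread or of any Microsoft tool; it assumes a domain controller still replicating SYSVOL with FRS, Windows Server 2008 or later (for `Get-WinEvent`) and PowerShell 3.0 or later, and the `Enable Journal Wrap Automatic Restore` value name comes from the text of event 13568, since the thread does not name the auto recovery entry.

```powershell
# Added example: read-only FRS/SYSVOL state report. Run elevated on each DC.
# It only reads the registry and the event log; it changes nothing.
$frs = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

# Find the GUID of the domain system volume replica set under "Replica Sets".
$sysvol = Get-ChildItem "$frs\Replica Sets" -ErrorAction Stop | Where-Object {
    (Get-ItemProperty $_.PSPath).'Replica Set Name' -like 'DOMAIN SYSTEM VOLUME*'
} | Select-Object -First 1
if (-not $sysvol) { throw 'No SYSVOL replica set found under NtFrs\Parameters.' }
$guid = $sysvol.PSChildName

# BurFlags for that GUID: 0xD4 marks the authoritative copy, 0xD2 a
# non-authoritative one that re-syncs from its partner.
$cum = Get-ItemProperty "$frs\Cumulative Replica Sets\$guid" -ErrorAction SilentlyContinue
$burFlags = if ($cum -and $null -ne $cum.BurFlags) { '0x{0:X}' -f $cum.BurFlags } else { 'not set' }

# Journal settings; both values are absent until an administrator adds them.
$p = Get-ItemProperty $frs
$journalMb   = $p.'Ntfs Journal size in MB'
$autoRestore = $p.'Enable Journal Wrap Automatic Restore'  # not named in the thread

# Events 13568 (journal wrap) and 13508, the IDs named in the thread, last 7 days.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'File Replication Service'
    Id        = 13568, 13508
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    SysvolReplicaGuid      = $guid
    BurFlags               = $burFlags
    JournalSizeMB          = if ($null -ne $journalMb) { $journalMb } else { 'not set' }
    JournalWrapAutoRestore = if ($null -ne $autoRestore) { $autoRestore } else { 'not set' }
    Event13568Count        = @($events | Where-Object { $_.Id -eq 13568 }).Count
    Event13508Count        = @($events | Where-Object { $_.Id -eq 13508 }).Count
    LatestEvent            = if ($events.Count) { $events[0].TimeCreated } else { $null }
}
```

Running it on both DCs before and after the change gives a record to compare, and the event counts show whether journal wrap is still being logged once FRS has restarted.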
