Mismatched SYSVOL, Group Policy

Hi Everyone,

We recently took on a new customer and have discovered that they have certain issues in their environment.  They have 2 AD sites that have 3 DCs in one and 2 DCS in the other.  The 2 DCs SYSVOL contents are out of sync with their neighbours in the other site.  On deeper inspection of their environment, it has also been discovered that their primary DNS zone is set to allow unsecure and secure updates - its a AD primary zone.  They previously upgraded their server estate from Windows 2000 Server.  I was wondering if this could be a key contributing factor any the SYSVOL issue?  They are now going to upgrade their esate to Windows Server 2008 and we are trying weight up if it would be a better idea to start with a clean forest and leave the legacy issues behind, or continue with the current env.  Thanks for your help in advance
cmatchettAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Leon FesterSenior Solutions ArchitectCommented:
SYSVOL should replicated to all DC's.
If it's not the same, then you may be having some replication problems.

A DCDIAG /V should show you any errors in your AD.

Check out these to links which explain how to fix SYSVOL replication
http://www.techtalkz.com/windows-server-2003/446082-contents-sysvol-policies-folder-different-2-dcs.html
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24323148.html

Once you're AD is clean and replicating properly, then I could see why not to migrate your existing domain.

Setting DNS to secure update mode just a matter of change settings on the zone.
Enable scavenging an you'll soon have a clean DNS as well.

The only reason for setting DNS to unsecure update mode is if they have many non-windows devices or many guests/bring-your-own devices on the network. OR the other major reason...they had some DNS problems and some "bright spark" suggested this fix.

Either way, the option to migrate/replace remains yours.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Prashant GirennavarCommented:
Make sure replication between the DC are working fine.

I also would suggest you to run Dcdiag test and check for any error message.

Regarding the sysvol Mismatch you will have to see what event ID is getting generated on Domain controllers.

For Eg - If On one of the DC sysvol is not replicated properly then you can perform non- authorative resotre.

Follow below article which explains how to troublshoot sysvol error messages.

http://social.technet.microsoft.com/wiki/contents/articles/8548.sysvol-and-netlogon-share-importance-in-active-directory.aspx

If none of the solution works then Run dcdiag /v and post the results here.

Regards,

_Prashant_
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.