Mismatched SYSVOL, Group Policy

Posted on 2012-03-31
Medium Priority
Last Modified: 2012-04-17
Hi Everyone,

We recently took on a new customer and have discovered that they have certain issues in their environment.  They have 2 AD sites that have 3 DCs in one and 2 DCS in the other.  The 2 DCs SYSVOL contents are out of sync with their neighbours in the other site.  On deeper inspection of their environment, it has also been discovered that their primary DNS zone is set to allow unsecure and secure updates - its a AD primary zone.  They previously upgraded their server estate from Windows 2000 Server.  I was wondering if this could be a key contributing factor any the SYSVOL issue?  They are now going to upgrade their esate to Windows Server 2008 and we are trying weight up if it would be a better idea to start with a clean forest and leave the legacy issues behind, or continue with the current env.  Thanks for your help in advance
Question by:cmatchett
LVL 26

Accepted Solution

Leon Fester earned 750 total points
ID: 37791988
SYSVOL should replicated to all DC's.
If it's not the same, then you may be having some replication problems.

A DCDIAG /V should show you any errors in your AD.

Check out these to links which explain how to fix SYSVOL replication

Once you're AD is clean and replicating properly, then I could see why not to migrate your existing domain.

Setting DNS to secure update mode just a matter of change settings on the zone.
Enable scavenging an you'll soon have a clean DNS as well.

The only reason for setting DNS to unsecure update mode is if they have many non-windows devices or many guests/bring-your-own devices on the network. OR the other major reason...they had some DNS problems and some "bright spark" suggested this fix.

Either way, the option to migrate/replace remains yours.
LVL 10

Assisted Solution

by:Prashant Girennavar
Prashant Girennavar earned 750 total points
ID: 37795473
Make sure replication between the DC are working fine.

I also would suggest you to run Dcdiag test and check for any error message.

Regarding the sysvol Mismatch you will have to see what event ID is getting generated on Domain controllers.

For Eg - If On one of the DC sysvol is not replicated properly then you can perform non- authorative resotre.

Follow below article which explains how to troublshoot sysvol error messages.


If none of the solution works then Run dcdiag /v and post the results here.



Featured Post

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
Native ability to set a user account password via AD GPO was removed because the passwords can be easily decrypted by any authenticated user in the domain. Microsoft recommends LAPS as a replacement and I have written an article that does something …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question