Solved

Mismatched SYSVOL, Group Policy

Posted on 2012-03-31
2
2,621 Views
Last Modified: 2012-04-17
Hi Everyone,

We recently took on a new customer and have discovered that they have certain issues in their environment.  They have 2 AD sites that have 3 DCs in one and 2 DCS in the other.  The 2 DCs SYSVOL contents are out of sync with their neighbours in the other site.  On deeper inspection of their environment, it has also been discovered that their primary DNS zone is set to allow unsecure and secure updates - its a AD primary zone.  They previously upgraded their server estate from Windows 2000 Server.  I was wondering if this could be a key contributing factor any the SYSVOL issue?  They are now going to upgrade their esate to Windows Server 2008 and we are trying weight up if it would be a better idea to start with a clean forest and leave the legacy issues behind, or continue with the current env.  Thanks for your help in advance
0
Comment
Question by:cmatchett
2 Comments
 
LVL 26

Accepted Solution

by:
Leon Fester earned 250 total points
ID: 37791988
SYSVOL should replicated to all DC's.
If it's not the same, then you may be having some replication problems.

A DCDIAG /V should show you any errors in your AD.

Check out these to links which explain how to fix SYSVOL replication
http://www.techtalkz.com/windows-server-2003/446082-contents-sysvol-policies-folder-different-2-dcs.html
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24323148.html

Once you're AD is clean and replicating properly, then I could see why not to migrate your existing domain.

Setting DNS to secure update mode just a matter of change settings on the zone.
Enable scavenging an you'll soon have a clean DNS as well.

The only reason for setting DNS to unsecure update mode is if they have many non-windows devices or many guests/bring-your-own devices on the network. OR the other major reason...they had some DNS problems and some "bright spark" suggested this fix.

Either way, the option to migrate/replace remains yours.
0
 
LVL 10

Assisted Solution

by:Prashant Girennavar
Prashant Girennavar earned 250 total points
ID: 37795473
Make sure replication between the DC are working fine.

I also would suggest you to run Dcdiag test and check for any error message.

Regarding the sysvol Mismatch you will have to see what event ID is getting generated on Domain controllers.

For Eg - If On one of the DC sysvol is not replicated properly then you can perform non- authorative resotre.

Follow below article which explains how to troublshoot sysvol error messages.

http://social.technet.microsoft.com/wiki/contents/articles/8548.sysvol-and-netlogon-share-importance-in-active-directory.aspx

If none of the solution works then Run dcdiag /v and post the results here.

Regards,

_Prashant_
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Installing 3rd Party SSL for enabling LDAP over SSL 13 31
Enable ad recycle bin 1 14
need assistance with this powershell script 4 40
EXCHANGE, ACTIVE DIRECTORY 1 30
Resolve DNS query failed errors for Exchange
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question