TWO AD 2003 whose sysvol Policies do not replicated correctly

I have 2 AD 2003 and the sysvol policies do not all replicate well.
One thing I have figured out was that I was missing one {CC2C2824-9480-4530-B4B3-45D5F505F450} on one of them but I guess if other policies are missing or incomplete that would explain why some users get a change password every 90 days and some don't!
How can I fix those replication problem.
Who is Participating?
alicainConnect With a Mentor Commented:
Hello philjans,

SYSVOL recoveries like this can take a considerable amount of effort to resolve and investing some time to first find the root cause of why they are not replicating before trying to fix it is time well spent.

Start by checking the event logs for NTFRS related errors and look to get them resolved.  Running Repadmin, DCDIAG and FRSUTIL on the DCs will also help identify issues.

Before making any configuration changes, it is prudent to take a backup of the policies and scripts folders on each DC before you start so you can go back and look where things where if needed.  Be very careful to take the copy at the policies/scripts level so that you DO NOT copy the junction points.

There were numerous hotfixes for NTFRS in the 2003 days, so ensuring they are at least at Service Pack 2 is wise.

Once the cause of the replication failures has been identified and resolved, you are going to need to identified which of the two domain controllers has the best SYSVOL, which will then be used to recover and reinitialise from.  Full details of the process can be found here :  Using the BurFlags registry key to reinitialize File Replication Service replica sets.  If you go down this route and you have DFS-R in your environment, be sure to use the SYSVOL "replica set specific" key.

Adam BrownSr Solutions ArchitectCommented:
Check your error logs on each Domain controller for errors. There are a lot of things that can break FRS, which handles replication. has a guide on troubleshooting if you are getting errors. has some stuff you can try to fix the problem.
helpfinderIT ConsultantCommented:
check these commands:
repadmin /showrepl
dcdiag /test:replications

check results or if they generate some error logs
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Leon FesterSenior Solutions ArchitectCommented:
sysvol policies do not all replicate well
Replication is one of the basic functions of AD so you should be more concerned about your overall AD health than just the sysvol not replicating.

Do a health check on your AD but running
dcdiag /e /v /f:dcdiag.txt and search the results for failures.

It could just be as simple as a missing DNS record or worse case scenario you could have some AD corruption.

You do have the option to force replication by performing setting the burflags for a non-authoritative  restore. Just make sure that you correctly identify which server has the most up to date information.
philjansAuthor Commented:
It will take a couple of hours (or days) to go through all your recommendations but I am always fascinated about something, I have been using AD 2003 for more then 10 years and I gee AD is fragile and always have bugs it it and replication problems: we are talking about 10 little files to keep replicated from one folder to another one and that shouldn't be this hard. I will migrate 2003 to the latest one and I hope that since the decade and more AD have been out, they created something less maintenance intensive and more robust.
Thanks for all your inputs, I will proceed them.
Hi Philhans,

You are probably correct, but I think it is fair to say that the AD Directory (NTDS) replication is very robust and tends to see considerable less issues than NTFRS, which still has its roots back in the early Windows NT days, much of it is now based on very old code.  Patched up-to-date it fails far less than it used to in Windows 2000/2003 with no service packs.  Its replacement with DFS-R in Windows 2008 is, as they say, a paradigm shift.

The other util that I should have mentioned it GPOTool, which you can run against each DC to help you determine which SYSVOL is in the best state as the basis of the recovery.

Leon FesterConnect With a Mentor Senior Solutions ArchitectCommented:
we are talking about 10 little files to keep replicated from one folder to another one and that shouldn't be this hard.
Replication is not that's just very dependant on DNS working correctly.
While the average techie will look for servers based on A host and PTR records (A host and PTR records), Active Directory domain controllers uses SRV records to find the other DC's.

Most replication issues occur because of DNS issues.

DCDIAG is your primary tool for AD health checks and you can easily do this on a daily basis by scheduling the task to report errors on a daily basis.

DCDIAG /e /q /I /f:<logfile.txt>
/e - Tests all the servers in the enterprise.
/q - Quiet. Prints only error messages.
/i - Ignores superfluous error messages
/f - Redirects all output to a log file
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.