Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


TWO AD 2003 whose sysvol Policies do not replicated correctly

Posted on 2014-01-14
Medium Priority
Last Modified: 2014-04-28
I have 2 AD 2003 and the sysvol policies do not all replicate well.
One thing I have figured out was that I was missing one {CC2C2824-9480-4530-B4B3-45D5F505F450} on one of them but I guess if other policies are missing or incomplete that would explain why some users get a change password every 90 days and some don't!
How can I fix those replication problem.
Question by:philjans
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 42

Expert Comment

by:Adam Brown
ID: 39780526
Check your error logs on each Domain controller for errors. There are a lot of things that can break FRS, which handles replication. has a guide on troubleshooting if you are getting errors. has some stuff you can try to fix the problem.
LVL 19

Expert Comment

ID: 39780572
check these commands:
repadmin /showrepl
dcdiag /test:replications

check results or if they generate some error logs

Accepted Solution

alicain earned 750 total points
ID: 39780750
Hello philjans,

SYSVOL recoveries like this can take a considerable amount of effort to resolve and investing some time to first find the root cause of why they are not replicating before trying to fix it is time well spent.

Start by checking the event logs for NTFRS related errors and look to get them resolved.  Running Repadmin, DCDIAG and FRSUTIL on the DCs will also help identify issues.

Before making any configuration changes, it is prudent to take a backup of the policies and scripts folders on each DC before you start so you can go back and look where things where if needed.  Be very careful to take the copy at the policies/scripts level so that you DO NOT copy the junction points.

There were numerous hotfixes for NTFRS in the 2003 days, so ensuring they are at least at Service Pack 2 is wise.

Once the cause of the replication failures has been identified and resolved, you are going to need to identified which of the two domain controllers has the best SYSVOL, which will then be used to recover and reinitialise from.  Full details of the process can be found here :  Using the BurFlags registry key to reinitialize File Replication Service replica sets.  If you go down this route and you have DFS-R in your environment, be sure to use the SYSVOL "replica set specific" key.

10 Questions to Ask when Buying Backup Software

Choosing the right backup solution for your organization can be a daunting task. To make the selection process easier, ask solution providers these 10 key questions.

LVL 26

Expert Comment

by:Leon Fester
ID: 39782001
sysvol policies do not all replicate well
Replication is one of the basic functions of AD so you should be more concerned about your overall AD health than just the sysvol not replicating.

Do a health check on your AD but running
dcdiag /e /v /f:dcdiag.txt and search the results for failures.

It could just be as simple as a missing DNS record or worse case scenario you could have some AD corruption.

You do have the option to force replication by performing setting the burflags for a non-authoritative  restore. Just make sure that you correctly identify which server has the most up to date information.

Author Comment

ID: 39782497
It will take a couple of hours (or days) to go through all your recommendations but I am always fascinated about something, I have been using AD 2003 for more then 10 years and I gee AD is fragile and always have bugs it it and replication problems: we are talking about 10 little files to keep replicated from one folder to another one and that shouldn't be this hard. I will migrate 2003 to the latest one and I hope that since the decade and more AD have been out, they created something less maintenance intensive and more robust.
Thanks for all your inputs, I will proceed them.

Expert Comment

ID: 39782538
Hi Philhans,

You are probably correct, but I think it is fair to say that the AD Directory (NTDS) replication is very robust and tends to see considerable less issues than NTFRS, which still has its roots back in the early Windows NT days, much of it is now based on very old code.  Patched up-to-date it fails far less than it used to in Windows 2000/2003 with no service packs.  Its replacement with DFS-R in Windows 2008 is, as they say, a paradigm shift.

The other util that I should have mentioned it GPOTool, which you can run against each DC to help you determine which SYSVOL is in the best state as the basis of the recovery.

LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 750 total points
ID: 39784606
we are talking about 10 little files to keep replicated from one folder to another one and that shouldn't be this hard.
Replication is not that's just very dependant on DNS working correctly.
While the average techie will look for servers based on A host and PTR records (A host and PTR records), Active Directory domain controllers uses SRV records to find the other DC's.

Most replication issues occur because of DNS issues.

DCDIAG is your primary tool for AD health checks and you can easily do this on a daily basis by scheduling the task to report errors on a daily basis.

DCDIAG /e /q /I /f:<logfile.txt>
/e - Tests all the servers in the enterprise.
/q - Quiet. Prints only error messages.
/i - Ignores superfluous error messages
/f - Redirects all output to a log file

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question