TWO AD 2003 whose sysvol Policies do not replicated correctly

Posted on 2014-01-14
Last Modified: 2014-04-28
I have 2 AD 2003 and the sysvol policies do not all replicate well.
One thing I have figured out was that I was missing one {CC2C2824-9480-4530-B4B3-45D5F505F450} on one of them but I guess if other policies are missing or incomplete that would explain why some users get a change password every 90 days and some don't!
How can I fix those replication problem.
Question by:philjans
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 41

Expert Comment

by:Adam Brown
ID: 39780526
Check your error logs on each Domain controller for errors. There are a lot of things that can break FRS, which handles replication. has a guide on troubleshooting if you are getting errors. has some stuff you can try to fix the problem.
LVL 19

Expert Comment

ID: 39780572
check these commands:
repadmin /showrepl
dcdiag /test:replications

check results or if they generate some error logs

Accepted Solution

alicain earned 250 total points
ID: 39780750
Hello philjans,

SYSVOL recoveries like this can take a considerable amount of effort to resolve and investing some time to first find the root cause of why they are not replicating before trying to fix it is time well spent.

Start by checking the event logs for NTFRS related errors and look to get them resolved.  Running Repadmin, DCDIAG and FRSUTIL on the DCs will also help identify issues.

Before making any configuration changes, it is prudent to take a backup of the policies and scripts folders on each DC before you start so you can go back and look where things where if needed.  Be very careful to take the copy at the policies/scripts level so that you DO NOT copy the junction points.

There were numerous hotfixes for NTFRS in the 2003 days, so ensuring they are at least at Service Pack 2 is wise.

Once the cause of the replication failures has been identified and resolved, you are going to need to identified which of the two domain controllers has the best SYSVOL, which will then be used to recover and reinitialise from.  Full details of the process can be found here :  Using the BurFlags registry key to reinitialize File Replication Service replica sets.  If you go down this route and you have DFS-R in your environment, be sure to use the SYSVOL "replica set specific" key.

How Blockchain Is Impacting Every Industry

Blockchain expert Alex Tapscott talks to Acronis VP Frank Jablonski about this revolutionary technology and how it's making inroads into other industries and facets of everyday life.

LVL 26

Expert Comment

by:Leon Fester
ID: 39782001
sysvol policies do not all replicate well
Replication is one of the basic functions of AD so you should be more concerned about your overall AD health than just the sysvol not replicating.

Do a health check on your AD but running
dcdiag /e /v /f:dcdiag.txt and search the results for failures.

It could just be as simple as a missing DNS record or worse case scenario you could have some AD corruption.

You do have the option to force replication by performing setting the burflags for a non-authoritative  restore. Just make sure that you correctly identify which server has the most up to date information.

Author Comment

ID: 39782497
It will take a couple of hours (or days) to go through all your recommendations but I am always fascinated about something, I have been using AD 2003 for more then 10 years and I gee AD is fragile and always have bugs it it and replication problems: we are talking about 10 little files to keep replicated from one folder to another one and that shouldn't be this hard. I will migrate 2003 to the latest one and I hope that since the decade and more AD have been out, they created something less maintenance intensive and more robust.
Thanks for all your inputs, I will proceed them.

Expert Comment

ID: 39782538
Hi Philhans,

You are probably correct, but I think it is fair to say that the AD Directory (NTDS) replication is very robust and tends to see considerable less issues than NTFRS, which still has its roots back in the early Windows NT days, much of it is now based on very old code.  Patched up-to-date it fails far less than it used to in Windows 2000/2003 with no service packs.  Its replacement with DFS-R in Windows 2008 is, as they say, a paradigm shift.

The other util that I should have mentioned it GPOTool, which you can run against each DC to help you determine which SYSVOL is in the best state as the basis of the recovery.

LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 250 total points
ID: 39784606
we are talking about 10 little files to keep replicated from one folder to another one and that shouldn't be this hard.
Replication is not that's just very dependant on DNS working correctly.
While the average techie will look for servers based on A host and PTR records (A host and PTR records), Active Directory domain controllers uses SRV records to find the other DC's.

Most replication issues occur because of DNS issues.

DCDIAG is your primary tool for AD health checks and you can easily do this on a daily basis by scheduling the task to report errors on a daily basis.

DCDIAG /e /q /I /f:<logfile.txt>
/e - Tests all the servers in the enterprise.
/q - Quiet. Prints only error messages.
/i - Ignores superfluous error messages
/f - Redirects all output to a log file

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question