Solved

Group Policy Replication Issue

Posted on 2014-07-27
3
550 Views
Last Modified: 2014-07-30
We are currently running 2 domain controllers for our domain (only 1 domain exists).  Both DC's are 2008 R2.  Let's call the DC's DC1 and DC2 and the domain "test.local".  We'll also call the GPO in question {012345ABCD} with the GUID shortened for sake of ease

DC1 is the pdc and is set as a gc dc.  It also runs the only instance of DNS.
DC2 is a dc and is just the secondary dc.

Originally I was seeing some sporadic issues with replication between DC's.  In troubleshooting it, I found that the default domain controllers policy was not linked to the domain controllers OU.  Easy fix, and after linking them saw that things replicated correctly from the pdc to the secondary dc.

After that I made a dumb mistake.  While on the secondary dc, I accidentally manually deleted a certain GPO related to IE settings {012345ABCD} from the following location:

\\DC2\sysvol\test.local\policies\{012345ABCD}
However it still exisits on the PDC in:
\\DC1\sysvol\test.local\policies\{012345ABCD}

Servers using DC1 as the logonserver still have the GPO applied with no problem, but naturally ones using DC2 as the logonserver cannot apply the gpo.

I have tried to force replication as well as run the dcdiag.exe /fix command, but still the GPO does not replicate to DC2.

How can I fix this issue and get the GPO back on DC2?  Is there an easy way to do so without affecting replication of the other GPO's, and without affecting future replication for the GPO in question?  I haven't manually copied the GPO from DC1 to DC2, as I wasn't sure if that would be a good idea.

Both DC's are in the same subnet.

Please advise.


**Update**
I was able to resolve this issue by performing a backup of the GPO from DC1, then hopping onto DC2 and restoring the backup (pointing to the location of the saved backup on DC1).  After doing so, I can see the original guide in the sysvol/policies folder via DC1, DC2, and test.local paths.

My question now shifts.  In this specific instance, is this the correct way to go about fixing the original problem?  I want to make sure I don't open myself up to future issues with replication or with this GPO.
0
Comment
Question by:spadmin1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 40223270
I came across http://kpytko.pl/2013/12/06/non-authoritative-sysvol-restore-frs/ see if that gives you any idea.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 40223423
I will recommend to first check the health of DCs by dcdiag /q and repadmin /replsum to verify the replication. If AD replication is good you can perform authorative and non authorative restore of sysvol.

On healthy DC(healthy sysvol) you need to run d4  and on other DC d2.Refer below link:http://support.microsoft.com/kb/290762

If the sysvol is configured as DFSR and not using FRS then refer below link.

DFSR sysvol restore
http://jorgequestforknowledge.wordpress.com/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-3/

Take the backup of policies and script folder from 2008DCs and copy the same to alternate location before you proceed.

Hope this helps.
0
 

Author Comment

by:spadmin1
ID: 40229649
Thanks guys.  I forgot to mention sysvol is configured for DFSR, and not FRS.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Distinguished username as email address 4 41
NTP Servers 4 43
Active Directory Design - Best Practice 9 49
DC with error SChannel ID 36888 3 40
An article on effective troubleshooting
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question