Solved

Group Policy Replication Issue

Posted on 2014-07-27
Last Modified: 2014-07-30
We are currently running 2 domain controllers for our domain (only 1 domain exists).  Both DCs are 2008 R2.  Let's call the DCs DC1 and DC2 and the domain "test.local".  We'll also call the GPO in question {012345ABCD}, with the GUID shortened for the sake of ease.

DC1 is the PDC and is set as a GC DC.  It also runs the only instance of DNS.
DC2 is a DC and is just the secondary DC.

Originally I was seeing some sporadic issues with replication between DCs.  In troubleshooting it, I found that the default domain controllers policy was not linked to the domain controllers OU.  Easy fix, and after linking them I saw that things replicated correctly from the PDC to the secondary DC.

After that I made a dumb mistake.  While on the secondary dc, I accidentally manually deleted a certain GPO related to IE settings {012345ABCD} from the following location:

\\DC2\sysvol\test.local\policies\{012345ABCD}
However, it still exists on the PDC in:
\\DC1\sysvol\test.local\policies\{012345ABCD}

Servers using DC1 as the logonserver still have the GPO applied with no problem, but naturally ones using DC2 as the logonserver cannot apply the gpo.

I have tried to force replication as well as run the dcdiag.exe /fix command, but still the GPO does not replicate to DC2.

How can I fix this issue and get the GPO back on DC2?  Is there an easy way to do so without affecting replication of the other GPOs, and without affecting future replication for the GPO in question?  I haven't manually copied the GPO from DC1 to DC2, as I wasn't sure if that would be a good idea.

Both DCs are in the same subnet.

Please advise.


**Update**
I was able to resolve this issue by performing a backup of the GPO from DC1, then hopping onto DC2 and restoring the backup (pointing to the location of the saved backup on DC1).  After doing so, I can see the original GUID in the sysvol/policies folder via DC1, DC2, and test.local paths.

My question now shifts.  In this specific instance, is this the correct way to go about fixing the original problem?  I want to make sure I don't open myself up to future issues with replication or with this GPO.
Question by:spadmin1
3 Comments
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 40223270
I came across http://kpytko.pl/2013/12/06/non-authoritative-sysvol-restore-frs/ - see if that gives you any ideas.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 40223423
I would recommend first checking the health of the DCs with dcdiag /q and repadmin /replsum to verify replication. If AD replication is good, you can perform an authoritative and non-authoritative restore of sysvol.

On the healthy DC (healthy sysvol) you need to run d4, and on the other DC d2. Refer to the link below: http://support.microsoft.com/kb/290762

If the sysvol is configured as DFSR and not using FRS then refer below link.

DFSR sysvol restore
http://jorgequestforknowledge.wordpress.com/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-3/

Take a backup of the policies and script folders from the 2008 DCs and copy it to an alternate location before you proceed.

Hope this helps.
0
 

Author Comment

by:spadmin1
ID: 40229649
Thanks guys.  I forgot to mention sysvol is configured for DFSR, and not FRS.
0
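
A read-only way to repeat the check the asker describes after the restore, confirming that both SYSVOL replicas hold the same GPO folders and the same GPT.INI version. This is an added example, not part of the original thread: the function names and the GUIDs in the demo data are constructed, and the code sticks to PowerShell 2.0 syntax because that is what 2008 R2 ships with.

```powershell
# Added example (not from the thread). Read-only comparison of the GPO
# template folders held by two SYSVOL replicas. Written for PowerShell 2.0+.
function Get-GpoTemplateVersion {
    param([Parameter(Mandatory=$true)][string]$PoliciesPath)
    $map = @{}
    Get-ChildItem -LiteralPath $PoliciesPath |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]+\}$' } |
        ForEach-Object {
            $version = $null                      # stays $null if GPT.INI is absent
            $ini = Join-Path $_.FullName 'GPT.INI'
            if (Test-Path -LiteralPath $ini) {
                $line = @(Get-Content -LiteralPath $ini) -match '^\s*Version\s*=\s*\d+' | Select-Object -First 1
                if ($line -match '=\s*(\d+)') { $version = [uint32]$Matches[1] }
            }
            $map[$_.Name] = $version
        }
    return $map
}

function Compare-SysvolPolicy {
    param([Parameter(Mandatory=$true)][string]$ReferencePath,
          [Parameter(Mandatory=$true)][string]$DifferencePath)
    $ref = Get-GpoTemplateVersion $ReferencePath
    $dif = Get-GpoTemplateVersion $DifferencePath
    foreach ($gpo in @(@($ref.Keys) + @($dif.Keys) | Sort-Object -Unique)) {
        $status = if (-not $dif.ContainsKey($gpo)) { 'MissingOnDifference' }
            elseif (-not $ref.ContainsKey($gpo)) { 'MissingOnReference' }
            elseif ($ref[$gpo] -ne $dif[$gpo]) { 'VersionMismatch' }
            else { 'InSync' }
        New-Object PSObject -Property @{
            Gpo = $gpo; Status = $status; RefVersion = $ref[$gpo]; DifVersion = $dif[$gpo] }
    }
}

# Constructed demo data: two temp folders stand in for the policies folders
# on DC1 and DC2; the GUIDs below are made up for the demo.
$root = Join-Path ([IO.Path]::GetTempPath()) ('sysvol-demo-' + [Guid]::NewGuid())
$dc1 = Join-Path $root 'DC1'; $dc2 = Join-Path $root 'DC2'
$gone = '{22222222-BBBB-4BBB-8BBB-000000000002}'; $stale = '{33333333-CCCC-4CCC-8CCC-000000000003}'
foreach ($g in '{11111111-AAAA-4AAA-8AAA-000000000001}', $gone, $stale) {
    foreach ($dc in $dc1, $dc2) {
        $dir = New-Item -ItemType Directory -Path (Join-Path $dc $g) -Force
        Set-Content -LiteralPath (Join-Path $dir.FullName 'GPT.INI') -Value '[General]', 'Version=5'
    }
}
Remove-Item -LiteralPath (Join-Path $dc2 $gone) -Recurse -Force   # simulate the manual deletion on DC2
Set-Content -LiteralPath (Join-Path (Join-Path $dc2 $stale) 'GPT.INI') -Value '[General]', 'Version=4'
Compare-SysvolPolicy -ReferencePath $dc1 -DifferencePath $dc2 | Format-Table Gpo, Status, RefVersion, DifVersion -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Against the DCs in the question, the two arguments would be \\DC1\sysvol\test.local\policies and \\DC2\sysvol\test.local\policies. The script only reads the file-system half of each GPO and does not look at the GPO objects in Active Directory.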
