Solved

Group Policy Replication Issue

Posted on 2014-07-27
3
539 Views
Last Modified: 2014-07-30
We are currently running 2 domain controllers for our domain (only 1 domain exists).  Both DC's are 2008 R2.  Let's call the DC's DC1 and DC2 and the domain "test.local".  We'll also call the GPO in question {012345ABCD} with the GUID shortened for sake of ease

DC1 is the pdc and is set as a gc dc.  It also runs the only instance of DNS.
DC2 is a dc and is just the secondary dc.

Originally I was seeing some sporadic issues with replication between DC's.  In troubleshooting it, I found that the default domain controllers policy was not linked to the domain controllers OU.  Easy fix, and after linking them saw that things replicated correctly from the pdc to the secondary dc.

After that I made a dumb mistake.  While on the secondary dc, I accidentally manually deleted a certain GPO related to IE settings {012345ABCD} from the following location:

\\DC2\sysvol\test.local\policies\{012345ABCD}
However it still exisits on the PDC in:
\\DC1\sysvol\test.local\policies\{012345ABCD}

Servers using DC1 as the logonserver still have the GPO applied with no problem, but naturally ones using DC2 as the logonserver cannot apply the gpo.

I have tried to force replication as well as run the dcdiag.exe /fix command, but still the GPO does not replicate to DC2.

How can I fix this issue and get the GPO back on DC2?  Is there an easy way to do so without affecting replication of the other GPO's, and without affecting future replication for the GPO in question?  I haven't manually copied the GPO from DC1 to DC2, as I wasn't sure if that would be a good idea.

Both DC's are in the same subnet.

Please advise.


**Update**
I was able to resolve this issue by performing a backup of the GPO from DC1, then hopping onto DC2 and restoring the backup (pointing to the location of the saved backup on DC1).  After doing so, I can see the original guide in the sysvol/policies folder via DC1, DC2, and test.local paths.

My question now shifts.  In this specific instance, is this the correct way to go about fixing the original problem?  I want to make sure I don't open myself up to future issues with replication or with this GPO.
0
Comment
Question by:spadmin1
3 Comments
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 40223270
I came across http://kpytko.pl/2013/12/06/non-authoritative-sysvol-restore-frs/ see if that gives you any idea.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 40223423
I will recommend to first check the health of DCs by dcdiag /q and repadmin /replsum to verify the replication. If AD replication is good you can perform authorative and non authorative restore of sysvol.

On healthy DC(healthy sysvol) you need to run d4  and on other DC d2.Refer below link:http://support.microsoft.com/kb/290762

If the sysvol is configured as DFSR and not using FRS then refer below link.

DFSR sysvol restore
http://jorgequestforknowledge.wordpress.com/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-3/

Take the backup of policies and script folder from 2008DCs and copy the same to alternate location before you proceed.

Hope this helps.
0
 

Author Comment

by:spadmin1
ID: 40229649
Thanks guys.  I forgot to mention sysvol is configured for DFSR, and not FRS.
0

Join & Write a Comment

Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now