Solved

Group Policy Replication Issue

Posted on 2014-07-27
3
541 Views
Last Modified: 2014-07-30
We are currently running 2 domain controllers for our domain (only 1 domain exists).  Both DC's are 2008 R2.  Let's call the DC's DC1 and DC2 and the domain "test.local".  We'll also call the GPO in question {012345ABCD} with the GUID shortened for sake of ease

DC1 is the pdc and is set as a gc dc.  It also runs the only instance of DNS.
DC2 is a dc and is just the secondary dc.

Originally I was seeing some sporadic issues with replication between DC's.  In troubleshooting it, I found that the default domain controllers policy was not linked to the domain controllers OU.  Easy fix, and after linking them saw that things replicated correctly from the pdc to the secondary dc.

After that I made a dumb mistake.  While on the secondary dc, I accidentally manually deleted a certain GPO related to IE settings {012345ABCD} from the following location:

\\DC2\sysvol\test.local\policies\{012345ABCD}
However it still exisits on the PDC in:
\\DC1\sysvol\test.local\policies\{012345ABCD}

Servers using DC1 as the logonserver still have the GPO applied with no problem, but naturally ones using DC2 as the logonserver cannot apply the gpo.

I have tried to force replication as well as run the dcdiag.exe /fix command, but still the GPO does not replicate to DC2.

How can I fix this issue and get the GPO back on DC2?  Is there an easy way to do so without affecting replication of the other GPO's, and without affecting future replication for the GPO in question?  I haven't manually copied the GPO from DC1 to DC2, as I wasn't sure if that would be a good idea.

Both DC's are in the same subnet.

Please advise.


**Update**
I was able to resolve this issue by performing a backup of the GPO from DC1, then hopping onto DC2 and restoring the backup (pointing to the location of the saved backup on DC1).  After doing so, I can see the original guide in the sysvol/policies folder via DC1, DC2, and test.local paths.

My question now shifts.  In this specific instance, is this the correct way to go about fixing the original problem?  I want to make sure I don't open myself up to future issues with replication or with this GPO.
0
Comment
Question by:spadmin1
3 Comments
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 40223270
I came across http://kpytko.pl/2013/12/06/non-authoritative-sysvol-restore-frs/ see if that gives you any idea.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 40223423
I will recommend to first check the health of DCs by dcdiag /q and repadmin /replsum to verify the replication. If AD replication is good you can perform authorative and non authorative restore of sysvol.

On healthy DC(healthy sysvol) you need to run d4  and on other DC d2.Refer below link:http://support.microsoft.com/kb/290762

If the sysvol is configured as DFSR and not using FRS then refer below link.

DFSR sysvol restore
http://jorgequestforknowledge.wordpress.com/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-3/

Take the backup of policies and script folder from 2008DCs and copy the same to alternate location before you proceed.

Hope this helps.
0
 

Author Comment

by:spadmin1
ID: 40229649
Thanks guys.  I forgot to mention sysvol is configured for DFSR, and not FRS.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now