Solved

Group Policy Replication Issue

Posted on 2014-07-27
560 Views
Last Modified: 2014-07-30
We are currently running 2 domain controllers for our domain (only 1 domain exists).  Both DCs are 2008 R2.  Let's call the DCs DC1 and DC2 and the domain "test.local".  We'll also call the GPO in question {012345ABCD}, with the GUID shortened for the sake of ease.

DC1 is the PDC and is set as a GC DC.  It also runs the only instance of DNS.
DC2 is a DC and is just the secondary DC.

Originally I was seeing some sporadic issues with replication between DCs.  In troubleshooting it, I found that the Default Domain Controllers Policy was not linked to the Domain Controllers OU.  Easy fix, and after linking them I saw that things replicated correctly from the PDC to the secondary DC.

After that I made a dumb mistake.  While on the secondary DC, I accidentally manually deleted a certain GPO related to IE settings, {012345ABCD}, from the following location:

\\DC2\sysvol\test.local\policies\{012345ABCD}

However, it still exists on the PDC in:

\\DC1\sysvol\test.local\policies\{012345ABCD}

Servers using DC1 as the logon server still have the GPO applied with no problem, but naturally ones using DC2 as the logon server cannot apply the GPO.

I have tried to force replication as well as run the dcdiag.exe /fix command, but still the GPO does not replicate to DC2.

How can I fix this issue and get the GPO back on DC2?  Is there an easy way to do so without affecting replication of the other GPOs, and without affecting future replication for the GPO in question?  I haven't manually copied the GPO from DC1 to DC2, as I wasn't sure if that would be a good idea.

Both DCs are in the same subnet.

Please advise.


**Update**
I was able to resolve this issue by performing a backup of the GPO from DC1, then hopping onto DC2 and restoring the backup (pointing to the location of the saved backup on DC1).  After doing so, I can see the original GUID in the sysvol/policies folder via the DC1, DC2, and test.local paths.

My question now shifts.  In this specific instance, is this the correct way to go about fixing the original problem?  I want to make sure I don't open myself up to future issues with replication or with this GPO.
0
Question by:spadmin1
3 Comments
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 40223270
I came across http://kpytko.pl/2013/12/06/non-authoritative-sysvol-restore-frs/ see if that gives you any idea.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 40223423
I would recommend first checking the health of the DCs with dcdiag /q and repadmin /replsum to verify replication. If AD replication is good, you can perform an authoritative and non-authoritative restore of SYSVOL.

On the healthy DC (healthy SYSVOL) you need to run D4, and on the other DC D2. Refer to the link below: http://support.microsoft.com/kb/290762

If SYSVOL is configured as DFSR and not using FRS, then refer to the link below.

DFSR sysvol restore
http://jorgequestforknowledge.wordpress.com/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-3/

Take a backup of the Policies and Scripts folders from the 2008 DCs and copy them to an alternate location before you proceed.

Hope this helps.
0
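The pre-restore check described in this answer can be scripted. The following PowerShell is an added example written for this thread, not code from the answerer, the asker or Microsoft; it assumes the DC names and domain from the question (DC1, DC2, test.local), that it runs from a domain-joined admin host with the GroupPolicy RSAT module, and that dcdiag and repadmin are on the path. It lists which GPO GUID folders exist on only one DC's SYSVOL replica, cross-checks each against the GPO object in AD, and then runs the dcdiag and repadmin health checks.

```powershell
# Added example: compare SYSVOL Policies folders between two DCs and run
# the replication health checks before any SYSVOL or GPO restore.
# DC names and domain are assumed from the question, not discovered.
$Domain = 'test.local'
$DCs    = 'DC1', 'DC2'
Import-Module GroupPolicy -ErrorAction Stop

# Collect the set of GPO GUID folders present on each DC's SYSVOL replica.
# PSIsContainer is used instead of -Directory so this also runs on PS 2.0.
$present = @{}
foreach ($dc in $DCs) {
    $path = "\\$dc\SYSVOL\$Domain\Policies"
    $present[$dc] = @(Get-ChildItem -Path $path -ErrorAction Stop |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { $_.Name.ToUpper() })
}

# Report folders that exist on one replica but not the other. A GUID listed
# here (like {012345ABCD} in the question) has diverged between replicas and
# is what a restore on the DC missing it should bring back.
$all = $DCs | ForEach-Object { $present[$_] } | Sort-Object -Unique
$diverged = 0
foreach ($guid in $all) {
    $missingOn = @($DCs | Where-Object { $present[$_] -notcontains $guid })
    if ($missingOn.Count -gt 0) {
        $diverged++
        # Cross-check against AD so a stray folder is not mistaken for a live GPO.
        $gpo  = Get-GPO -Guid $guid.Trim('{}') -Domain $Domain -ErrorAction SilentlyContinue
        $name = if ($gpo) { $gpo.DisplayName } else { '<no matching GPO object in AD>' }
        '{0}  {1}  missing on: {2}' -f $guid, $name, ($missingOn -join ', ')
    }
}
"Diverged policy folders: $diverged"

# The health checks the answer asks for before restoring. Non-zero dcdiag
# output with /q, or failures in the /replsum table, mean AD replication
# itself needs fixing first.
foreach ($dc in $DCs) {
    "=== dcdiag /q against $dc ==="
    dcdiag /s:$dc /q
}
"=== repadmin /replsum ==="
repadmin /replsum
```

Run it from a host that can reach both DCs' SYSVOL shares; a folder reported as missing on DC2 but backed by a GPO object in AD is exactly the state the question describes.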
 

Author Comment

by:spadmin1
ID: 40229649
Thanks guys.  I forgot to mention SYSVOL is configured for DFSR, and not FRS.
0
