We help IT Professionals succeed at work.

Sysvol Permission Issue on single Domain controller

I am having an issue on one of my domain controllers. When I access the Group Policy Management Console to modify any of my login scripts I am getting an error message that I don't have permission to access the file location in the sysvol directory. The account that I am using has domain admin rights. I have attached the error message. We have three domain controllers and this one in question is a brand new DC. Some recent domain changes in recent weeks have been the removal of my last 2003 DC and the raising of the functional level of the domain and forest.
Screen Capture of the error message
Comment
Watch Question

I've seen a similar problem before where the Sysvol folder either doesn't exist or the permissions are wrong.  The fact that this is not a single Domain Controller makes it much easier to fix.

Does the Sysvol folder exist?  If so, it should be very similar to that folder on the other Domain Controllers.

You could look at the differences and repair them manually.  This link will show you how to recreate it from one of the working DCs:
https://support.microsoft.com/en-us/kb/315457

Author

Commented:
Here are a couple more details that I neglected to mention.

1. This happened to a different 2008 DC about two days after I removed the last 2003 server. I removed that DC as well which is why I have added this new DC now the new is experiencing the same issue after working for about a week flawlessly.
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Is your replication work as expected? Try running the following replication commands.

repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
DCDiag /v

Also

netdom query fsmo

If you have completely removed the DC and re-added this DC you should not have any issues with permissions on Sysvol. There seems to be a more systemic issue.

Will.

Author

Commented:
Will, I have run the commands and the fail I received was the NCSecDesc test and I know that one is ok if you don't plan on using RODCs in your domain.

Although a side note to whomever reads this make sure you run from an elevated command prompt of you will see a bunch of failures.
Have you run dcdiag /v /e >c:\dcdiag.txt

Any error in the event logs on the DC's?
Commented:
I ended up having to call microsoft on the issue.

Author

Commented:
Microsoft support ended up assisting me with the issue.
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Cna you please provide what the fix was?

Will.

Author

Commented:
From what I can tell he set the permissions on the top level of the policy folder and then forced the folder inheritance.