Why do some of my Windows Servers get the GPO applied but some do not?

Hi People,

I'm having some issues with the Windows WSUS GPO not being applied on some of my servers in my single AD domain.

I've got multiple different subnets, one for each site office spread out geographically. When I set the GPO through HQDC01, I successfully configured the Windows Update policy for 80% of the servers across all of the AD sites, but somehow there are some servers that are not getting the WSUS GPO applied?

For the Windows servers that have been updated successfully:
GPResult /R shows that the WSUS GPO comes from the domain controller HQDC01

For the Windows servers that have NOT been working:
GPResult /R shows that no WSUS GPO is applied and the domain controller points to PRODDC03-VM

The AD setup is a single forest, domain.com.

Head Office AD Site:
HQDC01 - Windows Server 2012 R2 Domain Controller, FSMO role holder (PDC, RID & Infrastructure master)

Data Center AD Site:
PRODDC01-VM - Windows Server 2008 R2 Domain Controller (Schema master)
PRODDC03-VM - Windows Server 2008 R2 Domain Controller (Domain naming master)

WSUS 4.0

Any help would be greatly appreciated.
Asked by Senior IT System Engineer (IT Professional)

Senior IT System Engineer (IT Professional), Author, commented:
Must the Group Policy always come from the DC holding the PDC emulator role?

How do I force those servers that cannot get the GPO to pull the WSUS Group Policy that was created a few months ago?

I've tried GPUpdate /Force but it still points to PRODDC03-VM.
Senior IT System Engineer (IT Professional), Author, commented:
Running GPResult /R shows that the Group Policy that should be applied is Denied, with the reason Inaccessible?
Sounds like you have a sysvol replication problem. Run dcdiag and look for errors. Look for FRS and DFS-R errors in your event logs. My guess is that group policy changes are not replicating to all of your domain controllers.

Senior IT System Engineer (IT Professional), Author, commented:
OK, so if that's the case, is there any way to manually copy and paste the NETLOGON folder from one good domain controller to another safely?
Will Szymkowski, Senior Solution Architect, commented:
OK, so if that's the case, is there any way to manually copy and paste the NETLOGON folder from one good domain controller to another safely?

Simply copying the items from one DC's sysvol folder to another will not correct the issue, if there is one. Did you run DCDiag /v?

Troubleshooting Group Policy is pretty straightforward. The key things you need to check:
- Are all of the servers in the correct OUs where the policy is being applied?
- Check your Security Filtering on the GPO (the default is Authenticated Users, which also applies to computers).
- Check the Delegation tab on the GPO and make sure that none of the computers are being denied.
- Log on to the server that is not receiving the policy and run rsop.msc.
- Check if there are any warnings or errors.
- Check the Event Viewer Application log to see if there is any detailed info on GPOs failing on this DC.

You also need to check replication. Use the following commands:

Repadmin /replsum
Repadmin /showrepl
Repadmin /bridgeheads

This is a typical GPO replication / corrupted GPO issue.

If you are running FRS sysvol, download the FRSDiag GUI tool from MS and run the propagation file tracer test.

You will find out if there are any issues.

If you are running DFSR sysvol, run the DFSR propagation test to verify replication is working fine.
Check step by step.
If the DFSR sysvol share is having any issues, you can do a non-authoritative restore on the problem server - check the EE article below.
I guess you are still on FRS sysvol; as a fact, it is likely to have sysvol replication issues.
There might be journal wrap issues with FRS sysvol on the problem server; check for event ID 13568.
In that case you need to work with BurFlags - https://support.microsoft.com/en-us/kb/290762

Also check if you have any orphaned GPOs in AD, and remove them with the script in the blog post below.

Also you should consider FRS to DFSR sysvol migration if it's not already done.

Senior IT System Engineer (IT Professional), Author, commented:
Thanks guys,

From my quick replication test:

Repadmin /replsum

shows no issue at all across all of the domain controllers.
The above command will not show any issues present with sysvol.

It gets the status of AD replication.

AD replication and sysvol replication are two different things.

Check my earlier comment to test sysvol.
Also run Net Share from cmd on all DCs to check if the sysvol and netlogon folders are shared.
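As an added example (not code from the thread), the following PowerShell combines the per-DC checks recommended above: whether SYSVOL and NETLOGON are shared (the Net Share check), whether the GPO's folder and GPT.INI exist under each DC's SYSVOL, whether the GPO's AD version and SYSVOL version agree on each DC, and whether that DC has logged FRS 13508/13568 events recently. It assumes the RSAT ActiveDirectory and GroupPolicy modules, an account that can read the DCs' event logs, and 'WSUS Policy' as a placeholder for the real GPO display name.

```powershell
# Added example: compare one GPO's AD and SYSVOL state on every DC in the domain.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; 'WSUS Policy' is a placeholder name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = 'WSUS Policy'                     # placeholder: real GPO display name
$adDomain = Get-ADDomain
$domain   = $adDomain.DNSRoot
$dcs      = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# The PDC emulator's view of the GPO is the reference (HQDC01 in the thread).
$ref    = Get-GPO -Name $gpoName -Server $adDomain.PDCEmulator
$gptIni = "SYSVOL\$domain\Policies\{$($ref.Id)}\GPT.INI"

foreach ($dc in $dcs) {
    $result = [ordered]@{ DC = $dc }
    # Shares: a DC whose SYSVOL/NETLOGON are not shared has not finished sysvol initial sync.
    $result.SysvolShared   = Test-Path "\\$dc\SYSVOL"
    $result.NetlogonShared = Test-Path "\\$dc\NETLOGON"
    # GPT.INI missing under this DC's SYSVOL means the policy folder never replicated here,
    # so clients using this DC cannot read the GPO (gpresult shows it as Inaccessible).
    $result.GptIniPresent  = Test-Path "\\$dc\$gptIni"
    # AD (gPC object) version vs SYSVOL version as this DC sees them; a mismatch, or a
    # version behind the PDC's, means this DC is serving a stale copy of the GPO.
    try {
        $g = Get-GPO -Name $gpoName -Server $dc -ErrorAction Stop
        $result.DSVersion     = $g.Computer.DSVersion
        $result.SysvolVersion = $g.Computer.SysvolVersion
        $result.VersionsMatch = ($g.Computer.DSVersion -eq $g.Computer.SysvolVersion) -and
                                ($g.Computer.DSVersion -eq $ref.Computer.DSVersion)
    } catch {
        $result.DSVersion     = $null
        $result.SysvolVersion = $null
        $result.VersionsMatch = $false
    }
    # FRS "waiting for replication" (13508) and journal wrap (13568) events in the last 30 days.
    $result.FrsEvents = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'File Replication Service'
            Id        = 13508, 13568
            StartTime = (Get-Date).AddDays(-30)
        }).Count
    [pscustomobject]$result
}
```

Any DC row with a missing share, a missing GPT.INI, mismatched versions or a non-zero FRS event count is the one to investigate with FRSDiag, before considering the BurFlags procedure.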
Senior IT System Engineer (IT Professional), Author, commented:
Hi All,

Is it possible, or does it make sense, that the USER settings and the COMPUTER settings of a GPO are applied from two different Domain Controllers?
This is not possible,
because the GPO is replicated to all Domain Controllers.
The technology has not yet arrived where a GPO is available on a specific Domain Controller only.

If you are talking about the WSUS GPO, it is available under Computer Configuration only.

Because of sysvol issues, servers are unable to find the GPO on a specific DC.
Senior IT System Engineer (IT Professional), Author, commented:
What event ID or error log should I look at for this replication issue on sysvol?
Check the File Replication Service event log on the DC (check for event ID 13568 (journal wrap), or check for error events).
If you are running DFSR sysvol, check the DFSR logs on the DC for error events.
Senior IT System Engineer (IT Professional), Author, commented:
Thanks Mahesh,

Somehow, after checking for event IDs 13508 and 13568, there are some dating back to 2nd June 2015, which was a long time ago (Warning 13508), and they refer to the decommissioned Win 2003 box.

So I guess it is not relevant.
That's right.

Have you downloaded the FRSDiag utility and checked sysvol health?
Senior IT System Engineer (IT Professional), Author, commented:
Even though I do not have DFS set up, is that test still applicable?
Is there any outage or risk in installing or performing the test during business hours?
You have FRS sysvol.

DFS does not come into the picture here.

FRSDiag is a simple FRS diagnostics utility and there won't be any impact from executing the tool.
Senior IT System Engineer (IT Professional), Author, commented:
Do I have to install this tool on all of my Domain Controllers, or can I just execute it from my workstation?
Run it from the PDC directly.
Senior IT System Engineer (IT Professional), Author, commented:
Thanks!