Link to home
Create AccountLog in
Avatar of crp0499
crp0499Flag for United States of America

asked on

GPs are reading as inaccessible

Environment is two 2012 DCs at 2008 R2 Forest and domain functional level.

All of my group policies are showing inaccessible.  Even new ones I create and scoped to OUs and users.  

The two DCs replicate fine.  Permissions on the sysvol have not changed.  I checked permissions and they are as they should be.  

The network has been static for some time now.  No new software, new hardware, nothing.

I'm checking even logs now but was hoping for some ideas on where to look.

Thanks

Cliff

PS: name of the policy is showing as GUID, not policy name.  I have found numerous posts around the net but none of those fixes worked.
Avatar of Darrell Porter
Darrell Porter
Flag of United States of America image

What, if any, errors do you receive when you perform a gpupdate /force from a workstation or server?
Avatar of crp0499

ASKER

It reports a successful update.

I am seeing in the log, two things.  One is that the network path is inaccessible

and I see network sharing is not turned on and when I turn it on, it goes right back off.
Sounds like you have a Journal wrap error.
Check the File Replication Service log on your domain controller(s) and you may need to follow the steps below to restore replication for your group policy objects which are stored on the netlogon volume:

https://support.microsoft.com/en-nz/kb/290762
ASKER CERTIFIED SOLUTION
Avatar of Sushil Sonawane
Sushil Sonawane
Flag of India image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
It's been how many days you have restarted your domain controllers.

Kindly check for error events in event-viewer- File replication services.  

Also run Dcdiag /test:dns & let us know the result.
Avatar of crp0499

ASKER

That was it.  Somehow, the authenticated users group no longer had read permissions on the GPs.
Check the Status of the SYSVOL and Netlogon Shares

1. On the Start menu, point to Administrative Tools, and then click Services.

2. Verify that the DFS Replication service and the Netlogon service have a status of Started. If a service is stopped, click Restart.

3. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.

4.To verify that the SYSVOL tree includes the sysvol and scripts shared folders, at the command prompt, type the following command, and then press ENTER:
net share

5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the new domain controller.

Note:
If neither %systemroot%\SYSVOL\sysvol\ nor %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS are present, see Verify Active Directory Replication.

6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:netlogons