The problem was discovered recently as I was adding more GPOs, and they did not work as expected. So the problem is that the SYSVOL DFSR share is not in sync between DCs.
All DCs are Server 2008 R2.
The strange part is that SYSVOL replicates to all DCs in all sites, but if a GPO is created on the PDC role holder (DC_PDC), it does not replicate to any members. If a GPO is created on a member DC (one that is not the PDC), then DC_PDC receives the new policy right away. So basically, all DCs do not pull changes from DC_PDC, or DC_PDC does not give changes to member DCs.
An even stranger thing: yesterday at one point it did replicate, while a system state backup job was started on the PDC. But today, again, nothing.
In Events, the only error logs are:
On member server:
The DFS Replication service is stopping communication with partner DC_PDC for replication group Domain System Volume due to an error. The service will retry the connection periodically.
Paused for backup or restore
The DFS Replication service failed to communicate with partner DC_PDC for replication group Domain System Volume. The partner did not recognize the connection or the replication group configuration.
The connection is invalid
and in a few minutes:
The DFS Replication service successfully established an inbound connection with partner DC_PDC for replication group Domain System Volume.
Also, these logs are on DC_PDC, but there is always EventID 5004 (established connection).
The DFSR service is working fine, as other folders are replicated as expected.
dcdiag /test:advertising passes DC_PDC, passes member DC
dcdiag /test:dns passes DC_PDC, passes member DC
dcdiag /test:DFSREvent passes DC_PDC, passes member DC
DFSDIAG /TestReferral /DFSPath:\\domain.local\SYSVOL does not give any errors
DFSDIAG /testdcs also no errors
I also checked Kaspersky for servers; it has an exclusion on the sysvol dir.
Maybe someone has ideas on what direction to search in; I'm already out of ideas. Thanks