Hello,
Recently, I encountered a Distributed File System Replication problem in our Active Directory.
Notice : pay attention that the AD replication and Sysvol replication are two very different things. Indeed, the replication of Sysvol is done wit DFS mechanism which replaced FRS since 2008.
In windows 2012r2, through the new Group Policy Management, when I click on "Detect Now", results show ACLs not in sync with the baseline domain...
The sysvol permissions for one or more GPOs on this domain controller are not in sync with the permissions for the GPOs on the baseline domain
First thing, the level of the domain and forest functionnal level is 2008r2.
I check first the DFS Replication with tools provided by Microsoft in the DFS Management Console on the baseline DC (Health Report, Propagation test et Propagation report). The result was ok...
You can use dfsrdiag to check DFS-R operations.
dfsrdiag.exe syncnow /rgname:“domain system volume” /partner:yourBaselineDC /time:1 /verbose
Steps to solve the problem :
1. DNS check on all DCs (the first DNS server must be the DC itself)
2. Resume replication on volume c:\ on the baseline DC
Get the volumeGuid
GWMI -namespace root\cimv2 -class win32_volume | FL -property DriveLetter, DeviceID
Resume replication on volume
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where 'volumeGuid="ce3fb9d1-6ecf-447e-b99c-6e451cab8012"' call ResumeReplication
3. Force the authoritative synchronisation for the DFSR-replicated SYSVOL (was the "D4" when we used FRS in the past) from the PDC Emulator (http://support.microsoft.com/kb/2218556)
a)
Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=YourPDCEmulation,OU=Domain Controllers,DC=domain,DC=com" -properties *
b)
Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=YourPDCEmulation,OU=Domain Controllers,DC=domain,DC=com" -Replace @{"msDFSR-Enabled"="FALSE";"msDFSR-Options"=1}
c) On all other DCs
Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DCx,OU=Domain Controllers,domain,DC=com" -Replace @{"msDFSR-Enabled"="FALSE"}
d) repadmin /syncall /AdeP
e) Start of the DFSR service on the PDC Emulator.
f) On the PDC Emulator :
Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=YourPDCEmulation,OU=Domain Controllers,DC=domain,DC=com" -Replace @{"msDFSR-Enabled"="TRUE"}
g) repadmin /syncall /AdeP
h) From the PDC Emulator in an elevated command prompt : DFSRDIAG POLLAD
i) Start of the DFSR service on all other DCs
j) On all other DCs :
Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DCx,OU=Domain Controllers,domain,DC=com" -Replace @{"msDFSR-Enabled"="TRUE"}
k) On all other non-authoritative DCs in an elevated command prompt : DFSRDIAG POLLAD
4) Then reset permissions of all listed GPOs
In Group Policy Management Console, click on a GPO>delegation tab>Advanced>Advanced>Restore Defaults (or make a script to restore defaults permissions and to keep custom permissions.
Note :
In Group Policy Management Console, click on a GPO>delegation tab>Advanced>Advanced>Restore Defaults (or make a script to restore defaults permissions and to keep custom permissions.
Note :
Remember that it's recommended to edit your GPOs from the PDC Emulator. The PDC
Emulator is the prefered admistration entry point for services like GPOs and DFS.
When using Remote Server Administration Tools, you can choose the domain controlter to use.
In Administrative Users and Computers console>right click on your domain>change domain controller
Then choose the DC to use.
I have this exact same problem with group policy ACL's differing from the baseline controller , with 2012 R2 server + 2008 R2 server and 2003 forest level and FRS replication .... is there any way to fix it without migrating FRS to DFSR ?? I tried resetting the permissions on the GPO's but no go ... all other replication seems to be working fine including the group policy central store
RépondreSupprimerI posted a follow up question here http://serverfault.com/questions/607174/the-sysvol-permissions-for-one-or-more-gpos-on-this-domain-controller-are-not-in
RépondreSupprimerHi Pierre,
RépondreSupprimerI do it as you say but it gives an error
Can you help ?
PS C:\Users\Administrator> dfsrdiag.exe SyncNow /rgname:"Domain System Volume" /partner:asg.akturkgroup.local /time:1 /verbose
[INFO] Duration in Minutes: 1, 1
[INFO] Computer Name: asg
[INFO] Computer DNS: asg.akturkgroup.local
[INFO] Domain DNS: akturkgroup.local
[INFO] Site Name: Default-First-Site-Name
[INFO] Computer Name: ASG
[INFO] Computer DNS: ASG.akturkgroup.local
[INFO] Domain DNS: akturkgroup.local
[INFO] Site Name: Default-First-Site-Name
[INFO] Connected to WMI services on computer: ASG.akturkgroup.local
[INFO] Issuing query: SELECT * FROM DfsrConnectionInfo WHERE ReplicationGroupName="domain system volume" AND PartnerName
="asg" AND Inbound="true"
[ERROR] Cannot find inbound DfsrConnectionInfo object to the given partner. Possible reasons:
+ The member has no configured inbound connection with the partner
+ Access is denied to connection monitoring information
[INFO] Execution Time: 0 seconds
Operation Failed