GPO Replication SysVol Inaccessible on Windows Server 2003
Solution 1
Group Policy processing is done as the user the relevant portion of the policy applies to. If they cannot read the policy files, they cannot apply the policy. Therefore, the users need to have read permissions to SYSVOL on the DC, and they also need to have SMB access to the DC so they can retrieve SysVol.
Once it finds the right server to use, the client (in this case, the mail server) does a Tree Connect Request to \\DC\IPC$, then does a get to \\domain\SysVol. You can get a list of the DCs that you need SMB access to by running nltest /dclist:.
As far as I can tell, that is the most probable issue.
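One way to run the check this answer describes, as an added example that is not part of the original answer: for each DC name passed in (for instance the names that nltest /dclist: reports), it tests whether TCP 445 is reachable and whether the SYSVOL and NETLOGON shares can be listed with the caller's credentials. The function name Test-SysvolAccess and the DC names in the usage comment are assumptions.

```powershell
# Added example: per-DC check of SMB reachability and SYSVOL/NETLOGON readability.
# Test-SysvolAccess is a hypothetical helper name; DC names are supplied by the caller.
# Shares are read with the credentials of whoever runs the function.
function Test-SysvolAccess {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$DomainController,
        [int]$TimeoutMs = 3000
    )

    foreach ($dc in $DomainController) {
        # 1. Can TCP 445 (SMB) be opened on the DC at all?
        $smbOpen = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($dc, 445, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)
                $smbOpen = $client.Connected
            }
        } catch {
            $smbOpen = $false   # refused, unreachable, or name not resolved
        } finally {
            $client.Close()
        }

        # 2. Can the current account list the shares Group Policy reads from?
        $result = New-Object PSObject -Property @{
            DC = $dc; Smb445 = $smbOpen; Sysvol = $false; Netlogon = $false; Error = $null
        }
        if ($smbOpen) {
            foreach ($share in 'Sysvol', 'Netlogon') {
                try {
                    Get-ChildItem -Path "\\$dc\$share" -ErrorAction Stop | Out-Null
                    $result.$share = $true
                } catch {
                    # Typically access denied or share not found
                    $result.Error = $_.Exception.Message
                }
            }
        }
        $result
    }
}

# Usage (constructed names): Test-SysvolAccess -DomainController DC1, DC2, MAILSERVER1
```

A DC that shows Smb445 as True but Sysvol as False points at share or NTFS permissions rather than network filtering.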
Solution 2
I had a problem like this some time ago and it was caused by the FRS service in one DC being in JRNL_WRAP_ERROR. I discovered this after running DCDIAG and checking the event log, if memory serves. If this were your case you could use the procedure in http://support.microsoft.com/kb/315457 to fix it. Note that all my servers were running Windows Server 2003 SP2. Starting with Windows Server 2008 the replication is done by the DFS service so this could help http://support.microsoft.com/kb/292438 instead. Good luck!
Christoffer Mansfield
Updated on September 18, 2022
Comments
-
Christoffer Mansfield almost 2 years
In our current AD setup, we have the following Domain Controllers:
- DC1: Server 2012 R2, Operations Master (All roles)
- DC2: Server 2012 R2
- Mailserver1: Server 2003, Also hosts Exchange 2007
The forest functional level is 2003.
However, no GPOs are being replicated to the mailserver. When checking the status of a GPO, it says
SysVol Inaccessible
I've searched around on the web for any solution for this, but I cannot find anything. I'm fairly in the dark when it comes to Active Directory, so I have no clue where to go from here.
Anyone recognize this problem, or have some common causes? Any help would be tremendously appreciated.
Update
As requested, the output of NET SHARE on MAILSERVER1
Share name   Resource                        Remark
-------------------------------------------------------------------------------
IPC$                                         Remote IPC
C$           C:\                             Default share
ADMIN$       C:\WINDOWS                      Remote Admin
Resources$   C:\Program Files\Microsoft\Exchange Server\bin\res
                                             "Event logging files"
Address      C:\Program Files\Microsoft\Exchange Server\Mailbox\address
                                             "Access to address objects"
CertEnroll   C:\WINDOWS\system32\CertSrv\CertEnroll
                                             Certificate Services share
ExchangeOAB  C:\Program Files\Microsoft\Exchange Server\ExchangeOAB
                                             OAB Distribution share
NETLOGON     C:\WINDOWS\SYSVOL\sysvol\HQ.tarantech.com\SCRIPTS
                                             Logon server share
OAB          C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB
SYSVOL       C:\WINDOWS\SYSVOL\sysvol        Logon server share
-
joeqwerty over 10 years
Why would GPOs replicate to your Exchange server? Is the Exchange server also a Domain Controller? What is the Domain and Forest functional level?
-
Christoffer Mansfield over 10 years
@joeqwerty Yes, unfortunately the mailserver is also a DC. The forest functional level is 2003, I updated the question with it. Thanks for pointing the missing stuff out :)
-
Greg Askew over 10 years
On MAILSERVER1, what is the output of the NET SHARE command?
-
Christoffer Mansfield over 10 years
@GregAskew Updated the question with the output, thanks!
-
Greg Askew over 10 years
@ChristofferMansfield: Where are you seeing "SysVol Inaccessible"? Is that on MAILSERVER1? What are you running when that is displayed?
-
Copy Run Start about 7 years
Can you edit to mention whether you did this on the PDC or on the affected DC?