The sysvol permissions for one or more GPOs on this domain controller are not in sync with the permissions for the GPOs on the baseline domain


Solution 1

Update: I managed to fix this by manually applying the sysvol ACLs for the policies at both servers... for some reason I had to add the domain\administrators group as full control for each policy under sysvol\policies and then it synced fine.... everything's working now and I'll look at migrating to DFSR later when we can upgrade the DFL, Cheers

Anyone else seeing this problem - if you only have one or two policies it might be quicker to back up the settings, delete them all out and then add them back in again which would have the same effect.
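To see which ACE actually differs before re-applying permissions by hand, the per-policy folder ACLs on the two DCs can be compared directly. The script below is an added example, not part of the original answer; the DC names and domain FQDN are placeholders, and it checks only the file-system ACLs under sysvol\policies, not the GPO permissions stored in Active Directory.

```powershell
# Added example: compare the NTFS ACL of every GPO folder under SYSVOL on two DCs.
# Assumptions: $Domain, $Baseline and $Other are placeholders; run with an account
# that can read SYSVOL on both servers (PowerShell 3.0 or later).
$Domain   = 'example.local'   # placeholder domain FQDN
$Baseline = 'DC1'             # DC treated as the baseline
$Other    = 'DC2'             # DC being checked against it

function Get-AceSet {
    param([string]$Path)
    # Flatten each ACE to one comparable string; sorting removes ACE-order noise.
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        '{0}|{1}|{2}|inherited={3}|{4}|{5}' -f $_.IdentityReference,
            $_.FileSystemRights, $_.AccessControlType, $_.IsInherited,
            $_.InheritanceFlags, $_.PropagationFlags
    } | Sort-Object
}

$basePolicies  = "\\$Baseline\SYSVOL\$Domain\Policies"
$otherPolicies = "\\$Other\SYSVOL\$Domain\Policies"

# GPO folders are named by GUID; this skips PolicyDefinitions (the central store).
$gpoFolders = Get-ChildItem -LiteralPath $basePolicies -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]+\}$' }

$report = foreach ($gpo in $gpoFolders) {
    $otherPath = Join-Path $otherPolicies $gpo.Name
    if (-not (Test-Path -LiteralPath $otherPath)) {
        [pscustomobject]@{ Gpo = $gpo.Name; Issue = "folder missing on $Other"; Ace = $null }
        continue
    }
    $a = @(Get-AceSet $gpo.FullName)
    $b = @(Get-AceSet $otherPath)
    # An ACE present on one side only is the mismatch to investigate.
    foreach ($ace in ($a | Where-Object { $b -notcontains $_ })) {
        [pscustomobject]@{ Gpo = $gpo.Name; Issue = "only on $Baseline"; Ace = $ace }
    }
    foreach ($ace in ($b | Where-Object { $a -notcontains $_ })) {
        [pscustomobject]@{ Gpo = $gpo.Name; Issue = "only on $Other"; Ace = $ace }
    }
}

if ($report) { $report | Format-Table -AutoSize -Wrap }
else         { 'GPO folder ACLs match on both DCs.' }
```

A missing full-control ACE for the domain\administrators group, as described in the answer above, would show up here as a row marked "only on" one of the two servers.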

Solution 2

This occurs when a GPO has changed on the local computer but a replication event has not completed to the other participating Domain Controllers. You can force replication to the other DCs in the Forest with "Get-ADDomainController -Filter * | %{repadmin /syncall /edjQSA $_.hostname}" or simply wait for 15-20 minutes and refresh the GPMC. This is by design and will typically resolve itself on the next replication cycle.


Author: user181683

Updated on September 18, 2022

Comments

  • user181683
    user181683 almost 2 years

    I have recently installed a second domain controller and all replication seems to be working fine except for group policy - In Windows 2012 R2, through the new Group Policy Management, when I click on "Detect Now", results show ACLs not in sync with the baseline domain...

    Environment:

    DC1: Windows 2008 R2; DC2: Windows 2012 R2; Forest & Domain Functional levels: Windows 2003; Replication Type: FRS;

    I have run dcdiag, looked at event logs, repadmin /showrepl etc and everything seems fine but group policies won't sync… I've checked the sysvol ACLs in both DCs and they seem to have the same permissions… Also the group policy central store has replicated correctly (which is sysvol)…

    I found someone else has this problem here http://sysadminconcombre.blogspot.com.au/2014/06/microsoft-dfs-r-problem-sysvol.html and a resolution which involved restarting DFSR … but I have FRS since the DFL is 2003 :(

    My question is, is there any way to fix this without migrating to DFSR or should I move to DFSR first? … Everything says that I shouldn't move from FRS to DFSR without replication working 'perfectly' ….

    Any suggestions are appreciated :)

    • HopelessN00b
      HopelessN00b about 10 years
      Why is your FL at 2003? That's the first thing I'd do something about.