A few weeks ago, one of my clients had a problem with GPO processing on client computers. Different computers applied different settings from the same GPO, depending on which domain controller they had pulled it from. Every replication test passed and every GPO applied, but the problem was replication between the domain controllers themselves, and because of it clients ended up with different GPO configurations.

After a deeper investigation we found that the problem was DFS replication of the SYSVOL folder. A few months earlier the client had successfully moved SYSVOL replication from FRS to DFSR, but demoting the old domain controller had left DFSR in their environment in a confused state.

To solve this, we had to manually perform an authoritative synchronization between the domain controllers. DFSR does not use the same steps as FRS for an authoritative sync (the FRS BurFlags D4/D2 registry trick does not apply). Fortunately, Microsoft documents the DFSR procedure in KB2218556, linked here.

The steps for this process are below. Pick as the "primary" the DC whose SYSVOL content you trust (normally the PDC Emulator, with the most recent policy changes) and back up its SYSVOL first: every other DC discards its own copy and re-syncs from this one.


  1. Stop the DFS Replication service on the primary (authoritative) domain controller;
  2. Open ADSI Edit in the Default naming context, navigate to CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name to replicate from>,OU=Domain Controllers,DC=<domain>, and change the following attributes:
    • msDFSR-Enabled=FALSE
    • msDFSR-Options=1
  3. On ALL other DCs, change the msDFSR-Enabled attribute of the same object (under each DC's own CN=<server name>) to FALSE;
  4. Force AD replication
    • repadmin /syncall primary_dc_name /APed
  5. Start the DFS Replication service again on the primary domain controller;
  6. Open Event Viewer and navigate to Applications and Services Logs -> DFS Replication. Verify you see Event ID 4114 (SYSVOL replication has been disabled). The other DCs log it too once they pick up the change, which can take up to an hour (the default AD polling interval) unless you run DFSRDIAG POLLAD on each of them;
  7. Navigate back to CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name to replicate from>,OU=Domain Controllers,DC=<domain> in ADSI Edit and change the attribute:
    • msDFSR-Enabled=TRUE
  8. Execute the following from an elevated command prompt on the primary DC: DFSRDIAG POLLAD;
  9. Force AD replication
    • repadmin /syncall primary_dc_name /APed
  10. Wait a few minutes and you should see Event ID 2002 and 4602 (SYSVOL initialized; this DC is the designated primary member);
  11. On ALL other domain controllers change the attribute
    • msDFSR-Enabled=TRUE
  12. Execute the following from an elevated command prompt on each of them: DFSRDIAG POLLAD;
  13. Verify you see Event ID 4614 (waiting to perform initial replication) followed by 4604 (SYSVOL initialized) on all other domain controllers. Event ID 4602 is logged only on the authoritative DC, so do not expect it on the others.
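The whole procedure above, scripted in PowerShell so that each step is done in order and each expected DFSR event is actually waited for instead of eyeballed. This is an added example, not code from the original post or from Microsoft's article. It assumes the ActiveDirectory module (RSAT) and dfsrdiag are installed where you run it, Domain Admin rights, WinRM and remote event log access open to every DC, and that the DC names passed in are your own (the 'DC01' shown in the parameter comment is hypothetical). Back up SYSVOL on the authoritative DC before running it.

```powershell
# Added example (not from the original post or Microsoft's KB article):
# authoritative DFSR SYSVOL sync, following the manual steps above.
# Assumes: ActiveDirectory module, repadmin/dfsrdiag on this box, Domain Admin,
# WinRM + remote event log access to every DC. Server names are hypothetical.
param(
    [Parameter(Mandatory)][string]$Authoritative,   # DC whose SYSVOL is the good copy, e.g. 'DC01'
    [string[]]$OtherDCs                             # default: every other DC in the domain
)
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
if (-not $OtherDCs) {
    $OtherDCs = (Get-ADDomainController -Filter *).Name | Where-Object { $_ -ne $Authoritative }
}

# DN of the per-DC subscription object that carries msDFSR-Enabled / msDFSR-Options
function Get-SysvolSubscriptionDN([string]$Dc) {
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$Dc,OU=Domain Controllers,$domainDN"
}

function Set-SysvolSubscription([string]$Dc, [bool]$Enabled, [int]$Options = -1) {
    $attrs = @{ 'msDFSR-Enabled' = $Enabled }
    if ($Options -ge 0) { $attrs['msDFSR-Options'] = $Options }   # 1 = authoritative on re-enable
    Set-ADObject -Identity (Get-SysvolSubscriptionDN $Dc) -Replace $attrs
}

# DFSR logs 4114/4602/4614/4604 asynchronously; poll the DFS Replication log until one shows up.
function Wait-DfsrEvent([string]$Dc, [int[]]$Ids, [datetime]$Since, [int]$TimeoutMinutes = 15) {
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'DFS Replication'; Id = $Ids; StartTime = $Since }
        if ($ev) { Write-Host "$Dc : DFSR event $($ev[0].Id) logged"; return $ev[0] }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFSR event $($Ids -join '/') on $Dc"
}

# Run a native tool and fail loudly on a non-zero exit code instead of silently continuing.
function Invoke-Native([string]$Exe, [string[]]$Arguments) {
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $Arguments failed with exit code $LASTEXITCODE" }
}

# 0. Sanity check: SYSVOL must already be fully migrated to DFSR ('Eliminated' state).
$state = & dfsrmig /getglobalstate
if (-not (($state -join ' ') -match 'Eliminated')) { throw "SYSVOL is not fully on DFSR:`n$state" }

$started = Get-Date

# 1. Stop DFSR on the authoritative DC (service name DFSR = "DFS Replication").
Invoke-Command -ComputerName $Authoritative -ScriptBlock { Stop-Service -Name DFSR }

# 2-3. Disable the subscription everywhere; only the authoritative DC gets Options=1.
Set-SysvolSubscription -Dc $Authoritative -Enabled $false -Options 1
foreach ($dc in $OtherDCs) { Set-SysvolSubscription -Dc $dc -Enabled $false }

# 4. Push the attribute changes to all DCs, then make the other DCs read them now
#    instead of at their next hourly AD poll.
Invoke-Native repadmin @('/syncall', $Authoritative, '/APed')
foreach ($dc in $OtherDCs) { Invoke-Native dfsrdiag @('pollad', "/member:$dc") }

# 5-6. Start DFSR on the authoritative DC and expect 4114 (SYSVOL replication disabled).
Invoke-Command -ComputerName $Authoritative -ScriptBlock { Start-Service -Name DFSR }
Wait-DfsrEvent -Dc $Authoritative -Ids 4114 -Since $started | Out-Null

# 7-10. Re-enable the authoritative DC, poll AD, replicate; expect 4602 (primary member initialized).
Set-SysvolSubscription -Dc $Authoritative -Enabled $true
Invoke-Native dfsrdiag @('pollad', "/member:$Authoritative")
Invoke-Native repadmin @('/syncall', $Authoritative, '/APed')
Wait-DfsrEvent -Dc $Authoritative -Ids 4602 -Since $started | Out-Null

# 11-13. Re-enable the others; each should log 4614 (waiting for initial sync) and then 4604.
foreach ($dc in $OtherDCs) {
    Set-SysvolSubscription -Dc $dc -Enabled $true
    Invoke-Native dfsrdiag @('pollad', "/member:$dc")
}
foreach ($dc in $OtherDCs) {
    Wait-DfsrEvent -Dc $dc -Ids 4604 -Since $started -TimeoutMinutes 60 | Out-Null
}

# Final check: the SYSVOL replicated folder should show no backlog from the primary to any partner.
foreach ($dc in $OtherDCs) {
    & dfsrdiag backlog '/rgname:Domain System Volume' '/rfname:SYSVOL Share' "/smem:$Authoritative" "/rmem:$dc"
}
```

Run it from a management box or the authoritative DC itself as `.\Sync-Sysvol.ps1 -Authoritative DC01`. The waits use the script start time as a floor so that an old 4602 from a previous attempt is not mistaken for the new one, and the non-authoritative DCs get a longer timeout because their initial sync only starts after the primary has finished initializing.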

 

After this, all problems with GPO processing and SYSVOL replication disappeared.

Cheers!
