So the other day at my test lab I noticed many of my GPOs were giving errors. Ran gpupdate /force
and it gave the following message:
User policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\rakhesh.local\SysVol\rakhesh.local\Policies\{F28486EC-7C9D-40D6-A243-F1F733979D5C}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer Policy update has completed successfully.To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
Looked like a temporary thing so I didn’t give it much thought first. But when policies were still not being read after half an hour or so I figured something is broken.
Running gpresult /h
didn’t have much to add. I noticed the there were errors similar to the one above. I also noticed that another policy had a version mismatch to the one on the server (this wasn’t highlighted anywhere, I just happened to notice).
I went to the path in the error message on each of my DCs (replace rakhesh.local
with your DC name) to find out which DC had a missing file. As the message indicated, it was a replication issue. I had updated the GPO on one of the DCs but looks like it didn’t replicate to some of the other DCs; and my clients were trying to find the policy files on this DC where it didn’t replicate to, thus throwing errors.
Event Logs on the clients didn’t have much to add except for error messages similar to the above.
Event Logs on the DCs were more useful. “Applications and Services Logs” > “DFS Replication” is the place to look here. Interestingly, the DC where I couldn’t find the GPO above reported no errors. It had an entry like this:
The DFS Replication service successfully established an inbound connection with partner WIN-DC01 for replication group Domain System Volume.
Additional Information:
Connection Address Used: WIN-DC01.rakhesh.local
Connection ID: 11C8A7A0-F8A5-4867-B277-78DDC66E3ED3
Replication Group ID: 7C0BF99B-677B-4EDA-9B47-944D532DF7CB
This gives you the impression that all is fine. The other DC though had many errors. One of them was event ID 4012:
The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 118 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group.
Additional Information:
Error: 9061 (The replicated folder has been offline for too long.)
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 0546D0D8-E779-4384-87CA-3D4ABCF1FA56
Replication Group Name: Domain System Volume
Replication Group ID: 7C0BF99B-677B-4EDA-9B47-944D532DF7CB
Member ID: 93D960C2-DE50-443F-B8A1-20B04C714E16
Good! So that explains it. Being a test lab, all my DCs aren’t usually online. In this case, WIN-DC01 is what I always have online but WIN-DC02 is only powered on when I want to test anything specific. Since the two weren’t in touch for more than 60 days, WIN-DC01 had stopped replicating with WIN-DC02. Makes sense – you wouldn’t want stale data from WIN-DC02 to overwrite fresh data on WIN-DC01 after all.
The steps in the Event Log entry didn’t work though. Being a SYSVOL folder there’s no option to remove a server from the replication group in DFS Management.
I searched online for any suggestions related to event ID 4012 and SYSVOL, adn found a Microsoft KB article. This article suggested running two commands which I’d like to post here as a reminder to myself as they are generally useful to quickly pinpoint the source of an error. Being a test lab I have just 2-3 DCs so I can go through them manually; but if I had many DCs it is useful to know how to find the faulty ones fast.
First command simply checks whether the SYSVOL folder is shared on each DC:
1 2 3 4 5 6 7 |
C:\> For /f %i IN ('dsquery server -o rdn') do @echo %i && @(net view \\%i | find "SYSVOL") & echo WIN-DC01 SYSVOL Disk Logon server share ECHO is on. WIN-DC02 SYSVOL Disk Logon server share ECHO is on. |
Next command uses WMIC to get the replication state of this folder on each DC.
1 2 3 4 5 6 7 8 |
C:\>For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state WIN-DC01 ReplicatedFolderName ReplicationGroupName State SYSVOL Share Domain System Volume 5 WIN-DC02 ERROR: Description = Access denied |
A state of 5 indicates the group is in error. Interestingly, the “Access denied” message is one I had noticed earlier too when running dcdiag
on the faulty DC.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
Doing primary tests Testing server: Default-First-Site-Name\WIN-DC02 Starting test: Advertising ......................... WIN-DC02 passed test Advertising Starting test: FrsEvent ......................... WIN-DC02 passed test FrsEvent Starting test: DFSREvent There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems. ......................... WIN-DC02 passed test DFSREvent Starting test: SysVolCheck ......................... WIN-DC02 passed test SysVolCheck Starting test: KccEvent ......................... WIN-DC02 passed test KccEvent Starting test: KnowsOfRoleHolders ......................... WIN-DC02 passed test KnowsOfRoleHolders Starting test: MachineAccount ......................... WIN-DC02 passed test MachineAccount Starting test: NCSecDesc ......................... WIN-DC02 passed test NCSecDesc Starting test: NetLogons [WIN-DC02] User credentials does not have permission to perform this operation. The account used for this test must have network logon privileges for this machine's domain. ......................... WIN-DC02 failed test NetLogons Starting test: ObjectsReplicated ......................... WIN-DC02 passed test ObjectsReplicated Starting test: Replications [Replications Check,WIN-DC02] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105 "Replication access was denied." ......................... WIN-DC02 failed test Replications |
I didn’t think much of it that time as there were no errors when running dcdiag
from the working DC and also because I ran this command while I thought the error was a temporary thing. I still don’t think this is a permissions issue. My guess is that it is to do with the content freshness error I found in the Event Logs earlier. Possibly due to that the second DC is being denied access to replicate and that’s why I get the “access denied” error above.
From the KB article above I came across another one that has steps on how to force a of SYSVOL from one server to all the others. (In the linked article, the section ‘How to perform an authoritative synchronization of DFSR-replicated SYSVOL (like “D4” for FRS)’ is what I am talking about). Here’s what I did:
- I launched
adsiedit.msc
and connected with the default settings - Then I opened
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=WIN-DC01,OU=Domain Controllers,DC=rakhesh,DC=local
(replace the DC name and domain name with yours; in my case WIN-DC01 is the DC I want to set as authoritative) and … - … I set
msDFSR-Enabled=FALSE
andmsDFSR-options=1
- Next, I opened
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=WIN-DC02,OU=Domain Controllers,DC=rakhesh,DC=local
– WIN-DC02 being the DC that is out of sync – and setmsDFSR-Enabled=FALSE
. - For AD replication through out the domain:
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364C:\Users>repadmin /syncallCALLBACK MESSAGE: The following replication is in progress:From: 6fdae042-053c-47e2-be5f-67db18dfc088._msdcs.rakhesh.localTo : bdb02ab9-5103-4254-9403-a7687ba91488._msdcs.rakhesh.localCALLBACK MESSAGE: The following replication completed successfully:From: 6fdae042-053c-47e2-be5f-67db18dfc088._msdcs.rakhesh.localTo : bdb02ab9-5103-4254-9403-a7687ba91488._msdcs.rakhesh.localCALLBACK MESSAGE: SyncAll Finished.SyncAll terminated with no errors.C:\Users>repadmin /replsummaryReplication Summary Start Time: 2014-09-20 13:25:07Beginning data collection for replication summary, this may take awhile:.....Source DSA largest delta fails/total %% errorWIN-DC01 33m:53s 0 / 5 0WIN-DC02 38m:51s 0 / 5 0Destination DSA largest delta fails/total %% errorWIN-DC01 38m:51s 0 / 5 0WIN-DC02 33m:53s 0 / 5 0C:\Users>repadmin /showreplRepadmin: running command /showrepl against full DC localhostDefault-First-Site-Name\WIN-DC01DSA Options: IS_GCSite Options: (none)DSA object GUID: bdb02ab9-5103-4254-9403-a7687ba91488DSA invocationID: bdb02ab9-5103-4254-9403-a7687ba91488==== INBOUND NEIGHBORS ======================================DC=rakhesh,DC=localDefault-First-Site-Name\WIN-DC02 via RPCDSA object GUID: 6fdae042-053c-47e2-be5f-67db18dfc088Last attempt @ 2014-09-20 13:24:18 was successful.CN=Configuration,DC=rakhesh,DC=localDefault-First-Site-Name\WIN-DC02 via RPCDSA object GUID: 6fdae042-053c-47e2-be5f-67db18dfc088Last attempt @ 2014-09-20 13:25:00 was successful.CN=Schema,CN=Configuration,DC=rakhesh,DC=localDefault-First-Site-Name\WIN-DC02 via RPCDSA object GUID: 6fdae042-053c-47e2-be5f-67db18dfc088Last attempt @ 2014-09-20 12:46:16 was successful.DC=DomainDnsZones,DC=rakhesh,DC=localDefault-First-Site-Name\WIN-DC02 via RPCDSA object GUID: 6fdae042-053c-47e2-be5f-67db18dfc088Last attempt @ 2014-09-20 12:46:16 was successful.DC=ForestDnsZones,DC=rakhesh,DC=localDefault-First-Site-Name\WIN-DC02 via RPCDSA object GUID: 6fdae042-053c-47e2-be5f-67db18dfc088Last attempt @ 2014-09-20 12:46:16 was successful.
- The result of the above steps will be that SYSVOL replication is disabled through out the domain. I confirmed that by going to the “DFS Replication” logs and noting an event with ID 4114:
The replicated folder at local path C:\Windows\SYSVOL\domain has been disabled. The replicated folder will not participate in replication until it is enabled. All data in the replicated folder will be treated as pre-existing data when this replicated folder is enabled.
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 0546D0D8-E779-4384-87CA-3D4ABCF1FA56
Replication Group Name: Domain System Volume
Replication Group ID: 7C0BF99B-677B-4EDA-9B47-944D532DF7CB
Member ID: 09E14860-47F6-49EE-820E-43F7ED015FEB - Then I went back to
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=WIN-DC01,OU=Domain Controllers,DC=rakhesh,DC=local
but this time I setmsDFSR-Enabled=TRUE
. - Again, I forced AD replication through out the domain.
- Next, I ran
dfsrdiag pollad
on WIN-DC01 (the DC with the correct copy) to perform an initial sync with AD. (Note: My DC was a Server 2012 Core install. This didn’t havedfsrdiag
by default. I installed it viaInstall-WindowsFeature RSAT-DFS-Mgmt-Con
in PowerShell). - I checked the Event Logs of WIN-DC01 to confirm SYSVOL is now replicating (event ID 4602 should be present):
The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member is the designated primary member for this replicated folder. No user action is required. To check for the presence of the SYSVOL share, open a command prompt window and then type “net share”.
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 0546D0D8-E779-4384-87CA-3D4ABCF1FA56
Replication Group Name: Domain System Volume
Replication Group ID: 7C0BF99B-677B-4EDA-9B47-944D532DF7CB
Member ID: 93D960C2-DE50-443F-B8A1-20B04C714E16
Read-Only: 0 - Finally, I went back to
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=WIN-DC01,OU=Domain Controllers,DC=rakhesh,DC=local
and setmsDFSR-Enabled=TRUE
. You can see what’s happening, don’t you? First we disabled SYSVOL replication on all the DCs. Then we enabled it on the authoritative DC and got it to sync to AD. And now we are re-enabling it on all the other DCs so they get a fresh copy from the authoritative DC. - Lastly, I did a
dfsrdiag pollad
on WIN-DC02 … and while it should have worked without any issues, I got the following error:
C:\Users>dfsrdiag pollad
[ERROR] Access is denied when connecting to WMI services on computer: WIN-DC02.r
akhesh.localOperation Failed
However, Event Logs on WIN-DC02 showed that SYSVOL was now replicating successfully and clients are now able to download GPOs successfully. So it looks like the “access denied” error is something else altogether (as I suspected initially, yaay!). I’ll have to look into that later – I know in the past I’ve fiddled with the WMI settings on this machine so maybe I made some change that I forgot to reset.
Good stuff!