Hi Community,

I recently upgraded our environment from Windows Server 2012 R2 to Windows Server 2022 and raised the forest and domain functional level from 2008 R2 to 2016. Everything was running smoothly until I demoted and removed the old 2012 R2 domain controllers.

I made sure to:

  • Remove all DNS records related to the old DCs
  • Perform metadata cleanup using ntdsutil
  • Confirm SYSVOL and NETLOGON shares are present on the new DCs
  • Ensure AD replication and DNS are healthy between the new DCs

However, I’m now experiencing Group Policy issues. When I run gpupdate /force on client machines, I get the following error:

The processing of Group Policy failed. Windows attempted to read the file 
\\domain\SysVol\domain\Policies\{549775DE-E955-4E11-B7CD-CED832811343}\gpt.ini 
from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved.

In Group Policy Management, the existing GPOs show an error:

“The system cannot find the file specified”

Even when I try creating a new GPO, it doesn’t properly register or apply.

I checked DFSR and confirmed that:

  • Replication is working between the two new DCs
  • SYSVOL is initialized and shared
  • The error seems to indicate one DC (DC02) is still referencing the old 2012 R2 SYSVOL path or GPO structure

Despite confirming all old DC traces are removed, Group Policy is still broken and the system appears to look for GPOs from the now-removed 2012 R2 DC.

Has anyone encountered a similar issue after retiring older domain controllers? Any tips on fully reinitializing SYSVOL or resetting GPO replication state across DCs would be appreciated.

Thanks in advance!

6 Spice ups

What are your DCs using for their DNS?

Note it MUST be DC1 uses DC2, then 127.0.0.1 and DC2 uses DC1 then 127.0.0.1

Your clients should use DC1/DC2 but not in any specific order, and nothing else.

4 Spice ups

Yes, they’re using the correct DNS settings. Luckily I have the old 2012R2 DCs available, so I powered them on. I backed up the SYSVOL configuration and then copied it over to DC01. I ran the command below to copy it to the SYSVOL of DC01 (primary DC):

Copy-Item -Path "C:\Users\admin\Downloads\Backup-SYSVOL-2012R2\domain\Policies\*" -Destination "C:\Windows\SYSVOL\domain\Policies\" -Recurse -Force

After that, open the Group Policy Management console, click on the policy and click OK for the prompt on permissions. This resolved the GPO issues.

For DC02 pointing to the old 2012R2 server, I changed the Parent Computer value under this registry key, Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols\WHHS.GOV.PG, to DC01.

I restarted DFS on both DCs and can see replication running successfully, and the GPO issue is also resolved.

Hope it helps someone who is having this issue.

1 Spice up
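A read-only check for the symptom discussed in this thread, added here as an example and not taken from any post: it asks each domain controller directly whether every GPO known to AD has a gpt.ini in that DC's SYSVOL, and lists policy folders that have no GPO object behind them. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the account running it can read SYSVOL on every DC.

```powershell
# Added example: per-DC SYSVOL vs. AD consistency check (read-only).
# Assumption: RSAT ActiveDirectory and GroupPolicy modules are available.
Import-Module ActiveDirectory, GroupPolicy

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$gpos   = Get-GPO -All -Domain $domain

# GPO folder names in SYSVOL are the GPO GUID in braces, e.g. {XXXXXXXX-...}
$known  = $gpos | ForEach-Object { $_.Id.ToString('B').ToUpper() }

$report = foreach ($dc in $dcs) {
    # Query each DC's own share. \\<domain>\SYSVOL is resolved by DFS to
    # whichever DC is referred, which can hide one bad replica.
    $policies = "\\$dc\SYSVOL\$domain\Policies"

    if (-not (Test-Path -LiteralPath $policies)) {
        [pscustomobject]@{ DC = $dc; Item = '(all GPOs)'; Problem = 'Policies folder unreachable' }
        continue
    }

    # GPO exists in AD but its gpt.ini is absent on this DC
    foreach ($gpo in $gpos) {
        $guid = $gpo.Id.ToString('B').ToUpper()
        $ini  = Join-Path (Join-Path $policies $guid) 'gpt.ini'
        if (-not (Test-Path -LiteralPath $ini)) {
            [pscustomobject]@{ DC = $dc; Item = "$($gpo.DisplayName) $guid"; Problem = 'gpt.ini missing' }
        }
    }

    # GUID-named folder on this DC with no matching GPO object in AD
    Get-ChildItem -LiteralPath $policies -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' -and
                       $known -notcontains $_.Name.ToUpper() } |
        ForEach-Object {
            [pscustomobject]@{ DC = $dc; Item = $_.Name; Problem = 'folder has no GPO in AD' }
        }
}

if ($report) {
    $report | Sort-Object DC, Item | Format-Table -AutoSize
} else {
    "All $($gpos.Count) GPOs have a gpt.ini on all $(@($dcs).Count) DCs."
}
```

Rows that appear for one DC but not the other point at a replication difference between the two SYSVOL copies; rows that appear for every DC mean the files are absent everywhere.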

WOOOOOOOOOOOO hold the phone…you had old DCs offline?? That changes everything! You can’t just turn those off, you have to demote then remove them!

How, if you’ve demoted them they won’t be DCs, but as Jay said, if you’re just powering them off, that’s not the correct way to remove old DCs.

This isn’t how it should be handled, you should have pointed one of your existing DCs to the old DC and let it replicate.

I worry you’ll be back here again in a few weeks, maybe a month with other issues because something wasn’t done correctly.

You said demoted, but do you mean correctly or demoted as in turned off?

Why would you need to do this, if everything was removed cleanly?

Your initial post suggested you did everything correctly, but this can’t be true given what you’ve recently posted.

I’m glad it’s resolved, but I do worry you’ll be back soon with a more serious issue.

1 Spice up

I demoted all the old 2012 DCs from the domain and cleaned up all data. They were offline for nearly 2 weeks and everything was working fine until I found GPOs not applying on some new computers, therefore I investigated.