markmazurkiewicz, 2020-07-10 (3 upvotes, 6 answers):

I am experiencing some GPO replication issues, and trying to resolve them with my server team is resulting in a finger-pointing match like a false start during a football game.

I have been trying to make some new GPOs for both testing and production purposes, make them in the Group Policy utility, assign their groups and when I do a GPUpdate I get “The processing of Group Policy failed. Windows attempted to read the file \Path\to\gpt.ini was not successful”

Since we have a multi-DC environment I went individually to each DC and this is where I’m seeing problems. The “baseline” DC has no issues. Between our other 2 domain controllers I am seeing that either the \Policies{identifier} folder is missing, or it may exist but when I check its security properties it tells me that I don’t have access to read the contents of the folder.

Back in the Status screen of the GPO I can see the domain controllers with replication in progress saying that SysVol may be inaccessible, or has ACLs listed.

My server guys restarted the replication service one time and said that “it was fixed” even though they did not verify that GPOs were replicating, which I verified that they were not. It is my understanding that GPO replication (and associated folder rights) are handled automatically by the DC servers and should just be copies of each other, and something with replication has to be broken that is resulting in the GPO folders missing between the DCs or not having identical folder rights. We should not have to directly access the folder security properties and change anything; it should be handled by Windows.

I feel like I’ve exhausted the options available to me shy of deleting and recreating GPOs, which I am reluctant to do because they can be elaborate, and even GPOs that I’m just changing seem to be having issues after I touch them. Has anyone been through this situation and have some pointers or anything that I can try to push along to my server guys to try since they can access the DCs?

rockn, 2020-07-10 (1 upvote):

Have you run something like the AD replication status tool to prove that there is an issue?

https://www.microsoft.com/en-us/download/details.aspx?id=30005

Tell them that updates have been known to bork permissions so they are full of shit.

Farva06, 2020-07-10 (0 upvotes):

Check the DFS replication logs on each DC. Also run “repadmin /showrepl” on a DC to see if any errors show up.

da-schmoo, 2020-07-10 (0 upvotes):

You need to make sure your DNS is in order and then if repadmin doesn’t show the problem move on to running DCDIAG on all DCs.

adrian_ych, 2020-07-11 (1 upvote):

I would say to check ALL DCs’ IP address settings to see what was entered in the 1st, 2nd & 3rd DNS server.

Then check if all the sites are properly listed in Domain Sites & Services and all DCs are in the correct sites (subnets). Then worst case is to “replicate now” using Domain Sites & Services to force replication among the DCs.

jeremy-policypak, 2020-07-11 (0 upvotes):

Hi. 16-Year MVP (14 years in Group Policy.)

So far, all good suggestions.

If it helps, here’s my guide to troubleshooting this: 03: Troubleshooting Group Policy Replication Problems - PolicyPak

Nothing to sell here; hope it helps you.
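
An added example, not code from any poster in this thread: a PowerShell check that gives the evidence the question asks for by reading every GPO's SYSVOL folder on each DC and comparing the gpt.ini version and folder ACL against the version stored in AD. It assumes the RSAT ActiveDirectory and GroupPolicy modules and an account that can read SYSVOL; the variable and column names are illustrative.

```powershell
# Added example (not from the thread). Needs the RSAT ActiveDirectory and
# GroupPolicy modules and an account that can read SYSVOL on every DC.
Import-Module ActiveDirectory, GroupPolicy

$domain = (Get-ADDomain).DNSRoot
$dcs    = (Get-ADDomainController -Filter *).HostName

$report = foreach ($gpo in Get-GPO -All) {
    $guid = '{' + $gpo.Id.ToString().ToUpper() + '}'
    # gpt.ini holds one number: user version in the high 16 bits, computer in the low 16.
    $adVersion = [long]$gpo.User.DSVersion * 65536 + $gpo.Computer.DSVersion
    foreach ($dc in $dcs) {
        $folder = "\\$dc\SYSVOL\$domain\Policies\$guid"
        $row = [ordered]@{
            Id = $guid; GPO = $gpo.DisplayName; DC = $dc; AdVersion = $adVersion
            GptIniVersion = $null; AclSddl = $null; Problem = $null
        }
        try {
            # Throws if the policy folder never replicated to this DC.
            $null = Get-Item -LiteralPath $folder -ErrorAction Stop
            # Throws if gpt.ini is missing or the ACL denies read access.
            $hit = Select-String -LiteralPath (Join-Path $folder 'gpt.ini') `
                       -Pattern '^\s*Version\s*=\s*(\d+)' -ErrorAction Stop |
                   Select-Object -First 1
            if ($hit) { $row.GptIniVersion = [long]$hit.Matches[0].Groups[1].Value }
            $row.AclSddl = (Get-Acl -LiteralPath $folder -ErrorAction Stop).Sddl
        } catch {
            $row.Problem = $_.Exception.Message
        }
        # One string per DC so copies of the same GPO can be compared directly.
        $row.Signature = "$($row.GptIniVersion)|$($row.AclSddl)"
        [pscustomobject]$row
    }
}

# Flag a GPO when any DC errored, the DCs disagree, or SYSVOL lags the AD version.
$report | Group-Object Id | Where-Object {
    $sigs = @($_.Group.Signature | Sort-Object -Unique)
    $sigs.Count -gt 1 -or
    @($_.Group | Where-Object { $_.Problem -or $_.GptIniVersion -ne $_.AdVersion }).Count -gt 0
} | ForEach-Object { $_.Group } |
    Format-Table GPO, DC, AdVersion, GptIniVersion, Problem -AutoSize
```

An empty table means every DC holds the same copy of every GPO; any rows listed are the per-DC differences to put next to the `repadmin /showrepl` and DCDIAG output suggested above.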