The sysvol permissions for one or more GPOs on this domain controller are not in sync with the permissions for the GPOs on the baseline domain

Tags: active-directory, file-replication-services, group-policy, windows-server-2008-r2, windows-server-2012-r2

I have recently installed a second domain controller and all replication seems to be working fine except for group policy – In Windows 2012 R2, through the new Group Policy Management, when I click on "Detect Now", results show ACLs not in sync with the baseline domain…

Environment:

DC1: Windows 2008 R2;
DC2: Windows 2012 R2;
Forest & Domain Functional levels: Windows 2003;
Replication Type: FRS;

I have run dcdiag, looked at event logs, repadmin /showrepl etc and everything seems fine but group policies won't sync… I've checked the sysvol ACLs in both DCs and they seem to have the same permissions… Also the group policy central store has replicated correctly (which is sysvol)…

I found someone else has this problem here http://sysadminconcombre.blogspot.com.au/2014/06/microsoft-dfs-r-problem-sysvol.html and a resolution which involved restarting DFSR … but I have FRS since the DFL is 2003 🙁

My question is, is there any way to fix this without migrating to DFSR or should I move to DFSR first? … Everything says that I shouldn't move from FRS to DFSR without replication working 'perfectly' ….

Any suggestions are appreciated 🙂

Best Answer

Update: I managed to fix this by manually applying the sysvol ACLs for the policies at both servers... for some reason I had to add the domain\administrators group as full control for each policy under sysvol\policies and then it synced fine.... everything's working now and I'll look at migrating to DFSR later when we can upgrade the DFL, Cheers

Anyone else seeing this problem - if you only have one or two policies it might be quicker to back up the settings, delete them all out and then add them back in again which would have the same effect.
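Before touching ACLs by hand, it helps to see exactly which policy folders differ and how. The following PowerShell script is an added example (not from the answer above); it reads the explicit NTFS ACL entries of every GPO folder under SYSVOL\Policies on two domain controllers and prints the drift. It assumes you run it as a domain admin with SMB access to both DCs, and that DC1, DC2 and corp.example are placeholder names for your DCs and domain.

```powershell
# Added example: report SYSVOL\Policies ACL drift between a baseline DC and a second DC.
# Placeholders: DC1, DC2 and corp.example are assumptions, replace with your own names.
param(
    [string]$BaselineDc = 'DC1',
    [string]$OtherDc    = 'DC2',
    [string]$DomainDns  = 'corp.example'
)

function Get-GpoFolderAcls {
    param([string]$Dc, [string]$Domain)
    $root   = "\\$Dc\SYSVOL\$Domain\Policies"
    $result = @{}
    foreach ($dir in Get-ChildItem -LiteralPath $root -Directory) {
        # Only explicit (non-inherited) entries are GPO-specific; inherited ones
        # come from the parent Policies folder and are the same for every GPO.
        $acl = Get-Acl -LiteralPath $dir.FullName
        $explicit = $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
            '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.FileSystemRights,
                                 $_.AccessControlType, $_.InheritanceFlags
        } | Sort-Object
        $result[$dir.Name] = @($explicit)   # keyed by the GPO GUID folder name
    }
    return $result
}

$base  = Get-GpoFolderAcls -Dc $BaselineDc -Domain $DomainDns
$other = Get-GpoFolderAcls -Dc $OtherDc    -Domain $DomainDns

$drift = 0
foreach ($guid in (@($base.Keys) + @($other.Keys) | Sort-Object -Unique)) {
    if (-not $other.ContainsKey($guid)) { "$guid is missing on $OtherDc";    $drift++; continue }
    if (-not $base.ContainsKey($guid))  { "$guid is missing on $BaselineDc"; $drift++; continue }
    $diff = Compare-Object -ReferenceObject $base[$guid] -DifferenceObject $other[$guid]
    if ($diff) {
        "ACL mismatch for $guid"
        foreach ($d in $diff) {
            # '<=' entries exist only on the baseline DC, '=>' only on the other DC
            $where = if ($d.SideIndicator -eq '<=') { "only on $BaselineDc" } else { "only on $OtherDc" }
            "  $where : $($d.InputObject)"
        }
        $drift++
    }
}
"Policy folders with ACL drift: $drift"
```

Run it once before and once after fixing the ACLs so you have a record that the two DCs actually converged rather than relying on "Detect Now" alone.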