lundi 16 juin 2014

Microsoft DFS-R problem : The sysvol permissions for one or more GPOs on this domain controller are not in sync with the permissions for the GPOs on the baseline domain

Hello,
Recently, I encountered a Distributed File System Replication problem in our Active Directory.
Notice : pay attention that the AD replication and Sysvol replication are two very different things. Indeed, the replication of Sysvol is done wit DFS mechanism which replaced FRS since 2008.
In windows 2012r2, through the new Group Policy Management, when I click on "Detect Now", results show ACLs not in sync with the baseline domain...



The sysvol permissions for one or more GPOs on this domain controller are not in sync with the permissions for the GPOs on the baseline domain

First thing, the level of the domain and forest functionnal level is 2008r2.

I check first the DFS Replication with tools provided by Microsoft in the DFS Management Console on the baseline DC (Health Report, Propagation test et Propagation report). The result was ok...
You can use dfsrdiag to check DFS-R operations.
dfsrdiag.exe syncnow /rgname:“domain system volume” /partner:yourBaselineDC /time:1 /verbose

Steps to solve the problem :

1. DNS check on all DCs (the first DNS server must be the DC itself)
2. Resume replication on volume c:\ on the baseline DC
Get the volumeGuid
GWMI -namespace root\cimv2 -class win32_volume | FL -property DriveLetter, DeviceID
Resume replication on volume
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where 'volumeGuid="ce3fb9d1-6ecf-447e-b99c-6e451cab8012"' call ResumeReplication
3. Force the authoritative synchronisation for the DFSR-replicated SYSVOL (was the "D4" when we used FRS in the past) from the PDC Emulator (http://support.microsoft.com/kb/2218556)
a)
Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=YourPDCEmulation,OU=Domain Controllers,DC=domain,DC=com" -properties * 
b) 
Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=YourPDCEmulation,OU=Domain Controllers,DC=domain,DC=com" -Replace @{"msDFSR-Enabled"="FALSE";"msDFSR-Options"=1} 
c) On all other DCs
Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DCx,OU=Domain Controllers,domain,DC=com" -Replace @{"msDFSR-Enabled"="FALSE"} 
d) repadmin /syncall /AdeP
e) Start of the DFSR service on the PDC Emulator.
f) On the PDC Emulator :
Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=YourPDCEmulation,OU=Domain Controllers,DC=domain,DC=com" -Replace @{"msDFSR-Enabled"="TRUE"} 
g) repadmin /syncall /AdeP
h) From the PDC Emulator in an elevated command prompt : DFSRDIAG POLLAD
i)  Start of the DFSR service on all other DCs
j) On all other DCs  :
Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DCx,OU=Domain Controllers,domain,DC=com" -Replace @{"msDFSR-Enabled"="TRUE"} 
k) On all other non-authoritative DCs  in an elevated command prompt : DFSRDIAG POLLAD
4) Then reset permissions of all listed GPOs 
In Group Policy Management Console, click on a GPO>delegation tab>Advanced>Advanced>Restore Defaults (or make a script to restore defaults permissions and to keep custom permissions.


Note :

Remember that it's recommended to edit your GPOs from the PDC Emulator. The PDC Emulator is the prefered admistration entry point for services like GPOs and DFS.

When using Remote Server Administration Tools, you can choose the domain controlter to use.

In Administrative Users and Computers console>right click on your domain>change domain controller



Then choose the DC to use.