• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Full GPO replication

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Exchange 2000 // 2003 // 2007 & Active Directory

View previous topic :: View next topic  
Author Message
evl
Just Arrived
Just Arrived


Joined: 14 Feb 2006
Posts: 0
Location: Best

Offline

PostPosted: Mon Apr 26, 2010 11:21 am    Post subject: Full GPO replication Reply with quote

I get a lot of errors like the following:

Policy {811CF975-2319-4D2C-86E1-FB8DC9FF120E}
Friendly name: Office 2003 Users
Error: Cannot access \\dc01.svz.loc\sysvol\svz.loc\policies\{811CF975-2319-4D2C-86E1-FB8DC9FF120E}, error 53

Policy {74EC90FD-0C1D-479E-9D57-1EF5FD33FA49}
Friendly name: Terminal Server Users
Error: Cannot access \\dc03.svz.loc\sysvol\svz.loc\policies\{74EC90FD-0C1D-479E-9D57-1EF5FD33FA49}, error 53

Policy {1EFFF79A-1643-4F80-BC16-4B7560B8C90B}
Friendly name: SUS Updates Servers
Error: dc01.SVZ.LOC - dc02.svz.loc sysvol mismatch
Error: dc01.svz.loc - dc03.svz.loc sysvol mismatch

I am looking for a command to push GPO replication.
From one domain controller to another domain controller.
Not only the GPO's that changed in the last couple of minutes.
I want a full replication.

I expect a full replication will solve many error messages.
Back to top
View user's profile Send private message Visit poster's website
JRBTech
Just Arrived
Just Arrived


Joined: 23 Apr 2010
Posts: 0


Offline

PostPosted: Mon Apr 26, 2010 3:55 pm    Post subject: Reply with quote

What AD are you running? 2000,2003,2008?

You can try REPADMIN /SYNCALL depending on the version you are running. Google the command if you need more details on how it works.

Hope this helps.
Back to top
View user's profile Send private message Visit poster's website
evl
Just Arrived
Just Arrived


Joined: 14 Feb 2006
Posts: 0
Location: Best

Offline

PostPosted: Mon Apr 26, 2010 4:43 pm    Post subject: Full GPO replication Reply with quote

We are running a Windows 2003 AD.

I have used repadmin /syncall a number of times.
I normally add /e to the command to sync to all servers in the domain and /P to push updates to other domain controllers.
It solved many AD synchronization problems.

I do not think that repadmin /syncall is also replicating GPO's.
Repadmin /syncall is only synchronizing Active Directory data.

Maybe it is better to change one of the settings, and undo the change, in every GPO that needs to replicate.
Back to top
View user's profile Send private message Visit poster's website
JRBTech
Just Arrived
Just Arrived


Joined: 23 Apr 2010
Posts: 0


Offline

PostPosted: Mon Apr 26, 2010 5:15 pm    Post subject: Reply with quote

That might work...

The only other command I can think of that might help is replmon. This would bring up the Replication Monitor so you should be able to see when the GPO is being replicated. It will not force replication, but would allow you to see if replication is occuring at all.
Back to top
View user's profile Send private message Visit poster's website
nonsence
Just Arrived
Just Arrived


Joined: 20 Oct 2003
Posts: 0


Offline

PostPosted: Thu May 06, 2010 8:51 pm    Post subject: gpo troubleshooting Reply with quote

repadmin is NOT used to check group policy replication since those files are not part of active directory but rather a folder called sysvol which uses frs for replication, or dfs-r on windows 2008.

use gpupdate and gpotool to troubleshoot the application and versions of gpo objects on the domain.
using gpotool you can see the gui name of the gpo and find that in active directory to make sure the reference for the files are there.

http://support.microsoft.com/kb/315457
here's a kb that shows how to recreate the sysvol share on a windows 2003 box which uses frs. this wouldnt apply if u r using server 2008 with dfsr.

if you are using dfsr then the tool to use is the dfs management console which can give you html reports of replication status or dfsradmin.exe

don't confuse active directory replication with group policy replication, they are 2 different things. activedir just keeps a reference of the group policy objects it does not hold the actual files or templates and scripts in the database. those are stored as normal files in a shared folder called sysvol which gets replicated using a different service and protocol seperate from activedir database.
Back to top
View user's profile Send private message
mickdonald37
Link Spammer
Link Spammer


Joined: 14 May 2011
Posts: 16777215


Offline

PostPosted: Sat May 14, 2011 9:29 am    Post subject: Reply with quote

It will not force replication, but would appropriate you to see if replication is occuring at all. This would bring up the Replication Monitor so you should be able to see when the GPO is being replicated.
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Exchange 2000 // 2003 // 2007 & Active Directory All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register