Every IT Pro have just one wish: never see a problem with Domain Controllers! But in real world this is not possible, so sometimes could be problems between one or more DC.
When try to run gpupdate /force the console show this message:
Updating policy…
Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows attempted to read the file \mydomain.lcl\SysVol\mydomain.lcl\Policies{5B86A76E-F2FF-4F33-BF5D-46CDC937E3CC}\gpt.ini from a domain controller and was not successful. Group Policy setting s may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled. User Policy update has completed successfully.
It’s message means that the SYSVOL folders are not align so there’s a problem between Domain Controllers. Checking the event viewer you can find Event ID 2213, as showed in figure 1.
Figure 1 – Event ID 2213
Sometimes the command wmic /namespace:\root\microsoftdfs path dfsrVolumeConfig where volumeGuid=”0968820E-6969-11E2-93E7-806E6F6E6963″ call ResumeReplication works without problem but if doesn’t you can use the command chkdsk /f /r. Before running the command, remember to stop all the services about AD/DFS.
Have you solved? Great! If not, go ahead! ID 6004, figure 2, is another symthom of the problem.
Figure 2 – Event ID 6004
Check if the DCs are able to ping the network and if the replica is ok with cmd repadmin /showreps, as showed in figure 3.
Figure 3 – Repadmin /showreps
If is all ok, the Event ID 4012 could be the cause of the problem. This message, figure 4, say that the replica is disconnected because the MaxOfflineTimeInDays is too high respect the default value (60 days).
Figure 4 – Event ID 4012
Normally you can remove this server from the replication group, and then add it back to the group but with DC it’s impossible. So the only way is change the MaxOfflineTimeInDays of this Domain Controller with the command wmic.exe /namespace:\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=xxx (insert here the value + 1 showed in ID 4012).
Wait few minutes and check if the ID 4002 is present on source DC and the ID 5004 is present in destination DC.
You can also use another great tool, called AD Replication Status Tool, to check if the replica is ok: http://www.microsoft.com/en-us/download/details.aspx?id=30005
#DBS