Fixing Replication Issues for Domain Controllers

If you have issues with Group Policy not replicating correctly, some of the following steps might help you. 95% of the time there is something wrong with the permissions.

First, make sure that the GPOs permissions are set correctly. You might want to reset them to default in case there are too many changes.

In Group Policy Management Console, click on your domain then Delegation tab -> Advanced -> Advanced -> Restore Defaults.

At this point you will have to wait at least 15 minutes for the group policy files to replicate to all the domain controllers. The wait time depends on your replication settings and on the number of group policies in use.

You will probably see more ACL errors while everything is replicating.

If you want to force a replication, you can use the following PowerShell command, which runs repadmin /syncall against every domain controller in the domain:

Get-ADDomainController -Filter * | %{repadmin /syncall /edjQSA $_.hostname}
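After forcing a sync it helps to confirm that replication actually converged before chasing ACL errors. The script below is an added example, not part of the original post: it lists replication failures and partner metadata from the ActiveDirectory module, then compares the set of GPO GUID folders that each domain controller exposes under its SYSVOL share. Any DC whose Policies folder list differs from the largest set is still behind or has a SYSVOL problem. It assumes the ActiveDirectory module is installed and that the account running it can read every DC's SYSVOL share.

```powershell
# Added example (not from the original post): check AD replication health and
# SYSVOL convergence across all domain controllers.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Directory replication: is any partner reporting failures?
$failures = Get-ADReplicationFailure -Target $dcs -ErrorAction SilentlyContinue
if ($failures) {
    $failures |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
        Format-Table -AutoSize
} else {
    Write-Host "No replication failures reported by any DC."
}

# 2. Last successful replication per partner (default naming context)
Get-ADReplicationPartnerMetadata -Target $dcs -Scope Server |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Sort-Object Server, Partition |
    Format-Table -AutoSize

# 3. SYSVOL convergence: every DC should expose the same GPO GUID folders
$perDc = @{}
foreach ($dc in $dcs) {
    $path = "\\$dc\SYSVOL\$domain\Policies"
    try {
        $perDc[$dc] = @(Get-ChildItem -Path $path -Directory -ErrorAction Stop |
            Select-Object -ExpandProperty Name | Sort-Object)
    } catch {
        Write-Warning "Cannot read $path : $($_.Exception.Message)"
    }
}

# Use the DC with the most GPO folders as the reference set
$reference = ($perDc.GetEnumerator() |
    Sort-Object { $_.Value.Count } -Descending |
    Select-Object -First 1).Value

foreach ($dc in $perDc.Keys) {
    $diff = Compare-Object -ReferenceObject $reference -DifferenceObject $perDc[$dc]
    if ($diff) {
        Write-Warning "$dc differs from the largest SYSVOL policy set:"
        $diff | Format-Table -AutoSize
    } else {
        Write-Host "$dc : $($perDc[$dc].Count) GPO folders, in sync"
    }
}
```

Run it a few minutes after the repadmin command. If step 3 keeps reporting differences while steps 1 and 2 are clean, the problem is in SYSVOL replication (DFSR or FRS) rather than directory replication, and the permission checks further down are the next thing to look at.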

I also recommend making sure that the SYSVOL permissions on all your domain controllers are correct. You could use the PowerShell script below to make sure that "Enterprise Domain Controllers" has the appropriate rights on the Policies folders.

Save the code below as a .ps1 file and make sure you replace the value of $FQDN with your domain's FQDN:

$FQDN = "yourdomainhere"
$path = "C:\Windows\SYSVOL\sysvol\$FQDN\Policies"

# Access rule to add and then remove again; writing the ACL twice forces the
# DACL to be re-applied and propagated to the GPO subfolders.
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS", "WriteData", "Allow")

# Get-Acl on a wildcard path returns one ACL per match, so handle each item on its own
foreach ($item in (Get-Item -Path "$path*")) {
    $acl = Get-Acl -Path $item.FullName
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl -Path $item.FullName
    $acl.RemoveAccessRule($accessRule) | Out-Null
    $acl | Set-Acl -Path $item.FullName
}
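Before (or instead of) rewriting ACLs, it is worth auditing what each domain controller currently has. The script below is an added example, not part of the original post: it reads the ACL of the Policies folder and of every GPO folder on every DC over the SYSVOL share, flags folders that have no Allow entry for "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS" or that carry Deny entries, and reports any folder whose ACL (compared as SDDL) differs between DCs. It changes nothing and assumes the ActiveDirectory module and read access to each DC's SYSVOL share.

```powershell
# Added example (not from the original post): read-only audit of SYSVOL GPO folder
# ACLs on all domain controllers, looking for missing EDC entries and divergence.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$edc = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"

$results = foreach ($dc in $dcs) {
    $policies = "\\$dc\SYSVOL\$domain\Policies"
    # The Policies folder itself plus one folder per GPO GUID
    $folders = @(Get-Item -Path $policies -ErrorAction SilentlyContinue) +
               @(Get-ChildItem -Path $policies -Directory -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        $edcAllow = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $edc -and $_.AccessControlType -eq 'Allow'
        })
        [pscustomobject]@{
            DC        = $dc
            Folder    = $folder.Name
            HasEdcAce = ($edcAllow.Count -gt 0)
            EdcRights = (($edcAllow | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; ')
            DenyAces  = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
            Sddl      = $acl.Sddl
        }
    }
}

# Folders where Enterprise Domain Controllers has no Allow entry at all
$missing = $results | Where-Object { -not $_.HasEdcAce }
if ($missing) {
    Write-Warning "Folders without an Allow ACE for $edc :"
    $missing | Format-Table DC, Folder, DenyAces -AutoSize
}

# Folders with explicit Deny entries, which frequently cause policy read errors
$results | Where-Object { $_.DenyAces -gt 0 } | Format-Table DC, Folder, DenyAces -AutoSize

# Same folder, different ACL on different DCs: replication or a manual change diverged
$results | Group-Object Folder | ForEach-Object {
    $variants = @($_.Group | Group-Object Sddl)
    if ($variants.Count -gt 1) {
        Write-Warning "$($_.Name): $($variants.Count) distinct ACLs across DCs"
        foreach ($v in $variants) {
            "  {0}: {1}" -f (($v.Group | ForEach-Object { $_.DC }) -join ','), $v.Name
        }
    }
}
```

Folders listed under the divergence check are the ones to look at first: once a GPO folder carries a different DACL on two DCs, clients get different results depending on which DC they happen to read from, which is exactly the intermittent "ACL errors while everything is replicating" symptom described above.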
