Sysvol replication question

SmitaCarneiro posted this 24 February 2017

Came across something new and I wonder if any of you who have Server 2016 know about this.

We have a new domain with Server 2012 R2 DCs. Clients have just started migrating into this. Windows 7 and Windows 10. One department has added Server 2016. The Schema is at 2012 R2 level.

On a 2016 server running gpresult shows a mismatch between AD and sysvol.

I ran repadmin and also used the DFS management tool to check the health of Sysvol. Clean. DCDiag also shows no errors. No error in the DFS logs. Used PowerShell to compare the versions of the user and computer portions of the GPO in AD and on sysvol.

Everything I have used shows no errors. This only happens on a Server 2016 box.

Any ideas?

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
Ross Enterprise Center
3495 Kent Avenue, Suite 100
West Lafayette, IN 47906

darren posted this 24 February 2017

This is a known reporting issue when running RSOP against Win7/2008-R2 machines. I’m curious if you also see it on Win10 machines, and also, what version of Windows you are running gpresult on?

 

Darren

SmitaCarneiro posted this 24 February 2017

Strange, I’ve never seen that error before.

Server 2016.

 




darren posted this 24 February 2017

So is Server 2016 the target that is generating this error, or is Server 2016 where gpresult is running (or both)?

 

Darren

SmitaCarneiro posted this 24 February 2017

He’s running gpresult on Server 2016 and I believe the target is Server 2016.

He’s doing some more digging. (This is a different department and someone else owns and looks after the server.)

 




SamErde posted this 5 weeks ago

This reminds me of a question asked on ServerFault a few years ago. There were two answers that provide a resolution by modifying the GPT.INI file due to a version mismatch between the Default Domain Controllers Policy DS and Sysvol.
"Any ideas why the group policy diagnostic utility GPOTool would report a GPO version mismatch between two domain controllers if the version numbers are a match?"
http://serverfault.com/questions/400118/why-is-gpo-tool-reporting-a-gpo-version-mismatch-when-the-gpo-version-s-do-mat
Is your server in question a domain controller?
Sam



SmitaCarneiro posted this 4 weeks ago

Sam,

 

Sorry I did not reply earlier, meant to and …

Anyway, the server is not a domain controller.

I ran a PowerShell script to compare the user and computer versions of each sysvol version of each GPO with the AD counterpart.

In each GPO, the user versions were the same for both AD and sysvol. The same for the computer versions.

 

I do not see this error when I run gpresult on Windows 8.1; this has only been seen so far on a Server 2016 box.

 


SamErde posted this 4 weeks ago

Hmmm, then I guess I'd follow with some questions:
What version OS are you creating/editing the GPOs from? (Windows 10 and Server 2016, or an older base?)
Are you using AGPM?
Could it be related to the PolicyDefinitions folder on the 2016 server having a newer version of an ADMX file than what is in SysVol?
For some reason your screenshot is barely legible on my screen, so maybe these questions have already been answered. Is that version mismatch regarding a Windows Firewall GPO, a different GPO, or just a different section in the same GPO?
Sam



SmitaCarneiro posted this 4 weeks ago

Yes, the GPOs were created earlier using Windows 8.1.

No AGPM used.

 

The newer PolicyDefinition folder on the 2016 server could be the issue. I’ll definitely look into that.



The mismatches seemed to be for a number of GPOs, and they are a mixture of older and newer ones. Just one deals with a firewall.

 

Thanks Sam!

 

 

 


darren posted this 4 weeks ago

I just wrote a blogpost about this (https://sdmsoftware.com/group-policy-blog/gp-troubleshooting/making-sense-of-group-policy-sysvol-mismatch-errors/). Just to be clear, are you seeing it running GPResults against Server 2016 systems or from Server 2016 to Win7/2008-R2 systems? Specifically, I have not seen this show up on any versions of Windows except for Win7-2008-R2, but that said, I admittedly don’t have a bunch of Server 2016 systems here in my test environment.

That said, it’s important to keep in mind that this is not a SYSVOL replication problem. This is strictly a client-side reporting problem, where the client is not correctly reporting what it thinks the SYSVOL version of the GPOs it’s processing is. In all cases that I’ve seen this, the actual SYSVOL (GPT) version in the GPT.ini in SYSVOL is consistent with the AD (GPC) version. I can even see in GP history on a given client where it is recording the SYSVOL version as FFFF (as shown here):

So I think the bottom line is that this is a broken RSOP reporting problem for Microsoft (that I would be surprised if they fixed). I do agree that it can set off alarm bells when you look at it, but as near as I can tell, it is a non-issue in real terms.



 


Darren
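
The AD (GPC) versus SYSVOL (GPT) version comparison discussed in this thread, as an added example that is not part of any poster's message and is not the script Smita ran. It decodes the single 32-bit version number stored in both places (high 16 bits user, low 16 bits computer) and compares the halves; the function names and the sample GPOs are hypothetical and constructed for illustration.

```powershell
# Added example: decode and compare GPO version numbers (AD GPC vs SYSVOL GPT).
# Both stores hold one 32-bit number: high 16 bits = user, low 16 bits = computer.

function Split-GpoVersion {
    param([Parameter(Mandatory)][long]$Version)
    [pscustomobject]@{
        User     = [int]($Version -shr 16)
        Computer = [int]($Version -band 0xFFFF)
    }
}

function Get-GptIniVersion {
    # Pull the Version= value out of the text of a GPT.INI file.
    param([Parameter(Mandatory)][string]$Content)
    if ($Content -match '(?im)^\s*Version\s*=\s*(\d+)\s*$') {
        return [long]$Matches[1]
    }
    throw 'No Version= line found in GPT.INI content'
}

function Compare-GpoVersion {
    param([string]$Name, [long]$AdVersion, [string]$GptIni)
    $ad  = Split-GpoVersion -Version $AdVersion
    $gpt = Split-GpoVersion -Version (Get-GptIniVersion -Content $GptIni)
    [pscustomobject]@{
        Name           = $Name
        AdUser         = $ad.User
        SysvolUser     = $gpt.User
        AdComputer     = $ad.Computer
        SysvolComputer = $gpt.Computer
        InSync         = ($ad.User -eq $gpt.User) -and ($ad.Computer -eq $gpt.Computer)
    }
}

# Constructed sample data (not from the thread): versionNumber as read from the
# GPO's AD object, and the GPT.INI text as read from the GPO's SYSVOL folder.
$samples = @(
    @{ Name = 'Constructed-GPO-A'; AdVersion = 196613; GptIni = "[General]`r`nVersion=196613`r`n" }
    @{ Name = 'Constructed-GPO-B'; AdVersion = 131074; GptIni = "[General]`r`nVersion=131073`r`n" }
)

# GPO-A decodes to user 3 / computer 5 on both sides; GPO-B differs in the computer half.
$results = foreach ($s in $samples) { Compare-GpoVersion @s }
$results | Format-Table -AutoSize
```

On a domain-joined machine with the GroupPolicy module installed, `Get-GPO -All` exposes the same four numbers already split, as `User.DSVersion`, `User.SysvolVersion`, `Computer.DSVersion` and `Computer.SysvolVersion`.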

 


SmitaCarneiro posted this 4 weeks ago

Darren,

I believe he is running it on a Server 2016 box. I agree it seems like a client side reporting problem. Sam Erde suggested it could also be a difference in .admx files. So when I get a chance I’m going to spin up a test 2012R2 domain and then add a Server 2016 box to the domain.

Thanks,

Smita Carneiro, GCWN

 

SamErde posted this 4 weeks ago

Smita, you can also put the newest version of all ADMX files into your sysvol. Microsoft releases a downloadable package with each release of Windows. 
Just note that there can be some settings renamed in newer ADMX files, and not just added. 
Sam

 


SmitaCarneiro posted this 4 weeks ago

“Just note that there can be some settings renamed in newer ADMX files, and not just added”

 

Yes, I’ve been bitten by that one before :)

 

Thanks Sam!

 
