Group Policy depends on other technologies in order to properly replicate between domain controllers in a network environment. A GPO is a virtual object stored in both Active Directory and the SYSVOL of a domain controller. Property settings, stored in the Group Policy container, are replicated through Active Directory replication. Replication automatically copies the changes that originate on a writable directory partition replica to all other domain controllers that hold the same directory partition replica. More specifically, a destination domain controller pulls these changes from the source domain controller.
Data settings, stored in the SYSVOL as the Group Policy template, are replicated through the File Replication Service (FRS), which provides multi-master file replication for designated directory trees between designated servers running Windows Server 2000 and above. The Group Policy container stores GPO properties, including information about version, GPO status, and a list of components that have settings in the GPO. The Group Policy template is a directory structure within the file system that stores Administrative Template-based policy settings, security settings, script files, and information regarding applications that are available for software installation. The Group Policy template is located in SYSVOL in the \Policies sub-directory for its domain. GPOs are identified by their globally unique identifiers (GUIDs) and stored at the domain level. The settings from a GPO are only applied when the Group Policy container and Group Policy template are synchronized.
To check the status of Active Directory and SYSVOL replication on each server:
- If available, open the GPOTOOL.TXT output from the “Network Connectivity and Configuration” test.
- The status output from Gpotool.exe provides the information needed to determine whether Active Directory and SYSVOL are synchronized for each domain controller that you can connect to.
- Go to the bottom of the GPOTOOL.TXT output.
- If the GPOTOOL output shows “Policies OK”, then the Active Directory and SYSVOL portions of Group Policy are synchronized.
- If Active Directory is not synchronized between domain controllers, discontinue troubleshooting Group Policy, and investigate Active Directory replication.
- If you find that SYSVOL is not synchronized between two domain controllers, discontinue troubleshooting Group Policy, and investigate the File Replication Service (FRS) replication.
Additional Test 1
To verify that Active Directory is replicating successfully:
On the domain controller from which the client workstation received its policy settings, open a CMD prompt. (How to tell which domain controller the workstation received its group policy settings from)
Type the following command:
Repadmin /showreps > Repadmin.txt
Open Repadmin.txt with Notepad.
Verify that the last replication (Last Attempt) for this domain controller was successful with its connection partner(s).
Example Output from RX-ADC2:
DC Options: (none)
Site Options: (none)
DC object GUID: 4fac5f9a-542f-44ce-8795-8118a781c68f
DC invocationID: 093fadfb-f793-4ae7-92e0-11a48bbc2131
==== INBOUND NEIGHBORS ======================================
Default-First-Site-Name\RX-DC1 via RPC
DC object GUID: 71cb15bc-fb24-4a84-b803-e77fddbd6f33
Last attempt @ 2013-08-21 15:42:48 was successful.
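When a domain controller has many connection partners, the check in Additional Test 1 can be scripted. The following Python sketch is an added example, not part of the original article or of Repadmin; it parses saved Repadmin.txt text and lists inbound neighbors whose last attempt was not successful. The sample input is constructed: the example.com naming contexts, the placeholder GUIDs and the failed entry are assumptions modeled on the layout of the output shown above.

```python
import re

# Constructed sample in the layout of the example output above. The example.com
# naming contexts, placeholder GUIDs and the failed entry are assumptions.
SAMPLE = r"""DC Options: (none)
Site Options: (none)
==== INBOUND NEIGHBORS ======================================
DC=example,DC=com
    Default-First-Site-Name\RX-DC1 via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2013-08-21 15:42:48 was successful.
CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\RX-DC1 via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2013-08-21 15:40:02 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2013-08-20 09:12:31.
"""

CONTEXT = re.compile(r"^\s*((?:DC|CN)=.+?)\s*$")
PARTNER = re.compile(r"^\s*(.+?)\\(\S+) via (\S+)\s*$")
ATTEMPT = re.compile(r"^\s*Last attempt @ (\S+ \S+) (was successful|failed)(.*)$")

def parse_inbound(text):
    """Return one record per inbound neighbor in saved repadmin output."""
    records, context, current, inbound = [], None, None, False
    for line in text.splitlines():
        if line.lstrip().startswith("===="):        # section banner
            inbound = "INBOUND NEIGHBORS" in line
            continue
        if not inbound:
            continue
        if m := CONTEXT.match(line):                # directory partition line
            context = m.group(1)
        elif m := PARTNER.match(line):              # Site\Server via transport
            current = {"context": context, "site": m.group(1), "partner": m.group(2),
                       "ok": None, "when": None, "detail": ""}
            records.append(current)
        elif current and (m := ATTEMPT.match(line)):
            current["when"] = m.group(1)
            current["ok"] = m.group(2) == "was successful"
            current["detail"] = m.group(3).strip(" ,:.")
    return records

def failing(records):
    """Neighbors whose last attempt failed or was never reported."""
    return [r for r in records if r["ok"] is not True]

if __name__ == "__main__":
    for r in parse_inbound(SAMPLE):
        print("OK   " if r["ok"] else "CHECK", r["partner"], r["context"], r["when"], r["detail"])
```

To use it on a real capture, read the contents of Repadmin.txt into a string and pass it to parse_inbound; any record returned by failing points to a partner whose Active Directory replication should be investigated before continuing with Group Policy troubleshooting.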
Additional Test 2 (not practical in large environments)
To verify that the File Replication Service is replicating SYSVOL:
Create and copy a small text file into the \\domain.com\SYSVOL\domain.com folder.
Wait for at least one replication cycle.
Check the SYSVOL folder on all of the domain controllers for the presence of the TXT file.