3

I've created two test VMs in VMWare, both Server 2012 R2 Standard. One was promoted to a DC, with the domain name being test2.local. I modified the DNS record on the other server, and joined it to the test domain. Then I did (from an administrative command prompt) gpupdate /force and the gpresult /H gpresult.html. I looked in the gpresult.html file and saw a warning on the Default Domain Policy. It says: A fast link was detected (not worrying about now) and "AD / SYSVOL Version Mismatch" on Default Domain Policy. Opening up the Default Domain Policy under Applied GPOs shows that the SYSVOL number is 65535.

From what I have been able to gather, this mismatch occurs when there is security filtering and/or WMI filtering in place. I don't think I'm using either one of those, unless they are applied by default.

At this point, I just want a clean base that applies the unchanged Default Domain Policy to a machine without any errors. Then I can keep testing the GPO I'm building without wondering where the errors/warnings are coming from.

Carrot
  • 266
  • 3
  • 8
  • What does GPMC show for the user and computer versions (n/n)? – Greg Askew Dec 16 '15 at 19:13
  • 65535 is always a sign that there was a failure to read the GPO. This could be caused by security filtering or WMI filtering, or read gpLink/gpOptions permissions missing, or replication delays, etc. – Ryan Ries Dec 16 '15 at 19:24
  • @GregAskew User version: 0/0 Computer version: 1/1 – Carrot Dec 16 '15 at 19:48
  • @RyanRies That's what I was reading, but I can't seem to find a way to fix it. I didn't do anything other than join the computer to the domain. Is there something special I need to do in order to allow the machine to read the GPO? – Carrot Dec 16 '15 at 19:52
  • Does gpresult /h report the expected information when run on the domain controller? – Greg Askew Dec 16 '15 at 20:01
  • @GregAskew No, it has the same problem. It shows both the Default Domain Policy AND the Default Domain Controller Policy as having an AD/SYSVOL Version Mismatch. And they're both 65535. – Carrot Dec 16 '15 at 21:17

1 Answers1

0

If you're ok with reverting to the default, you can try running the following on the domain controller:

dcgpofix /ignoreschema /target:Domain  

https://technet.microsoft.com/en-us/library/hh875588.aspx

Greg Askew
  • 34,339
  • 3
  • 52
  • 81
  • Still nothing... I'm seeing the version numbers increment in GPMC, but when I run gpresult on the domain controller, it still shows the SYSVOL version as 65535. – Carrot Dec 16 '15 at 23:49
  • Try enabling group policy environment debug logging to see if that reveals anything: http://social.technet.microsoft.com/wiki/contents/articles/4506.group-policy-debug-log-settings.aspx – Greg Askew Dec 17 '15 at 18:24