Group Policy does not replicate

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This topic explains how to troubleshoot replication issues for Group Policy.

Causes

There can be a lag time after a change has been made on one domain controller before the change is replicated to all other domain controllers. The propagation and resolution of these changes throughout the network is an ongoing process called replication convergence.

Until changes to a GPO have been replicated to the domain controller that a client is accessing, that client will receive the earlier version of the GPO during Group Policy refresh. If you suspect both replication and Group Policy refresh issues, address the replication issue first. Then refresh Group Policy at the client.

Changes to the OU memberships of computers and users also need to be replicated before they can be reflected in Group Policy application at the client. For more information, see GPO does not apply to a specific user or computer.

In general, it is best to use the same domain controller for all GPO editing, or to agree on a process (such as delegated administration of GPOs) that minimizes the likelihood of the same GPO being edited on different domain controllers. If changes are made to the same GPO at two different domain controllers, the last change wins. In addition, if you delegate control of a specific GPO to a user group, members of that group might be unable to perform the delegated tasks until the permissions have been replicated to their domain controller.

Although Remote Procedure Call (RPC) is not required for general application of policy settings, the File Replication service (FRS) does require RPC to be working on the domain controller. In addition, anything that calls the Local Security Authority (LSA) requires RPC.

Solutions

There are several options for troubleshooting replication issues:

  • The Group Policy container and Group Policy template are each assigned version numbers, which are incremented when the GPO is modified. Use GPOTool to verify that the versions are synchronized.

  • Use Event Viewer to examine the Directory Service event log on the domain controller. Active Directory replication errors appear with source=KCC.

  • Use Event Viewer to examine the File Replication service event log on the domain controller. FRS errors appear with source=NTFRS.

  • Verify that the SYSVOL share exists on the domain controller. You should be able to find \\domain_controller_name\SYSVOL, where domain_controller_name is the fully qualified domain name (not the NetBIOS name) of the domain controller.

  • Use Gpotool.exe to determine if there is an inconsistency between the Active Directory and SYSVOL versions of the same GPO across peer domain controllers. This information can help you determine if replication latency is preventing the Windows client from receiving the correct policy. If you think this is the case, use Replmon.exe and Repadmin.exe (included with Windows 2000 Support Tools) to determine the replication partners for the domain controller that the client used as a source for the Group Policy and to determine if replication is succeeding.

  • To troubleshoot file replication issues, check the status of the Distributed File System (DFS) links and targets. Group Policy requires DFS. For more information, see "To check status of a DFS root, DFS link, or target" in Help and Support Center for Windows Server 2003.

  • You can use the Sonar.exe tool to check the health of the SYSVOL share.
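The version comparison and event-log checks from the list above, scripted as an added example (not code from the original topic): it assumes a domain-joined host with RPC access to each domain controller, a placeholder domain name, and the well-known Default Domain Policy GUID as the GPO to inspect.

```powershell
# Added example: for one GPO, compare the Active Directory (GPC) version with the
# SYSVOL GPT.INI version on each domain controller, flag drift between DCs, and list
# recent KCC / NTFRS errors. Assumptions: domain-joined host with RPC access to every
# DC; $Domain is a placeholder; the GUID is the well-known Default Domain Policy.
param(
    [string]$Domain  = "corp.example.com",
    [string]$GpoGuid = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
)
$domainDn = "DC=" + ($Domain -replace '\.', ',DC=')
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList "Domain", $Domain
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainControllers |
       ForEach-Object { $_.Name }   # FQDNs, as the SYSVOL check requires

# A GPO version packs the user half in the high 16 bits and the computer half in the low 16.
function Split-GpoVersion([int]$Version) {
    "user={0} computer={1}" -f [math]::Floor($Version / 65536), ($Version -band 0xFFFF)
}

$adVersions = @{}
foreach ($dc in $dcs) {
    # 1. GPC version from this DC's own copy of the directory (bind to the DC, not the domain)
    $gpc = [ADSI]"LDAP://$dc/CN=$GpoGuid,CN=Policies,CN=System,$domainDn"
    $adVersion = [int]$gpc.Properties["gPCVersionNumber"].Value
    $adVersions[$dc] = $adVersion
    # 2. GPT version from this DC's own SYSVOL share (not the domain-wide DFS path)
    $gptIni = "\\$dc\SYSVOL\$Domain\Policies\$GpoGuid\GPT.INI"
    $sysvolVersion = $null
    if (Test-Path $gptIni) {
        $m = Select-String -Path $gptIni -Pattern '^Version=(\d+)'
        if ($m) { $sysvolVersion = [int]$m.Matches[0].Groups[1].Value }
    }
    $state = if ($sysvolVersion -eq $null) { "SYSVOL copy missing or unreadable" }
             elseif ($adVersion -eq $sysvolVersion) { "in sync" }
             else { "MISMATCH between AD and SYSVOL" }
    "{0}: AD={1} ({2}) SYSVOL={3} -> {4}" -f $dc, $adVersion, (Split-GpoVersion $adVersion), $sysvolVersion, $state
    # 3. Recent replication errors: Directory Service log (source KCC) and FRS log (source NTFRS)
    try {
        Get-EventLog -ComputerName $dc -LogName "Directory Service" -EntryType Error -Newest 50 -ErrorAction Stop |
            Where-Object { $_.Source -like "*KCC*" } |
            ForEach-Object { "  DS  {0} id={1}: {2}" -f $_.TimeGenerated, $_.EventID, $_.Message.Split("`n")[0] }
        Get-EventLog -ComputerName $dc -LogName "File Replication Service" -Source NTFRS -EntryType Error,Warning -Newest 20 -ErrorAction Stop |
            ForEach-Object { "  FRS {0} id={1}: {2}" -f $_.TimeGenerated, $_.EventID, $_.Message.Split("`n")[0] }
    } catch { "  could not read event logs on {0}: {1}" -f $dc, $_.Exception.Message }
}
# Different GPC versions across DCs mean Active Directory replication has not converged yet.
if (@($adVersions.Values | Sort-Object -Unique).Count -gt 1) {
    "GPC version differs across domain controllers; wait for replication or check the partners with Repadmin.exe"
}
```

A per-DC line reading "in sync" on every controller but with differing version numbers between controllers points at replication latency rather than a broken SYSVOL, which is the distinction the Gpotool.exe step above draws.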

See Also

Concepts

Group Policy does not refresh