Domain admin can't edit GPOs on DC

Question

I have come across a weird situation.

We have 3 domain controllers, 2 Server 2008 R2 & 1 Server 2008, in our single domain environment. When I login to one of the DCs, let's say DC1, with my domain admin account and access Group Policy Management Console (GPMC), I can't edit any GPOs, and also I can see inaccessible next to few GPOs applied to the domain. However, with the same domain admin, when I access GPMC on another DC, I can see all the GPOs applied to the domain and I can also edit all the GPOs.

I have also noticed that under the problematic DC,DC1, I cannot see 2 GPOs at all under the Group Policy Objects node on GPMC. Whereas, I can see them on the other two DCs.

I have done a lot of research on this, but so far no luck!

Please help!

What does event viewer say? Any errors related to ntfrs service? — FACTORY909, Jan 24 '17 at 01:59
Hi, I can see NTFrs error 13568 in event viewer. It's been logged there every now and then. Any opinion? Thanks — R. Blueryan, Jan 24 '17 at 03:02

score 0 · Answer 1 · answered Jan 24 '17 at 02:28

0

Hi Ryan looks like a classic replication issue,when editing gpos on any dc-usually it changes files in the sysvol folder on the Domain Controller holding the PDC Emulator role ,determine which DC holds the PDC role,and test replication from it to the problematic DC.

answered Jan 24 '17 at 02:28

Devops_Dave

21
4

Hi, thanks for your reply. I should have mentioned that when I use another domain admin on the problematic DC, DC1, I can access all the GPOs and edit them etc. It's only a particular domain admin on that particular DC, DC1, which seems to have those problems. – R. Blueryan Jan 24 '17 at 02:53
1.does that domain admin work fine on the other DC which holds pdc role? 2.is it a new account? BR – Devops_Dave Jan 28 '17 at 21:00
That domain admin works fine on the PDC emulator. And no, it's not a new account. – R. Blueryan Jan 30 '17 at 11:48

score 0 · Answer 2 · answered Jan 24 '17 at 05:22

Stop FRS.
Start Registry Editor (Regedt.exe).
Locate and click the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup

On the Edit menu, click Add Value , and then add the following registry value:

Value name: BurFlags Data type: REG_DWORD Radix: Hexadecimal Value data: D2

Quit Registry Editor.
Restart FRS. You will then see events under the File Replication Service source showing the SYSVOL being rebuilt. It will take down the SYSVOL and NETLOGON shares until the replication has finished. You can run the net share command to verify.

Domain admin can't edit GPOs on DC

2 Answers2