Been working on an issue on some of my Domain Controllers receiving the following error:
The SysVol Permissions for one or more GPOs on this domain controller are not in sync with the permissions for the GPOs on the Baseline domain controller
In researching and testing this, I found that modifying a clean GPO would sometimes result in the error showing up. I also saw that the mismatch was always between DCs running different Windows Server versions. So Server 2012 DCs didn't sync up with 2012 R2 DCs, but were always in sync with DCs running the same Server OS.
Some searches indicated that I needed KB 2866345 installed. After verifying that all servers did indeed have this patch installed and had been rebooted, I was back to researching. DCDiag is monitored by tools automatically for failures, but checking this yielded no results indicating any replication issues with my DCs.
Some searches indicated that renaming the GPOs fixed the issue for others, but it did not resolve it for me. I did a comparison of all permissions on one of the GPOs but could not find any permission differences between the DCs. Checking the GPOs on both DCs directly indicated they were in sync.
Event logs provided no relevant information related to GPO sync issues or AD replication problems. I started a BPA scan just to see if I could find anything possibly amiss and came across an interesting issue:
Warning: There should not be a large number of replication conflicts in the replicated folder 'SYSVOL Share' (Category: Operation)
Checking my DCs, they did in fact have a lot of replication conflicts in ConflictAndDeleted, most from ages ago and a handful from the past year.
My PDC only had 3 files in ConflictAndDeleted and was trusted to have the correct GPO content. Ensure you have backups and are aware of what you are doing. The next step was to clear this out to clean up that BPA issue:
https://gallery.technet.microsoft.com/Clear-DFSR-ConflictAndDelet-66a1d81c
A handy PowerShell script allowed me to run through my DCs quickly and remove these. This script didn't run on my PDC, so I ran this manually against my DC:
# $hostname holds the name of the DC being cleaned; the filter selects the SYSVOL replication group
$dfsrinfo = Get-CimInstance -ComputerName $hostname -Namespace root/MicrosoftDfs -ClassName DfsrReplicatedFolderInfo -Filter "ReplicationGroupName = 'Domain System Volume'" -ErrorAction Stop
# CleanupConflictDirectory purges the ConflictAndDeleted store for that replicated folder; ReturnValue 0 means success
$result = $dfsrinfo | Invoke-CimMethod -MethodName CleanupConflictDirectory
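As an added example (my own, not the gallery script linked above), here is a report-first version of the same procedure: it surveys the SYSVOL replicated folder on every DC so you can see which ones actually hold conflicts before purging anything, and only calls CleanupConflictDirectory with an explicit switch. It assumes the ActiveDirectory module, WinRM access to each DC and admin rights, and it skips the PDC emulator by default since that copy was treated as the trusted source.

```powershell
# Survey the 'Domain System Volume' replicated folder on all DCs, then optionally clean up.
# Report-only unless -Cleanup is given. Assumes ActiveDirectory module, WinRM and admin rights.
param(
    [switch]$Cleanup,                  # actually run CleanupConflictDirectory
    [int]$ConflictSizeThresholdMb = 0  # only clean DCs whose conflict store exceeds this size
)
$pdc    = (Get-ADDomain).PDCEmulator
$filter = "ReplicationGroupName = 'Domain System Volume'"
$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName
    try {
        $info = Get-CimInstance -ComputerName $name -Namespace root/MicrosoftDfs `
                    -ClassName DfsrReplicatedFolderInfo -Filter $filter -ErrorAction Stop
        # Config class gives the on-disk ConflictAndDeleted path; match it by folder GUID
        $cfg  = Get-CimInstance -ComputerName $name -Namespace root/MicrosoftDfs `
                    -ClassName DfsrReplicatedFolderConfig `
                    -Filter "ReplicatedFolderGuid = '$($info.ReplicatedFolderGuid)'" -ErrorAction Stop
    } catch {
        Write-Warning "${name}: could not query DFSR via CIM ($($_.Exception.Message))"
        continue
    }
    # Count what is really sitting in ConflictAndDeleted via the admin share (C:\... -> \\dc\C$\...)
    $share = "\\$name\" + ($cfg.ConflictPath -replace ':', '$')
    $files = @(Get-ChildItem -LiteralPath $share -Force -File -Recurse -ErrorAction SilentlyContinue).Count

    $cleaned = $null
    if ($Cleanup -and $name -ne $pdc -and $info.CurrentConflictSizeInMb -gt $ConflictSizeThresholdMb) {
        $r = $info | Invoke-CimMethod -MethodName CleanupConflictDirectory
        $cleaned = $r.ReturnValue   # 0 = success
    }
    [pscustomobject]@{
        DC            = $name
        IsPDC         = ($name -eq $pdc)
        State         = $info.State                   # 4 = Normal, 5 = In Error
        ConflictMb    = $info.CurrentConflictSizeInMb
        ConflictFiles = $files
        LastCleanup   = $info.LastConflictCleanupTime
        CleanupResult = $cleaned
    }
}
$report | Format-Table -AutoSize
```

Run it once without -Cleanup to compare the conflict counts against your PDC, then again with -Cleanup after you have a backup of SYSVOL.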
After this, checking my GPOs shows everything is in sync now. Modifying them no longer results in any errors showing up.