Some computers are not able to process Group Policy after the local domain controller is shut down

bmar28 20 Reputation points
2024-06-30T23:45:47.3766667+00:00

I have a site whose local server resources I have recently migrated to Azure. I have one local DC left on prem, and I also have DCs in Azure.

I have pointed all the client computers at the Azure DCs, and that seems to work fine. I then shut off the local DC just to see if there were any other dependencies before I demoted it out of the domain. The computers on prem are not able to run Group Policy to map drives now that the local DC is off.

I have connectivity to the Azure DCs and name resolution across the WAN. It's connected via an L2L VPN. I also have connectivity to a data center where we have other DCs, including the PDC.

Here is the error I get when I try and run gpupdate /force on a computer:

The processing of Group Policy failed. Windows attempted to read the file \\test.local\sysvol\test.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved.


Accepted answer
Daisy Zhou 20,556 Reputation points Microsoft Vendor
    2024-07-01T12:55:06.63+00:00

    Hello bmar28,

    Thank you for posting in Q&A forum.

    It sounds like you're experiencing issues with Group Policy replication and access over the VPN connection to the Azure DCs.

    Here are some troubleshooting steps you can try to resolve this issue:

    1. Check Connectivity:

    • Ensure that the client computers can reach the Azure DCs over the network. You can use the ping command to test connectivity.
    • Verify that there are no firewall rules or network security groups blocking traffic between the on-premises clients and the Azure DCs. Specifically, ensure that ports required for LDAP, SMB, and Kerberos are open (e.g., TCP/UDP 389, TCP/UDP 445, TCP/UDP 88).

    2. DNS Configuration:

    • Ensure the client computers are using the correct DNS servers that can resolve the domain names to the IP addresses of the Azure DCs.
    • You can use the nslookup command to verify DNS resolution for the domain and DCs.

    3. Replication Health:

    • Check the replication status of your domain controllers using the repadmin /replsummary command on a DC.
    • Ensure that the SYSVOL folder is properly replicated across all domain controllers.

    Use dcdiag /v and net share commands to verify SYSVOL status.

    4. DC Health:

    • Run dcdiag /v on the Azure DCs to ensure they are functioning correctly and there are no issues reported.
    • Check the event logs on the Azure DCs for any errors or warnings related to replication or Group Policy.

    5. SMB and DFS:

    • Ensure that the client machines can access the SYSVOL share on the Azure DCs. You can try accessing the path \\AzureDC\SYSVOL from a client machine.
    • Verify that Distributed File System (DFS) is functioning correctly, as it is used for SYSVOL replication.

    6. Group Policy Objects (GPOs):

    • Ensure that the GPOs are correctly applied and replicated to the Azure DCs. You can use the Group Policy Management Console (GPMC) to view the status of GPOs.

    7. Force Replication:

    • You can manually force replication using repadmin /syncall /AdeP to ensure all changes are synchronized across DCs.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
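The steps in the accepted answer can be run as one read-only check from an affected on-prem client. The script below is an added example, not code from the question or the answer: it assumes the domain name `test.local` and the Default Domain Policy GUID from the error message in the question, and the DC names `AZDC01`/`AZDC02` are placeholders you replace with your own Azure DCs. It reports which DC the locator hands out, whether the LDAP/Kerberos SRV records resolve, whether TCP 88/389/445 are reachable on each DC, and whether the exact `gpt.ini` that `gpupdate` complained about can be read both directly from each DC and through the `\\test.local\SYSVOL` domain path (which is served through DFS namespace referrals).

```powershell
# Added example, not part of the Q&A post. Read-only checks that follow the
# troubleshooting steps above. Domain and GPO GUID come from the question;
# the DC names are placeholders (assumption) - replace them with your own.
param(
    [string]$Domain = 'test.local',
    [string[]]$DomainControllers = @('AZDC01.test.local', 'AZDC02.test.local'),
    [string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
)

$results = @()

# 1. Which DC does the DC locator return right now? If the client's site still
#    maps to the powered-off on-prem DC, this is where it shows up.
$locator = nltest /dsgetdc:$Domain /force 2>&1
$results += [pscustomobject]@{ Check = 'DC locator'; Target = $Domain; Result = ($locator -join ' ') }

# 2. DNS: the SRV records clients use to find DCs for LDAP and Kerberos.
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    try {
        $recs = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' }
        $results += [pscustomobject]@{ Check = 'SRV record'; Target = $srv; Result = ($recs.NameTarget -join ', ') }
    } catch {
        $results += [pscustomobject]@{ Check = 'SRV record'; Target = $srv; Result = "FAIL: $($_.Exception.Message)" }
    }
}

foreach ($dc in $DomainControllers) {
    # 3. TCP reachability for Kerberos (88), LDAP (389) and SMB (445), the ports
    #    the answer lists. Test-NetConnection only tests TCP, not UDP.
    foreach ($port in 88, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $results += [pscustomobject]@{ Check = "TCP $port"; Target = $dc; Result = $(if ($ok) { 'open' } else { 'BLOCKED' }) }
    }

    # 4. Read the exact file gpupdate failed on, directly from this DC. The
    #    Version= line lets you spot SYSVOL replication lag between DCs.
    $gptIni = "\\$dc\SYSVOL\$Domain\Policies\$GpoGuid\gpt.ini"
    try {
        $ver = (Get-Content -Path $gptIni -ErrorAction Stop | Select-String '^Version=').Line
        $results += [pscustomobject]@{ Check = 'gpt.ini (per DC)'; Target = $gptIni; Result = $ver }
    } catch {
        $results += [pscustomobject]@{ Check = 'gpt.ini (per DC)'; Target = $gptIni; Result = "FAIL: $($_.Exception.Message)" }
    }
}

# 5. The domain-name path Group Policy actually uses is resolved through DFS
#    namespace referrals to a DC in the client's site. Compare with step 4.
$domainPath = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\gpt.ini"
$readable = Test-Path -Path $domainPath
$results += [pscustomobject]@{ Check = 'gpt.ini (domain path)'; Target = $domainPath; Result = $(if ($readable) { 'readable' } else { 'FAIL' }) }

$results | Format-Table -AutoSize
```

How to read the output: if the per-DC `gpt.ini` reads succeed on every Azure DC but the `\\test.local\SYSVOL` domain path fails, the problem is not SYSVOL content or ports but which DC the client is referred to; check the Active Directory Sites and Services subnet-to-site mapping for the on-prem subnet now that its local DC is off. Differing `Version=` values between DCs point at the SYSVOL replication checks (`repadmin`, `dcdiag`) in the answer.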

