DFSR Event ID 5014 Error 9036 with a new Domain Controller

First of all some stats:

  • I stood up my Domain Controller on Fri Sep 13 2013 22:53:26 UTC+0200 (Central European Summer Time). It was a 2012 R2 Essentials at first, now it's a 2019 Essentials, on the same hardware that still sits next to me.
  • 2 HDDs and 1 SSD that had the OS on them have died during that time – the backup was what saved me each time.

But right now, it keeps on slowly dying – on the inside. I recently bought new hardware and finally P2Ved the machine, and now it seems to bug out more and more. With an Essentials SKU there were many roles installed on this one machine. Standing up more servers wasn't an option due to the costs attached. The issue is that I can no longer install updates. KB5014692 keeps failing with an error that is very unknown, and my google-fu isn't strong enough. So it is clearly time to set up a new one.

Moving the FSMO roles wasn't even that much of an issue (shoutout to Argonsys, who keep updating their article for that). However, I ran into the issue of not being able to sync group policy objects. A question mark let me know that the Sysvol folder could not be synchronised (for some objects).

The DFS Replication service is stopping communication with partner <DC Hostname> for replication group Domain System Volume due to an error. The service will retry the connection periodically.
Additional Information:
Error: 9036 (Paused for backup or restore)
Connection ID: A GUID
Replication Group ID: Another GUID

Source: DFSR Event

The solution in PowerShell form

After some digging I found this old TechNet post, and the answer to that is actually the answer to the problem! So I sat down and wrote a quick and dirty PowerShell script to fix it. It needs to be run on the old (hopefully still running) domain controller. Do not create new GPOs on the old domain controller after that, because the issue will appear again. Please make sure you have a valid backup of your server, or at least of that folder.

# https://social.technet.microsoft.com/Forums/ie/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016
# Run elevated on the OLD domain controller. Get-ADDomain comes from the RSAT AD module.
Import-Module ActiveDirectory

######### CHANGE THE DOMAIN ADMINS GROUP NAME DEPENDING ON THE LANGUAGE OF YOUR FIRST DC #########
$DomAdminsName = "Domänen-Admins"
$Identity = New-Object System.Security.Principal.NTAccount($DomAdminsName)

# DNSRoot is the DNS name of this domain; .Forest only matches it in the forest root domain.
$DomName = (Get-ADDomain).DNSRoot

# Every GPO folder under SYSVOL, except the central store (PolicyDefinitions),
# which is not a GPO and keeps its own ACL.
$GPOs = Get-ChildItem "C:\Windows\SYSVOL\sysvol\$DomName\Policies" -Directory |
        Where-Object Name -ne "PolicyDefinitions"

# The ACE each GPO folder has to carry: explicit Allow / FullControl for Domain Admins.
$AccessRuleAllow = New-Object System.Security.AccessControl.FileSystemAccessRule($DomAdminsName, "FullControl", "Allow")

foreach ($Gpo in $GPOs) {
    # Remove the Domain Admins ACEs first ...
    $FolderACL = Get-Acl $Gpo.FullName
    $FolderACL.PurgeAccessRules($Identity)
    Set-Acl -Path $Gpo.FullName -AclObject $FolderACL
    Start-Sleep 1
    # ... and re-add the ACE afterwards. The rewritten ACL gives DFSR a change to replicate.
    $FolderACL = Get-Acl $Gpo.FullName
    $FolderACL.SetAccessRule($AccessRuleAllow)
    Set-Acl -Path $Gpo.FullName -AclObject $FolderACL
}
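As an added example (not the post's script), the same repair written so that it does not depend on the localized group name: Domain Admins is resolved from the domain SID plus the well-known RID 512, the SYSVOL path is derived from the domain's DNSRoot, and the script first reports which policy folders lack the explicit Full Control ACE and only rewrites ACLs when -Fix is passed. It assumes SYSVOL is at its default location under $env:SystemRoot and that it is run elevated on the old DC.

```powershell
# Added example, not the post's script. Run elevated on the old domain controller.
# Assumption: SYSVOL lives at the default location under $env:SystemRoot.
param([switch]$Fix)

Import-Module ActiveDirectory

$domain = Get-ADDomain
# Domain Admins is always <domain SID>-512, whatever its display name is in this language.
$domAdminSid  = New-Object System.Security.Principal.SecurityIdentifier("$($domain.DomainSID.Value)-512")
$domAdminName = $domAdminSid.Translate([System.Security.Principal.NTAccount]).Value

$policiesPath = Join-Path $env:SystemRoot "SYSVOL\sysvol\$($domain.DNSRoot)\Policies"
$fullControl  = [System.Security.AccessControl.FileSystemRights]::FullControl

# Same ACE as in the post: explicit Allow / FullControl on the GPO folder itself.
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule($domAdminSid, $fullControl, "Allow")

# GPO folders only; the central store (PolicyDefinitions) is skipped.
$folders = Get-ChildItem -Path $policiesPath -Directory | Where-Object Name -ne 'PolicyDefinitions'

foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName

    # Check on the SID, not the name, so the result is independent of localization.
    $present = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $domAdminSid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $fullControl) -eq $fullControl
        }

    # One report row per GPO folder, emitted before any change is made.
    [pscustomobject]@{
        Gpo                 = $folder.Name
        DomainAdmins        = $domAdminName
        ExplicitFullControl = [bool]$present
    }

    if ($Fix) {
        # Same purge / re-add sequence as the post, done against the SID.
        $acl.PurgeAccessRules($domAdminSid)
        Set-Acl -Path $folder.FullName -AclObject $acl
        $acl = Get-Acl -Path $folder.FullName
        $acl.SetAccessRule($ace)
        Set-Acl -Path $folder.FullName -AclObject $acl
    }
}
```

Run it once without -Fix to get the list of folders that are missing the ACE, then with -Fix to apply the same purge and re-add the post's script does. Because the check compares SIDs, it also works when the old DC was installed in a language other than the new one.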

Don't forget to re-sync with:

repadmin /syncall
repadmin /syncall /AdePq

After that, you should see the following event.

The DFS Replication service successfully established an inbound connection with partner <DC Hostname> for replication group Domain System Volume.
Additional Information:
Connection Address Used: <FQDN of the original DC>
Connection ID: A GUID
Replication Group ID: Another GUID

Source: DFSR Event
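To confirm the fix took without scrolling through Event Viewer, here is an added example (not from the post) that reads the local "DFS Replication" log and shows the newest connection state per partner for the Domain System Volume group. Event 5014 is the "stopping communication" error quoted above (its message carries the "Error: 9036" text); the success message quoted above is event 5004. The 24-hour window and the regular expressions used to pull the partner name and error code out of the message text are assumptions about the message format shown in the post.

```powershell
# Added example, not from the post. Summarise the last DFSR connection state per
# partner for the Domain System Volume replication group from the local event log.
#   5014 = stopping communication with partner (the post's error carries "Error: 9036")
#   5004 = inbound connection established (the success event quoted in the post)
$since  = (Get-Date).AddHours(-24)   # assumption: one day of history is enough
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'DFS Replication'
    Id        = 5004, 5014
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Only the SYSVOL replication group is of interest here.
    if ($e.Message -notmatch 'replication group Domain System Volume') { continue }

    # Partner and error code are parsed from the message text shown in the post.
    $partner = if ($e.Message -match 'partner (\S+) for replication group') { $Matches[1] } else { '?' }
    $err     = if ($e.Message -match 'Error:\s*(\d+)') { [int]$Matches[1] } else { $null }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Partner = $partner
        State   = if ($e.Id -eq 5004)  { 'connected' }
                  elseif ($err -eq 9036) { 'paused for backup/restore (9036)' }
                  else                  { "error $err" }
    }
}

# The newest event per partner tells whether the connection was re-established.
$rows | Sort-Object Time -Descending | Group-Object Partner |
    ForEach-Object { $_.Group[0] } | Format-Table Partner, State, Time -AutoSize
```

A partner still listed as "paused for backup/restore (9036)" after the repadmin /syncall runs means the ACL rewrite has not replicated yet or the script was run on the wrong DC; "connected" matches the success event shown above.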