GPMC on 2012 mbr to 2008R2 Sysvol


    RicklesP

    Got one for the real geeks out there:

    Standing up a new system, and have been having problems with GP settings. Have finally tracked down the root problem, but don’t understand what’s causing it. Searches haven’t turned up an answer so far.

    Physical Environment: 4 servers as Srvr 2012 Datacenter with Hyper-V roles, in 2 clusters (Prime & Replica), with SANs duplicated at each cluster. 1 additional hardware server at each cluster as remote admin, also 2012, but Stnd, with AD, DFS, etc admin remote tools installed. All other servers, including DCs, are VMs in Primary cluster (yeah, it does work with 2012 Hyper-V.)

    Logical Environment:
    *-Forest root with 1 child domain (at present.) Call it ‘parent.local’. Contains DC01 as Forest roles holder, root CA and forest KMS server (no other member servers this level). Forest funct lvl is 2008R2.
    *-Child domain ‘child.parent.local’ has DC02 (domain roles holder, subordinate CA) and DC03. Both DCs are DNS, DHCP in addition to AD. Domain funct lvl is 2008R2. Forest and domain preps were run from 2012 media prior to adding 2012 members to domain.

    What we see is this: changes to GP made thru either domain-level DC are applied, and replicated, as expected. Viewing of GP thru the remote admin server shows all changes/status allowing for replication times. Changing of GP thru the same remote admin server applies changes to AD, but doesn’t apply changes to the Sysvol share, so we end up with version mismatches between the 2. And so we have inconsistent policy application to clients. Makes no difference what account we log into the remote admin server with (God acct included), either. But I can add folders/files to any location in the sysvol share from this remote admin server without incident.

    We can’t use a 2012-OS for the DCs, for reasons I can’t go into. DCDiag, netdiag results show every line as ‘PASSED’. Event logs on DCs show no issues with replication, etc. Anybody have any idea why I can’t change GP from a 2012 member server to a 2008R2 DC, but I can apparently view/access all resources without limitation?
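
An added example, not part of the original post: a PowerShell check that lists every GPO whose version in AD differs from the `Version=` value in `GPT.INI` on each DC's own SYSVOL share, which is the mismatch described above. It assumes the RSAT GroupPolicy module on the admin server, uses the domain and DC names from the post, and relies on the version number holding the user count in its upper 16 bits and the computer count in its lower 16 bits.

```powershell
# Added example: find GPOs whose AD version and SYSVOL (GPT.INI) version disagree.
# Assumes the RSAT GroupPolicy module; domain and DC names are taken from the post.
Import-Module GroupPolicy

$domain = 'child.parent.local'
$dcs    = 'DC02', 'DC03'

$report = foreach ($dc in $dcs) {
    foreach ($gpo in Get-GPO -All -Domain $domain -Server $dc) {
        # Read GPT.INI from this DC's SYSVOL share directly, not through a DFS referral.
        $ini = "\\$dc\SYSVOL\$domain\Policies\{$($gpo.Id)}\GPT.INI"
        $iniUser = $null
        $iniComputer = $null

        if (Test-Path -LiteralPath $ini) {
            $hit = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' |
                   Select-Object -First 1
            if ($hit) {
                $version     = [long]$hit.Matches[0].Groups[1].Value
                $iniUser     = $version -shr 16       # upper 16 bits: user settings
                $iniComputer = $version -band 0xFFFF  # lower 16 bits: computer settings
            }
        }

        [pscustomobject]@{
            DC          = $dc
            GPO         = $gpo.DisplayName
            DSUser      = $gpo.User.DSVersion
            IniUser     = $iniUser
            DSComputer  = $gpo.Computer.DSVersion
            IniComputer = $iniComputer
            # A missing or unreadable GPT.INI leaves the Ini values null, so it is reported too.
            Match       = ($gpo.User.DSVersion -eq $iniUser) -and
                          ($gpo.Computer.DSVersion -eq $iniComputer)
        }
    }
}

# Show only the GPOs where AD and SYSVOL are out of step on at least one DC.
$report | Where-Object { -not $_.Match } | Sort-Object GPO, DC | Format-Table -AutoSize
```

Running it before and after an edit made from the remote admin server shows which side (AD or SYSVOL) received the change and on which DC.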
