After applying the Windows Server 2016 Security baseline GPO to the Domain Controllers OU, replication does not work (Access Denied error)

Ashan Dissanayake 46 Reputation points
2025-10-17T03:33:25.68+00:00

Dear Team,

After implementing the Windows Server 2016 Security baseline GPO (https://www.microsoft.com/en-us/download/details.aspx?id=55319) on the Domain Controllers OU, replication functions have ceased across all domain controllers. Our environment includes five domain controllers, one of which is hosted in Azure, and none are currently replicating. Additionally, we have observed that the DFSR port is not listening on any of the DCs. Introducing an additional domain controller did not resolve the issue, as it also fails to replicate. We kindly request your prompt assistance in resolving this matter.

Best regards,

Ashan Dissanayake.


6 answers

  1. Ashan Dissanayake 46 Reputation points
    2025-10-30T15:53:35.22+00:00

    Dear VP,

    We haven't restored yet. Currently the FSMO role holder is DC01 (we seized the roles from DC03 and DC04), and now we can add computers to the domain and promote new DCs. But SYSVOL is still not replicating to the new DCs: SYSVOL is basically empty, and net share does not show the Netlogon and Sysvol shares on the newly promoted DCs. We just promoted a new DC; here is the error we receive, which we were unable to fix. Also, we still have DC05, and when we ran netdom query fsmo, it showed the PDC, RID and Infrastructure Master roles on the deleted object of DC03. When we check the replsummary, the new DCs can replicate with DC01, but DC01 can't replicate with the other DCs, showing an "Access is denied" error.

    The new DC's latest DFSR event:

    The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner DC01.domain.com. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.

    Additional Information:

    Replicated Folder Name: SYSVOL Share
    Replicated Folder ID: 88B18AB9-00A0-4BEC-B1B8-0D52671B26D9
    Replication Group Name: Domain System Volume
    Replication Group ID: 8663A13A-A144-48F7-96E6-211D8F58D6A4
    Member ID: D5B77240-CF0B-4820-8D26-7B82D3ED183B
    Read-Only: 0

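The checks the poster ran by hand (service state, SYSVOL/NETLOGON shares, the DFSR event, FSMO holders, replication summary) gathered into one read-only health check. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on a DC, and the DFSR event IDs and the repadmin output patterns used in the filters are assumptions about those tools' output.

```powershell
# Added example: read-only DC health check for the SYSVOL/replication symptoms
# described in the thread. Run on each DC in an elevated PowerShell session.
$report = [ordered]@{}

# 1. The DFS Replication service must be running before SYSVOL can replicate.
$dfsr = Get-Service -Name DFSR -ErrorAction SilentlyContinue
$report['DFSR service'] = if ($dfsr) { $dfsr.Status } else { 'not installed' }

# 2. A healthy DC publishes both SYSVOL and NETLOGON; an empty SYSVOL means neither.
$shares = Get-SmbShare | Select-Object -ExpandProperty Name
$report['SYSVOL share']   = ($shares -contains 'SYSVOL')
$report['NETLOGON share'] = ($shares -contains 'NETLOGON')

# 3. Latest SYSVOL-related DFSR event (assumed IDs: 4614 = initialized SYSVOL and
#    waiting for initial sync, the event quoted above; 4604 = initial sync done).
$evt = Get-WinEvent -LogName 'DFS Replication' -MaxEvents 200 -ErrorAction SilentlyContinue |
       Where-Object { $_.Id -in 4604, 4614 } | Select-Object -First 1
$report['Last SYSVOL DFSR event'] = if ($evt) { "$($evt.Id) at $($evt.TimeCreated)" } else { 'none' }

# 4. FSMO holders: each role should resolve to a live DC, never to a deleted object.
$report['FSMO holders'] = (netdom query fsmo 2>&1) -join '; '

# 5. AD replication summary: flag partners reporting errors (assumed pattern:
#    repadmin prints failures as "(5) Access is denied." style lines).
$repl = repadmin /replsummary 2>&1
$errors = $repl | Select-String -Pattern '\(\d+\)|denied|fail' -CaseSensitive:$false
$report['Replication errors'] = if ($errors) { ($errors -join '; ') } else { 'none reported' }

# 6. Confirm whether the baseline GPO is actually applied to this DC.
$gpos = (gpresult /r /scope:computer 2>&1) | Select-String -Pattern 'baseline' -CaseSensitive:$false
$report['Baseline GPO applied'] = [bool]$gpos

$report
```

Compare the output across all DCs: a DC whose shares are missing or whose last DFSR event is 4614 is still waiting on its partner, so fix the partner that shows replication errors first.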