Group Policy is essential for managing settings across multiple computers in a Windows domain. Sometimes, you may notice that Group Policy Objects (GPOs) are not syncing properly between domain controllers. This can cause inconsistent settings and security issues within your network.
Fixing Group Policy sync problems can seem complicated, but with clear steps, you can troubleshoot and resolve most issues quickly. This article will guide you through simple, detailed solutions to get Group Policy syncing correctly again on Windows 11 domain controllers.
Following these instructions carefully will help maintain the health of your Active Directory environment. Let’s begin by understanding some quick checks before diving into deeper troubleshooting.
By the end, you’ll have a better grasp of how to identify and fix common causes of Group Policy synchronization failures.
Quick Note: Prerequisites and Initial Checks
- Ensure Network Connectivity: Both domain controllers must be able to communicate over the network without issues.
- Check Time Synchronization: Domain controllers should have their system clocks synced to avoid replication problems.
- Verify DNS Settings: Proper DNS resolution is critical as domain controllers rely on DNS to locate each other.
- Confirm Replication Health: Active Directory replication must be working properly for Group Policy to sync.
These quick checks help you eliminate basic network or system issues before moving on to more specific Group Policy troubleshooting.
Step 1: Verify Replication Status Between Domain Controllers
Group Policy synchronization depends on Active Directory replication. If replication is broken, GPOs won’t sync. To check replication status, use the repadmin tool:
repadmin /replsummary
This command summarizes the replication status between all domain controllers. Look for any errors or failures reported.
If errors appear, run:
repadmin /showrepl
This gives more detailed information about replication issues, including which partners are failing.
Why this matters: Group Policy objects are stored in Active Directory. Without proper replication, changes made on one domain controller won’t appear on others.
Step 2: Check the SYSVOL and Netlogon Shares
The SYSVOL folder stores the actual Group Policy templates and scripts. The Netlogon share is also essential for domain functions. If these shares are missing or inaccessible, Group Policy won’t sync.
To check if SYSVOL and Netlogon shares are present, open Command Prompt and run:
net share
Look for SYSVOL and NETLOGON in the list. If they’re missing, the File Replication Service (FRS) or Distributed File System Replication (DFSR) may be failing.
Fixing this:
- Restart the DFS Replication service:
net stop dfsr && net start dfsr
- Check event logs under Applications and Services Logs → DFS Replication for errors.
- If using FRS (older systems), ensure it’s running properly or consider migrating to DFSR.
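The share, service and event-log checks of this step, run against every domain controller at once, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory RSAT module is installed and PowerShell remoting (WinRM) is enabled to each DC; the 24-hour event lookback is an arbitrary assumption.

```powershell
# Added example, not from the article: verify the SYSVOL/NETLOGON shares, the DFSR service
# and recent DFS Replication errors on every domain controller in the domain.
# Assumes the ActiveDirectory RSAT module and PowerShell remoting (WinRM) to each DC.
Import-Module ActiveDirectory

function Test-SysvolHealth {
    param([int]$EventLookbackHours = 24)   # assumption: how far back to scan the DFS Replication log

    foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
        try {
            $r = Invoke-Command -ComputerName $dc -ArgumentList $EventLookbackHours -ErrorAction Stop -ScriptBlock {
                param($hours)
                # Same information as 'net share', queried through the SMB module
                $shares = Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue |
                          Select-Object -ExpandProperty Name
                $svc = Get-Service -Name DFSR -ErrorAction SilentlyContinue
                # Only Critical (1) and Error (2) entries from the DFS Replication log inside the window;
                # Get-WinEvent reports "no events found" as an error, hence SilentlyContinue
                $events = @(Get-WinEvent -FilterHashtable @{
                    LogName = 'DFS Replication'; Level = 1, 2; StartTime = (Get-Date).AddHours(-$hours)
                } -ErrorAction SilentlyContinue)
                [pscustomobject]@{
                    SysvolShared   = $shares -contains 'SYSVOL'
                    NetlogonShared = $shares -contains 'NETLOGON'
                    DfsrService    = if ($svc) { $svc.Status.ToString() } else { 'not installed (FRS?)' }
                    DfsrErrors     = $events.Count
                    LastErrorId    = if ($events.Count) { $events[0].Id } else { $null }
                }
            }
        } catch {
            Write-Warning "$dc could not be queried: $($_.Exception.Message)"
            continue
        }
        $healthy = $r.SysvolShared -and $r.NetlogonShared -and $r.DfsrService -eq 'Running' -and $r.DfsrErrors -eq 0
        [pscustomobject]@{
            DC = $dc; Healthy = $healthy; SysvolShared = $r.SysvolShared; NetlogonShared = $r.NetlogonShared
            DfsrService = $r.DfsrService; DfsrErrors = $r.DfsrErrors; LastErrorId = $r.LastErrorId
        }
    }
}

Test-SysvolHealth | Format-Table -AutoSize
```

A DC whose row shows Healthy = False is the one to open the DFS Replication event log on; the LastErrorId column tells you which event to search for in Microsoft's documentation.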
Step 3: Force Group Policy Update Manually
Sometimes, Group Policy changes don’t propagate automatically or immediately. You can manually force an update on a domain controller by running:
gpupdate /force
This command forces the system to reapply all Group Policy settings immediately.
Note: gpupdate only reapplies policy on the machine where it runs; it does not replicate GPOs between domain controllers. On client machines it helps confirm that policies are being received, while on a domain controller it ensures that DC's own local policy is consistent.
Step 4: Use the Group Policy Management Console (GPMC) to Check GPO Status
The Group Policy Management Console allows you to see which GPOs exist on each domain controller and their replication status.
- Open GPMC by typing gpmc.msc in the Run dialog.
- Navigate to the Group Policy Objects folder and inspect each GPO.
- Check the Details tab for version numbers of User and Computer configurations.
- If version numbers differ between domain controllers, replication is not up-to-date.
This visual check helps identify which GPOs are out of sync.
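The same version comparison done in bulk rather than GPO by GPO in the console, as an added PowerShell example that is not from the original article. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the account can read GPOs from every DC; it also goes one step beyond the text by comparing each GPO's AD (DS) version with its SYSVOL version on the same DC, which separates AD replication lag from SYSVOL replication lag.

```powershell
# Added example, not from the article: compare each GPO's AD (DS) and SYSVOL version numbers
# as reported by every domain controller, i.e. the GPMC Details-tab check done in bulk.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules are installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Compare-GpoVersions {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName))

    $queried = 0
    # One row per GPO per DC; -Server makes Get-GPO read from that specific DC
    $rows = foreach ($dc in $DomainControllers) {
        try { $gpos = Get-GPO -All -Server $dc -ErrorAction Stop }
        catch { Write-Warning "Could not read GPOs from ${dc}: $($_.Exception.Message)"; continue }
        $queried++
        foreach ($gpo in $gpos) {
            [pscustomobject]@{
                Id = $gpo.Id; Name = $gpo.DisplayName; DC = $dc
                CompDS = $gpo.Computer.DSVersion; CompSysvol = $gpo.Computer.SysvolVersion
                UserDS = $gpo.User.DSVersion;     UserSysvol = $gpo.User.SysvolVersion
            }
        }
    }

    foreach ($g in ($rows | Group-Object Id)) {
        $tuples = @($g.Group | ForEach-Object { "$($_.CompDS)/$($_.CompSysvol)/$($_.UserDS)/$($_.UserSysvol)" } | Sort-Object -Unique)
        $problems = @()
        # GPO object not yet present on every queried DC: AD replication has not delivered it
        if ($g.Count -lt $queried) { $problems += 'missing on some DCs' }
        # Same GPO reports different versions on different DCs: AD replication lag
        if ($tuples.Count -gt 1) { $problems += 'versions differ between DCs' }
        # AD and SYSVOL versions disagree on one DC: SYSVOL (DFSR/FRS) replication lag
        if ($g.Group | Where-Object { $_.CompDS -ne $_.CompSysvol -or $_.UserDS -ne $_.UserSysvol }) {
            $problems += 'AD and SYSVOL versions differ'
        }
        if ($problems) {
            [pscustomobject]@{
                Gpo     = $g.Group[0].Name
                Problem = $problems -join ', '
                Detail  = ($g.Group | ForEach-Object { "$($_.DC): Computer=$($_.CompDS)/$($_.CompSysvol) User=$($_.UserDS)/$($_.UserSysvol)" }) -join '; '
            }
        }
    }
}

$mismatches = @(Compare-GpoVersions)
if ($mismatches.Count) { $mismatches | Format-List } else { 'All GPOs report identical AD and SYSVOL versions on every DC.' }
```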
Step 5: Reset the Domain Controller’s NTFRS or DFSR Replication
If replication remains broken, you may need to reset the replication service. For DFSR, you can perform a non-authoritative or authoritative synchronization:
- Non-authoritative restore: The domain controller gets a fresh copy of SYSVOL from a replication partner.
- Authoritative restore: The domain controller’s copy overwrites others.
Use the DFSRDIAG tool or follow Microsoft’s official guides carefully, as improper use can cause data loss.
Alternative Method: Use PowerShell to Check Replication
PowerShell can quickly provide replication health info. Run:
Get-ADReplicationPartnerMetadata -Target <DomainControllerName>
This cmdlet shows replication metadata and helps identify partners with replication issues.
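The cmdlet above, extended to every domain controller and every replication partner so that failing or stale partnerships are flagged in one pass (the PowerShell counterpart of the repadmin /replsummary check in Step 1), as an added example that is not part of the original article. It assumes the ActiveDirectory RSAT module is installed; the 60-minute staleness threshold is an arbitrary assumption.

```powershell
# Added example, not from the article: survey replication partner metadata for every DC in the
# domain and flag partnerships with consecutive failures or a stale last-success time.
# Assumes the ActiveDirectory RSAT module; the 60-minute threshold is an arbitrary assumption.
Import-Module ActiveDirectory

function Get-ReplicationHealthReport {
    param([int]$MaxAgeMinutes = 60)
    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # The default partition is the domain naming context, which is where GPO objects live
            $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both -ErrorAction Stop
        } catch {
            # A DC that cannot be queried at all is itself a finding
            [pscustomobject]@{ DC = $dc.HostName; Partner = '(unreachable)'; Direction = '-'; Partition = '-';
                               Failures = $null; LastSuccess = $null; Status = "ERROR: $($_.Exception.Message)" }
            continue
        }
        foreach ($p in $partners) {
            $ageMin = [int]($now - $p.LastReplicationSuccess).TotalMinutes
            $status = 'OK'
            if ($ageMin -gt $MaxAgeMinutes) { $status = "STALE: last success $ageMin min ago" }
            if ($p.ConsecutiveReplicationFailures -gt 0) { $status = "FAILING: $($p.LastReplicationResult)" }
            [pscustomobject]@{
                DC          = $dc.HostName
                # Partner is the DN of the partner's NTDS Settings object; extract the DC name from it
                Partner     = $p.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
                Direction   = $p.PartnerType
                Partition   = $p.Partition
                Failures    = $p.ConsecutiveReplicationFailures
                LastSuccess = $p.LastReplicationSuccess
                Status      = $status
            }
        }
    }
}

$report = @(Get-ReplicationHealthReport)
$report | Sort-Object Status, DC | Format-Table -AutoSize
$bad = @($report | Where-Object Status -ne 'OK')
if ($bad.Count) { Write-Warning "$($bad.Count) replication partnership(s) need attention; run 'repadmin /showrepl' on the flagged DCs for details." }
```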
Frequently Asked Questions (FAQs)
Why is Group Policy not syncing between domain controllers?
Common reasons include replication failures, network connectivity issues, DNS misconfigurations, or problems with SYSVOL replication.
How do I know if Active Directory replication is working?
Use repadmin /replsummary to check the overall replication health. If no errors are reported, replication is usually healthy.
What is SYSVOL and why is it important for Group Policy?
SYSVOL is a shared directory that stores GPO files and scripts. It must be replicated correctly between domain controllers for policies to sync.
Can I force replication manually?
Yes. You can use repadmin /syncall to force replication between domain controllers.
What if gpupdate /force doesn’t help?
It means the problem is likely with replication or SYSVOL shares, not the client side. Focus on checking Active Directory and replication health.
When Nothing Works
If you’ve followed all the steps and Group Policy still isn’t syncing, consider these final options:
- Use Microsoft’s official troubleshooting guide for in-depth procedures.
- Review event logs on domain controllers for critical errors related to DFSR, FRS, or Active Directory replication.
- Consider restoring SYSVOL from backup or performing an authoritative DFSR restore as a last resort.
- Contact Microsoft Support if the problem persists after all troubleshooting.
Conclusion
Group Policy not syncing between domain controllers can disrupt your network management, but most issues stem from replication or SYSVOL problems. Start by checking network connectivity, DNS, and replication health.
Use tools like repadmin, GPMC, and PowerShell to identify where the sync breaks down. Manually forcing updates and ensuring SYSVOL shares are available often resolves common problems.
If advanced steps are needed, carefully reset replication services or consult official Microsoft resources. With patience and systematic troubleshooting, you can restore consistent Group Policy synchronization across your domain controllers on Windows 11.