RS
Apr 25, 2021

“AD / SYSVOL version mismatch” message is displayed unexpectedly in the Group Policy Results report in Windows

Summary:

In this post, I would like to share that I recently encountered a Group Policy error for an enterprise customer whose Active Directory infrastructure is in Windows Server 2012 R2 forest / domain mode, in which SYSVOL was already provisioned in DFSR mode, and on which Group Policy settings were shown as AD / SYSVOL version mismatch.

Incident details:

When running the wizard in the Group Policy Management Console (GPMC) snap-in on a Windows 8-based, Windows Server 2012-based, Windows 8.1-based, or Windows Server 2012 R2-based computer, the following message is displayed unexpectedly in the alerts section of the Group Policy Results report:

AD / SYSVOL version mismatch

This issue also occurs when you use the Gpresult.exe command-line tool on a client computer.

The alerts section of the Group Policy Results report displays the result of the comparison between the version of the Group Policy template and the version of the Group Policy Container (GPC) for each GPO.

Before proceeding to fix the version mismatch warning on the domain controller, we first need to understand the two places behind the AD / SYSVOL comparison in detail.

Group Policy is stored in two locations as follows

1. Group Policy Container (GPC)

2. Group Policy Template (GPT)

Group Policy Container (GPC)

A Group Policy container is a location in Active Directory that stores GPOs and their properties. The properties of a GPO include both computer and user Group Policy information. The Policies container is the default location of GPOs. The path to the Policies container, in Lightweight Directory Access Protocol (LDAP) syntax, is CN=Policies,CN=System,DC=Domain_Name, where the Domain_Name values specify a fully qualified domain name (FQDN).

The Active Directory store contains the Group Policy container of each GPO in the domain. The Group Policy container contains attributes that are used to deploy GPOs to the domain, and to OUs and sites within the domain. The Group Policy container also contains a link to the file system component of a GPO, the Group Policy template. Some of the information in a Group Policy container includes:

Version information. Ensures that the information is synchronized with the Group Policy template information.

Status information. Indicates whether the user or computer portion of the GPO is enabled or disabled.

List of components. Lists the extensions that have settings in the GPO. These attributes are gPCMachineExtensionNames and gPCUserExtensionNames.

File system path. Specifies the Universal Naming Convention (UNC) path to the Sysvol folder. This attribute is gPCFileSysPath.

Functionality version. Gives the version of the tool that created the GPO. Currently, this is version 2. This attribute is gPCFunctionalityVersion.

WMI filter. Contains the distinguished name of the WMI filter. This attribute is gPCWQLFilter.

Group Policy Template (GPT)

Group Policy settings are stored in the file system of the domain controllers, which is known as the Group Policy template.

The groupPolicyContainer object for each GPO has a property, gPCFileSysPath, which contains the UNC path to its related Group Policy template.

E.g.: \\rs.local\sysvol\rs.local\Policies\{00011441-173B-4868-B058-1A7807D93B58}

All Group Policy templates in a domain are stored in the \\domain_name\Sysvol\domain_name\Policies folder, where domain_name is the FQDN of the domain.

The Group Policy template contains actual data for the policy extensions, for example, the Security Settings inf file, Administrative Template-based policy settings .adm and .pol files, applications available for the Group Policy Software installation extension, and potentially scripts.

Resolution

The mismatch is remediated by modifying the GPO version, using GPMC and the ADSIEDIT tool. The policies with mismatched versions are gathered with GPOTool:

a) Generate a fresh report by using gpotool (gpotool /domain:rs.local /verbose)

b) Look for the policies reported with a version mismatch

c) Back up the mismatched policies from the GPMC tool: select the policy, right-click “Backup”, and select the target location to store the backup

Scenario-1:-

If the SYSVOL GPT (Group Policy Template) version has a later timestamp than the GPC (Group Policy Container) version number, then the attribute needs to be modified under “CN=Policies,CN=System,DC=rs,DC=local” by locating the specified GUID with the ADSIEDIT.msc tool.

Log in to the PDC server “PDC”

Step-1:- Click Start -> Run -> ADSIEDIT.msc

Step-2:- Navigate to “CN=Policies,CN=System,DC=rs,DC=local”

Step-3:- Select the mismatched GPO by its GUID

Step-4:- Right-click the selected GUID policy and click Properties

Step-5:- Select the attribute named “VersionNumber” and modify it to equal the SYSVOL version of the same policy GUID, found by navigating to \\rs.local\sysvol\rs.local\Policies\{512A1F53-694C-4B88-8E6A-269CBEE4DC00}

Open the GPT.ini file, copy the version number, paste it into the “VersionNumber” attribute value, and click OK to complete the change

Scenario-2:-

If the DS version in the GPC (Group Policy Container) has the later timestamp, then the SYSVOL GPT (Group Policy Template) version needs to be modified to match it, by navigating to the corresponding GUID under \\csmglobal.net\sysvol\csmglobal.net\Policies\{GUID}\User or Machine and editing the GPT.ini file.

Log in to the PDC server “PDC”

Step-1:- Select the mismatched policy's GUID value and paste it into Notepad

Step-2:- Click Start -> Run -> type \\rs.local\sysvol\rs.local\Policies\

Step-3:- In the search box, paste the mismatched policy GUID and click Search

Step-4:- Click Start -> Run -> ADSIEDIT.msc

Step-5:- Navigate to “CN=Policies,CN=System,DC=rs.local,DC=net”

Step-6:- Select the mismatched GPO by its GUID

Step-7:- Right-click the selected GUID policy and click Properties

Step-8:- Select the attribute named “VersionNumber” and copy the version value

Step-9:- Open that GUID's template (GPT) folder found by the search under \\rs.local\sysvol\rs.local\Policies\ and then open the file named GPT.ini

Step-10:- Paste the version value copied from the ADSIEDIT “VersionNumber” attribute into the GPT.ini file and refresh the policy from the GPMC tool

Validation

a) Open GPMC Console

b) Navigate to the policy which has recently changed

c) Click on the Details tab

d) Ensure that the AD and SYSVOL version numbers match
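The same AD-versus-SYSVOL comparison can be run for every GPO at once. The read-only PowerShell below is an added example, not part of the original post: it assumes the ActiveDirectory module (RSAT) and read access to the SYSVOL share of the queried domain controller, and the function names `Split-GpoVersion` and `Get-GpoVersionMismatch` are illustrative.

```powershell
#Requires -Modules ActiveDirectory
# Added example (read-only): compare each GPO's versionNumber in AD (GPC)
# with Version= in GPT.ini on one DC's SYSVOL. Function names are illustrative.

function Split-GpoVersion {
    param([long]$Version)
    # The 32-bit value packs two counters: user (high 16 bits), computer (low 16 bits).
    'U{0}/C{1}' -f (($Version -shr 16) -band 0xFFFF), ($Version -band 0xFFFF)
}

function Get-GpoVersionMismatch {
    param([string]$Server = (Get-ADDomain).PDCEmulator)   # default: PDC emulator

    $base = 'CN=Policies,CN=System,' + (Get-ADDomain -Server $Server).DistinguishedName
    $gpcs = Get-ADObject -Server $Server -SearchBase $base -SearchScope OneLevel `
        -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, versionNumber, gPCFileSysPath

    foreach ($gpc in $gpcs) {
        # gPCFileSysPath is \\<domain>\sysvol\...; pin it to the DC that was queried
        # so AD and SYSVOL are read from the same replica, not a DFS-chosen one.
        $gptDir = $gpc.gPCFileSysPath -replace '^\\\\[^\\]+', "\\$Server"
        $ini    = Join-Path $gptDir 'GPT.ini'

        $gptVersion = $null
        if (Test-Path -LiteralPath $ini) {
            $hit = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' |
                Select-Object -First 1
            if ($hit) { $gptVersion = [long]$hit.Matches[0].Groups[1].Value }
        }

        $state = if ($null -eq $gptVersion) { 'GPT.ini missing or unreadable' }
                 elseif ($gptVersion -gt $gpc.versionNumber) { 'SYSVOL higher' }
                 elseif ($gptVersion -lt $gpc.versionNumber) { 'AD higher' }
                 else { 'Match' }

        [pscustomobject]@{
            Name   = $gpc.displayName
            Guid   = $gpc.Name
            AD     = '{0} ({1})' -f $gpc.versionNumber, (Split-GpoVersion $gpc.versionNumber)
            SYSVOL = if ($null -ne $gptVersion) { '{0} ({1})' -f $gptVersion, (Split-GpoVersion $gptVersion) }
            State  = $state
        }
    }
}

# List only the GPOs that need attention; nothing is modified.
Get-GpoVersionMismatch | Where-Object State -ne 'Match' | Format-Table -AutoSize
```

Running it with `-Server` set to each domain controller in turn separates a genuine GPC/GPT mismatch from one that only appears on a replica that has not yet received the latest change.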
