Why is GPO Tool reporting a GPO version mismatch when the GPO version #'s do match?

windows active-directory windows-server-2003 group-policy replication

Solution 1:

Your issue is caused by a version mismatch between the Default Domain Controllers Policy DS and Sysvol portions, not a difference between the two DC's. Your DC's are in sync with each other, but the data they are syncing is out of sync with itself. What you want to do is set the DS and Sysvol versions to the the same value. To be safe, go with 1(user) 45(machine). The value you will need to enter is 65581 (1 * 65536 + 45 = 65581). Open \\domainname\sysvol\policies\{Default_Domain_Controllers_Policy_GUID}\gpt.ini in notepad and set Version=65581. Now using ADSIEdit, ADExplorer, adfind, etc, browse to CN={Default_Domain_Controllers_Policy_GUID},CN=Policies,CN=System,DC=domainname and set versionnumber to 65581. Now go to lunch and whenyou come back, run GPOTool again. All the version numbers should report as 65581 and/or 1(user) 45(machine).

Note: The Default Domain Controllers Policy GUID is always 6AC1786C-016F-11D2-945F-00C04FB984F9, but verify that is in fact the GUID in case someone renamed it and created another GPO with the same name.

See the following pages for more in depth descriptions of how GPO version numbers are calculated and utilized:

  • http://blogs.technet.com/b/grouppolicy/archive/2007/12/14/understanding-the-gpo-version-number.aspx?Redirected=true
  • https://blogs.technet.com/b/grouppolicy/archive/2008/01/08/understanding-the-domain-based-gpo-version-number-scripts-included.aspx?Redirected=true

Solution 2:

It's not saying your DCs are version mismatched, it's saying that one of your GPOs is.

You need to track down the offending policy ("Policy {GUID}") and under the sysvol folder on your DCs, navigate to its folder (\DC\sysvol\policies{GUID}) and check the GPT.INI file on both the DCs. It will have a version number in it, and the version number will be different on the different DCs - this is the version mismatch it's complaining about.

Correcting it depends on what exactly caused the mismatch - you may be able to correct it by editing the version number in GPT.ini, or it may be a result of some bigger problem, like faulty FRS replica sets, ACL settings on that particular GPO, etc. Not enough information to determine what exactly the root cause is.

Related

iptables - Clear all PREROUTING rules with a specific destination address
Nagios best practices for setting up hosts/services?
Why is Denic not accepting my nameservers?
Postfix SMTP sends to localhost, ignores MX records set to Google Apps
Windows 7 Network Connections empty
How to configure teaming, teamed VLANs, and hyper-v?
How to make working TFTP server on CentOS 6.2
Awstats: awstats_buildstaticpages.pl only builds 1 report, not full reports
Can I configure OWA (2010) to tell a user when their account is locked out?
SSHing with the nobody user
Routes bound to virtual interfaces, Debian, and how to determine specifics, after the fact
Is it possible to define a block in a zone file as constant in Dynamic DNS (using bind)?