The sysvol permissions for one or more GPOs on this domain controller are not in sync with the permissions for the GPOs on the baseline domain
Update: I managed to fix this by manually applying the sysvol ACLs for the policies at both servers... for some reason I had to add the domain\administrators group as full control for each policy under sysvol\policies and then it synced fine... everything's working now and I'll look at migrating to DFSR later when we can upgrade the DFL. Cheers
Anyone else seeing this problem - if you only have one or two policies it might be quicker to back up the settings, delete them all out and then add them back in again which would have the same effect.
This occurs when a GPO has changed on the local computer but a replication event has not completed to the other participating Domain Controllers. You can force replication to the other DCs in the Forest "Get-ADDomainController -Filter * | %{repadmin /syncall /edjQSA $_.hostname}" or simply wait for 15-20 minutes and refresh the GPMC. This is by design and will typically resolve itself on the next replication cycle.
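To see which policies actually differ before re-applying ACLs or forcing replication, the following added example (not from any of the posts above) compares the security descriptor of each GPO folder under SYSVOL on every domain controller. It assumes the ActiveDirectory and GroupPolicy RSAT modules and read access to each DC's SYSVOL share, and it covers only the SYSVOL side, not the permissions on the GPO objects in the directory.

```powershell
# Added example: list GPO folders whose SYSVOL ACL is not identical on all DCs.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory, GroupPolicy

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$gpos   = Get-GPO -All -Domain $domain

$report = foreach ($gpo in $gpos) {
    # SYSVOL folder name is the GPO GUID in braces, e.g. {31B2F340-...}
    $folder = $gpo.Id.ToString('B').ToUpper()

    $perDc = foreach ($dc in $dcs) {
        $path = "FileSystem::\\$dc\SYSVOL\$domain\Policies\$folder"
        try {
            # SDDL string = owner, group and DACL in one comparable value
            $sddl = (Get-Acl -LiteralPath $path -ErrorAction Stop).Sddl
        } catch {
            # Missing folder or access denied is itself a finding
            $sddl = "UNREADABLE: $($_.Exception.Message)"
        }
        [pscustomobject]@{ DC = $dc; Sddl = $sddl }
    }

    # More than one distinct value means at least one DC disagrees.
    # Note: the same ACEs in a different order also count as a difference.
    $distinct = @($perDc | Select-Object -ExpandProperty Sddl -Unique)
    if ($distinct.Count -gt 1) {
        foreach ($row in $perDc) {
            [pscustomobject]@{
                GPO    = $gpo.DisplayName
                Folder = $folder
                DC     = $row.DC
                Sddl   = $row.Sddl
            }
        }
    }
}

if ($report) {
    $report | Sort-Object GPO, DC | Format-List
} else {
    'All GPO folders carry the same ACL on every DC.'
}
```

A policy that still shows different SDDL strings after a full replication cycle is one where the folder ACL itself needs attention, as in the update above.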