DC Selection

By default, the tests are performed against all the DCs in the domain. However, it's possible to define which DCs you want to include in the test.  The Domain level test, as shown above, provides a list of DCs that have been discovered; you can limit which DCs will be included in the test by selecting as required DCs.  This selection is then used for both the Domain and Individual tests.

Test Details

The testing is completed in two phases; first, the details are collected from each of the selected DCs, and then in phase two, the captured details are compared across all the selected DCs.  The first selected DC in the server list is used as the source, and all the other DCs are compared against this DC; you can change this by using the context menu to move another DC to the top of the list, which will be used as the source DC.

During the Collection phase, the following details are captured and tests performed:

• Display Name of the Policy
• Sysvol Path
• Functionality Version
• GPO Flags
• GPO Version Number (User and Machine)
• WMI Filter assigned
• GPO Machine Extensions
• GPO User Extensions
• When Created
• When Last Changed
• AD Permissions
• Number of sub-AD objects under the GPO for both User and Machines settings
• Check the Sysvol path is accessible
• Capture the security permissions of the root of the policy folder
• Check that the trustees assigned Apply Group Policy right in the AD have access to the following location in the Sysvol path:
  • The root of the policy folder
  • GPT.ini
  • User folder
  • Machines folder
• Capture the GPO version details from the GPT.ini file (User and Machine)
• Capture the file count, total file size, and directory count for these sub-directories:
  • Machine
  • User

Once the details have been captured from all the selected DCs, phase two will compare each value to confirm the details are the same across all the DCs.  If there are any differences, it will report an error, or the traffic lights indicators for the test will be Red.   The Compare phase, in addition to comparing the details captured in phase one, will also complete the following tests:

• Compare the AD DACL ACE Count
• Compare the Sysvol DACL ACE Count
• Confirm the ACE in the Sysvol DACL are in the same order
• Compare the AD Security Descriptor
• Compare the Sysvol Security Descriptor
• Check for duplicate ACEs
• Check the order of the permissions

The Individual test option displays the results as pass\fail and doesn't provide much detail on the reason for the failure.  However, the Domain level test provides details of the captured information and failure details when the Display Policy Details option is selected before running the test.

If any AD replication tests fail, you can select the individual GPO and use the Context Menu option to run a Check AD Replication test on the GPO AD object; this will automatically populate the Attribute Replication test for you.