Any ideas why the group policy diagnostic utility GPOTool would report a GPO version mismatch between two domain controllers if the version numbers are a match?
Policy {GUID}
Error: Version mismatch on dc1.domain.org, DS=65580, sysvol=65576
Friendly name: Default Domain Controllers Policy
Error: Version mismatch on dc2.domain.org, DS=65580, sysvol=65576
Details:
------------------------------------------------------------
DC: dc1.domain.org
Friendly name: Default Domain Controllers Policy
Created: 7/7/2005 6:39:33 PM
Changed: 6/18/2012 12:33:04 PM
DS version: 1(user) 44(machine)
Sysvol version: 1(user) 40(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{GUID}]
Functionality version: 2
------------------------------------------------------------
DC: dc2.domain.org
Friendly name: Default Domain Controllers Policy
Created: 7/7/2005 6:39:33 PM
Changed: 6/18/2012 12:33:05 PM
DS version: 1(user) 44(machine)
Sysvol version: 1(user) 40(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{GUID}]
Functionality version: 2
Your issue is caused by a version mismatch between the Default Domain Controllers Policy DS and Sysvol portions, not a difference between the two DCs. Your DCs are in sync with each other, but the data they are syncing is out of sync with itself. What you want to do is set the DS and Sysvol versions to the same value. To be safe, go with 1(user) 45(machine). The value you will need to enter is 65581 (1 * 65536 + 45 = 65581). Open \\domainname\sysvol\policies\{Default_Domain_Controllers_Policy_GUID}\gpt.ini in notepad and set Version=65581. Now using ADSIEdit, ADExplorer, adfind, etc, browse to CN={Default_Domain_Controllers_Policy_GUID},CN=Policies,CN=System,DC=domainname and set versionnumber to 65581. Now go to lunch and when you come back, run GPOTool again. All the version numbers should report as 65581 and/or 1(user) 45(machine).
Note: The Default Domain Controllers Policy GUID is always 6AC1786C-016F-11D2-945F-00C04FB984F9, but verify that is in fact the GUID in case someone renamed it and created another GPO with the same name.
See the following pages for more in depth descriptions of how GPO version numbers are calculated and utilized:
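The version arithmetic used in the answer above, as an added example that is not part of the original answer: it decodes the combined numbers GPOTool prints into their user and machine halves and computes the single value to write to both gpt.ini and versionNumber. The function names and the "agreeing half stays, disagreeing half becomes highest plus one" rule are assumptions that follow the answer's choice of 1(user) 45(machine).

```python
import configparser
import re

# GPOTool's summary line, in the form shown in the question above.
MISMATCH = re.compile(r"Version mismatch on (\S+), DS=(\d+), sysvol=(\d+)")

def decode(version):
    """Split a combined version into (user, machine): user is the high 16 bits."""
    return version >> 16, version & 0xFFFF

def encode(user, machine):
    """Combine (user, machine) into the number stored in gpt.ini and versionNumber."""
    if not (0 <= user <= 0xFFFF and 0 <= machine <= 0xFFFF):
        raise ValueError("each half must fit in 16 bits")
    return user * 65536 + machine

def gpt_ini_version(text):
    """Read Version= from the [General] section of a gpt.ini file's contents."""
    ini = configparser.ConfigParser()
    ini.read_string(text)
    return ini.getint("General", "Version")

def find_mismatches(gpotool_output):
    """Return (dc, ds_version, sysvol_version) for every mismatch GPOTool reported."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in MISMATCH.finditer(gpotool_output)]

def repair_value(ds, sysvol):
    """Assumed rule, following the answer: keep a half that agrees, otherwise
    use one more than the higher of the two so no DC holds a newer number."""
    halves = [a if a == b else max(a, b) + 1
              for a, b in zip(decode(ds), decode(sysvol))]
    return encode(*halves)

# Summary lines copied from the GPOTool output in the question.
SAMPLE = """\
Error: Version mismatch on dc1.domain.org, DS=65580, sysvol=65576
Error: Version mismatch on dc2.domain.org, DS=65580, sysvol=65576
"""
# Constructed gpt.ini contents matching the sysvol value above.
SAMPLE_INI = "[General]\nVersion=65576\n"

if __name__ == "__main__":
    for dc, ds, sysvol in find_mismatches(SAMPLE):
        print(dc, "DS", decode(ds), "sysvol", decode(sysvol),
              "-> set both to", repair_value(ds, sysvol))
    print("gpt.ini holds", decode(gpt_ini_version(SAMPLE_INI)))
```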
It's not saying your DCs are version mismatched, it's saying that one of your GPOs is.
You need to track down the offending policy ("Policy {GUID}") and under the sysvol folder on your DCs, navigate to its folder (\\DC\sysvol\policies\{GUID}) and check the GPT.INI file on both the DCs. It will have a version number in it, and the version number will be different on the different DCs - this is the version mismatch it's complaining about.
Correcting it depends on what exactly caused the mismatch - you may be able to correct it by editing the version number in GPT.ini, or it may be a result of some bigger problem, like faulty FRS replica sets, ACL settings on that particular GPO, etc. Not enough information to determine what exactly the root cause is.
I would look to see if your AD environment is in a Journal wrap state. We ran into this same issue and had to do a D2 restore to get all GPOs back to a consistent state.