Group Policies fail to apply on Windows 10 and Windows 2012 R2 machines joined to DSfW domain

  • 7018195
  • 27-Oct-2016
  • 14-Jul-2017

Environment

Novell Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 3
Domain Services for Windows
DSfW

Situation

Joined Windows 10 to the DSfW domain.
The GPOs are not applied when the user logs in to the domain or when gpupdate is run at the command prompt.
Joined Windows 2012 R2 to the DSfW domain.
The GPOs are not applied when the user logs in to the domain or when the gpupdate command is run at the command prompt, when the DFS link for the SYSVOL share points to an additional domain controller.

Resolution

Besides applying the October 2016 OES hot patch for DSfW on the DSfW servers, the following manual steps have to be executed:
  1. Check that no principals are yet returned from the keytab by the command #klist -k | grep -i "cifs/`hostname --fqdn`/`hostname -d`"
  2. Add the required principals to the keytab on all Domain Controllers of the domain using the command #setpassword -NDSOf -r -u <server name (output of the command 'hostname')>$ -E "<domain fqdn (output of the command 'hostname --fqdn')>/<domainname (output of the command 'hostname -d')>,<domain fqdn with hostname in all CAPS>/<domainname>,<domain fqdn with domainname in all CAPS>/<domainname in all CAPS>,<domain fqdn with hostname and domainname in all CAPS>/<domainname in all CAPS>,<domain fqdn with hostname and domainname in all small>/<domainname in all small>" -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
    The input "<domain fqdn with hostname and domainname in all small>/<domainname in all small>" for the -E option is required only if the hostname is in mixed case.
  3. Reload all the DSfW services on all the Domain Controllers using the command #xadcntrl reload
  4. Verify that the required principals have been added to the keytab using the command #klist -k | grep -i "cifs/`hostname --fqdn`/`hostname -d`"
  5. Create a soft link on the primary domain controller using the following command (make sure that you are in /var/opt/novell/xad/sysvol/sysvol when creating the link): server:/var/opt/novell/xad/sysvol/sysvol # ln -s <domain_name>/Policies/ Policies
  6. Run the command #sysvolsync on the primary domain controller.
  7. Restart the workstations joined to the domain.
    The setpassword command run on the domain controllers enables the gpupdate command to work on Windows 10 workstations and Windows 2012 R2 member servers. This will however work only after the workstations are rebooted, because the newly auto-generated server password is downloaded to the client workstation only after the reboot (even a logoff and login does not download the new password).
    The reboot is needed not only for Windows 10 and Windows 2012 R2, but also for existing Windows 7 or equivalent member server workstations joined to the domain. After the setpassword command has been run, the server password cached on these systems becomes obsolete, and therefore a reboot is required to download the new password.
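The following script is an added example for checking steps 1 and 4 offline; it is not part of this TID and not a Novell/Micro Focus tool. It builds the same five cifs/<fqdn>/<domain> name variants that step 2 passes to -E (deduplicated, so an all-lowercase hostname yields four and a mixed-case hostname five, matching the note on the last -E input) and reports which of them a `klist -k` listing lacks. The `klist -k` output embedded in it is constructed sample data, and the script assumes DSfW lists keytab entries as cifs/<fqdn>/<domain>@<REALM>; on a domain controller you would pipe the real `klist -k` output into missing_cifs_spns instead.

```shell
#!/bin/bash
# Added example, not part of TID 7018195: report which of the CIFS principal
# case variants required by steps 1, 2 and 4 are absent from a keytab listing.
# Assumption: DSfW lists keytab entries as "<KVNO> cifs/<fqdn>/<domain>@<REALM>".

# Print the five "cifs/<fqdn>/<domain>" forms from step 2 for one DC, deduplicated.
# $1 = short host name (`hostname`), $2 = DNS domain (`hostname -d`).
# For an all-lowercase host name the "all small" form equals the as-is form,
# so only four distinct names come out; a mixed-case host name yields five.
expected_cifs_spns() {
    host="$1"; dom="$2"
    uhost=$(printf '%s' "$host" | tr '[:lower:]' '[:upper:]')
    udom=$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]')
    lhost=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    ldom=$(printf '%s' "$dom" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' \
        "cifs/$host.$dom/$dom" \
        "cifs/$uhost.$dom/$dom" \
        "cifs/$host.$udom/$udom" \
        "cifs/$uhost.$udom/$udom" \
        "cifs/$lhost.$ldom/$ldom" | sort -u
}

# Read a `klist -k` listing on stdin and print each expected name that is missing.
# The comparison is deliberately case-sensitive (unlike the grep -i in steps 1
# and 4): Kerberos principal names are case-sensitive, which is the reason the
# extra variants have to exist in the keytab at all.
missing_cifs_spns() {
    host="$1"; dom="$2"
    # keep only "<KVNO> cifs/..." rows and strip the @REALM suffix
    present=$(awk '$1 ~ /^[0-9]+$/ && $2 ~ /^cifs\// { sub(/@.*$/, "", $2); print $2 }')
    expected_cifs_spns "$host" "$dom" | while read -r spn; do
        printf '%s\n' "$present" | grep -qxF -- "$spn" || printf '%s\n' "$spn"
    done
}

# Constructed sample of `klist -k` output: the as-is and all-uppercase CIFS
# names are present, the two mixed forms are not.
SAMPLE_KLIST='Keytab name: FILE:/var/opt/novell/xad/ds/krb5kdc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 cifs/dc1.example.com/example.com@EXAMPLE.COM
   2 cifs/DC1.EXAMPLE.COM/EXAMPLE.COM@EXAMPLE.COM
   2 host/dc1.example.com@EXAMPLE.COM'

# On a real DC: klist -k | missing_cifs_spns "$(hostname)" "$(hostname -d)"
echo "Missing CIFS principals for dc1.example.com:"
printf '%s\n' "$SAMPLE_KLIST" | missing_cifs_spns dc1 example.com
```

Run it once before step 2 (every expected name should be reported missing) and again after step 3 (nothing should be reported); an empty result on every domain controller is the condition step 4 is meant to confirm.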

Cause

SYSVOL access from Windows 10 and Windows 2012 R2 using the domain name requires additional CIFS service principal names in the Kerberos keytab file; because Kerberos principal names are case-sensitive, the name has to be present in each case variant the clients request.

Additional Information

We have the following script available to automate the above steps. Save this script in a file on the DC and call it fixspn.sh, then make it executable with chmod +x fixspn.sh and execute it with ./fixspn.sh

#!/bin/bash

#Get FQDN and hostname
hostnamefqdn=`hostname --fqdn`
domainonly=`hostname -d`
hostnameonly=`hostname`

#Make Uppercase

HOSTNAMEFQDN=`echo $hostnamefqdn | awk '{print toupper($0)}'`
DOMAINONLY=`echo $domainonly | awk '{print toupper($0)}'`
HOSTNAMEONLY=`echo $hostnameonly | awk '{print toupper($0)}'`

#Check for existence of krb5.keytab; an existing file is kept as krb5.keytab.orig

if [ -f /var/opt/novell/xad/ds/krb5kdc/krb5.keytab ]; then
        echo "/var/opt/novell/xad/ds/krb5kdc/krb5.keytab file detected. We will rename this file to krb5.keytab.orig."
        mv /var/opt/novell/xad/ds/krb5kdc/krb5.keytab /var/opt/novell/xad/ds/krb5kdc/krb5.keytab.orig
fi

#We will now generate the new keytab
#Principal forms passed to -E: fqdn as-is, fqdn all upper, hostname as-is with domain upper, hostname upper with domain as-is

echo "We will now run this to generate the new keytab file:"
echo "setpassword -NDSOf -r -u $HOSTNAMEONLY\$ -E $hostnamefqdn/$domainonly,$HOSTNAMEFQDN/$DOMAINONLY,$hostnameonly.$DOMAINONLY/$DOMAINONLY,$HOSTNAMEONLY.$domainonly/$domainonly -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab"
setpassword -NDSOf -r -u $HOSTNAMEONLY\$ -E $hostnamefqdn/$domainonly,$HOSTNAMEFQDN/$DOMAINONLY,$hostnameonly.$DOMAINONLY/$DOMAINONLY,$HOSTNAMEONLY.$domainonly/$domainonly -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab

#Set permissions and ownership on new keytab

chmod 640 /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
chown root:named /var/opt/novell/xad/ds/krb5kdc/krb5.keytab

#Check and create Policies link for sysvol (done whether or not a keytab existed before)

if [ ! -d /var/opt/novell/xad/sysvol/sysvol/Policies ]; then
        echo "Fixing sysvol link"
        #Abort rather than create the link in the wrong directory if the cd fails
        cd /var/opt/novell/xad/sysvol/sysvol/ || exit 1
        ln -s $domainonly/Policies
        chown -R administrator:"domain admins" Policies
        echo "Please run xadcntrl reload and then sysvolsync"
else
        echo "Please run xadcntrl reload"
fi