got it working. I did the burflags thing. On the server throwing the 13508, I backed up sysvol, stopped ntfrs and changed the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags to D4 , started ntfrs, and then went to the other two domain controllers.
On them I stopped ntfrs and changed:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags to D2
and started ntfrs.
after a few minutes the logs were clean. I logged in to a workstation and group policy didn't throw any errors.