Group Policy in replicated environments

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In a domain that contains more than one domain controller, Active Directory information takes time to propagate from one domain controller to another. This topic describes the replication mechanism as it relates to Group Policy.

By default, Group Policy objects are created or edited only on the domain controller that is holding the primary domain controller (PDC) emulator operations master token. This token moves from one domain controller to another over time, as Active Directory information is replicated to keep the domain controllers synchronized.

Because Group Policy objects are created on the domain controller that holds the token, an organizational unit created on another domain controller must first replicate to the token holder before a Group Policy object can be linked to it and its settings applied. If you use Active Directory Users and Computers, you can create an organizational unit on any domain controller. These considerations are more significant if the intradomain links are slow. For more information, see Group Policy over slow links and Group Policy on sites.

Options governing selection of a domain controller

When you click the name of the Group Policy object in the console tree of Group Policy Object Editor, the View menu contains a command called DC Options. This command opens the Options for domain controller selection dialog box, where you can specify a domain controller to use for editing Group Policy. The options in this dialog box are as follows:

  • The one with the Operations Master token for the PDC emulator--This is the default and preferred option, and it is the best option from the standpoint of data safety.

  • The one used by the Active Directory snap-ins--This option uses the same domain controller as the utility from which the Group Policy Object Editor was invoked, if Group Policy was started this way.

  • Use any available domain controller--This option allows Group Policy Object Editor to choose any available domain controller. This is the least safe option, because different administrators could theoretically edit a Group Policy object simultaneously, with an indeterminate outcome. On the other hand, when you use this option, it is likely that a domain controller in the local site will be selected. If only one administrator can administer Group Policy on a large domain with several sites, the performance gain might be worthwhile.
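The replication lag described above, and the choice of the PDC emulator as the preferred editing domain controller, can be checked from the command line. The following PowerShell script is an added example, not part of this article and not a Microsoft tool; it assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT), which postdate Windows Server 2003, and a caller allowed to read Group Policy objects on every domain controller. It treats the version numbers stored on the PDC emulator as the reference and reports, for each domain controller, whether the named GPO has caught up (the function name Test-GpoReplication is this example's own).

```powershell
# Added example: report which domain controllers have received the latest edit of a GPO.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-GpoReplication {
    param(
        [Parameter(Mandatory = $true)] [string] $GpoName
    )

    # The PDC emulator is the default and preferred domain controller for editing GPOs,
    # so the version numbers it holds are the reference for the rest of the domain.
    $pdc       = (Get-ADDomain).PDCEmulator
    $reference = Get-GPO -Name $GpoName -Server $pdc

    foreach ($dc in Get-ADDomainController -Filter * -Server $pdc) {
        try {
            $gpo = Get-GPO -Name $GpoName -Server $dc.HostName -ErrorAction Stop
        } catch {
            # The GPO container has not replicated to this domain controller yet.
            [pscustomobject]@{
                DomainController = $dc.HostName
                IsPdcEmulator    = ($dc.HostName -eq $pdc)
                Status           = 'GPO not found'
                UserVersion      = $null
                ComputerVersion  = $null
            }
            continue
        }

        # In sync means: the Active Directory (DS) version matches the PDC emulator's copy,
        # and the SYSVOL copy on this DC carries the same version as its own DS copy.
        $inSync = ($gpo.User.DSVersion     -eq $reference.User.DSVersion) -and
                  ($gpo.Computer.DSVersion -eq $reference.Computer.DSVersion) -and
                  ($gpo.User.SysvolVersion     -eq $gpo.User.DSVersion) -and
                  ($gpo.Computer.SysvolVersion -eq $gpo.Computer.DSVersion)

        [pscustomobject]@{
            DomainController = $dc.HostName
            IsPdcEmulator    = ($dc.HostName -eq $pdc)
            Status           = if ($inSync) { 'In sync' } else { 'Replication pending' }
            UserVersion      = "$($gpo.User.DSVersion)/$($gpo.User.SysvolVersion)"
            ComputerVersion  = "$($gpo.Computer.DSVersion)/$($gpo.Computer.SysvolVersion)"
        }
    }
}

# Usage: check a GPO by display name; 'Default Domain Policy' exists in every domain.
Test-GpoReplication -GpoName 'Default Domain Policy' | Format-Table -AutoSize
```

Run it shortly after editing a GPO and again a few minutes later: a domain controller that still reports "Replication pending" or "GPO not found" will not yet apply the new settings to clients that authenticate against it, which is the situation the article warns about on slow intradomain links. The SYSVOL comparison is an extra check the article does not mention; it catches the case where the Active Directory part of the object has replicated but the file-system part has not.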

Domain controller selection set through Group Policy

In addition to the DC Options command, there is also a Group Policy setting for domain controller selection. This is part of the System.adm Administrative Template that is loaded into Group Policy Object Editor by default. You can find this Group Policy setting in Group Policy Object Editor under User Configuration\Administrative Templates\System\Group Policy. You can double-click Group Policy domain controller selection in the details pane, and then click the appropriate setting in the list.