Group Policy replication and domain controller selection
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In a domain that contains more than one domain controller, Group Policy information takes time to propagate, or replicate, from one domain controller to another. Low bandwidth network connections between domain controllers slow replication. The Group Policy infrastructure has mechanisms to manage these issues.
Each Group Policy object (GPO) is stored partly in the Sysvol on the domain controller and partly in Active Directory. The Group Policy Management Console (GPMC) and Group Policy Object Editor present and manage the GPO as a single unit. For example, when you set permissions on a GPO in GPMC, GPMC is actually setting permissions on objects in both Active Directory and the Sysvol. It is not recommended that you manipulate these separate objects independently outside of GPMC and the Group Policy Object Editor. It is important to understand that these two separate components of a GPO rely on different replication mechanisms. The file system portion is replicated through the File Replication Service (FRS), independently of the replication handled by Active Directory.
The tools used to manage Active Directory and Group Policy, such as GPMC, the Group Policy Object Editor, and Active Directory Users and Computers all communicate with domain controllers. If there are several domain controllers available, changes made to objects like users, computers, organizational units, and GPOs may take time to appear on other domain controllers. The administrator may see different data depending on the last domain controller on which changes were made and which domain controller they are currently viewing the data from.
For example, if you create a GPO on one domain controller and immediately attempt to link it on another domain controller, the operation could fail. In each domain, GPMC uses the same domain controller for all operations in that domain, in order to avoid any synchronization issues. This includes all operations on GPOs, organizational units, and security groups in that domain. In addition, when the Group Policy Object Editor is opened from GPMC, it also uses the same domain controller that GPMC is using. Finally, GPMC uses the same domain controller for all operations on sites within a given forest. This domain controller for sites is used to read and write information about the links to GPOs that exist on any given site; information regarding the GPO itself is obtained from the domain controller of the domain hosting the GPO.
By default, when you add a new domain to the console, GPMC uses the PDC emulator in that domain to help ensure that all administrators are using the same domain controller. For managing sites, GPMC uses the PDC emulator in the user's domain by default. You can change the default choice of domain controller using the Change Domain Controller dialog box in GPMC. If you are located at a remote site with a slow connection to the default domain controller, you may want to do this.
It is important for administrators to consider the choice of domain controller in order to avoid replication conflicts, particularly because both Active Directory and FRS use multi-master replication. This is especially important because GPO data resides in both Active Directory and on the Sysvol, so two independent replication mechanisms are used to replicate GPO data to the domain controllers in the domain. If two administrators are simultaneously editing the same GPO on different domain controllers, it is possible for the changes written by one administrator to be overwritten by the other, depending on replication latency.
If multiple administrators manage a common GPO, it is recommended that all administrators use the same domain controller when editing a particular GPO, to avoid collisions in FRS.
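The following script is an added example, not part of the original article: it reports which domain controller GPMC targets by default (the PDC emulator) and then checks every GPO on every domain controller for the two inconsistencies the text describes, Active Directory and Sysvol versions disagreeing on one domain controller, and different domain controllers holding different versions of the same GPO. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT) are installed and that the account can read GPOs on all domain controllers.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
Write-Host "Default GPMC domain controller (PDC emulator): $($domain.PDCEmulator)"

# Read each GPO's AD and Sysvol version numbers from every domain controller.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$rows = foreach ($dc in $dcs) {
    try {
        foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot -Server $dc) {
            [pscustomobject]@{
                DC             = $dc
                GpoId          = $gpo.Id
                DisplayName    = $gpo.DisplayName
                ComputerDS     = $gpo.Computer.DSVersion
                ComputerSysvol = $gpo.Computer.SysvolVersion
                UserDS         = $gpo.User.DSVersion
                UserSysvol     = $gpo.User.SysvolVersion
            }
        }
    } catch {
        Write-Warning "Could not read GPOs from ${dc}: $_"
    }
}

# 1. AD and Sysvol disagree on the same DC (AD replication and FRS out of step).
$adVsSysvol = $rows | Where-Object {
    $_.ComputerDS -ne $_.ComputerSysvol -or $_.UserDS -ne $_.UserSysvol
}
# 2. Different DCs hold different versions of one GPO (latency or an edit collision).
$acrossDcs = $rows | Group-Object GpoId | Where-Object {
    ($_.Group | Select-Object -ExpandProperty ComputerDS -Unique).Count -gt 1 -or
    ($_.Group | Select-Object -ExpandProperty UserDS -Unique).Count -gt 1
}

if ($adVsSysvol) {
    Write-Host "`nGPOs whose AD and Sysvol versions differ on a DC:"
    $adVsSysvol | Format-Table DC, DisplayName, ComputerDS, ComputerSysvol, UserDS, UserSysvol -AutoSize
}
if ($acrossDcs) {
    Write-Host "`nGPOs with differing versions across DCs (let replication finish before editing):"
    $acrossDcs | ForEach-Object { $_.Group } | Format-Table DisplayName, DC, ComputerDS, UserDS -AutoSize
}
if (-not $adVsSysvol -and -not $acrossDcs) { Write-Host "All GPO versions are consistent." }
```

Run it before and after a multi-administrator editing session; a GPO that stays inconsistent after replication has had time to complete is the one to investigate for an overwritten change.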
Options governing selection of a domain controller for GPMC
In GPMC, when you right-click a domain or the sites container and click Change Domain Controller, you see a Change Domain Controller dialog box. The domain controller options for GPMC are:
The one with the Operations Master token for the PDC emulator. This is the default and preferred option.
Use any available domain controller. This is the least safe option.
Use any available domain controller that is running Windows Server 2003 or later. This option is useful if you are restoring deleted GPOs that contain software installation settings. If possible, it is recommended to perform restoration of GPOs containing software installation settings on domain controllers running Windows Server 2003. For more information, see Restore using GPMC.
This domain controller. This option allows you to choose a specific domain controller from a list of domain controllers in the domain.
If you are changing the domain controller for a site, you can also choose any available trusted domain from the Look in this domain drop-down list box in the Change Domain Controller dialog box.
When you open the Group Policy Object Editor from GPMC it always uses the same domain controller that is targeted in GPMC for the domain where that GPO is located.
For step-by-step instructions for choosing a domain controller, see Specify a domain controller.