Specifying a Domain Controller for Editing Group Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In each domain, GPMC uses the same domain controller for all operations in that domain. This includes all operations on the GPOs that are located in that domain, as well as all other objects in that domain, such as OUs and security groups. When you open the Group Policy Object Editor from GPMC, it uses the same domain controller.

GPMC also uses the same domain controller for all operations on sites. This domain controller is used to read and write information about what links to GPOs exist on any given site, but information regarding the GPOs themselves is obtained from the domain controllers of the domains that host the GPOs.

By default, when you add a new domain to the console, GPMC uses the PDC emulator in that domain for operations in that domain. For managing sites, GPMC uses the PDC emulator in the user’s domain by default.

The choice of domain controllers is important for administrators to consider to avoid replication conflicts. This is especially important because GPO data is located both in Active Directory and in Sysvol, which rely on independent replication mechanisms to replicate GPO data to the various domain controllers in the domain. If two administrators simultaneously edit the same GPO on different domain controllers, it is possible for the changes written by one administrator to be overwritten by another administrator, depending on replication latency.

To avoid this, GPMC uses the Operations Master token for the PDC emulator in each domain as the default. This helps ensure that all administrators are using the same domain controller and guards against data loss. However, it might not always be desirable for an administrator to use the PDC emulator to edit GPOs. If the administrator is located in a remote site, or if the majority of the users or computers targeted by the GPO are in a remote site, the administrator might choose to target a domain controller at the remote location. For example, if you are an administrator in Japan and the PDC emulator is in New York, it might be inconvenient to rely on a WAN link to access the New York PDC emulator.

Important

  • If multiple administrators manage a common GPO, all administrators should use the same domain controller when editing a particular GPO in order to avoid collisions in the File Replication service (FRS).
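Because the Active Directory and Sysvol halves of a GPO replicate independently, it helps to confirm that every domain controller holds the same version of a GPO before editing it on a domain controller other than the PDC emulator. The following script is an added example, not part of the original documentation. It assumes a management workstation with the ActiveDirectory PowerShell module and read access to each domain controller's Sysvol share; the variable names are illustrative.

```powershell
# Added example: compare each GPO's version in Active Directory and in Sysvol on every DC.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$pdc        = $domain.PDCEmulator
$dcs        = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

# Take the GPO list from the PDC emulator, the domain controller GPMC uses by default.
$gpos = Get-ADObject -Server $pdc -SearchBase $policiesDn -SearchScope OneLevel `
    -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName

$report = foreach ($gpo in $gpos) {
    foreach ($dc in $dcs) {
        # Active Directory half: versionNumber on the groupPolicyContainer object.
        $adVersion = $null
        try {
            $adVersion = (Get-ADObject -Server $dc -Identity $gpo.DistinguishedName `
                -Properties versionNumber -ErrorAction Stop).versionNumber
        } catch { }   # object not yet replicated to this DC, or DC unreachable

        # Sysvol half: the Version= line in GPT.ini under the GPO's GUID folder.
        $sysvolVersion = $null
        $gptIni = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$($gpo.Name)\GPT.ini"
        if (Test-Path -LiteralPath $gptIni) {
            $hit = Select-String -LiteralPath $gptIni -Pattern '^\s*Version\s*=\s*(\d+)' |
                Select-Object -First 1
            if ($hit) { $sysvolVersion = [int]$hit.Matches[0].Groups[1].Value }
        }

        [pscustomobject]@{
            GPO              = $gpo.displayName
            DomainController = $dc
            ADVersion        = $adVersion
            SysvolVersion    = $sysvolVersion
        }
    }
}

# A GPO is consistent when every DC reports one and the same version in both stores.
# Missing values become empty strings, so an unreplicated copy also counts as a mismatch.
$report | Group-Object GPO | Where-Object {
    ($_.Group | ForEach-Object { "$($_.ADVersion)"; "$($_.SysvolVersion)" } |
        Sort-Object -Unique | Measure-Object).Count -gt 1
} | ForEach-Object { $_.Group | Format-Table -AutoSize }
```

No output means every GPO has converged; any table printed lists a GPO whose copies differ between domain controllers or between Active Directory and Sysvol, so edits to it should wait for replication or be made on the PDC emulator.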

Use the Change Domain Controller function to specify the domain controller to be used for a given domain or for all sites in a forest. In each case, you have four options:

  • The domain controller with the Operations Master token for the PDC emulator (the default option)

  • Any available domain controller

  • Any available domain controller running Windows Server 2003 or later

  • This domain controller: Select a specific domain controller to be used.

The selected option is used each time that you open a saved console, until you change the option.

This preference is saved in the .msc file and is used when you open that .msc file. It is generally not recommended that you use the Any available domain controller option unless you are performing read-only operations.