Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

Group Policy Replication and Domain Controller Selection (Group Policy Infrastructure)

Updated: April 7, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In a domain that contains more than one domain controller, Group Policy information takes time to propagate, or replicate, from one domain controller to another. Low bandwidth network connections between domain controllers slow replication. The Group Policy infrastructure has mechanisms to manage these issues.

Each GPO is stored partly in the Sysvol on the domain controller and partly in Active Directory. GPMC and Group Policy Object Editor present and manage the GPO as a single unit. For example, when you set permissions on a GPO in GPMC, GPMC is actually setting permissions on objects in both Active Directory and the Sysvol. It is not recommended that you manipulate these separate objects independently outside of GPMC and the Group Policy Object Editor. It is important to understand that these two separate components of a GPO rely on different replication mechanisms. The file system portion is replicated through File Replication Service (FRS), independently of the replication handled by Active Directory.

Lack of synchronization between the Group Policy template (data stored on Sysvol) and Group Policy container (data stored in Active Directory) portions of the Group Policy object can occur temporarily because of the differences in the replication schemes used by Active Directory and FRS.

For those Group Policy extensions that store data in only one data store (either Active Directory or Sysvol), this is not an issue, and Group Policy is applied as it can be read. Such extensions include Administrative Templates, Scripts, Folder Redirection, and most of the Security Settings.

For any Group Policy extension that stores data in both storage places (Active Directory and Sysvol), the extension must properly handle the possibility that the data is unsynchronized. This is also true for extensions that need multiple objects in a single store to be atomic in nature, since neither storage location handles transactions.

An example of an extension that stores data in Active Directory and Sysvol is Software Installation. The script files are stored on Sysvol and the Windows Installer package definition is in Active Directory. If the script exists, but the corresponding Active Directory components are not present, then nothing is done. If the script file is missing, but the package is known in Active Directory, application installation fails gracefully and will be retried on the next processing of Group Policy.

The tools used to manage Active Directory and Group Policy, such as GPMC, the Group Policy Object Editor, and Active Directory Users and Computers all communicate with domain controllers. If there are several domain controllers available, changes made to objects like users, computers, organizational units, and GPOs may take time to appear on other domain controllers. The administrator may see different data depending on the last domain controller on which changes were made and which domain controller they are currently viewing the data from.

For example, if you create a GPO on one domain controller and immediately attempt to link it on another domain controller, the operation could fail. In each domain, GPMC uses the same domain controller for all operations in that domain, in order to avoid any synchronization issues. This includes all operations on GPOs, organizational units, and security groups in that domain. In addition, when the Group Policy Object Editor is opened from GPMC, it will also use the same domain controller in use by GPMC. Finally, GPMC uses the same domain controller for all operations on sites within a given forest. This domain controller for sites is used to read and write information about the links to GPOs that exist on any given site; information regarding the GPO itself is obtained from the domain controller of the domain hosting the GPO. This domain controller is used to read and write information about the links to GPOs that exist on any given site; information regarding the GPO itself is obtained from the domain controller of the domain hosting the GPO.

By default, when you add a new domain to the console, GPMC uses the PDC emulator in that domain to help ensure that all administrators are using the same domain controller. For managing sites, GPMC uses the PDC emulator in the user's domain by default. You can change the default choice of domain controller using the Change Domain Controller dialog box in GPMC. If you are located at a remote site with a slow connection to the default domain controller, you may want to do this.

It is important for administrators to consider the choice of domain controller in order to avoid replication conflicts particularly because both Active Directory and FRS use multi-master replication. This is especially important to consider because GPO data resides in both Active Directory and on Sysvol, and two independent replication mechanisms must be used to replicate GPO data to the various domain controllers in the domain. If two administrators are simultaneously editing the same GPO on different domain controllers, it is possible for the changes written by one administrator to be overwritten by another administrator, depending on replication latency.

If multiple administrators manage a common GPO, it is recommended that all administrators use the same domain controller when editing a particular GPO, to avoid collisions in FRS.

Options governing selection of a domain controller for GPMC

In GPMC, when you right-click a domain or the sites container and click Change Domain Controller, you see a Change Domain Controller dialog box. The domain controller options for GPMC are:

  • The one with the Operations Master token for the PDC emulator. This is the default and preferred option.

  • Use any available domain controller. This is the least safe option.

  • Use any available domain controller that is running Windows Server 2003 or later. This option is useful if you are restoring deleted GPOs that contain software installation settings. If possible, it is recommended to perform restoration of GPOs containing software installation settings on domain controllers running Windows Server 2003.

  • This domain controller. This option allows you to choose a specific domain controller from a list of domain controllers in the domain.

If you are changing the domain controller for a site, you can also choose any available trusted domain from the Look in this domain drop-down list box in the Change Domain Controller dialog box.

When you open the Group Policy Object Editor from GPMC it always uses the same domain controller that is targeted in GPMC for the domain where that GPO is located.

  • All of these options may be overridden by a using policy setting, as described next. These settings are available in the User Configuration\Administrative Templates\System\Group Policy node of the Group Policy Object Editor.

Specifying a Domain Controller by Using Group Policy

Domain Admins can use a policy to specify how Group Policy chooses a domain controller—that is, they can specify which domain controller option should be used. In such cases, the option to choose a domain controller is unavailable since a policy is in place that overrides any setting that the user chooses. This policy allows Domain Admins to mandate that all administrators must use the PDC emulator, for example.

The Group Policy domain controller selection policy setting is available in the Administrative Templates node for User Configuration, in the System\Group Policy sub-container.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2015 Microsoft