Group policy being applied from NON PDC emulator and over slow WAN link

rptsysadmin asked
Last Modified: 2008-01-16
I am running a Windows 2003 AD network. Users (including myself) are getting the group policy via a DC from different remote sites. I have confirmed my local DC is the PDC emulator, RID and global catalog. The only reason I noticed this was that a group policy I changed was not taking effect, so after running gpupdate, then gpresult, I noticed the host was pulling from DCs on completely different subnets over WAN links. Any insight would be appreciated. On top of that, the 2 sites they are talking to are over our slowest WAN links.

Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Commented:
Group Policy is distributed from any ADC in your domain.  The PDC emulator is there for the sole purpose of allowing backward compatibility to WinNT.


Open AD Sites and Services
Configure a "Site" for each physical location
Configure a Subnet for each site
Configure a Site Link for each WAN link
Move the servers into their correct sites

This is how AD can tell where you are logging on from and which server it should pull authentication and group policies from.

Also you should have a Global Catalog server at every site.
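
How the subnet-to-site mapping described above decides which DC a client should use, as an added example that is not part of the original answer: a simplified Python model that picks the most specific matching subnet and flags clients that were served by a DC in another site or that no subnet covers. The subnets, site names, DC names and observations are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the thread): subnet objects and their sites.
SUBNETS = {
    "10.1.0.0/16": "HQ",
    "10.1.50.0/24": "BranchA",   # more specific range carved out of the HQ block
    "10.2.0.0/16": "BranchA",
    "10.3.0.0/16": "BranchB",
}
# Constructed sample data: the site each DC has been moved into.
DC_SITE = {"dc-hq01": "HQ", "dc-bra01": "BranchA", "dc-brb01": "BranchB"}

# Constructed observations: (client IP, DC that gpresult reported for that client).
SAMPLE = [
    ("10.1.7.9", "dc-hq01"),
    ("10.1.7.10", "dc-brb01"),
    ("172.16.4.4", "dc-bra01"),
    ("10.1.50.20", "dc-bra01"),
]

def site_for_ip(ip, subnets=SUBNETS):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def audit(observations, subnets=SUBNETS, dc_site=DC_SITE):
    """Return (client_ip, dc, finding) for every client served from the wrong place."""
    findings = []
    for ip, dc in observations:
        client_site = site_for_ip(ip, subnets)
        if client_site is None:
            # No subnet object matches, so the client cannot be placed in a site.
            findings.append((ip, dc, "no subnet object covers this client"))
        elif dc_site.get(dc) != client_site:
            findings.append((ip, dc, f"client in {client_site}, DC in {dc_site.get(dc)}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```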
Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Commented:
FYI - You will want to configure site links under Inter-Site Transports/IP.  SMTP is not recommended for replication unless you have a very, very slow WAN link (like a 56k).

If you have more than one WAN link you may want to consider configuring a Site Link Bridge too.

Here is more information from the horse's mouth:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/adsrv.mspx

Author

Commented:
I have all that configured already. All sites have their respective DCs and their respective subnets assigned.

Author

Commented:
Under inter-site transports the default site link has all my sites in the link.

Author

Commented:
Am I supposed to create a new site link for each site? The default site link I just mentioned is obviously just for the default site, not all my remote sites that I added, right? It just seemed confusing, so each DC at each remote location should be the bridgehead server then, right?
Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Commented:
You should have a site link for every WAN link, so think of it like defining your T1, VPN, etc...

If you had 3 sites and each of them were connected to each other you would have 3 links
A&B
A&C
B&C

If you had 3 sites and B and C were connected to A but not to each other you would have 2 Site Links
A&B
A&C


Remember to set a cost on each link; slower links get a higher cost.  You can be arbitrary; I use 500 for my VPNs and 100 for my T1, but you could use 10 and 50 with the same results.



Author

Commented:
Understood. This should be configured under site links? So, if I right-click on my remote server I should add the IP transport and make it a local bridgehead server, right?
LAN/WAN Systems Administrator
CERTIFIED EXPERT
Commented:
Configure in AD Sites and Services | Sites | Inter-Site Transports | IP


AD will assign bridgehead servers automagically but you can specify if you like; I always do.


Author

Commented:
Thanks!