DarthRater asked:
Sysvol Replication: or How I Learned To Stop Worrying And Love The NTDS

I had a previous question that I felt was well answered, but I wanted to open a new one to get deeper into the process. (The IP subnets are all configured for their sites.)

The goal is to get GPO software installs to pull from a targeted server based on location/subnet. Our current method is to have a different GPO for every server, which really sucks. The previous question's answer explained how to use Sites and Services to do this properly.

Our current setup is based more on ISP providers than on logical layout. Since we need two sites to create a link, our main site is in every link. So our layout is:

Cable
  Main Site (remote)
  Site1 (local)
  site3
  etc.
  etc.

Optaman
  Main Site
  site2
  site4
  etc.
  etc.

So let's say I am in Site1. Now I noticed that when I ping domain.local the response is not always constrained to that link; I get responses from servers outside of my link. So my first question is:

Is ping a poor way to determine what server a GPO will pull from, since GPO processing follows a different process? Also, what is the best way to determine what server a GPO would pull from? Would GPO modeling help with this?

Now, my proposed solution is to re-architect our site links. For example, if I am at Site1 and I want all GPO software installs located in SYSVOL to only process from that server/assigned subnet, I will make a new site link:

Main Location
  Main Site (remote)
  Site1 (local)

So this leads to my second question.
If I have two sites in my link, one remote and one local to my location, what is stopping a client from skipping over Site1 and going to the other server in the link? What mechanism is being used by Group Policy to see the DC in that subnet, and what influences the decision?
SOLUTION by Justin Owens
This solution is only available to members of Experts Exchange.
yo_bee:
Can you post a screenshot of all subnets and sites expanded?
This will give more insight into the settings.
@Darth

As I posted in one of your other questions, Sites and Services, if properly configured, should only reference the DCs that are part of that site.
If your site has two DCs as part of it and one is local and the other is in a remote office, the client will just pick randomly which one to authenticate to.
This being said, if your GPO states to install an application via %logonserver%\SYSVOL and the client authenticated to the remote office DC, then the install will happen from the remote DC.

An example is listed below.
[screenshot not available]
Case in point, though, is that GPO is not always pushed from the LOGONSERVER. On the Win 7 machine I am using, I have two different machines for logon server and GPO server.
ASKER CERTIFIED SOLUTION
This solution is only available to members of Experts Exchange.
DarthRater (ASKER):
yo_bee, this piece (%logonserver%\sysvol) awards you the slow clap. Thank you very much.
A good command to confirm that your clients are talking to the proper server is to run this from a command line:

set Logon

This will spit back the authentication server you are currently challenging.
Thanks. I have another client with multiple (20) sites in one site link. I take it this is also a poor practice?
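As an added example (not part of the thread or of any of the posters' answers), the following PowerShell script cross-checks the value that set Logon prints against the DC the locator returns for the client's site and the DC that gpresult reports Group Policy was applied from, which is the difference the Win 7 comment above points out. It assumes a domain-joined Windows client in an elevated prompt; domain.local is the placeholder domain name from the question.

```powershell
# Added example, not from the thread. Cross-checks three views of "which DC is
# this client using": the logon server (what 'set Logon' prints), the DC the
# locator returns for the client's site (nltest), and the DC Group Policy was
# actually applied from (gpresult). Run elevated on a domain-joined client.
# 'domain.local' is the placeholder domain name used in the question.
$Domain = 'domain.local'

function Get-ShortName([string]$Name) {
    # Normalise '\\DC01.domain.local' or 'DC01' to 'DC01' for comparison
    return ($Name.TrimStart('\') -split '\.')[0].ToUpper()
}

# 1. Logon server, set by the DC that authenticated this session
$logonServer = Get-ShortName "$env:LOGONSERVER"

# 2. Site the client has been mapped to (via its subnet) and the DC the
#    DC locator returns for that site right now
$site = "$(nltest /dsgetsite 2>$null | Select-Object -First 1)".Trim()
$locatorDc = nltest "/dsgetdc:$Domain" /force 2>$null |
    ForEach-Object { if ($_ -match '^\s*DC:\s+\\\\(\S+)') { $Matches[1] } } |
    Select-Object -First 1

# 3. DC the computer's Group Policy was applied from on the last refresh
$gpoDc = gpresult /r /scope:computer 2>$null |
    ForEach-Object { if ($_ -match 'Group Policy was applied from:\s+(\S+)') { $Matches[1] } } |
    Select-Object -First 1

[pscustomobject]@{
    ClientSite     = $site
    LogonServer    = $logonServer
    LocatorDc      = Get-ShortName "$locatorDc"
    GpoAppliedFrom = Get-ShortName "$gpoDc"
} | Format-List

# LogonServer and GpoAppliedFrom differing is normal (the Win 7 observation
# above). A LocatorDc that is not the DC you expect for this site means the
# client's subnet is not mapped to the site you think it is.
if ($locatorDc -and $gpoDc -and ((Get-ShortName $locatorDc) -ne (Get-ShortName $gpoDc))) {
    Write-Warning "GPO applied from $gpoDc but the locator currently returns $locatorDc for site '$site'."
}
```

Compare the ClientSite line with the site the client's subnet is assigned to in Sites and Services; if they differ, the subnet-to-site mapping, not the site link, is what needs fixing.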