Sysvol Replication: or How I Learned To Stop Worrying And Love The NTDS

Posted on 2012-04-03
Last Modified: 2012-06-21
I had a previous question that I felt was well answered, but I wanted to open up a new one to get deeper into the process. (The IP subnets are all configured for their sites.)

The goal is to get GPO software installs to pull from a targeted server based on location/subnet. Our current method is to have a different GPO for every server, which really sucks. The previous question's answer explained how to use Sites And Services to properly do this.

Our current setup is based more on ISP providers rather than logical layout. Since we need two sites to create a link, our main site is in every link. So our layout is:

Cable
Main Site (remote)
Site1 (local)
site3
etc
etc

Optaman
Main Site
site2
site4
etc
etc

So let's say I am in Site1. Now I noticed that when I ping domain.local the response is not always constrained to that link. I get responses from servers outside of my link. So my first question is:

Is ping a poor way to determine what server a GPO will pull from since GPO processing follows a different process? Also, what is the best way to determine what server a GPO would pull from... Would GPO modeling help with this?

Now, my proposed solution is to re-architect our site links. For example, if I am at Site 1 and I want all GPO software installs located in SYSVOL to only process from that server/assigned subnet, I will make a new Site Link:

Main Location
Main Site (remote)
Site1 (local)

So this leads to my second question.
If I have two sites in my link, one remote and one local to my location, what is stopping a client from skipping over Site1 and going from the other server in the link? What mechanism is being used by Group Policy to see the DC in that subnet and what influences the decision?
Question by:DarthRater
Assisted Solution

by:Justin Owens
Justin Owens earned 100 total points
ID: 37802411
Question 1:
Is ping a poor way to determine what server a GPO will pull from since GPO processing follows a different process? Also, what is the best way to determine what server a GPO would pull from... Would GPO modeling help with this?
Ping isn't a good way to determine this because your DNS entries for domain.local should be universal, not subnet specific.

To determine which server is presenting your GPOs to a client, you can use this command from the client:

gpresult /r

It will return something like this toward the top:

Group Policy was applied from:      FQDN_of_GPO_Server_Which_Presented_You

Question 2:
If I have two sites in my link, one remote and one local to my location, what is stopping a client from skipping over Site1 and going from the other server in the link? What mechanism is being used by Group Policy to see the DC in that subnet and what influences the decision?
Honestly, if Sites and Services are properly set up, clients should choose an AD Server within their Site/Subnet, but it will go outside the defined Site if it is seeking a faster response.  As a remote Site cost should be higher and should also be slower, there is very little chance of GPO being served from an alternate location.  Honestly, though, is your network so bottle-necked that it would matter?  If it is, I would suggest you have bigger fish to fry than what server is presenting GPO.

DrUltima
Expert Comment

by:yo_bee
ID: 37802419
Can you post a screenshot of all subnets and sites expanded?
This will give more insight to the settings.
Expert Comment

by:yo_bee
ID: 37802871
@Darth

As I posted in one of your other questions, Sites and Services, if properly configured, should only reference the DC that is part of that site.
If your Site has two DCs as part of it and one is local and the other is in a remote office, the client will just pick randomly which one to authenticate to.
That being said, if your GPO installs an application via %logonserver%\SYSVOL and the client authenticated to the remote office DC, then the install will happen from the remote DC.

An example is listed below.
(attached screenshot: S&S1)
Expert Comment

by:Justin Owens
ID: 37802927
Case in point, though, is that GPO is not always pushed from the LOGONSERVER. On the Win 7 machine I am using, I have two different machines for logon server and GPO server.
Accepted Solution

by:
yo_bee earned 400 total points
ID: 37804463
But if your GPO logon script has the UNC path %logonserver%\sysvol, with a properly configured Sites & Services you will always pull the exe or script from the local DC, or whatever DC is associated with the Site, no matter which server is supplying the GP settings.

This is how DFS works as well.  If you have a DFS namespace and you have a local file server that is in a replication group the users will be accessing the local file server and not traversing the WAN.  

That is why you must make sure that the Sites and Services is properly setup or you will have weird symptoms.  

To try and address Darth's question at hand, you should set up your Sites as logical groupings where you want to place your DCs, and not by your link types.
The links are only for means of controlling how the sites communicate with each other.


Let's say you have three sites, all with the same cost and all linked:

Site A: Cost 100: DC1
Site B: Cost 100: DC2
Site C: Cost 100: DC3

This means that if Site A needs to replicate it will go to either B or C, no matter the latency. This is the same for the rest.
So if you have a high-speed connection between A-C and A-B, you want that cost to be lower than B-C, forcing the other two sites (B & C) to always talk to A first before moving on to the other.

What this means to users is that if you have identical cost for all three sites and the local server is not responsive, it will round-robin to whichever site is next, no matter the latency.


When it comes to the Site setup, you only want the local DC associated with it (like the example I posted previously).
Third and foremost, Sites mean nothing if you do not set up the subnet associations properly.
Example:

Site A: No Subnet associated
Site B: Subnet, but no DC
Site C: Subnet and 2 DCs from two different locations.

Users in Site A see that there is a DC, but no subnet to isolate them. Users will authenticate to any of the other two sites.
Users in Site B see that there is a site, but there are no DCs, so they will talk to Site A due to a lower cost than C.
Users in Site C see that there is a DC local and one from Site A. They will authenticate to A or C due to the misconfiguration of the Site.

If you have them setup properly

Site A : Subnet/Subnets for Site A: DC for Site A
Site B:       "
Site C:       "

Users from A will authenticate to A unless DC A is not available, and then will choose B or C because they have the same cost.
Users from B will authenticate to B unless DC B is not available, then they will go to Site A due to a lower cost than C.
Users from C will act the same way as B.
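The three misconfigured-site cases in the accepted answer can be checked against a live forest. This is an added example, not code from yo_bee or the thread; it assumes Windows PowerShell on a domain-joined machine with read access to the Configuration partition and uses only the .NET System.DirectoryServices.ActiveDirectory classes.

```powershell
# Added example, not from the thread: audit AD Sites and Services for the
# misconfigurations described above (site with DC but no subnet, site with
# subnet but no DC, site holding DCs from more than one location) and list
# site link costs. Assumes a domain-joined machine with read access to the
# Configuration partition; no RSAT module required.
Add-Type -AssemblyName System.DirectoryServices
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$findings = @()

foreach ($site in $forest.Sites) {
    $subnets = @($site.Subnets | ForEach-Object { $_.Name })
    $dcs     = @($site.Servers | ForEach-Object { $_.Name })

    # "Site A" in the post: a DC lives here, but no subnet ever places a client here.
    if ($dcs.Count -gt 0 -and $subnets.Count -eq 0) {
        $findings += "$($site.Name): DC(s) $($dcs -join ', ') but no subnets; clients cannot be placed in this site"
    }
    # "Site B": clients are placed here, but must cross a site link to find any DC.
    if ($subnets.Count -gt 0 -and $dcs.Count -eq 0) {
        $findings += "$($site.Name): subnets $($subnets -join ', ') but no DC; clients fall through to the cheapest link"
    }
    # "Site C": several DCs; confirm by hand that none of them is really in a remote office.
    if ($dcs.Count -gt 1) {
        $findings += "$($site.Name): $($dcs.Count) DCs ($($dcs -join ', ')); confirm all are physically local"
    }
}

# Equal costs on every link mean no preference when the local DC is down, so
# show each link once with its cost and member sites.
$links = $forest.Sites | ForEach-Object { $_.SiteLinks } | Sort-Object -Property Name -Unique
foreach ($link in $links) {
    $members = ($link.Sites | ForEach-Object { $_.Name }) -join ' <-> '
    "SiteLink $($link.Name): cost $($link.Cost), sites $members"
}

if ($findings.Count -eq 0) { 'No site/subnet/DC mismatches found.' } else { $findings }
```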

Author Closing Comment

by:DarthRater
ID: 37810871
yobee, this piece (%logonserver%\sysvol) awards you the slow clap. Thank you very much
Expert Comment

by:yo_bee
ID: 37811027
A good command to confirm that your clients are talking to the proper server is to run this from a command line:

set Logon
This will spit back the authentication server you are currently challenging.
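The two client-side checks from the thread (Justin's `gpresult /r` and yo_bee's `set Logon`) combined into one script that also resolves each DC to its site, so the point that the logon server and the GPO server can differ is visible directly. This is an added example, not code from either poster; it assumes Windows PowerShell on a domain-joined client with English-language `gpresult` output.

```powershell
# Added example, not from the thread: compare the client's AD site, the DC that
# authenticated it (%LOGONSERVER%, what "set Logon" shows in cmd) and the DC
# that served Group Policy (what "gpresult /r" shows), then check that both DCs
# belong to the client's own site. Assumes a domain-joined Windows client and
# English gpresult output; no RSAT module required.
Add-Type -AssemblyName System.DirectoryServices
$clientSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$domain     = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# %LOGONSERVER% is "\\NETBIOSNAME"; strip the leading backslashes.
$logonDc = if ($env:LOGONSERVER) { $env:LOGONSERVER.TrimStart('\') } else { 'unknown' }

# gpresult /r prints "Group Policy was applied from:  <FQDN>" in the computer
# section (needs an elevated prompt) and the user section; take the first hit.
$gpLine = gpresult /r | Select-String -Pattern 'Group Policy was applied from:' | Select-Object -First 1
$gpoDc  = if ($gpLine) { ($gpLine.Line -split ':\s*', 2)[1].Trim() } else { 'unknown' }

# Map a DC name (NetBIOS or FQDN) to the site AD says it belongs to.
function Get-DcSite([string]$name) {
    if ($name -eq 'unknown') { return 'unknown' }
    $dc = $domain.DomainControllers |
          Where-Object { $_.Name -eq $name -or $_.Name -like "$name.*" } |
          Select-Object -First 1
    if ($dc) { $dc.SiteName } else { 'unknown' }
}

$logonSite = Get-DcSite $logonDc
$gpoSite   = Get-DcSite $gpoDc

# The logon server and the GPO server may legitimately differ. For a
# %logonserver%\SYSVOL install to stay local, LogonDcSite must equal ClientSite.
[pscustomobject]@{
    ClientSite  = $clientSite
    LogonServer = $logonDc
    LogonDcSite = $logonSite
    GpoServer   = $gpoDc
    GpoDcSite   = $gpoSite
    AllLocal    = ($logonSite -eq $clientSite) -and ($gpoSite -eq $clientSite)
}
```

If AllLocal is False on a client whose subnet is assigned to its site, the site or subnet data for one of the listed DCs is what to review first.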

Author Comment

by:DarthRater
ID: 37812197
Thanks, I have another client with multiple (20) sites in one Site Link. I take it this is also a poor practice?