Solved

Sysvol Replication: or How I Learned To Stop Worrying And Love The NTDS

Posted on 2012-04-03
Medium Priority
607 Views
Last Modified: 2012-06-21
I had a previous question that I felt was well answered but I wanted to open up a new one to get deeper into the process.  (The IP subnets are all configured for their sites.)

The goal is to get GPO software installs to pull from a targeted server based on location/subnet. Our current method is to have a different GPO for every server which really sucks.  The previous question's answer explained how to use Sites And Services to properly do this.

Our current setup is based more on ISP providers than on logical layout. Since we need two sites to create a link, our main site is in every link. So our layout is:

Cable
Main Site (remote)
Site1 (local)
site3
etc
etc

Optaman
Main Site
site2
site4
etc
etc

So let's say I am in Site1. Now I noticed that when I ping domain.local the response is not always constrained to that link. I get responses from servers outside of my link. So my first question is:

Is ping a poor way to determine what server a GPO will pull from since GPO processing follows a different process? Also, what is the best way to determine what server a GPO would pull from... Would GPO modeling help with this?

Now, my proposed solution is to re-architect our site links. For example, if I am at Site1 and I want all GPO software installs located in SYSVOL to only process from that server/assigned subnet, I will make a new Site Link:

Main Location
Main Site (remote)
Site1 (local)

So this leads to my second question.
If I have two sites in my link, one remote and one local to my location, what is stopping a client from skipping over Site1 and going from the other server in the link? What mechanism is being used by Group Policy to see the DC in that subnet and what influences the decision?
Question by:DarthRater
8 Comments
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 400 total points
ID: 37802411
Question 1:
Is ping a poor way to determine what server a GPO will pull from since GPO processing follows a different process? Also, what is the best way to determine what server a GPO would pull from... Would GPO modeling help with this?
Ping isn't a good way to determine this because your DNS entries for domain.local should be universal, not subnet specific.

To determine which server is presenting your GPOs to a client, you can use this command from the client:

gpresult /r

It will return something like this toward the top:

Group Policy was applied from:      FQDN_of_GPO_Server_Which_Presented_You

Question 2:
If I have two sites in my link, one remote and one local to my location, what is stopping a client from skipping over Site1 and going from the other server in the link? What mechanism is being used by Group Policy to see the DC in that subnet and what influences the decision?
Honestly, if Sites and Services are properly set up, clients should choose an AD Server within their Site/Subnet, but it will go outside the defined Site if it is seeking a faster response.  As a remote Site cost should be higher and should also be slower, there is very little chance of GPO being served from an alternate location.  Honestly, though, is your network so bottle-necked that it would matter?  If it is, I would suggest you have bigger fish to fry than what server is presenting GPO.

DrUltima
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37802419
Can you post a screenshot of all subnets and sites expanded?
This will give more insight to the settings.
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37802871
@Darth

As I posted in one of your other questions, Sites and Services, if properly configured, should only reference the DC that is part of that site.
If your Site has two DCs as part of it and one is local and the other is in a remote office, the client will just pick randomly which one to authenticate to.
This being said, if your GPO states to install an application via %logonserver%\SYSVOL and it authenticated to the remote office DC, then the install will happen from the remote DC.

An example is listed below.
S&S1
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 37802927
Case in point, though, is that GPO is not always pushed from the LOGONSERVER. On the Win 7 machine I am using, I have two different machines for logon server and GPO server.
0
 
LVL 23

Accepted Solution

by:
yo_bee earned 1600 total points
ID: 37804463
But if your GPO logon script has the UNC path %logonserver%\sysvol, with a properly configured Sites & Services you will always pull the exe or script from the local DC, or whatever DC is associated with the Site, no matter which server is supplying the GP settings.

This is how DFS works as well.  If you have a DFS namespace and you have a local file server that is in a replication group the users will be accessing the local file server and not traversing the WAN.  

That is why you must make sure that Sites and Services is properly set up, or you will have weird symptoms.

To try and address Darth's question at hand, you should set up your Sites as logical groupings of where you want to place your DCs, and not your link types.
The links are only a means of controlling how the sites communicate with each other.


Let's say you have three sites all with the same cost and all linked

Site A: Cost 100: DC1
Site B: Cost 100: DC2
Site C: Cost 100: DC3

This means that if Site A needs to replicate it will go to either B or C no matter the latency. This is the same for the rest.
So if you have a high speed connection between A-C and A-B, you want the cost to be lower than B-C, forcing the other 2 sites (B & C) to always talk to A first before moving on to the other.

What this means to users is, if you have identical cost for all three sites and the local server is not responsive, it will round robin to whichever site is next, no matter the latency.


When it comes to the Site setup you only want the local DC associated with it (like the example I posted previously).
Third and foremost, Sites mean nothing if you do not set up the subnet associations properly.
Example:

Site A: No subnet associated
Site B: Subnet, but no DC
Site C: Subnet and 2 DCs from two different locations

Users in Site A see that there is a DC, but no subnet to isolate. Users will authenticate to any of the other two sites.
Users in Site B see that there is a site, but there are no DCs, so they will talk to Site A due to a lower cost than C.
Users in Site C see that there is a DC local and one from Site A. They will authenticate to A or C due to the misconfiguration of the Site.

If you have them setup properly

Site A : Subnet/Subnets for Site A: DC for Site A
Site B:       "
Site C:       "

Users from A will authenticate to A unless DC A is not available, and then will choose B or C because they have the same cost.
Users from B will authenticate to B unless DC B is not available, then they will go to Site A due to a lower cost than C.
Users from C will act the same way as B.
0
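The checks from this thread can be scripted rather than eyeballed. The PowerShell below is an added example (not code posted by yo_bee or Justin Owens, and not part of the original thread): it walks every site and flags the three misconfigurations the accepted answer describes (a site with no subnet, a site with a subnet but no DC, a site holding more than one DC so the locator can pick a remote one), lists the site link costs that decide where clients fall through when the local DC is down, and then shows the client-side view: the site the DC locator placed this machine in, the DC chosen for authentication (what `%LOGONSERVER%` / `set logon` reports), and the DC that actually served Group Policy (the `gpresult /r` line from the first answer), which can differ. It assumes the RSAT ActiveDirectory module on a domain-joined machine; `domain.local` is the placeholder domain name from the question.

```powershell
# Added example, not from the thread. Audits AD Sites and Services for the
# misconfigurations described in the accepted answer and shows which site/DC
# this client actually resolved to.
# Assumes: RSAT ActiveDirectory module installed, domain-joined client,
# and read access to the configuration partition.
Import-Module ActiveDirectory

$domain  = 'domain.local'   # placeholder from the question, change to your domain
$sites   = Get-ADReplicationSite -Filter *
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site
$dcs     = Get-ADDomainController -Filter *
$links   = Get-ADReplicationSiteLink -Filter * -Properties Cost, SitesIncluded

$report = foreach ($site in $sites) {
    # Subnet objects carry the DN of their site; DC objects carry the site name.
    $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })
    $siteDcs     = @($dcs     | Where-Object { $_.Site -eq $site.Name })
    $siteLinks   = @($links   | Where-Object { $_.SitesIncluded -contains $site.DistinguishedName })

    # Classify the site the way the accepted answer does.
    $finding = if ($siteSubnets.Count -eq 0) {
        'No subnet: clients can never be mapped here and will pick any DC'
    } elseif ($siteDcs.Count -eq 0) {
        'No DC: clients fall through to the lowest-cost linked site'
    } elseif ($siteDcs.Count -gt 1) {
        'Multiple DCs: confirm every one of them is physically local to this site'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Site    = $site.Name
        Subnets = ($siteSubnets.Name -join ', ')
        DCs     = ($siteDcs.HostName -join ', ')
        Links   = (($siteLinks | ForEach-Object { "$($_.Name)=$($_.Cost)" }) -join ', ')
        Finding = $finding
    }
}
$report | Format-Table -AutoSize -Wrap

# A subnet that exists but is not tied to any site is invisible to the DC locator.
$orphaned = @($subnets | Where-Object { -not $_.Site })
if ($orphaned.Count -gt 0) {
    Write-Warning "Subnets with no site: $($orphaned.Name -join ', ')"
}

# Client-side view. LOGONSERVER is the DC that authenticated this session
# (the value 'set logon' shows in cmd.exe); nltest shows the site the locator
# chose and the DC it would hand out now; gpresult shows the DC that served GP,
# which, as noted in the thread, is not necessarily the logon server.
Write-Host "LOGONSERVER : $env:LOGONSERVER"
Write-Host "Client site : $(nltest /dsgetsite | Select-Object -First 1)"
nltest "/dsgetdc:$domain"
gpresult /r | Select-String 'Group Policy was applied from'
```

Run it from an ordinary client in the site you are troubleshooting, not from a DC: the point is to see the locator's decision from the client's perspective. A site that reports `OK` but whose `Links` column shows the same cost in every direction will still round-robin across the WAN when its DC is down, which is the scenario the cost discussion above addresses.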
 

Author Closing Comment

by:DarthRater
ID: 37810871
yobee, this piece (%logonserver%\sysvol) awards you the slow clap. Thank you very much
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37811027
A good command to confirm that your clients are talking to the proper server is to run this from a command line:

set Logon
This will spit back the authentication server you are currently challenging.
0
 

Author Comment

by:DarthRater
ID: 37812197
Thanks, I have another client with multiple (20) sites in one Site Link. I take it this is also a poor practice?
0