Solved

Sysvol Replication: or How I Learned To Stop Worrying And Love The NTDS

Posted on 2012-04-03
599 Views
Last Modified: 2012-06-21
I had a previous question that I felt was well answered but I wanted to open up a new one to get deeper into the process.  (The IP subnets are all configured for their sites.)

The goal is to get GPO software installs to pull from a targeted server based on location/subnet. Our current method is to have a different GPO for every server which really sucks.  The previous question's answer explained how to use Sites And Services to properly do this.

Our current setup is based more on ISP providers rather than logical layout. Since we need two sites to create a link, our main site is in every link. So our layout is:

Cable
Main Site (remote)
Site1 (local)
site3
etc
etc

Optaman
Main Site
site2
site4
etc
etc

So let's say I am in Site1. Now I noticed that when I ping domain.local the response is not always constrained to that link. I get responses from servers outside of my link. So my first question is:

Is ping a poor way to determine what server a GPO will pull from since GPO processing follows a different process? Also, what is the best way to determine what server a GPO would pull from... Would GPO modeling help with this?

Now, my proposed solution is to re-architect our site links. For example, If I am at Site 1 and I want all GPO Software installs located in sysvol to only process from that server/assigned subnet I will make a new Site Link:

Main Location
Main Site (remote)
Site1 (local)

So this leads to my second question.
If I have two sites in my link, one remote and one local to my location, what is stopping a client from skipping over Site1 and going to the other server in the link? What mechanism is being used by Group Policy to see the DC in that subnet and what influences the decision?
Question by:DarthRater

8 Comments
 
LVL 31

Assisted Solution

by:DrUltima
DrUltima earned 100 total points
Question 1:
Is ping a poor way to determine what server a GPO will pull from since GPO processing follows a different process? Also, what is the best way to determine what server a GPO would pull from... Would GPO modeling help with this?
Ping isn't a good way to determine this because your DNS entries for domain.local should be universal, not subnet specific.

To determine which server is presenting your GPOs to a client, you can use this command from the client:

gpresult /r

It will return something like this toward the top:

Group Policy was applied from:      FQDN_of_GPO_Server_Which_Presented_You

Question 2:
If I have two sites in my link, one remote and one local to my location, what is stopping a client from skipping over Site1 and going from the other server in the link? What mechanism is being used by Group Policy to see the DC in that subnet and what influences the decision?
Honestly, if Sites and Services are properly set up, clients should choose an AD Server within their Site/Subnet, but it will go outside the defined Site if it is seeking a faster response.  As a remote Site cost should be higher and should also be slower, there is very little chance of GPO being served from an alternate location.  Honestly, though, is your network so bottle-necked that it would matter?  If it is, I would suggest you have bigger fish to fry than what server is presenting GPO.

DrUltima
0
 
LVL 21

Expert Comment

by:yo_bee
Can you post a screenshot of all subnets and sites expanded.
This will give more insight to the settings.
0
 
LVL 21

Expert Comment

by:yo_bee
@Darth

As I posted in one of your other questions, Sites and Services, if properly configured, should only reference the DC that is part of that site.
If your Site has two DCs as part of it and one is local and the other is in a remote office, the client will just pick randomly which one to authenticate to.
This being said, if your GPO states to install an application via %logonserver%\SYSVOL and it authenticated to the remote office DC, then the install will happen from the remote DC.

An example is listed below.
S&S1
0
 
LVL 31

Expert Comment

by:DrUltima
Case in point, though, is that GPO is not always pushed from the LOGONSERVER.  On my Win 7 machine I am using, I have two different machines for logon server and GPO server.
0
 
LVL 21

Accepted Solution

by:yo_bee
yo_bee earned 400 total points
But if your GPO logon script has the UNC path %logonserver%\sysvol with a properly configured Sites & Services, you will always pull the exe or script from the local DC or whatever DC is associated with the Site, no matter which Server is supplying the GP settings.

This is how DFS works as well.  If you have a DFS namespace and you have a local file server that is in a replication group the users will be accessing the local file server and not traversing the WAN.  

That is why you must make sure that the Sites and Services is properly setup or you will have weird symptoms.  

To try and address Darth's question at hand  you should setup your Sites as logical groupings where you want to place your DC's and not your  link types.
The links are only for means of controlling how the sites communicate with each other.


Let's say you have three sites all with the same cost and all linked

Site A: Cost 100: DC1
Site B: Cost 100: DC2
Site C: Cost 100: DC3

This means that if Site A needs to replicate it will go to either B or C no matter the latency.  This is the same for the rest.
So if you have a High Speed connection between A-C and A-B you want the cost to be lower than B-C, forcing the other 2 sites (B & C) to always talk to A first before moving on to the other.

What this means to users is if you have identical cost for all three sites and the local server is not responsive it will round robin to whichever site next no matter the latency.


When it comes to the Site setup you only want the local DC associated with it (like the example I posted previously).
Third and foremost, Sites mean nothing if you do not set up the subnet association properly.  
Example:

Site A: No Subnet associated
Site B: Subnet, but no DC
Site C: Subnet and 2 DC's from two different locations.

Users in Site A see that there is a DC, but no subnet to isolate.  Users will authenticate to any of the other two sites.
Users in Site B see that there is a site, but there are no DC's, so they will talk to Site A due to a lower cost than C.
Users in Site C see that there is a DC local and one from Site A.  They will authenticate to A or C due to the misconfiguration of the Site.

If you have them setup properly

Site A : Subnet/Subnets for Site A: DC for Site A
Site B:       "
Site C:       "

Users from A will authenticate to A unless DC A is not available, and then will choose B or C because they have the same cost.
Users from B will authenticate to B unless DC B is not available, then it will go to Site A due to a lower cost than C.
Users from C will act the same way as B.
0
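The three misconfigurations yo_bee lists above (a site with no subnet, a site with no DC, a site holding DCs from two locations) and the equal-cost link problem can all be read straight out of the configuration partition. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module (Server 2012 or later) and read access to Sites and Services. Function names such as Get-SiteAudit are this example's own.

```powershell
# Added example (not from the original thread): audit AD Sites and Services for the
# cases described in the accepted answer. Assumes the ActiveDirectory module is present.
Import-Module ActiveDirectory

function Get-SiteAudit {
    # One row per site: its subnets, its DCs, and any of the three "bad example" conditions.
    $sites   = Get-ADReplicationSite -Filter *
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site
    $dcs     = Get-ADDomainController -Filter *

    foreach ($site in $sites) {
        # Subnet.Site holds the site's DN; DomainController.Site holds the site's name.
        $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })
        $siteDcs     = @($dcs     | Where-Object { $_.Site -eq $site.Name })

        $issues = @()
        if ($siteSubnets.Count -eq 0) { $issues += 'no subnet: no client is ever mapped to this site (Site A case)' }
        if ($siteDcs.Count -eq 0)     { $issues += 'no DC: clients fall through to the cheapest linked site (Site B case)' }
        if ($siteDcs.Count -gt 1)     { $issues += 'more than one DC: confirm every DC here is physically local (Site C case)' }

        [pscustomobject]@{
            Site    = $site.Name
            Subnets = ($siteSubnets.Name -join ', ')
            DCs     = ($siteDcs.HostName -join ', ')
            Issues  = ($issues -join '; ')
        }
    }
}

function Get-SiteLinkAudit {
    # One row per site link, plus a warning when every link carries the same cost,
    # which is the "round robin to whichever site next" situation described above.
    $links = @(Get-ADReplicationSiteLink -Filter * -Properties Cost, SitesIncluded)

    foreach ($link in $links) {
        # SitesIncluded is a list of site DNs; keep only the CN for readability.
        $names = @($link.SitesIncluded | ForEach-Object { (($_ -split ',')[0] -replace '^CN=') })
        $note  = if ($names.Count -gt 2) { 'more than two sites in one link: cost no longer expresses a preferred path' } else { '' }
        [pscustomobject]@{ Link = $link.Name; Cost = $link.Cost; Sites = ($names -join ', '); Note = $note }
    }

    $costs = @($links.Cost | Select-Object -Unique)
    if ($links.Count -gt 1 -and $costs.Count -eq 1) {
        Write-Warning "All $($links.Count) site links share cost $($costs[0]); failover between sites is not ordered."
    }
}

Get-SiteAudit     | Format-Table -AutoSize
Get-SiteLinkAudit | Format-Table -AutoSize
```

Run it from any domain-joined admin workstation with RSAT. An empty Issues column for every site and a mix of link costs is the configuration yo_bee describes as "set up properly"; anything else explains why a client in Site1 may be served from a DC in another site.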
 

Author Closing Comment

by:DarthRater
yobee, this piece (%logonserver%\sysvol) awards you the slow clap. Thank you very much
0
 
LVL 21

Expert Comment

by:yo_bee
A good command to confirm that your clients are talking to the proper server is to run this from a command line:

set Logon
This will spit back the Authentication server you are currently challenging.
0
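DrUltima's gpresult /r check and yo_bee's set Logon check answer different questions (which DC handed out Group Policy versus which DC the client logged on to), and DrUltima notes they can disagree on the same machine. The snippet below is an added example, not from either expert or the original thread, that pulls all three values on a client (the GPO source, LOGONSERVER, and the DC the locator returns for the client's site via nltest /dsgetdc) so the three can be compared in one view. It assumes a domain-joined Windows client with gpresult.exe and nltest.exe available; the function names are this example's own.

```powershell
# Added example (not from the original thread): show, side by side, the DC that served
# Group Policy, the logon server, and the DC the locator picks for this client's site.
# Assumes a domain-joined Windows client; run as the interested user (gpresult /r reports
# the user scope without elevation, the computer scope needs an elevated prompt).

function Get-GpoSourceDc {
    # gpresult /r prints "Group Policy was applied from: <DC FQDN>" once per scope.
    $found = @()
    foreach ($line in (& gpresult.exe /r 2>$null)) {
        if ($line -match 'Group Policy was applied from:\s*(\S+)') { $found += $Matches[1] }
    }
    $found | Select-Object -Unique
}

function Get-LocatorDc {
    # nltest /dsgetdc asks the DC locator which DC it returns for this client and which
    # site the client's IP was mapped to ("Our Site Name"). An unmapped subnet shows up
    # here as an empty or unexpected site name.
    $dc = $null; $site = $null
    foreach ($line in (& nltest.exe /dsgetdc:$env:USERDNSDOMAIN 2>$null)) {
        if ($line -match '^\s*DC:\s*\\\\(\S+)')        { $dc   = $Matches[1] }
        if ($line -match 'Our Site Name:\s*(\S+)')     { $site = $Matches[1] }
    }
    [pscustomobject]@{ DC = $dc; ClientSite = $site }
}

function Test-DcAlignment {
    $gpoDcs  = @(Get-GpoSourceDc)
    $locator = Get-LocatorDc
    $logon   = $env:LOGONSERVER.TrimStart('\')   # same value "set Logon" shows, minus the leading \\

    [pscustomobject]@{
        ClientSite      = $locator.ClientSite
        LocatorDc       = $locator.DC
        LogonServer     = $logon
        GpoServedFrom   = ($gpoDcs -join ', ')
        # DrUltima's observation: these two need not match on the same machine.
        GpoMatchesLogon = [bool]($gpoDcs | Where-Object { $_ -eq $logon -or $_ -like "$logon.*" })
    }
}

Test-DcAlignment | Format-List
```

If ClientSite is not the site you expect for the machine's subnet, the subnet-to-site mapping is the first thing to fix; if it is correct but LocatorDc lives elsewhere, the site has no DC of its own and the client has fallen through to the cheapest linked site.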
 

Author Comment

by:DarthRater
Thanks, I have another client with multiple (20) sites in one Site Link. I take it this is also a poor practice?
0