Architecture of Windows Group Policy for Windows Server 2008 and Windows Vista

  • 3/5/2008

Domain Controller Selection During GPO Management

Consider a typical Active Directory environment that has multiple domain controllers. As you have seen, all domain controllers house a copy of each GPO. The replication of the GPOs is handled by the two replication technologies: DFSR and Active Directory replication. But which domain controller makes the initial changes to the GPOs?

The answer is quite simple. The domain controller that has the PDC emulator role is relied upon to make the changes to a GPO. Then this domain controller replicates the changes to the other domain controllers.

In some instances, you either cannot or do not want to use the domain controller that has the PDC emulator role to make the initial changes, and you may want to use another domain controller to update the GPOs. For these reasons, there is a built-in ability to alter the default behavior.

Using the PDC Emulator

Every time a GPO is viewed or changed, the GPMC and the GPME locate the domain controller that is responsible for the PDC emulator role. It is the GPO from this domain controller that is viewed and updated. There is no inherent reason for choosing this domain controller by default; one domain controller must be selected, because changes must occur on one domain controller and then replicate to all domain controllers. Because the PDC emulator is already responsible for many other critical domain tasks, it makes sense to use this domain controller for GPO updates as well.

There are times when the domain controller running the PDC emulator role is not available or is not the ideal candidate for updating the GPOs. If the PDC emulator is not available when a change must be made to a GPO, the system displays an error message, as shown in Figure 4-2.

Figure 4-2 When the domain controller running the PDC emulator role is not available for editing the GPO, an error message appears.

Note that not only does the system display a dialog box indicating that the domain controller is not available, it also gives you the option to choose a different domain controller. In most cases, the domain controller selected for updating a GPO has no effect on the result of the update. Sometimes, however, selecting a different domain controller results in faster or slower GPO deployment. This is because of the way in which a computer receives information regarding domain controllers during initial bootup. Computers receive a list of domain controllers from DNS that prioritizes them based on network location. The domain controllers in the computer's own site are first; then the other domain controllers follow. If you make a change to a GPO that is initially updated on a domain controller that is not in the target computer's site, it can take a while to replicate to the domain controller in the computer's site. This could cause a delay in the processing of the GPO until all replication converges.

Selecting the Domain Controller for GPO Editing

To eliminate the processing delay described in the previous section, you can select a domain controller that is in the computer’s site. Of course, you must know which site the target computers are in, as well as which domain controllers correspond to that site.

You can also control which domain controller is used when you edit a GPO within the GPMC. Again, this is beneficial when you want to update a specific domain controller to ensure the fastest and most reliable application of the policy settings. To change the domain controller used for editing GPOs from within the GPMC, follow these steps:

  1. Right-click the domain name in the GPMC window.

  2. Click Change Domain Controller.

  3. Make your selection from the list of possible domain controller options, as shown in Figure 4-3.

The next time you edit a GPO from within the GPMC, you will be using the domain controller that you selected. Do not forget that you changed the domain controller in the interface.
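The replication delay described above is easy to reason about but hard to see from the GPMC. The following PowerShell function is an added example, not part of the original chapter or of Microsoft's own tooling: it reads one GPO from every domain controller in the domain (the same per-DC targeting that the Change Domain Controller dialog performs in the GUI, here through the -Server parameter of Get-GPO) and reports which domain controllers still hold an older copy than the one on the PDC emulator. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the session runs under an account that can read GPOs on each DC; the GPO name used in the usage line is a constructed placeholder.

```powershell
# Added example (not from the original chapter): check whether a GPO that was edited
# on one domain controller has replicated to every other DC in the domain.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT) are available.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoReplication {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        # DC whose copy is treated as authoritative. Defaults to the PDC emulator,
        # because that is where the GPMC and GPME write changes by default.
        [string] $ReferenceDC = (Get-ADDomain).PDCEmulator
    )

    # Each edit increments two version numbers per half of the GPO: the AD (DS)
    # version, carried by Active Directory replication, and the SYSVOL version,
    # carried by DFSR. The two replicate independently, so both are compared.
    $ref = Get-GPO -Name $GpoName -Server $ReferenceDC -ErrorAction Stop

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $copy = Get-GPO -Name $GpoName -Server $dc.HostName -ErrorAction Stop
        } catch {
            # A DC that cannot be queried is reported rather than skipped, since an
            # unreachable DC is exactly the case the GPMC error dialog surfaces.
            [pscustomobject]@{
                DomainController = $dc.HostName
                Site             = $dc.Site
                ComputerAD       = $null
                ComputerSysvol   = $null
                UserAD           = $null
                UserSysvol       = $null
                Status           = "Unreachable: $($_.Exception.Message)"
            }
            continue
        }

        $status = 'Converged'
        if ($copy.Computer.DSVersion -lt $ref.Computer.DSVersion -or
            $copy.User.DSVersion     -lt $ref.User.DSVersion) {
            # AD replication has not yet delivered the latest edit to this DC.
            $status = 'Lagging (AD)'
        }
        if ($copy.Computer.SysvolVersion -lt $ref.Computer.SysvolVersion -or
            $copy.User.SysvolVersion     -lt $ref.User.SysvolVersion) {
            # DFSR has not yet delivered the updated SYSVOL files to this DC.
            $status = if ($status -eq 'Converged') { 'Lagging (SYSVOL)' } else { 'Lagging (AD and SYSVOL)' }
        }
        if ($status -eq 'Converged' -and
            ($copy.Computer.DSVersion -ne $copy.Computer.SysvolVersion -or
             $copy.User.DSVersion     -ne $copy.User.SysvolVersion)) {
            # AD and SYSVOL disagree on this DC: clients in its site may apply a
            # half-replicated GPO until both halves converge.
            $status = 'AD/SYSVOL version mismatch'
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            ComputerAD       = $copy.Computer.DSVersion
            ComputerSysvol   = $copy.Computer.SysvolVersion
            UserAD           = $copy.User.DSVersion
            UserSysvol       = $copy.User.SysvolVersion
            Status           = $status
        }
    }
}

# Usage (GPO name is a constructed placeholder): run right after editing a GPO and
# again a few minutes later to watch the other sites converge.
Test-GpoReplication -GpoName 'Example Workstation Policy' | Format-Table -AutoSize
```

Reading the output together with the Site column shows directly which domain controllers, and therefore which client sites, will still process the old version of the GPO; that is the situation the section describes, and it is the information you need to decide whether to point the GPMC at a domain controller in the target computers' site before making the edit.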

Figure 4-3 The domain controller used to edit GPOs can be selected from within the GPMC to optimize the application of the settings configured in the GPO.

Figure 4-4 The domain controller that is used for editing GPOs can be configured in a GPO, located under User Configuration\Administrative Templates\System\Group Policy.