How does a client choose the DC to get GPOs from?


    I have a strange problem I'm trying to sort out.

    I have 2 sites (SiteA and SiteB). SiteA has 2 DCs. SiteB has 1 DC which replicates between both DCs in SiteA.

    The clients in SiteB can connect to the local DC, and they can connect to one of the DCs in SiteA, but they can't connect to the second DC in SiteA due to firewalling.

    The clients in SiteB log userenv error 1054 in the event log and have trouble applying group policy, but sometimes group policy will apply fine. As an example, if I create a new GPO and apply it to the clients in SiteB it would usually take a few restarts before the new policy is visible in the RSOP for that client.

    They can all connect to \\domain\sysvol 100% of the time, and they never have any other domain-related errors.

    I always thought that clients within a site will perform all of their AD-related communications with the local DCs, but the only thing I can think of that explains this behaviour is that the clients are randomly selecting a DC to download the group policy from, and sometimes this DC happens to be the uncontactable one in SiteA.

    What am I missing here?
    Last edited by andrew.r; 22nd October 2009, 11:18.

  • #2
    Re: How does a client choose the DC to get GPOs from?


    In case anyone is interested in future, I resolved it.

    Turns out that all the W2K3 clients in SiteB were affected, but none of the W2K8 clients, even connecting to the local DC.

    The local DC was firewalled away from the clients in SiteB, and ping wasn't enabled between the two.

    I turned on userenv auditing and discovered that the errors were logged every time the clients tried to ping the local DC as part of the gpupdate process and failed, which resulted in an error called "ProcessGPOs: DSGetDCName failed with 59."

    Enabling ping between the two fixed the issue.

    I guess W2K8 doesn't rely on ping for its group policy processing.
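
The condition described in post #2, a DC that clients can reach for directory and SYSVOL traffic but that does not answer ping, can be checked per DC before Group Policy starts failing. The script below is an added example, not part of the original thread; the DC names are placeholders, the port list (389 for LDAP, 445 for SMB) is an assumption about what the firewall should allow, and it should be run from a client in the affected site so it sees the same firewall path.

```powershell
# Added example, not from the thread. DC names below are placeholders (assumption).
param(
    [string[]]$DomainControllers = @('dc1.example.test', 'dc2.example.test'),
    [int[]]$TcpPorts = @(389, 445),   # LDAP and SMB (SYSVOL)
    [int]$TimeoutMs = 2000
)

function Test-Icmp([string]$Target, [int]$TimeoutMs) {
    $ping = New-Object System.Net.NetworkInformation.Ping
    try     { return ($ping.Send($Target, $TimeoutMs).Status -eq 'Success') }
    catch   { return $false }   # unresolvable name or send failure
    finally { $ping.Dispose() }
}

function Test-Tcp([string]$Target, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    }
    catch   { return $false }
    finally { $client.Close() }
}

foreach ($dc in $DomainControllers) {
    $icmp = Test-Icmp $dc $TimeoutMs
    $open = @($TcpPorts | Where-Object { Test-Tcp $dc $_ $TimeoutMs })

    if ($icmp -and $open.Count -gt 0) { $verdict = 'OK' }
    elseif ($open.Count -gt 0)        { $verdict = 'TCP open, ICMP blocked: check firewall rules for ping' }
    elseif ($icmp)                    { $verdict = 'ICMP only: directory/SYSVOL ports blocked' }
    else                              { $verdict = 'Unreachable' }

    # One result object per DC so the output can be filtered or exported
    New-Object PSObject -Property @{
        DomainController = $dc
        IcmpReply        = $icmp
        OpenTcpPorts     = ($open -join ',')
        Verdict          = $verdict
    }
}
```

It uses only .NET classes rather than newer networking cmdlets, so it also runs on PowerShell 2.0.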