  • GPO default server

    I'm trying to figure out how I can control what server gives out GPO to clients. I have 3 2003 servers in the same domain but in different locations and sites. I do a gpresult on a client PC and it shows the workstations grabbing the GPO from a server that's 300 miles away.

    How can I control what server hands out GPOs to clients? I would like the local server to give out GPOs to local users.

    Thanks in advance.

  • #2
    Re: GPO default server

    Break up your domain into sites? The local DC at the local site should hand out Policies/process authentication without needing to go across WAN links to do it (assuming each site has a DC locally, of course.)

    If not, it might be time to upgrade/redesign.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: GPO default server

      GPOs get applied from the Domain Controller that the client has found through the normal domain controller location process.

      "domain controller location process":

      By default the client will query DNS asking for a DC that is in the same site (*). The client therefore uses the site name that is cached in the registry.
      If for any reason no site-specific DNS record can be found for this site, or if a client does not yet know any site names, the Locator begins to search for a DNS record that is not site-specific (**).

      On the client, under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, the value of DynamicSiteName is the name of the site that is used by the DC locator process by default. After the client has logged on successfully, the DC will then determine on the basis of the actual client IP address what the closest site is to the client by querying the sites information stored in AD. The client updates the information in the registry automatically based on new information returned by the DC.

      When the client IP address cannot be found in the subnet-to-site mapping table, the domain controller returns a NULL site name, and the client uses the returned domain controller.

      If there is also an entry named SiteName under the above registry key, it is static. The locator always uses this specific site to start querying DNS for a DC.
      (*) The client finds a DC (writeable DC or RODC) in a particular site via site-specific DNS SRV records. The SRV record by default was registered in DNS automatically by a DC.

      (**) The client finds any DC (writable DCs) in the domain by a DNS SRV record that by default was registered automatically in DNS by the DC. The DCs in the domain list are in a random order and provided by the DNS round robin mechanism. Read-Only DCs (RODCs) in Windows Server 2008 will not register domain-wide SRV records; they only register SRV records for the AD site they are in.


      If you look at the situation where a portable client queries for a DC in the domain because it does not know yet in what AD site it currently is in, it can be somewhat interesting when you find out the client is communicating with some DC on the other side of the world. <: http://blogs.dirteam.com/blogs/jorge...k8-part-1.aspx>
      Since you already have configured multiple sites:
      check the SRV records on the DNS servers used by the client;
      check the client's current IP config and check the Netlogon Parameters in the registry on the client;
      check also if there might be any replication issues;
      and run through this article http://technet.microsoft.com/en-us/l.../cc978016.aspx

      /Rems
      Last edited by Rems; 7th January 2012, 01:54.

      This posting is provided "AS IS" with no warranties, and confers no rights.

      __________________

      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts

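      A client-side check of the locator process described in post #3, added here as an example that is not part of the thread: it reads the Netlogon site name from the registry, looks up the site-specific and domain-wide SRV records, and compares them with the DC that nltest actually returns. The domain name is a placeholder, and the script assumes a current domain-joined Windows client that has Resolve-DnsName and nltest.exe.

```powershell
# Added diagnostic script (not from the thread). Assumes a domain-joined Windows
# client with the DnsClient module (Windows 8 / Server 2012 or later) and nltest.exe.
# The domain name is a placeholder; replace it with your own.
param([string]$Domain = 'domainA.company.com')

# 1. Which site does Netlogon think this client is in?
$params      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$staticSite  = $params.SiteName          # only present when someone hard-coded it
$dynamicSite = $params.DynamicSiteName   # learned from the DC after logon
$site = if ($staticSite) { $staticSite } else { $dynamicSite }
"Registry site name: $site (static override present: $([bool]$staticSite))"

# 2. Do site-specific SRV records exist for that site, and which DCs do they list?
$siteSrv = "_ldap._tcp.$site._sites.dc._msdcs.$Domain"
try {
    $siteDCs = Resolve-DnsName -Name $siteSrv -Type SRV -ErrorAction Stop |
               Where-Object QueryType -eq 'SRV' |
               Select-Object -ExpandProperty NameTarget
} catch { $siteDCs = @() }
"Site-specific SRV ($siteSrv): $(if ($siteDCs) { $siteDCs -join ', ' } else { '<none>' })"

# 3. Domain-wide (non site-specific) SRV records, which the locator falls back to
$domainDCs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
             Where-Object QueryType -eq 'SRV' |
             Select-Object -ExpandProperty NameTarget
"Domain-wide SRV: $($domainDCs -join ', ')"

# 4. What does the DC locator return right now, and which sites does it report?
$locator = nltest /dsgetdc:$Domain /force 2>&1
$locator | Where-Object { $_ -match 'DC:|Dom Site Name|Our Site Name' }

# 5. Flag the symptom from the original post: the returned DC is not one of
#    the DCs registered for our own site.
$dcName = ($locator | Where-Object { $_ -match '^\s*DC:' }) -replace '.*DC:\s*\\\\', ''
if ($siteDCs -and ($siteDCs -notcontains $dcName)) {
    Write-Warning "Locator returned $dcName, which is not registered under $siteSrv."
    Write-Warning "Check that DC's SRV registration and the subnet-to-site mapping in AD Sites and Services."
}
```

      If step 2 prints "<none>" while step 3 lists DCs, the client is falling back to the domain-wide records, which is exactly the case where it can end up on a DC in another location.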


      • #4
        Re: GPO default server

        Originally posted by RicklesP View Post
        Break up your domain into sites? The local DC at the local site should hand out Policies/process authentication without needing to go across WAN links to do it (assuming each site has a DC locally, of course.)

        If not, it might be time to upgrade/redesign.


        I have domain controllers in sites for each domain. I have a domain controller in each location for each domain. I ran gpresult on a user's workstation and the GPO is coming from a server we have in our Dallas location and the user is in the Houston location.



        • #5
          Re: GPO default server

          Originally posted by hlobell View Post
          I have domain controllers in sites for each domain.
          How many domains do you have? If you have a domain for each location then the user and/or computer will need to authenticate against a domain controller in its own domain. If Dallas has a domain and all the domain controllers for the Dallas domain are in Dallas, then users and computers that are part of the Dallas domain, regardless of where they travel to, need to authenticate against the domain controllers in Dallas.
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com



          • #6
            Re: GPO default server

            Originally posted by JeremyW View Post
            How many domains do you have? If you have a domain for each location then the user and/or computer will need to authenticate against a domain controller in its own domain. If Dallas has a domain and all the domain controllers for the Dallas domain are in Dallas, then users and computers that are part of the Dallas domain, regardless of where they travel to, need to authenticate against the domain controllers in Dallas.
            We have 3 domains: domainA.company.com, domainB.company.com, domainC.company.com

            We have 3 locations: Spring, Houston, Dallas

            Company users are in Spring. We have a domain controller in Spring, Houston and Dallas for each domain A, B and C. Users are authenticating off the Dallas DC but users are located in Spring.

            DomainB is located in Houston. We have a Citrix Farm and our clients auth off DomainB. These servers are in a Data Center. But we also have a DC for domain A and C in this location.

            DomainC is our web domain. All web servers are in domainC. This domain I'm not worried about because we don't allow our web stuff to connect to any internal stuff. We do have a one way trust to the Web domain.

            To recap, DomainB is in Houston Data Center and is for our clients that access our apps through Citrix and client accounts are set up in DomainB. We have a DC for DomainB which holds all the FSMO roles. We also have a DC for domainA and DomainC in this location.

            DomainA is in Spring. This is for all employees. Spring location has a domain controller for each domain, A, B and C.



            • #7
              Re: GPO default server

              It's either the DNS records of the DCs are not registered properly or the subnets have not been configured properly in ADSS. (Note that you cannot use summarized subnets when configuring ADSS.)
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com
