GPO/Logon concern

  • GPO/Logon concern

    Hello everybody!

    I've touched on this problem before...sort of, but am noticing it on a different environment, and have seen a couple of other indications as to why I think something's not right...Hopefully someone will be able to shed some light

    I'm building an AD infrastructure which is spanning 50-odd sites. Single domain. Each site has a DC, DNS server + DHCP.

    The primary DC is in a datacentre, and most of the config is done from here. All sites are on a nationwide MPLS with the firewall in the same datacentre being the breakout point. There is no need for each site to talk to other sites (and it is in fact a customer requirement due to security issues), so both the network and the AD design are very much hub and spoke.

    I've configured separate site links for the Datacentre DC and each site, and removed them from the DEFAULTSITELINK. The intention was simply for hub-and-spoke based replication - this seems to be working fine...

    What's concerning me is that GPOs are taking forever to take effect on client machines. Even if the GPO was configured on the DC local to that client.

    What I've noticed is that when I log on to a client PC, and type in 'SET' into the command prompt, the LOGONSERVER changes every single time to DCs in other sites completely randomly. It's as if there's a DNS round robin load balancer.

    What I think is happening is the client will then try and download the GPOs from the DC it logged on to, and if that site hadn't yet got the latest replica, it won't be able to download it.

    Surely this is part of the point of having Sites and Services? So that if the IP of the client is in the same subnet as defined in Sites and Services, it would authenticate/download GPOs from that DC?

    Any help would be GREATLY appreciated!

  • #2
    Re: GPO/Logon concern

    PS...If for example I create a user on Site20's DC (this was purely for a test), and then try to log on to one of the clients in Site20, it will not be able to find the user for about 30-45 mins, which I presume is because it has to replicate to all DCs, and the client then picks one at random...

    Can clients not be forced to use the local DC for auth and GPOs?




    • #3
      Re: GPO/Logon concern

      I presume you have checked your subnets are correctly defined and assigned to sites correctly?

      Check the DHCP servers are set to give the local DNS server (and maybe the central site) only
      Check DNS has the correct reverse lookup zones and that the SRV records exist and are correctly weighted

      What are the event logs showing about replication between DCs?

      Have you tried DCDIAG?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd

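The checks listed in this reply (subnet-to-site mapping, DNS server assignment, SRV records and their weights) can be run from a client in one go. The script below is an added example, not something posted in the thread. It assumes the RSAT ActiveDirectory module and the DnsClient module are available on the workstation, and the domain name `corp.example` and client address `10.20.0.15` are hypothetical placeholders. The point it illustrates is that the DC locator only asks for site-specific SRV records (`_ldap._tcp.<site>._sites.dc._msdcs.<domain>`) when the client's IP falls inside a subnet defined in Sites and Services; an unmapped client falls back to the generic `_ldap._tcp.dc._msdcs.<domain>` record set, which is exactly the "round robin across every DC" behaviour described above.

```powershell
# Added example (not from the thread): client-side DC locator checks.
# Run on a domain-joined workstation with RSAT (ActiveDirectory) and DnsClient.
# Hypothetical defaults: domain 'corp.example', client IP '10.20.0.15'.
param(
    [string]$Domain   = 'corp.example',
    [string]$ClientIP = '10.20.0.15'
)

function Test-IPInSubnet {
    # Returns $true when an IPv4 address lies inside a CIDR block, e.g. '10.20.0.0/24'.
    param([string]$IP, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $toInt = {
        param($a)
        $b = ([System.Net.IPAddress]$a).GetAddressBytes()
        ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
    }
    $mask = (([long]0xFFFFFFFF) -shl (32 - [int]$bits)) -band [long]0xFFFFFFFF
    ((& $toInt $IP) -band $mask) -eq ((& $toInt $net) -band $mask)
}

# 1. Which site does the locator think this client is in? (first line of nltest output)
$site = (nltest /dsgetsite | Select-Object -First 1).Trim()
"Locator site for this client : $site"

# 2. Does the client IP fall inside any subnet defined in Sites and Services?
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site
$hit = $subnets | Where-Object { $_.Name -notmatch ':' -and (Test-IPInSubnet $ClientIP $_.Name) }
if ($hit) {
    foreach ($s in $hit) {
        $siteName = (($s.Site -split ',')[0]) -replace '^CN='
        "Subnet $($s.Name) -> site $siteName"
    }
} else {
    "WARNING: $ClientIP is not covered by any AD subnet; the locator will use the generic DC records."
}

# 3. Which DCs advertise for this site, and with what priority/weight?
$siteSrv = "_ldap._tcp.$site._sites.dc._msdcs.$Domain"
"Site-specific SRV records ($siteSrv):"
Resolve-DnsName -Name $siteSrv -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port | Format-Table -AutoSize

# 4. The generic record set, for comparison (every DC in the domain shows up here).
$genericSrv = "_ldap._tcp.dc._msdcs.$Domain"
"Generic SRV records ($genericSrv):"
Resolve-DnsName -Name $genericSrv -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight | Format-Table -AutoSize

# 5. Which DNS servers is this client actually using?
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 6. Ask the locator for a fresh answer (bypassing the cached DC) and see who it picks.
nltest /dsgetdc:$Domain /force
```

If step 2 prints the warning, or step 3 returns DCs from other sites (or none), the client is being served by DNS round robin over the generic records and no amount of GPO tuning will fix it; correct the subnet objects (or the site-specific SRV registrations of the local DC) first.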


      • #4
        Re: GPO/Logon concern

        Hey Ossian,

        Yeah, 3 million % sure, sites and services are set up correctly.

        Part of the project is that DHCP is only used for guest access. All physical ports are locked, and all clients workstations are given static IPs. Have checked and double checked, and they are pointing to the local DNS server.

        Event logs look very clean actually, and repadmin is showing replication has completed successfully.

        Yeah, did a DCDIAG yesterday, and everything passed OK.

        I found something on Google yesterday (but cannot remember where it is or what I typed to find it) that it does use some sort of DNS round robin...although I can't see this being correct...! I'm a bit reluctant to disable this, I may try it in a test environment if I get a chance.


        • #5
          Re: GPO/Logon concern

          It seems like this is just a 'feature'....

          When I do a gpresult it says where the GPO was obtained from, and it's always another server other than the one local to the client.

          If I type in 'SET' and look at the logon server, it usually matches up with the DC that the GPO was obtained from, although if I change this, and run gpupdate, it doesn't change the location the GPO was obtained from.

          The links between the sites are probably borderline on the default slow link threshold as there is a lot of data going back and forth, which will basically disable certain policies (like folder redirection etc), rather than picking a DC on a higher speed connection (I think..?)

          Yes I can increase the slow link threshold so policies aren't excluded, but it would just be a lot more efficient if policies were downloaded from the local DC on the gigabit network, rather than from another site on the MPLS at ADSL speeds...

          Any ideas anyone?


          • #6
            Re: GPO/Logon concern

            OK, I haven't tested this yet, but I think it could be what I'm looking for.

            Add a DWord entry on the DCs called 'AutoSiteCoverage' in

            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

            and set the value to '0'

            AD automatically 'load balances' auth requests even to clients outside of its own site. From what I understand this prevents that.

            Thought I would post as there's been a number of other people I've seen with the same problem.
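The registry change described above, as an added example that is not part of the original post, with a verification step. The key path and value name are the real Netlogon parameters; when the value is absent the DC behaves as if it were 1 (automatic site coverage enabled). One caveat worth knowing before applying it: automatic site coverage only makes a DC register site-specific SRV records for sites that have no DC of their own (or whose DC has not registered its records), using site-link cost to pick the nearest DC. In a design where every site already has a working DC it changes nothing, so it is worth confirming which sites each DC actually publishes records for, which is what the last loop does. The script assumes it is run elevated on a DC with the ActiveDirectory and DnsClient modules present.

```powershell
# Added example (not from the thread): disable Netlogon automatic site coverage
# on this DC, verify the value, then list which sites this DC still publishes
# site-specific LDAP SRV records for. Run elevated on each DC.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-AutoSiteCoverage {
    # Absent value means the default, which is enabled (1).
    $v = Get-ItemProperty -Path $key -Name AutoSiteCoverage -ErrorAction SilentlyContinue
    if ($null -eq $v) { 1 } else { [int]$v.AutoSiteCoverage }
}

function Set-AutoSiteCoverage {
    param([ValidateSet(0, 1)][int]$Value)
    New-ItemProperty -Path $key -Name AutoSiteCoverage -PropertyType DWord -Value $Value -Force | Out-Null
    Restart-Service -Name Netlogon      # Netlogon re-evaluates coverage on start
    nltest /dsregdns | Out-Null          # force immediate re-registration of this DC's DNS records
}

"Before: AutoSiteCoverage = $(Get-AutoSiteCoverage)"
Set-AutoSiteCoverage -Value 0
"After:  AutoSiteCoverage = $(Get-AutoSiteCoverage)"

# Which sites does this DC register _ldap._tcp.<site>._sites records for?
# With coverage disabled this should be only the DC's own site.
$domain = (Get-ADDomain).DNSRoot
$me     = "$env:COMPUTERNAME.$domain"
foreach ($siteName in (Get-ADReplicationSite -Filter *).Name) {
    $rec = Resolve-DnsName -Name "_ldap._tcp.$siteName._sites.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget.TrimEnd('.') -eq $me }
    if ($rec) { "$env:COMPUTERNAME registers LDAP SRV for site: $siteName" }
}
```

Records a DC registered while coverage was on are not necessarily removed the instant the setting changes; if the final loop still lists sites other than the DC's own, check those records in the DNS console (or with `Resolve-DnsName` from another host after the TTL expires) before concluding the setting had no effect.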