Group Policy points to wrong DC



  • As the title suggests, I have recently been having a hell of a time getting policies to apply in a timely manner.

    I ran gpresult /z and it returned our backup DC instead of the primary.

    So I start researching how to possibly point Group Policy at the main DC and come up with either "it can't be done", or you have to adjust the "weight" of the DCs and make the main one "heavier", which I mostly understand, but won't explain because the Registry key change they suggested doesn't exist and the walkthrough was from 2013 so it possibly doesn't apply.

    So I'm in AD Sites and Services and see that our backup DC is set for replication intervals of 180 minutes (explains the less than timely policy updates). And now I'm finding and reading all I can on how to configure and understand AD Sites and Services.

    I'm wondering, should my main DC and backup DC be in the same "SITE" (Default-First-Site-Name) or is them having an IP Inter-Site Transport really the only important detail here? If, from what I've read so far, the Inter-Site Transport is responsible for replication, then I feel like moving the backup to another "SITE" would be the right move as they will still be set for replication because they are still present in the Inter-Site Transport. However, after doing this nothing has changed and gpresult /z still returns backup DC.

    Is AD Sites and Services even what I should be looking at?



  • @G-I-Jones said in Group Policy points to wrong DC:

    As the title suggests, I have recently been having a hell of a time getting policies to apply in a timely manner.

    I ran gpresult /z and it returned our backup DC instead of the primary.

    So I start researching how to possibly point Group Policy at the main DC and come up with either "it can't be done", or you have to adjust the "weight" of the DCs and make the main one "heavier", which I mostly understand, but won't explain because the Registry key change they suggested doesn't exist and the walkthrough was from 2013 so it possibly doesn't apply.

    So I'm in AD Sites and Services and see that our backup DC is set for replication intervals of 180 minutes (explains the less than timely policy updates). And now I'm finding and reading all I can on how to configure and understand AD Sites and Services.

    I'm wondering, should my main DC and backup DC be in the same "SITE" (Default-First-Site-Name) or is them having an IP Inter-Site Transport really the only important detail here? If, from what I've read so far, the Inter-Site Transport is responsible for replication, then I feel like moving the backup to another "SITE" would be the right move as they will still be set for replication because they are still present in the Inter-Site Transport. However, after doing this nothing has changed and gpresult /z still returns backup DC.

    Is AD Sites and Services even what I should be looking at?

    Are your DCs in the same physical site (NOT separated by WAN or VPN)? If so, then yes, Main DC and backup DC should be in the same site.

    Regardless, you may want to cut that replication time from 3 hours down to something more reasonable like 15 minutes. Our AD servers here are in the "Default-First-Site-Name" and generally replicate nearly real time.



  • What is the output of Get-ADDomainController -Discover -Service PrimaryDC ?



    Regardless, you may want to cut that replication time from 3 hours down to something more reasonable like 15 minutes. Our AD servers here are in the "Default-First-Site-Name" and generally replicate nearly real time.

    You know, I thought about that, but wondered if that would bog down the network.



  • @G-I-Jones said in Group Policy points to wrong DC:

    Regardless, you may want to cut that replication time from 3 hours down to something more reasonable like 15 minutes. Our AD servers here are in the "Default-First-Site-Name" and generally replicate nearly real time.

    You know, I thought about that, but wondered if that would bog down the network.

    If your AD servers are on the same network, it shouldn't bog it down. Shouldn't even come close.



  • @DustinB3403 said in Group Policy points to wrong DC:

    What is the output of Get-ADDomainController -Discover -Service PrimaryDC ?

    It points to the main DC



    Are your DCs in the same physical site (NOT separated by WAN or VPN)? If so, then yes, Main DC and backup DC should be in the same site.

    So it sounds like there isn't a way to choose the DC that Group Policy reads from. Or at least set a priority for one.



  • @G-I-Jones said in Group Policy points to wrong DC:

    Are your DCs in the same physical site (NOT separated by WAN or VPN)? If so, then yes, Main DC and backup DC should be in the same site.

    So it sounds like there isn't a way to choose the DC that Group Policy reads from. Or at least set a priority for one.

    Correct, as every DC is a "master" you can choose where a role resides, but they are supposed to be equal.



  • @G-I-Jones said in Group Policy points to wrong DC:

    @DustinB3403 said in Group Policy points to wrong DC:

    What is the output of Get-ADDomainController -Discover -Service PrimaryDC ?

    It points to the main DC

    There isn't a concept of "main" in Active Directory. There was a primary and secondary concept in non-AD systems that went away in 1999. But now, they are just a pool of equal peers since 2000 when AD was released. Nothing with AD in the name has ever had a main vs. non-main.



    First of all, you need to have sites properly set up if you have more than one DC. Replication can be quick between DCs in the same site. Your client devices will use the DC that is in their same site, and if there's more than one DC in its site, the best DC will be chosen... which leads to the second point.

    Secondly, there are no "Backup DCs". It's not something you use like that, and it really makes sense why. It's a HA system by design, think CDN style if you see what I mean.



  • @G-I-Jones said in Group Policy points to wrong DC:

    Is AD Sites and Services even what I should be looking at?

    My guess is no, because I take it both DCs are in the same physical and logical site atm.

    If your second DC is in a different site on a different subnet, then yes, you should look at sites and services, and properly configure it so that devices in the second site are using the second DC. If one goes down, clients will know to use the second one, if the environment is properly configured.



  • @Obsolesce said in Group Policy points to wrong DC:

    First of all, you need to have sites properly set up if you have more than one DC.

    Not if you only have a single site 😉



    Your client devices will use the DC that is in their same site, and if there's more than one DC in its site, the best DC will be chosen... which leads to the second point.

    I guess what I was playing at was how I could trick the process of "the best DC will be chosen". I figured if I moved the secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most important, I can just manage Group Policy on the secondary and there wouldn't be a wait, and two, I don't have a full understanding of how Windows picks the "best DC". Is it hops? Is it strictly Subnet? Maybe I'll look into that at some point. For now I'll consider this issue solved.



  • @Obsolesce said in Group Policy points to wrong DC:

    Secondly, there are no "Backup DCs". It's not something you use like that, and it really makes sense why. It's a HA system by design, think CDN style if you see what I mean.

    Thanks for the heads up on the terminology. ✊🏼



  • @G-I-Jones said in Group Policy points to wrong DC:

    Your client devices will use the DC that is in their same site, and if there's more than one DC in its site, the best DC will be chosen... which leads to the second point.

    I guess what I was playing at was how I could trick the process of "the best DC will be chosen".

    So if this is just an exercise in learning. Great. If not, let's back up. Why do you want to do this? What makes you feel one is better than another?



  • @scottalanmiller said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    Your client devices will use the DC that is in their same site, and if there's more than one DC in its site, the best DC will be chosen... which leads to the second point.

    I guess what I was playing at was how I could trick the process of "the best DC will be chosen".

    So if this is just an exercise in learning. Great. If not, let's back up. Why do you want to do this? What makes you feel one is better than another?

    It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DCs) for a GPO to apply.



  • @G-I-Jones said in Group Policy points to wrong DC:

    e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i

    As I recall - it's either whichever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whoever answers first.

    On the client machine in question, open CMD and type set.

    The listed logon server is who the client device will use by default for all domain services, unless it doesn't respond, then the machine will query DNS again.
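    The check above can be scripted. As an added example that is not from the thread, the PowerShell below reports the client's logon server, what the DC locator returns on a fresh lookup, and then compares each GPO's AD and SYSVOL version numbers across every DC in the domain, so you can see which policies have not finished replicating yet (the cause of "my change isn't showing up" when the client happens to be talking to the other DC). It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that it is run as a domain user who can read the GPOs.

```powershell
# Added example (not from the thread): which DC is this client using, and have the
# GPOs finished replicating to every DC? Requires RSAT (ActiveDirectory + GroupPolicy).
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. The DC this session authenticated against; same value that `set` shows as LOGONSERVER.
$logonServer = $env:LOGONSERVER.TrimStart('\')
Write-Host "Logon server (from environment): $logonServer"

# 2. What the DC locator picks right now, forcing a fresh lookup instead of the cached answer.
$located = Get-ADDomainController -Discover -ForceDiscover
Write-Host "DC locator result: $($located.HostName) in site $($located.Site)"

# 3. Compare GPO version numbers on every DC. A GPO whose AD (DSVersion) or SYSVOL
#    (SysvolVersion) numbers differ between DCs has not replicated everywhere yet.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($gpo in Get-GPO -All) {
    $versions = foreach ($dc in $dcs) {
        $g = Get-GPO -Guid $gpo.Id -Server $dc      # read the GPO as that DC sees it
        [pscustomobject]@{
            DC          = $dc
            ComputerDS  = $g.Computer.DSVersion
            ComputerSys = $g.Computer.SysvolVersion
            UserDS      = $g.User.DSVersion
            UserSys     = $g.User.SysvolVersion
        }
    }
    $distinct = @($versions | Select-Object ComputerDS, ComputerSys, UserDS, UserSys -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "GPO '$($gpo.DisplayName)' is not consistent across DCs yet:"
        $versions | Format-Table -AutoSize
    }
}
```

    If step 3 prints no warnings, the GPO you edited is already identical on both DCs and the delay you are seeing is the client-side refresh interval, not replication.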



  • @G-I-Jones said in Group Policy points to wrong DC:

    @scottalanmiller said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    Your client devices will use the DC that is in their same site, and if there's more than one DC in its site, the best DC will be chosen... which leads to the second point.

    I guess what I was playing at was how I could trick the process of "the best DC will be chosen".

    So if this is just an exercise in learning. Great. If not, let's back up. Why do you want to do this? What makes you feel one is better than another?

    It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DCs) for a GPO to apply.

    Then, as you suggested, you need to see which server your client is querying, and make your changes directly there - then you can run gpupdate /force and you'll see your changes nearly immediately.
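    One way to do what Dashrender suggests from PowerShell, as an added example that is not part of the thread: write the GPO setting to the specific DC the client authenticated against, optionally push replication so the other DCs catch up now rather than on the schedule, then refresh on the client and confirm which DC served the policy. The GPO name "Workstation Baseline" is hypothetical and the registry value is just an example setting; the script assumes the GroupPolicy RSAT module, rights to edit the GPO and to trigger replication, and an elevated prompt for the computer-scope gpresult.

```powershell
# Added example (not from the thread): edit the GPO on the client's own DC, push
# replication, and verify. GPO name is hypothetical; run from an elevated prompt.
Import-Module GroupPolicy

$dc  = $env:LOGONSERVER.TrimStart('\')   # the DC this client authenticated against
$gpo = 'Workstation Baseline'            # hypothetical GPO name

# Write the setting to that specific DC (same effect as GPMC's "Change Domain Controller").
Set-GPRegistryValue -Name $gpo -Server $dc `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'AllowDomainPINLogon' -Type DWord -Value 0 | Out-Null

# Push the change to the other DCs now instead of waiting on the replication schedule
# (/A all partitions, /d show servers by DN, /e all sites, /P push from this DC).
repadmin /syncall $dc /AdeP

# Refresh this client, then show which DC the policy came from and that the GPO applied.
gpupdate /force | Out-Null
gpresult /r /scope:computer | Select-String -Pattern 'Group Policy was applied from', $gpo
```

    The gpresult line "Group Policy was applied from:" is the direct answer to which DC the client read the policy from; if it names the other DC, the client re-located between the edit and the refresh, which is normal for a pool of equal peers.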



  • @Dashrender said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i

    As I recall - it's either whichever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whoever answers first.

    Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but set replies with the secondary.



  • @G-I-Jones said in Group Policy points to wrong DC:

    @scottalanmiller said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    Your client devices will use the DC that is in their same site, and if there's more than one DC in its site, the best DC will be chosen... which leads to the second point.

    I guess what I was playing at was how I could trick the process of "the best DC will be chosen".

    So if this is just an exercise in learning. Great. If not, let's back up. Why do you want to do this? What makes you feel one is better than another?

    It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DCs) for a GPO to apply.

    Then time to go to a single DC 🙂

    But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.



  • @G-I-Jones said in Group Policy points to wrong DC:

    @Dashrender said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i

    As I recall - it's either whichever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whoever answers first.

    Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but set replies with the secondary.

    It's random to load balance.



  • @G-I-Jones said in Group Policy points to wrong DC:

    @Dashrender said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i

    As I recall - it's either whichever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whoever answers first.

    Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but set replies with the secondary.

    You're misunderstanding DNS. The query the client machine is making is - give me the IP of a DC - ANY DC, and DNS is likely following a round-robin effect and just handing out the IP of the next one that hasn't been handed out.
    Let's assume there are 2 DCs.
    ClientA queries for any DC - answer - DC1
    ClientB queries for any DC - answer - DC2
    ClientC queries for any DC - answer - DC1
    etc
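    The round-robin Dashrender describes can be observed directly. As an added example (not from the thread), this PowerShell snippet queries the SRV records the DC locator uses, first the site-specific name and then the domain-wide one, and lists the Priority and Weight each DC advertises (those two fields are what the "weight" articles the OP found were about; the client prefers the lowest Priority and picks among equal priorities in proportion to Weight). Repeating the domain-wide query shows the answer order rotating. It assumes the machine is domain-joined and uses nltest and Resolve-DnsName, both built into Windows.

```powershell
# Added example (not from the thread): show the DC pool as DNS presents it to the
# DC locator, and watch the round-robin order change between queries.
$domain = $env:USERDNSDOMAIN.ToLower()

# First line of `nltest /dsgetsite` is this machine's AD site name.
$site = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()

$names = @(
    "_ldap._tcp.$site._sites.dc._msdcs.$domain",   # DCs registered for my site
    "_ldap._tcp.dc._msdcs.$domain"                 # every DC in the domain
)
foreach ($name in $names) {
    Write-Host "`n$name"
    # -DnsOnly bypasses the local resolver cache so each call goes to the DNS server.
    Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV' |
        Select-Object NameTarget, Priority, Weight, Port |
        Format-Table -AutoSize
}

# With round robin enabled on the DNS server the record order rotates between
# queries, which is why `set` can show either DC as LOGONSERVER on different machines.
1..4 | ForEach-Object {
    $first = (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -DnsOnly |
              Where-Object Type -eq 'SRV' | Select-Object -First 1).NameTarget
    "Query $_ : first answer = $first"
}
```

    If both DCs show the same Priority and Weight, they are exactly the equal peers the thread describes and the client's choice between them is effectively random.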



  • @scottalanmiller said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    @Dashrender said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i

    As I recall - it's either whichever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whoever answers first.

    Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but set replies with the secondary.

    It's random to load balance.

    Is it truly random? not just round-robin?



  • @Dashrender said in Group Policy points to wrong DC:

    @scottalanmiller said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    @Dashrender said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i

    As I recall - it's either whichever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whoever answers first.

    Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but set replies with the secondary.

    It's random to load balance.

    Is it truly random? not just round-robin?

    Well, it's round robin, but you can't know, as a client, how many queries are going on. So to you, it is random as there is a randomizer in the background.

    Nothing is truly random in the universe. But to the client it is as random as anything else.



  • @scottalanmiller said in Group Policy points to wrong DC:

    Nothing is truly random in the universe.

    Stars being born and dying isn't random?



  • @Dashrender said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    @Dashrender said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i

    As I recall - it's either whichever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whoever answers first.

    Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but set replies with the secondary.

    You're misunderstanding DNS. The query the client machine is making is - give me the IP of a DC - ANY DC, and DNS is likely following a round-robin effect and just handing out the IP of the next one that hasn't been handed out.
    Let's assume there are 2 DCs.
    ClientA queries for any DC - answer - DC1
    ClientB queries for any DC - answer - DC2
    ClientC queries for any DC - answer - DC1
    etc

    Ah, I see what you are saying here. Goes in with the idea that these are a pool. Appreciate that point of view, I hadn't thought of that just yet.



  • @G-I-Jones said in Group Policy points to wrong DC:

    @Dashrender said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    @Dashrender said in Group Policy points to wrong DC:

    @G-I-Jones said in Group Policy points to wrong DC:

    e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i

    As I recall - it's either whichever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whoever answers first.

    Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but set replies with the secondary.

    You're misunderstanding DNS. The query the client machine is making is - give me the IP of a DC - ANY DC, and DNS is likely following a round-robin effect and just handing out the IP of the next one that hasn't been handed out.
    Let's assume there are 2 DCs.
    ClientA queries for any DC - answer - DC1
    ClientB queries for any DC - answer - DC2
    ClientC queries for any DC - answer - DC1
    etc

    Ah, I see what you are saying here. Goes in with the idea that these are a pool. Appreciate that point of view, I hadn't thought of that just yet.

    This is one of the many things you learn reading a Windows Server/Active Directory book. Though everyone here will tell you that's a waste of time.



  • @scottalanmiller said in Group Policy points to wrong DC:

    It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DCs) for a GPO to apply.

    Then time to go to a single DC 🙂

    But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.

    What alternative to Group Policy do you recommend?



  • @G-I-Jones said in Group Policy points to wrong DC:

    @scottalanmiller said in Group Policy points to wrong DC:

    It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DCs) for a GPO to apply.

    Then time to go to a single DC 🙂

    But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.

    What alternative to Group Policy do you recommend?

    Using a tool like PDQ Deploy is pretty smooth, but it's a substantial annual cost.



  • @G-I-Jones said in Group Policy points to wrong DC:

    @scottalanmiller said in Group Policy points to wrong DC:

    It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DCs) for a GPO to apply.

    Then time to go to a single DC 🙂

    But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.

    What alternative to Group Policy do you recommend?

    Salt would likely be his first suggestion.

