Group Policy points to wrong DC
-
@G-I-Jones said in Group Policy points to wrong DC:
e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i
As I recall - it's either which ever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whomever answers first.
On the client machine in question, open CMD and type set.
The listed logon server is who the client device will use by default for all domain services, unless it doesn't respond, then the machine will query DNS again.
-
@G-I-Jones said in Group Policy points to wrong DC:
@scottalanmiller said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
Your client devices will use the DC that is in their same site, and if there's more than one DC in it's site, the best DC will be chosen... which leads to the second point.
I guess what I was playing at was how I could trick the process of "the best DC will be chosen".
So if this is just an exercise in learning. Great. If not, let's back up. Why do you want to do this? What makes you feel one is better than another?
It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DC's) for a GPO to apply.
Then, as you suggested, you need to see which server your client is querying, and make your changes directly there - then you can run gpupdate /force and you'll see your changes nearly immediately.
-
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i
As I recall - it's either which ever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whomever answers first.
Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but
setreplies with the secondary. -
@G-I-Jones said in Group Policy points to wrong DC:
@scottalanmiller said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
Your client devices will use the DC that is in their same site, and if there's more than one DC in it's site, the best DC will be chosen... which leads to the second point.
I guess what I was playing at was how I could trick the process of "the best DC will be chosen".
So if this is just an exercise in learning. Great. If not, let's back up. Why do you want to do this? What makes you feel one is better than another?
It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DC's) for a GPO to apply.
Then time to go to a single DC
But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.
-
@G-I-Jones said in Group Policy points to wrong DC:
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i
As I recall - it's either which ever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whomever answers first.
Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but
setreplies with the secondary.It's random to load balance.
-
@G-I-Jones said in Group Policy points to wrong DC:
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i
As I recall - it's either which ever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whomever answers first.
Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but
setreplies with the secondary.you're misunderstanding DNS. The query the client machine is making is - give me the IP of a DC - ANY DC, and DNS is likely following a round robin affect and just handing out the IP of the next one that hasn't been handed out.
Let's assume there are 2 DCs.
ClientA queries for any DC - answer - DC1
ClientB queries for any DC - answer - DC2
ClientC queries for any DC - answer - DC1
etc -
@scottalanmiller said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i
As I recall - it's either which ever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whomever answers first.
Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but
setreplies with the secondary.It's random to load balance.
Is it truly random? not just round-robin?
-
@Dashrender said in Group Policy points to wrong DC:
@scottalanmiller said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i
As I recall - it's either which ever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whomever answers first.
Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but
setreplies with the secondary.It's random to load balance.
Is it truly random? not just round-robin?
Well, it's round robin, but you can't know, as a client, how many queries are going on. So to you, it is random as there is a randomizer in the background.
Nothing is truly random in the universe. But to the client it is as random as anything else.
-
@scottalanmiller said in Group Policy points to wrong DC:
Nothing is truly random in the universe.
Stars being born and dying isn't random?
-
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i
As I recall - it's either which ever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whomever answers first.
Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but
setreplies with the secondary.you're misunderstanding DNS. The query the client machine is making is - give me the IP of a DC - ANY DC, and DNS is likely following a round robin affect and just handing out the IP of the next one that hasn't been handed out.
Let's assume there are 2 DCs.
ClientA queries for any DC - answer - DC1
ClientB queries for any DC - answer - DC2
ClientC queries for any DC - answer - DC1
etcAh, I see what you are saying here. Goes in with the idea that these are a pool. Appreciate that point of view, I hadn't thought of that just yet.
-
@G-I-Jones said in Group Policy points to wrong DC:
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i
As I recall - it's either which ever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whomever answers first.
Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but
setreplies with the secondary.you're misunderstanding DNS. The query the client machine is making is - give me the IP of a DC - ANY DC, and DNS is likely following a round robin affect and just handing out the IP of the next one that hasn't been handed out.
Let's assume there are 2 DCs.
ClientA queries for any DC - answer - DC1
ClientB queries for any DC - answer - DC2
ClientC queries for any DC - answer - DC1
etcAh, I see what you are saying here. Goes in with the idea that these are a pool. Appreciate that point of view, I hadn't thought of that just yet.
This is one of the many things you learn reading a Windows Server/Active Directory book. Though everyone here will tell you that's a waste of time.
-
@scottalanmiller said in Group Policy points to wrong DC:
It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DC's) for a GPO to apply.
Then time to go to a single DC
But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.
What alternative to Group Policy do you recommend?
-
@G-I-Jones said in Group Policy points to wrong DC:
@scottalanmiller said in Group Policy points to wrong DC:
It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DC's) for a GPO to apply.
Then time to go to a single DC
But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.
What alternative to Group Policy do you recommend?
Using a tool like PDQ Deploy is pretty smooth, but it's a substantial annual cost.
-
@G-I-Jones said in Group Policy points to wrong DC:
@scottalanmiller said in Group Policy points to wrong DC:
It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DC's) for a GPO to apply.
Then time to go to a single DC
But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.
What alternative to Group Policy do you recommend?
Salt would likely be his first suggestion.
-
@Dashrender said in Group Policy points to wrong DC:
@scottalanmiller said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
e secondary to another site, then it would default to the one I wanted it to, but I got two things wrong: first and most i
As I recall - it's either which ever DC is provided by DNS when a query for a DC is given, OR in the case of broadcast - whomever answers first.
Yea I think it might be the latter, as the DNS for my machine's NIC is pointing to the primary DC, but
setreplies with the secondary.It's random to load balance.
Is it truly random? not just round-robin?
AD is a multi-master system. The best DC for the client in the site will reply.
-
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
@scottalanmiller said in Group Policy points to wrong DC:
It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DC's) for a GPO to apply.
Then time to go to a single DC
But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.
What alternative to Group Policy do you recommend?
Salt would likely be his first suggestion.
I didn't catch what his use case here was for not wanting to wait 15 minutes. Policy is something you set, and doesn't need to be instant.
Config management like you said, will work for that. I used Salt heavily in a Windows environment where Group Policy was really lacking. It was a great success.
-
@Obsolesce said in Group Policy points to wrong DC:
@Dashrender said in Group Policy points to wrong DC:
@G-I-Jones said in Group Policy points to wrong DC:
@scottalanmiller said in Group Policy points to wrong DC:
It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DC's) for a GPO to apply.
Then time to go to a single DC
But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.
What alternative to Group Policy do you recommend?
Salt would likely be his first suggestion.
I didn't catch what his use case here was for not wanting to wait 15 minutes. Policy is something you set, and doesn't need to be instant.
Config management like you said, will work for that. I used Salt heavily in a Windows environment where Group Policy was really lacking. It was a great success.
Likely his reasoning is testing - he makes a change and doesn't want to wait to test that change. I already provided a solution to the waiting above.
find the server the client is polling,
update GPO on that server
tell client to gpupdate /force
see resultsBut you (@Obsolesce) quoted my Salt reply which was a response to what other tools to use besides GPO.
Salt could be a good GP replacement in a LANLess setup, for example.
-
@Dashrender said in Group Policy points to wrong DC:
Salt could be a good GP replacement in a LANLess setup, for example.
Works fine LAN-based, too.
-
@G-I-Jones said in Group Policy points to wrong DC:
@scottalanmiller said in Group Policy points to wrong DC:
It really only boiled down to I don't want to wait 15 minutes (the minimum replication between DC's) for a GPO to apply.
Then time to go to a single DC
But GPOs aren't meant to work this way, really. If you want faster results, GPO is the wrong tool.
What alternative to Group Policy do you recommend?
Salt, Ansible, Chef, Puppet, etc.
