Logo

Optimization

This video will look at how Group Policy is configured, how you can get consistent results and what you can do to force Group Policy to be applied rather than wait for the next refresh.

Show lesson content
In this video
This video will look at the following:

Group policy change process

Forcing replication

Settings to speed up the process

Manually forcing an update

The Group Policy Process
By default, Group Policy Management Console (GPMC) will attempt to make changes on the Domain Controller holding the PDC Emulator role. By having administrators change Group Policy in this location helps prevent conflicts when multiple administrators make changes. To change the Domain Controller used, right click the domain in the GPMC and select the option change Domain Controller.

Active Directory Replication
A single Group Policy has two parts. One part is stored in Active Directory and the other part is file based and stored in the SysVol folder.

In order to force a replication of Active Directory, open Active Directory Sites and Services and expand down until the connections are found under NTDS Settings folder. To force a replication, right click the connection you want to force the replication on and select replicate now. To force a replication from the command prompt, run the following command from the Domain Controller that you want to force to replicate.

RepAdmin /Syncall

If you experience problems with replication, you can check for replication problems using the command DCDiag.

To replicate the SysVol, use the following commands depending on which replication your domain is using.

FRS

NTFRSUTL ForceRepl Computer /r SetName /p DNSName

e.g. NTFRSUTL ForceRepl nydc3 /r “Domain System Volume (SYSVOL share)” /p londc2.ITFreeTraining.local

DFSR

DFSRDiag SyncNow /Partner:RemoteComptuer /RGName:Name /Time:Duration

e.g. DFSRDiag SyncNow /Partner:londc2 /RGName:”Domain System Volume”

Group Policy Problems
Sometimes Group Policy may be applied on a computer before the networking on the computer has had a chance to start up. Certain group policy settings are applied at start up and when the user logs in. If this has already occurred, Group Policy will not be correctly applied until the next system reboot or login depending on the setting. To ensure time is allowed for the networking on the computer to start before Group Policy is applied, you can configure the following option.

Computer Configuration\Polices\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

If you use groups with Group Policy this can delay Group Policy deployment. If the group membership is changed and replication has not occurred, Group Policy will be deployed based on the old group membership. To ensure the correct Group Policy settings are deployed, force a replication of Active Directory after group membership has changed.

Group Policy Refresh
By default, a Group Policy refresh will happen a 90 minutes with a 30 minutes random interval added. If you want to change the timing you can do so at the following locations for computers and Domain Controllers.

Computer Configuration\Polices\Administrative Templates\System\Group Policy\Group Policy refresh interval for computers

Computer Configuration\Polices\Administrative Templates\System\Group Policy\Group Policy refresh interval for domain controllers

GPUpDate
GPUpDate will trigger a background update of Group Policy. This will not download new Group Policy and will not apply settings in Group Policy that have changed.

If you add the /force parameter, this will download Group Policy and reapply all Group Policy settings even if they have not changed.

If you add /User or /Computer to GPUpDate, this will limit the update to the user or computer settings of Group Policy.

If you add /Logoff or /Boot to GPUpDate, this will cause the computer to reboot or the user to be logged off if required.

References
“MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition” pg 255
“Force Replication Between Domain Controllers” http://technet.microsoft.com/en-us/library/cc816926(v=ws.10).aspx
“Repadmin /syncall” http://technet.microsoft.com/en-us/library/cc835086(v=ws.10).aspx

Credits

Lesson tags: 70-640-active-directory
Back to: 70-640 Introduction to Active Directory > Group Policy

Active Directory is a system which offers centralized control of your computers.

Modules

Active Directory Infrastructure

Lessons

Group Policy

Lessons