
SYSVOL holder list wrong on multi-site AD config


After a client authenticates to a Windows 2003 Domain Controller and asks for the SYSVOL share, the DC answers with a DFS referral listing the possible SYSVOL servers the client can use for GPO related files/folders. By default the list is ordered as follows:

· List all Site-local holders to the client

· Randomly list the remaining SYSVOL holders, not based on Site Costing.

Consider a three-site AD structure (SITEA, SITEB and SITEC) with a single DC at each site (DC1, DC2 and DC3):

A user authenticating against the DC in SITEA would get the following SYSVOL servers presented to it (this is the referral entry as shown on the client by dfsutil /pktinfo):

1 entries…
Entry: \domainname\sysvol
ShortEntry: \domainname\sysvol
Expires in 0 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\DC1.domainname\sysvol] State:0x21 ( ACTIVE )
1:[\DC2.domainname\sysvol] State:0x21 ( )
2:[\DC3.domainname\sysvol] State:0x21 ( )

N.B. entries 1 and 2 are ordered randomly and could just as easily be reversed.

In this scenario, no further configuration or design thought is required: the site-local holder is always listed first, so SYSVOL will always be served from a server local to the client's site.

However, consider a more complicated design that contains multiple sites without local Domain Controllers. This is fine for authentication: automatic site coverage uses the site-link costs to decide which DC is nearest to each site that has no DC of its own, and that DC registers site-specific SRV records in DNS, so clients in that site can always find their nearest authentication server (GC).

As the default behaviour for SYSVOL location is local site first, then random (with no site costing calculation done), consider the following:

A user authenticates from SITEC. There are no local Domain Controllers (with the GC role) in SITEC, but the client is able to locate DC2 as its nearest authentication point via DNS. DC2 is then asked for a referral to the SYSVOL share and builds the list of available SYSVOL servers using the same rule as before:

· List all Site-local holders to the client

· Randomly list the remaining SYSVOL holders, not based on Site Costing.

As there are no site-local holders of the SYSVOL share in SITEC, the first step yields nothing and the remaining SYSVOL holders (here DC1 and DC2) are listed in random order, giving a result similar to:

1 entries…
Entry: \domainname\sysvol
ShortEntry: \domainname\sysvol
Expires in 0 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\DC1.domainname\sysvol] State:0x21 ( ACTIVE )
1:[\DC2.domainname\sysvol] State:0x21 ( )

N.B. Again the order is random, and DC2 could just as likely be listed first.

This works fine if DC1 is reachable over a fast WAN link and is therefore responsive enough for the end user not to notice. However, if DC1 sits at the end of a 2 Mbit site-to-site link while DC2 is on a 100 Mbit LES/MPLS circuit, the difference is astounding, especially in environments with many Group Policies: because the order is random rather than cost-based, roughly half of the SITEC clients will be sent to DC1 first and will pull every GPO file over the slow link, even though DC2 is the DC that authenticated them.
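To make the ordering rule and the SITEC scenario above concrete, here is a small Python model, added as an example and not code from the original post. It parses a referral entry laid out the way the post shows it (the text is constructed, not captured from a real client), applies the Windows 2003 default ordering (site-local holders first, the rest shuffled), and contrasts it with an ordering that does take site-link cost into account, which is exactly what the default omits. The holder-to-site map and the site-link costs are assumptions chosen to match the post's 2 Mbit versus 100 Mbit example.

```python
import random
import re

# Constructed input (not captured from a real client): a SYSVOL referral cache
# entry laid out the way the post shows it, for the SITEC scenario.
PKTINFO_OUTPUT = r"""1 entries...
Entry: \domainname\sysvol
ShortEntry: \domainname\sysvol
Expires in 0 seconds
UseCount: 0 Type:0x1 ( DFS )
   0:[\DC1.domainname\sysvol] State:0x21 ( ACTIVE )
   1:[\DC2.domainname\sysvol] State:0x21 ( )
"""

# Matches a target line such as "0:[\DC1.domainname\sysvol] State:0x21 ( ACTIVE )".
TARGET_RE = re.compile(
    r"^\s*(\d+):\[\\([^\\\]]+)\\[^\]]*\]\s+State:(0x[0-9A-Fa-f]+)\s+\(([^)]*)\)"
)


def parse_pktinfo_targets(text):
    """Return the referral targets in the order the DC handed them out,
    as (index, server, state_flags, state_text) tuples."""
    targets = []
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            targets.append((int(m.group(1)), m.group(2), int(m.group(3), 16), m.group(4).strip()))
    return targets


# Assumed topology (not from the post): the site each SYSVOL holder sits in and the
# site-link cost from a client site to each holder site, with the slow 2 Mbit link
# to SITEA given a much higher cost than the 100 Mbit circuit to SITEB.
HOLDER_SITE = {"DC1.domainname": "SITEA", "DC2.domainname": "SITEB"}
SITE_LINK_COST = {
    ("SITEA", "SITEA"): 0, ("SITEB", "SITEB"): 0,
    ("SITEA", "SITEB"): 100, ("SITEB", "SITEA"): 100,
    ("SITEC", "SITEA"): 500,   # 2 Mbit site-to-site link
    ("SITEC", "SITEB"): 100,   # 100 Mbit LES/MPLS
}


def default_order(holders, client_site, rng=random):
    """Windows 2003 default: site-local holders first, then the remaining
    holders in random order with no regard to site-link cost."""
    local = [h for h in holders if HOLDER_SITE[h] == client_site]
    remote = [h for h in holders if HOLDER_SITE[h] != client_site]
    rng.shuffle(remote)
    return local + remote


def site_costed_order(holders, client_site):
    """The ordering the default does not do: cheapest site-link cost first.
    Site-local holders cost 0 and so still lead; equal-cost holders keep input order."""
    return sorted(holders, key=lambda h: SITE_LINK_COST[(client_site, HOLDER_SITE[h])])


def slow_first_fraction(holders, client_site, slow_holder, trials=1000, seed=1):
    """Fraction of referrals in which the default ordering puts the slow holder first."""
    rng = random.Random(seed)
    hits = sum(default_order(holders, client_site, rng)[0] == slow_holder for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    holders = [server for _, server, _, _ in parse_pktinfo_targets(PKTINFO_OUTPUT)]
    print("referral as received:", holders)
    print("SITEA client, default ordering:", default_order(holders, "SITEA"))
    print("SITEC client, default ordering:", default_order(holders, "SITEC"))
    print("SITEC client, site-costed ordering:", site_costed_order(holders, "SITEC"))
    print("SITEC clients sent to the slow DC first: %.0f%%"
          % (100 * slow_first_fraction(holders, "SITEC", "DC1.domainname")))
```

Running it shows the point of the post: a SITEA client always gets DC1 first, while a SITEC client gets DC1 or DC2 first with equal probability under the default rule, whereas the cost-aware ordering puts DC2 first every time.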
