The effects of GPO version numbers on Group Policy replication

The relationship between the version numbers of the Group Policy Template and the Group Policy Container of each GPO is important for proper Group Policy replication. Expert Derek Melber discusses this relationship and explains why the numbers don't always add up when using Windows Server 2000.

EDITOR'S NOTE: This tip applies to Windows Server 2000.

There are two portions of every GPO. The Group Policy Template (GPT) is stored in the SYSVOL of each domain controller and the Group Policy Container (GPC) is stored in the Active Directory database. Each of these GPO portions has an associated version number that keeps track of how many changes have occurred to the computer and user portions within the GPO. Knowing how these two portions replicate to all domain controllers is important, especially when Group Policy does not apply as planned.

Replication of the GPT

We have seen that the GPT is stored in the SYSVOL of the domain controller. The SYSVOL of each domain controller replicates to all other domain controllers until their contents are synchronized. The File Replication Service (FRS) is responsible for ensuring that the replication between the domain controllers is performed efficiently and successfully.

FRS is a state-based replication service, which means that when a change occurs to the GPT, it is immediately recognized and replicated to the other domain controllers. FRS does not adhere to any Active Directory replication topology, so there is no lag time when replicating between domain controllers in different Active Directory sites.

Replication of the GPC

The GPC is stored in the Active Directory database. The Active Directory database does not rely on FRS to replicate to each domain controller; rather, it relies on Active Directory replication. The two replication services do not depend on each other, nor do they use the same replication schedule.

Active Directory replication is controlled by the Knowledge Consistency Checker (KCC) and adheres to a replication schedule based on time, not on changes. The Active Directory database replicates to other domain controllers on a five-minute schedule (Windows Server 2003 domain controllers are on a 15-second schedule). It takes at most 15 minutes to replicate a single change on one domain controller to all domain controllers in the same Active Directory site (45 seconds for Windows Server 2003 domain controllers). If replication needs to occur between domain controllers in different Active Directory sites, the default interval for replicating the changes is every three hours.

When GPO version numbers don't match

As you can imagine, there will be instances over time when the GPT, with its version number, has already replicated the latest updates to the GPO while the GPC is still waiting to replicate the same changes. When the GPT and GPC version numbers don't match and a computer tries to refresh policy, the policy update will fail. Only when the GPT and GPC version numbers match again after replication converges will the policy refresh begin applying the changes to the target objects.
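The convergence check described above can be scripted. The following is an added example, not code from the original article: it parses the `Version` value of a constructed gpt.ini (the file that carries the GPT version in SYSVOL), splits the packed 32-bit value into its user (high 16 bits) and computer (low 16 bits) change counters, and compares it with a constructed value standing in for the `versionNumber` attribute of the GPC object in Active Directory. The sample file contents and the GPC value are made up for the example; in a real domain you would read gpt.ini from the policy's folder under SYSVOL and the GPC value via LDAP.

```python
"""Decode and compare the GPT and GPC version numbers of one GPO.

Added example with constructed data; not part of the original article.
"""
import configparser
from typing import NamedTuple

# Constructed gpt.ini content, as found under SYSVOL\...\Policies\{GPO-GUID}\.
# Version is a packed 32-bit integer: user count << 16 | computer count.
SAMPLE_GPT_INI = """[General]
Version=196610
displayName=Constructed Sample GPO
"""

# Constructed stand-in for the versionNumber attribute of the matching
# groupPolicyContainer object in Active Directory (the GPC side).
SAMPLE_GPC_VERSION = 131074


class GpoVersion(NamedTuple):
    user: int      # high 16 bits: user-configuration change count
    computer: int  # low 16 bits: computer-configuration change count


def decode_version(raw: int) -> GpoVersion:
    """Split the packed 32-bit GPO version into its user and computer halves."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError(f"version out of 32-bit range: {raw}")
    return GpoVersion(user=(raw >> 16) & 0xFFFF, computer=raw & 0xFFFF)


def parse_gpt_ini(text: str) -> int:
    """Return the Version value from the [General] section of a gpt.ini file."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp.getint("General", "Version")


def check_convergence(gpt_raw: int, gpc_raw: int) -> dict:
    """Compare GPT (SYSVOL) and GPC (AD) versions portion by portion.

    A mismatch means FRS and Active Directory replication have not converged
    for this GPO yet; clients refreshing policy in that window skip it.
    """
    gpt, gpc = decode_version(gpt_raw), decode_version(gpc_raw)
    behind = {}
    for portion in ("user", "computer"):
        g, c = getattr(gpt, portion), getattr(gpc, portion)
        if g != c:
            # The side with the lower change count has not received the edit yet.
            behind[portion] = "GPC (AD replication)" if c < g else "GPT (FRS/SYSVOL)"
    return {"gpt": gpt, "gpc": gpc, "converged": not behind, "behind": behind}


if __name__ == "__main__":
    report = check_convergence(parse_gpt_ini(SAMPLE_GPT_INI), SAMPLE_GPC_VERSION)
    print(f"GPT version {report['gpt']} vs GPC version {report['gpc']}")
    if report["converged"]:
        print("Versions match: this GPO will apply on the next policy refresh.")
    else:
        for portion, store in report["behind"].items():
            print(f"{portion} portion mismatch: {store} is behind")
```

With the constructed input the user portion of the GPT is at 3 while the GPC is still at 2, so the script reports the GPC side as lagging, the situation the article describes for a change that FRS has already carried to SYSVOL while Active Directory replication is still pending. Running the same comparison against every domain controller (each has its own SYSVOL copy and its own directory replica) shows which controller a client that fails to apply the GPO was talking to.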

Summary

The GPT that is stored in the SYSVOL of the domain controllers is replicated to all domain controllers using FRS. In a like manner, the GPC stored in the Active Directory database relies on the Active Directory replication service to get the changes of the GPC replicated to all domain controllers. Since these two replication services work on different schedules, there are going to be times when the version numbers of the GPT and GPC don't match for the same GPO. At these times, Group Policy processing will fail for this GPO during the refresh intervals. When the version numbers converge for both portions of the GPO, processing will succeed again.

Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.

This was first published in April 2006
