In the past few articles, we have seen that each Group Policy Object (GPO) is split into two distinct parts. It is important to understand that these two parts are stored in different locations found on every domain controller in the domain. Because the information is stored on one domain controller by default, the information must be replicated to other domain controllers over time. This article will discuss the replication of the Group Policy Template (GPT), and the next article will discuss the Group Policy Container (GPC) replication.
Overview of the GPT
One of the parts of the GPO is the GPT, which is responsible for storing the specific settings created within the GPO. The GPT is stored in the Policies subfolder, which is under the SYSVOL folder on each domain controller. The GPT includes key files and folders including:
- Machine and User folders
- Scripts (Logon, Logoff, Startup, and Shutdown) folders
Replication of the GPT
Since the GPT is located under the SYSVOL folder, the replication of these files for each GPO is controlled by the File Replication Service (FRS). FRS is a simple replication service that replicates not only policy information, but also the scripts, legacy system policies, and other files that reside under the SYSVOL folder. (Note: there are two "sysvol" folders; the top-level folder is not shared, but the lower-level one is shared as SYSVOL. Two levels under the second sysvol, \
FRS is a state-based service that triggers replication from one domain controller to another one as soon as a change within the SYSVOL is recognized. FRS, unlike the Active Directory replication service, does not adhere to site boundaries and is not limited to a schedule. This makes the replication of the GPT fast and efficient between domain controllers.
The GPT is essential to the success of a GPO because it holds the settings that are made within the GPO. The GPT stores these settings in a large structure of folders and files. In order for the settings to apply successfully to all computer and user objects, the GPT must be replicated to all domain controllers within the domain.
The GPT is located under the SYSVOL folder, so the FRS handles replication of these folders and files. Because FRS replicates information between domain controllers quickly, the GPT is quick to update on all domain controllers throughout the domain. As we will see in the next article, this behavior is far different from how the Group Policy Container (GPC) replicates.
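An added example, not part of the original article: because every domain controller holds its own copy of each GPT, comparing those copies shows when replication has not converged or when one copy was changed outside the normal editing path. The function names, the constructed sample tree, and the use of the `Version=` line in GPT.INI as a comparison key are assumptions of this example; in a live domain each path would be a domain controller's Policies folder under its SYSVOL share.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def gpt_state(gpo_dir):
    """Return (GPT.INI version, SHA-256 over every file) for one copy of a GPT."""
    digest, version = hashlib.sha256(), None
    files = [p for p in Path(gpo_dir).rglob("*") if p.is_file()]
    for f in sorted(files, key=lambda p: p.relative_to(gpo_dir).as_posix().lower()):
        rel, data = f.relative_to(gpo_dir).as_posix().lower(), f.read_bytes()
        digest.update(rel.encode() + len(data).to_bytes(8, "big") + data)
        if rel == "gpt.ini":  # version counter kept inside the GPT itself
            m = re.search(rb"(?im)^\s*Version\s*=\s*(\d+)", data)
            version = int(m.group(1)) if m else None
    return version, digest.hexdigest()

def find_divergent_gpts(policies_roots):
    """policies_roots: {dc_name: path to that DC's Policies folder}.
    Returns {GPO GUID: {dc_name: state or None}} for GPTs whose copies differ."""
    seen = {}
    for dc, root in policies_roots.items():
        for gpo in Path(root).iterdir():
            if gpo.is_dir() and gpo.name.startswith("{"):
                seen.setdefault(gpo.name.upper(), {})[dc] = gpt_state(gpo)
    report = {}
    for guid, copies in seen.items():
        states = {dc: copies.get(dc) for dc in policies_roots}  # None: GPT missing
        if len(set(states.values())) > 1:
            report[guid] = states
    return report

def build_constructed_sample(base):
    """Constructed data: DC2 has one stale GPT and one same-version script mismatch."""
    a, b, c = ("{%s-0000-0000-0000-000000000000}" % (n * 8) for n in "ABC")
    roots = {}
    for dc, ver_b, script in (("DC1", 65538, "echo v2"), ("DC2", 65537, "echo v1")):
        roots[dc] = Path(base) / dc / "Policies"
        for guid, ver in ((a, 3), (b, ver_b), (c, 7)):
            (roots[dc] / guid / "Machine" / "Scripts" / "Startup").mkdir(parents=True)
            (roots[dc] / guid / "User").mkdir()
            (roots[dc] / guid / "GPT.INI").write_text(f"[General]\nVersion={ver}\n")
        (roots[dc] / c / "Machine" / "Scripts" / "Startup" / "start.cmd").write_text(script)
    return roots

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for guid, states in find_divergent_gpts(build_constructed_sample(tmp)).items():
            print(guid, states)
```

A GPT whose version matches on every domain controller but whose digest differs deserves the closest look, since a normal edit would have raised the version.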
Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore. He also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy.