Specifying a Domain Controller for Setting Group Policy

Two methods are available to set domain controller options for Group Policy. One method is to use the Group Policy snap-in user interface, where the user sets domain controller options in the DC Options dialog box, as described next. The other method allows domain administrators to set domain controller options for everyone by using a policy in the Administrative Templates node, as described in "Specifying Policy for Domain Controller Options" later in this chapter.

The Group Policy snap-in View menu contains an entry called DC Options, which opens the Options for domain controller selection dialog box, where you can specify a preference for the domain controller to use when editing Group Policy. Figure 22.6 shows the Options for domain controller selection dialog box.


Figure 22.6 Options for Domain Controller Selection Dialog Box

In the Options for domain controller selection dialog box shown in Figure 22.6, you can choose one of the following options:

The one with the Operations Master token for the PDC emulator.    This is the default and preferred option. It helps ensure that no data loss occurs, because it forces every instance of the Group Policy snap-in to write to the same domain controller. Data loss can occur if two administrators change the same Group Policy object on different domain controllers within one replication cycle: Group Policy writes data to the Group Policy object for each change, so edits made on different domain controllers increase the possibility of one administrator's changes being overwritten by replication. It is strongly recommended that you limit the number of administrators permitted to administer Group Policy, that you make sure Group Policy uses the primary domain controller emulator Operations Master, and that administrators be aware of other administrators who might be editing the same Group Policy object.

The one used by Active Directory Snap-ins.    Uses the domain controller that Active Directory management snap-ins are using. Each of these snap-ins includes an option for changing which domain controller is the focus of its current operations. When this option is selected, the Group Policy snap-in uses the same domain controller.

Use any available domain controller.    The third, and in most cases least desirable, option allows the Group Policy snap-in to choose any available domain controller. When this option is used, a domain controller in the local site is likely to be selected, so two administrators in different sites can easily end up editing different copies of the same object.

You can override all of these options using a policy setting, as described in the following section.
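The replication hazard described above is visible from the command line: the same GPO can be read from each domain controller and its version numbers compared before anyone edits it. The following PowerShell is an added example, not code from the original page or from Microsoft. It assumes the GroupPolicy and ActiveDirectory modules from RSAT, an account allowed to read and edit the GPO, and a hypothetical GPO name and registry setting in the usage line; it pins the edit to the PDC emulator with the cmdlets' -Server parameter, the scripted equivalent of the default DC Options choice.

```powershell
# Added example: check that every DC agrees on a GPO's version, then edit it only on the PDC
# emulator. Assumes RSAT GroupPolicy/ActiveDirectory modules and rights to read/edit the GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoVersionOnEachDC {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    # Query each DC directly; -Server makes the snap-in's "which DC?" choice explicit.
    $dcs = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        try {
            $gpo = Get-GPO -Name $GpoName -Domain $Domain -Server $dc -ErrorAction Stop
            [pscustomobject]@{
                DC             = $dc
                UserDS         = $gpo.User.DSVersion
                UserSysvol     = $gpo.User.SysvolVersion
                ComputerDS     = $gpo.Computer.DSVersion
                ComputerSysvol = $gpo.Computer.SysvolVersion
                Modified       = $gpo.ModificationTime
                Error          = $null
            }
        } catch {
            # An unreachable DC is reported rather than skipped: editing while it is down
            # still leaves a stale copy that replication will later have to reconcile.
            [pscustomobject]@{
                DC = $dc; UserDS = $null; UserSysvol = $null; ComputerDS = $null
                ComputerSysvol = $null; Modified = $null; Error = $_.Exception.Message
            }
        }
    }
}

function Test-GpoConsistent {
    param([Parameter(Mandatory)][string]$GpoName)
    $rows      = @(Get-GpoVersionOnEachDC -GpoName $GpoName)
    $reachable = @($rows | Where-Object { -not $_.Error })
    # Exactly one distinct (DS, SYSVOL) version tuple means replication has converged.
    $versions  = @($reachable | Group-Object {
        "$($_.UserDS)/$($_.UserSysvol)/$($_.ComputerDS)/$($_.ComputerSysvol)" })
    [pscustomobject]@{
        Consistent = ($reachable.Count -eq $rows.Count) -and ($versions.Count -eq 1)
        Rows       = $rows
    }
}

function Set-GpoRegistryValueOnPdc {
    # Writes a registry-based policy setting through the PDC emulator only, and only after
    # confirming that every DC already holds the same version of the GPO.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][Microsoft.Win32.RegistryValueKind]$Type,
        [Parameter(Mandatory)]$Value
    )
    $pdc   = (Get-ADDomain).PDCEmulator
    $state = Test-GpoConsistent -GpoName $GpoName
    $state.Rows | Format-Table -AutoSize | Out-Host
    if (-not $state.Consistent) {
        throw "GPO '$GpoName' differs between domain controllers; wait for replication before editing."
    }
    Set-GPRegistryValue -Name $GpoName -Server $pdc -Key $Key -ValueName $ValueName -Type $Type -Value $Value
}

# Usage (hypothetical GPO name and setting, for illustration only):
# Set-GpoRegistryValueOnPdc -GpoName 'Workstation Baseline' `
#     -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
#     -ValueName 'DisableBkGndGroupPolicy' -Type DWord -Value 0
```

Run Test-GpoConsistent on its own before a maintenance window as well: a GPO whose DS and SYSVOL versions disagree on one DC, or that cannot be read from a DC at all, is the situation in which a second administrator's edit is most likely to be silently lost.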

Specifying Policy for Domain Controller Options

By default, the Group Policy snap-in uses the domain controller that holds the primary domain controller emulator operations master token when editing a Group Policy object. This ensures that the Group Policy snap-in is always focused on the same domain controller. User preference options and policy settings are available to modify this behavior so that Group Policy can use a different domain controller.

If you are a domain administrator, you can use a policy to specify how Group Policy chooses a domain controller; that is, you can specify which domain controller option must be used. When such a policy is in effect, the DC Options menu item is shaded (unavailable), because the policy overrides any setting that the user picks, and if the domain controller that the policy selects is not available, the user receives an error message instead of a choice of alternatives. This policy allows domain administrators to require, for example, that all administrators use the primary domain controller emulator. The domain controller options settings are available in the User Configuration, Administrative Templates, System, Group Policy node of the Group Policy snap-in. The available domain controller options are the same as the preference settings listed above in the description of the Options for domain controller selection dialog box.

For example, if you are an administrator on one continent and the primary domain controller emulator is on another, you can choose to make your policy edits on a local domain controller so that performance is acceptable. Remember, though, that if someone else edits the same Group Policy object at the same time on a different domain controller, which change survives depends on replication timing, which you can neither predict nor control.

If the Group Policy snap-in cannot reach the intended domain controller and no policy is in force, you receive the error message "Error Handling on Failure to Reach a Domain Controller." You are then given the option to cancel the operation or to retry using a domain controller selected by one of the following choices:

  • The one with the Operations Master token for the primary domain controller emulator.

  • The one used by Active Directory Snap-ins.

  • Use any available domain controller.

If instead of the error message just described, you get the message "Failed to find a domain controller. There may be a policy that prevents you from selecting another domain controller," then check to see whether the following Group Policy setting is in effect:

<Group Policy object name>/User Configuration/Administrative Templates/System/Group Policy/Group Policy domain controller selection
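The two error paths above can be told apart on an administrator's workstation by reading which of the two registry locations supplies the domain controller option, and by checking whether the domain controller that option points at answers LDAP. The following PowerShell is an added example, not code from the original page or from Microsoft. It assumes (verify against the ADM/ADMX template on your version before relying on it) that the "Group Policy domain controller selection" policy writes the DWORD value DCOption under HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor, with 0 meaning the PDC emulator, 1 meaning inherit from the Active Directory snap-ins and 2 meaning any domain controller, and that the user's own DC Options preference is the same value name under HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Editor. The GPO name passed to the set function is hypothetical.

```powershell
# Added example: enforce the DC-selection policy for Group Policy administrators and diagnose
# the "Failed to find a domain controller" case. Registry locations and DCOption values are
# assumptions from the ADMX definition; confirm them on your version.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$PolicyKey = 'Software\Policies\Microsoft\Windows\Group Policy Editor'
$PrefKey   = 'Software\Microsoft\Windows\CurrentVersion\Group Policy Editor'
$DCOptionName = @{
    0 = 'The one with the Operations Master token for the PDC emulator'
    1 = 'The one used by Active Directory snap-ins'
    2 = 'Use any available domain controller'
}

function Set-GPDomainControllerSelectionPolicy {
    # Sets the User Configuration policy in the named GPO. The GPO still has to be linked
    # to a container holding the administrators' user accounts before it takes effect.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [ValidateSet(0, 1, 2)][int]$Option = 0
    )
    $pdc = (Get-ADDomain).PDCEmulator
    Set-GPRegistryValue -Name $GpoName -Server $pdc -Key "HKCU\$PolicyKey" `
        -ValueName 'DCOption' -Type DWord -Value $Option | Out-Null
    # Read the setting back from the same DC to confirm the write.
    Get-GPRegistryValue -Name $GpoName -Server $pdc -Key "HKCU\$PolicyKey" -ValueName 'DCOption'
}

function Get-EffectiveDCSelection {
    # Policy wins over preference, which is why DC Options is greyed out when a policy applies.
    $policy = Get-ItemProperty -Path "HKCU:\$PolicyKey" -Name DCOption -ErrorAction SilentlyContinue
    $pref   = Get-ItemProperty -Path "HKCU:\$PrefKey"   -Name DCOption -ErrorAction SilentlyContinue
    if     ($null -ne $policy) { $source = 'Policy';          $option = [int]$policy.DCOption }
    elseif ($null -ne $pref)   { $source = 'User preference'; $option = [int]$pref.DCOption }
    else                       { $source = 'Default';         $option = 0 }
    [pscustomobject]@{ Source = $source; Option = $option; Meaning = $DCOptionName[$option] }
}

function Test-DCSelectionTarget {
    # Resolves the DC that the effective option points at and checks that LDAP on it answers.
    # With a policy in force and that DC down, the snap-in cannot fall back to another DC and
    # reports "Failed to find a domain controller..." instead of offering the retry choices.
    $eff    = Get-EffectiveDCSelection
    $domain = Get-ADDomain
    $target = switch ($eff.Option) {
        0 { $domain.PDCEmulator }
        1 { $null }   # depends on the DC the AD snap-ins currently have in focus; unknown here
        2 { [string]((Get-ADDomainController -Discover -DomainName $domain.DNSRoot).HostName | Select-Object -First 1) }
    }
    $reachable = $null
    if ($target) { $reachable = Test-NetConnection -ComputerName $target -Port 389 -InformationLevel Quiet }

    $note = ''
    if ($reachable -eq $false) {
        if ($eff.Source -eq 'Policy') {
            $note = 'Policy pins the DC and it is unreachable: expect "Failed to find a domain controller".'
        } else {
            $note = 'No policy in force: the snap-in will prompt you to retry with another DC.'
        }
    }
    [pscustomobject]@{
        Source    = $eff.Source
        Option    = $eff.Meaning
        TargetDC  = $target
        Reachable = $reachable
        Note      = $note
    }
}

# Usage (hypothetical GPO name):
# Set-GPDomainControllerSelectionPolicy -GpoName 'GP Administrators' -Option 0
# Test-DCSelectionTarget
```

Run Test-DCSelectionTarget under the account that sees the error: if Source is Policy and Reachable is False, the fix is to restore connectivity to the pinned domain controller (or have a domain administrator change the policy), not to look for a way to pick another domain controller in the snap-in.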

Domain Controller Selection Results

Table 22.3 shows the results of various combinations of domain controller conditions. The following terms are used in Table 22.3:

  • Primary domain controller: the domain controller with the Operations Master token for the primary domain controller emulator.

  • Inherit: the domain controller used by the Active Directory snap-ins.

  • 1) and 2): 1) is tried first, then 2).

Table 22.3 Domain Controller Selection Results

User preference             Policy                      Inherit domain controller available   Results
--------------------------  --------------------------  ------------------------------------  --------------------------------------
Undefined                   Undefined                   N/A                                   1) Primary domain controller 2) Prompt
Primary domain controller   Undefined                   N/A                                   1) Primary domain controller 2) Prompt
Inherit                     Undefined                   Yes                                   Inherit
Inherit                     Undefined                   No                                    Any domain controller
Any domain controller       Undefined                   N/A                                   Any domain controller
N/A                         Primary domain controller   N/A                                   Primary domain controller only
N/A                         Inherit                     Yes                                   Inherit
N/A                         Inherit                     No                                    Any domain controller
N/A                         Any                         N/A                                   Any domain controller