Wednesday, June 13, 2012

Update: GPO: Resume updating

Still battling the issue of replication of GPO and FRS in Active Directory.
The problem that I'm facing is that a lot of the tools that were available for AD have not been updated to work alongside all the updates that have been happening to 2003 and 2003 R2 server. This makes for a very complicated process to keep track of GPO changes and find the discrepancies.

According to the Microsoft engineer, the only way is to look at specific values in ADSI and the Group Policy INI files to see whether the versions match (it's quite cumbersome).
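One way to script that comparison, as an added example that is not part of the original post or the engineer's procedure. It assumes PowerShell 2.0 or later on a domain-joined machine with read access to every DC's SYSVOL share, and that the values in question are the `versionNumber` attribute on each GPO's `groupPolicyContainer` object and the `Version=` line in that GPO's `GPT.INI`.

```powershell
# Added example. Read-only: for every DC in the current domain, compare versionNumber
# on each GPO's AD object with Version= in the GPT.INI held in that DC's SYSVOL.
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDN = [string]$domain.GetDirectoryEntry().distinguishedName

$results = foreach ($dc in $domain.DomainControllers) {
    # Bind to this specific DC so we read its own replica, not whichever DC answers.
    $root     = [ADSI]"LDAP://$($dc.Name)/CN=Policies,CN=System,$domainDN"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=groupPolicyContainer)')
    $searcher.PageSize = 500
    foreach ($gpc in $searcher.FindAll()) {
        $guid    = [string]$gpc.Properties['cn'][0]        # "{GUID}", also the SYSVOL folder name
        $adVer   = [int]$gpc.Properties['versionnumber'][0]
        $ini     = "\\$($dc.Name)\SYSVOL\$($domain.Name)\Policies\$guid\GPT.INI"
        $fileVer = $null                                    # stays $null if the file is missing
        if (Test-Path $ini) {
            $m = Select-String -Path $ini -Pattern '^\s*Version\s*=\s*(\d+)' | Select-Object -First 1
            if ($m) { $fileVer = [int]$m.Matches[0].Groups[1].Value }
        }
        New-Object PSObject -Property @{
            DC = $dc.Name; Guid = $guid; Name = [string]$gpc.Properties['displayname'][0]
            ADVersion = $adVer; SysvolVersion = $fileVer
        }
    }
}

# 1) AD and SYSVOL disagree on the same DC (or GPT.INI is missing there).
$results | Where-Object { $_.ADVersion -ne $_.SysvolVersion } |
    Format-Table DC, Name, Guid, ADVersion, SysvolVersion -AutoSize

# 2) DCs disagree with each other about the same GPO.
$results | Group-Object Guid | Where-Object {
    @($_.Group | ForEach-Object { "$($_.ADVersion)/$($_.SysvolVersion)" } | Select-Object -Unique).Count -gt 1
} | ForEach-Object { $_.Group | Sort-Object DC | Format-Table DC, Name, ADVersion, SysvolVersion -AutoSize }
```

A GPO that shows up in the first table on only some DCs points at SYSVOL (FRS) lagging behind AD replication on those DCs; one that shows up only in the second table has not yet converged between DCs.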

So, the action plan is to do this:
I will be working on demoting some of the domain controllers on the sites, and perhaps keeping one or two out there, just for backup. The DCs that are within the same site usually replicate almost immediately, whereas the remote sites have to rely on the replication intervals set for them in Active Directory.

We will monitor performance to make sure that this is not affecting authentication times. According to the MS engineer, 4-6 domain controllers should be sufficient to authenticate about 6000 users in an Exchange environment.

After that is done, we will have to start working to move from 2003 server to 2008 R2, which will give us more up-to-date tools to work with and troubleshoot AD, as well as new functionality in Active Directory altogether.

For the next couple of days, if you do need to make a change in any GPO, and in any domain, please make sure to shoot me an email with the following information, for every change you make:
- What GPO you changed
- At what time
- On what domain controller you made the change.

If you are unsure about any of this information, please talk to me first and I can help you get those GPOs in place. It is crucial to stay aware of changes, as these are very hard to track without tools.

Once we verify that things are back on track, I will re-release the changes back to you, and you can carry on with your normal procedure to change GPOs.

If there are any immediate concerns about items that may be directly affected as a result of a DC being demoted (speaking especially to Richard -- FSAE --, Steve Bibler), please bring them to my attention ASAP.

Thank you for your attention to this matter.

