EDITOR'S NOTE: This tip applies to Windows 2000 Server.
Every GPO has two portions. The Group Policy Template (GPT) is a folder under SYSVOL on each domain controller, and the Group Policy Container (GPC) is an object in the Active Directory database. Each portion carries a version number: the Version= entry in the GPT's gpt.ini file and the versionNumber attribute on the GPC. It is a single 32-bit value in which the low 16 bits count changes to the computer configuration and the high 16 bits count changes to the user configuration, so the two halves of the GPO are tracked separately. Knowing how these two portions replicate to all domain controllers is important, especially when Group Policy does not apply as planned.
Replication of the GPT
We have seen that the GPT is stored in the SYSVOL of the domain controller. The SYSVOL of each domain controller replicates to all other domain controllers until the contents are synchronized. The File Replication Service (FRS) is responsible for ensuring that the replication between the domain controllers is performed efficiently and successfully.
FRS is a state-based replication service: when a file in the GPT changes, FRS detects the change and queues it for outbound replication to its partners immediately, rather than waiting for a polling interval. SYSVOL replication uses the same connection objects that the KCC generates for Active Directory replication, but FRS does not follow the Active Directory replication interval. Within a site it replicates as soon as a change is detected, and between sites it replicates whenever the connection schedule is open. The GPT can therefore reach a domain controller in another site well before, or well after, the matching Active Directory changes arrive there.
Replication of the GPC
The GPC is stored in the Active Directory database. The Active Directory database does not rely on FRS to replicate to each domain controller, but on Active Directory replication: change notification between partners within a site, and the schedule and interval of the site link between sites. The two replication services do not depend on each other, nor do they use the same replication schedule.
When GPO version numbers don't match
As you can imagine, there will be instances over time when the GPT on a given domain controller already carries the latest version number while the GPC on that domain controller is still waiting for Active Directory replication to deliver the change, or the reverse. When a computer refreshes policy from that domain controller and the GPT and GPC version numbers for a GPO don't match, the client treats that GPO as inconsistent and does not apply it during that refresh; the other GPOs in scope are still processed. Only when the GPT and GPC version numbers match after replication convergence will the changes in that GPO begin applying to the target objects.
In short: the GPT in SYSVOL is replicated by FRS, and the GPC in the Active Directory database is replicated by Active Directory replication. Because the two services work on different schedules, there will be times when the GPT and GPC version numbers for the same GPO differ on a domain controller, and during those refresh intervals processing of that GPO fails there. Once both portions have converged, processing continues successfully. When a policy change (a security setting, for example) does not take effect, compare the two version numbers on every domain controller before looking elsewhere; the Windows 2000 Resource Kit tool gpotool.exe performs this consistency check for you.
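The following script is an added example, not part of the original tip and not a Microsoft tool. It puts the two points above into one check: it decodes the 32-bit version number into its computer and user halves, then reads the GPC versionNumber attribute and the gpt.ini Version entry from every domain controller and reports where the two portions of the GPO disagree. It is written for a current Windows host with PowerShell 3.0 or later (Windows 2000 itself has no PowerShell) joined to the domain, with read access to the GPO container and the SYSVOL share. The default GPO GUID is the well-known Default Domain Policy GUID and is only a sample; all function names are the example's own.

```powershell
# Added example, not from the original tip: compare one GPO's GPC version
# (Active Directory) with its GPT version (SYSVOL gpt.ini) on every domain
# controller. Assumes PowerShell 3.0+ on a domain-joined host with read
# access to the GPO container and the SYSVOL share.
param(
    # GUID of the GPO to check, braces included. The default is the
    # well-known GUID of the Default Domain Policy and is only a sample.
    [string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}',
    [string]$Domain  = $env:USERDNSDOMAIN
)

# Both portions store one 32-bit version: the low 16 bits count changes to
# the computer configuration, the high 16 bits changes to the user
# configuration. LDAP may return the value as a negative Int32 once the user
# half passes 32767, so normalise to an unsigned 32-bit value first.
function Split-GpoVersion {
    param([int64]$Version)
    $v = $Version -band 4294967295
    [pscustomobject]@{
        Computer = $v -band 0xFFFF
        User     = ($v -shr 16) -band 0xFFFF
    }
}

# The GPT version lives in gpt.ini as "Version=<decimal>" under [General].
function Get-GptVersion {
    param([string]$IniPath)
    foreach ($line in Get-Content -Path $IniPath -ErrorAction Stop) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [int64]$Matches[1] }
    }
    throw "No Version= entry in $IniPath"
}

# The GPC version is the versionNumber attribute of the policy object. Bind
# to a named DC so that each replica of the directory is read, not just
# whichever DC the client would normally locate.
function Get-GpcVersion {
    param([string]$DomainController, [string]$Guid)
    $rootDse   = [ADSI]"LDAP://$DomainController/RootDSE"
    $defaultNC = $rootDse.defaultNamingContext.Value
    $gpc = [ADSI]"LDAP://$DomainController/CN=$Guid,CN=Policies,CN=System,$defaultNC"
    [int64]$gpc.versionNumber.Value
}

$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainControllers

$report = foreach ($dc in $dcs) {
    try {
        $gpc = Split-GpoVersion (Get-GpcVersion -DomainController $dc.Name -Guid $GpoGuid)
        $gpt = Split-GpoVersion (Get-GptVersion -IniPath "\\$($dc.Name)\SYSVOL\$Domain\Policies\$GpoGuid\gpt.ini")
        # A client refreshing against this DC skips the GPO while either half differs.
        $inSync = ($gpc.Computer -eq $gpt.Computer) -and ($gpc.User -eq $gpt.User)
        $status = if ($inSync) { 'in sync' } else { 'MISMATCH: GPO not applied from this DC yet' }
        [pscustomobject]@{
            DC           = $dc.Name
            GPC_Computer = $gpc.Computer
            GPT_Computer = $gpt.Computer
            GPC_User     = $gpc.User
            GPT_User     = $gpt.User
            Status       = $status
        }
    } catch {
        [pscustomobject]@{
            DC = $dc.Name; GPC_Computer = $null; GPT_Computer = $null
            GPC_User = $null; GPT_User = $null; Status = "error: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

# Even when every DC is internally consistent, DCs can still disagree with
# each other until both FRS and AD replication have converged; flag that too.
$distinct = @($report | Where-Object { $_.Status -eq 'in sync' } |
              ForEach-Object { "$($_.GPC_Computer).$($_.GPC_User)" } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Domain controllers disagree on the version of $GpoGuid; wait for replication to converge."
}
```

Run it as `.\Compare-GpoVersion.ps1 -GpoGuid '{...}'` from a domain-joined host. A row marked MISMATCH identifies the domain controller on which a refreshing client would skip the GPO; if the rows are individually in sync but the final warning fires, the GPO is consistent on each DC but replication between DCs has not finished yet. The script reads each DC directly rather than through the domain name on purpose, since binding to `LDAP://domain` or `\\domain\SYSVOL` would only ever show the state of whichever DC the locator picked.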
Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at email@example.com.
This was first published in April 2006