Why isn’t my GPO Change replicating?

Real life conversation within Microsoft IT:

GPO Admin:  Why isn’t my GPO change replicating?

 

AD Admin:  Because it was written to an RODC.

 

GP:  errr…huh?  I thought the RO in RODC was “Read Only”

 

AD:  Yup, it is…  but the GPO change was still written to it.  And that’s why it’s not replicating to the rest of the domain.

 

GP:  HUH?  Explain please.

 

AD:  Remember that GPO’s actually have 2 parts, there are the files which are written into SYSVOL, and there are the changes which are written to the AD objects.  When you launch GPEdit, it typically connects to the PDC for the AD portion of the writes, but gets a DFS referral for the SYSVOL portion.  Even if you connected directly to an RODC for the AD portion, the RODC will return an LDAP write referral to a full DC, so that write operation will still work. 

However with the DFS referral doesn’t know the difference between a full and an RODC.  So if you connect to SYSVOL on an RODC, then the files will be written/updated as expected.  What you’re seeing, is that because an RODC is read-only, any changes which are made will never, ever replicate to the rest of the domain.

 

GP:  So, then the AD update worked, so now we’ve got version number mismatches, because the updated files never replicate?

 

AD:  Yes, but that’s not all.  DFSR will actually detect that this is one-way replication, AND that the files don’t match.  So you’re change will be “fixed” during the next update, when DFSR puts the files in SYSVOL back to their original state.

 

GP:  wow.

So, it’s important to note here, that the majority of users on our main campus (including our admins) are all part of a single, fairly large AD site.  For this domain, our site includes about 35 full DC’s, and 6 RODC’s.  So it was a little bit of a fluke that we hit this, and I wouldn’t expect it to occur very often if you deploy RODC’s in the typical branch office type of deployment.

But It’s useful to know that RODC’s are actually writeable for SYSVOL, but that if you do writes then those changes will not replicate out and you end up with version mismatches.