Group Policy Cmdlets, Replication & the '-Server' Parameter

Hello GP Junkies! My name is Bryan Garretson, and I want to let you know about an interesting way we were able to use the new PowerShell cmdlets available in Windows Server 2008 R2 / Windows 7 to anticipate and test around replication delays in certain configurations.

When we were testing RODC read operations, we needed to create our data (GPOs/settings/permissions... GP cmdlets do it all) on a DC (ServerA), which is a PDC for the domain. Then we tried to read that data from the test target (ServerB), an RODC member server in the same domain. You may know where this is going... we got cascading test failures because the data we created on the PDC hadn't yet replicated. The solution? We had to create a mechanism to effectively 'WaitOnReplication' in our scripts/automation before proceeding with validation.

Consider the following script:

##############WaitOnReplication.ps1##############
###The Group Policy cmdlets live in the GroupPolicy module
Import-Module GroupPolicy

###Suppress the errors Get-GPO raises while the GPO is not yet on the target
$ErrorActionPreference = "SilentlyContinue"

###Create the source GPO on the PDC (New-GPO writes the new GPO to the console)
New-GPO -Name "TestingIsFun" -Domain myTestDomain.com -Server ServerA.myTestDomain.com

###Quick check to verify it exists before trying to do the RODC read
$srcGPO = (Get-GPO -Name "TestingIsFun" -Domain myTestDomain.com -Server ServerA.myTestDomain.com)

if($srcGPO)
{
       $iCtr = 0
       $myGPO = $null

       ###While RODC-based GPO is null, retry (no timeout: loops until ServerB returns the GPO)
       while(!$myGPO)
       {
           $iCtr++

           $myGPO = (Get-GPO -Name "TestingIsFun" -Domain myTestDomain.com -Server ServerB.myTestDomain.com)

           ###Adjust the interval to reduce console noise, or use a timer
           if(($iCtr % 50) -eq 0){ $iCtr }

           ###Print out RODC-read GPO details after populated (meaning, replication took place)
           if($myGPO)
           {
              ""
              $myGPO
           }
       }

       ###Once out of the loop we are successful!
       $targetReadSuccess = "Target read successfully! Replication has taken place"
       $targetReadSuccess
}
#################################################

[Output]
PS D:\test> D:\test\WaitOnReplication.ps1

DisplayName : TestingIsFun
DomainName : myTestDomain.com
Owner : myTestDomain\Domain Admins
Id : fea7672e-ba81-4588-82c6-dcb30c7eb81e
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 2/19/2009 10:14:38 AM
ModificationTime : 2/19/2009 10:14:38 AM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 0, SysVol Version: 0
WmiFilter :

50
... ...
950

DisplayName : TestingIsFun
DomainName : myTestDomain.com
Owner : myTestDomain\Domain Admins
Id : fea7672e-ba81-4588-82c6-dcb30c7eb81e
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 2/19/2009 10:14:38 AM
ModificationTime : 2/19/2009 10:14:52 AM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 0, SysVol Version: 0
WmiFilter :

Target read successfully! Replication has taken place

... now, at this point we know for certain that replication has taken place (at least, for the specified -Server) before proceeding with any other operation. What I'm trying to say is, there is a PowerShell-based method for determining whether or not replication has taken place, and the API granularity needed to accomplish that is provided by the -Server parameter (also known by its alias '-DC').

Cheers,
Bryan

Software Design Engineer in Test, Group Policy
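
A bounded variant of the wait loop above, as an added example that is not part of the original post: it gives up after a timeout instead of polling forever, sleeps between polls, and looks the GPO up by GUID on each target. It goes beyond the existence check in the post by also comparing the AD and SysVol version counters shown in the output. Wait-GpoReplication and its parameter names are hypothetical; Get-GPO and its -Guid, -Domain and -Server parameters are from the GroupPolicy module.

```powershell
# Added example. Wait-GpoReplication and its parameters are hypothetical names,
# not cmdlets from the GroupPolicy module.
Import-Module GroupPolicy

function Wait-GpoReplication {
    param(
        [Parameter(Mandatory=$true)] [string]   $Name,
        [Parameter(Mandatory=$true)] [string]   $Domain,
        [Parameter(Mandatory=$true)] [string]   $SourceServer,
        [Parameter(Mandatory=$true)] [string[]] $TargetServer,
        [int] $TimeoutSeconds = 300,
        [int] $PollSeconds    = 5
    )
    # A missing source GPO is a test-setup failure, so let it throw.
    $src      = Get-GPO -Name $Name -Domain $Domain -Server $SourceServer -ErrorAction Stop
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $pending  = @($TargetServer)

    while ($pending.Count -gt 0) {
        $stillPending = @()
        foreach ($dc in $pending) {
            # Look up by GUID so another GPO with the same display name cannot match.
            try   { $copy = Get-GPO -Guid $src.Id -Domain $Domain -Server $dc -ErrorAction Stop }
            catch { $copy = $null }   # not there yet, or DC unreachable: keep waiting
            # AD and SYSVOL replicate separately, so compare both sets of counters.
            $inSync = $copy -and
                $copy.User.DSVersion         -eq $src.User.DSVersion -and
                $copy.User.SysvolVersion     -eq $src.User.SysvolVersion -and
                $copy.Computer.DSVersion     -eq $src.Computer.DSVersion -and
                $copy.Computer.SysvolVersion -eq $src.Computer.SysvolVersion
            if (-not $inSync) { $stillPending += $dc }
        }
        $pending = $stillPending
        if ($pending.Count -gt 0) {
            if ((Get-Date) -gt $deadline) {
                throw "Timed out after ${TimeoutSeconds}s waiting for '$Name' on: $($pending -join ', ')"
            }
            Start-Sleep -Seconds $PollSeconds
        }
    }
    $src   # every target now returns the same GPO with matching versions
}

# Usage with the names from the post (requires the domain; ServerB is the RODC):
# Wait-GpoReplication -Name TestingIsFun -Domain myTestDomain.com `
#     -SourceServer ServerA.myTestDomain.com -TargetServer ServerB.myTestDomain.com
```

Because the function throws on timeout, a test harness sees a replication stall as one clear failure at the wait step rather than as cascading read failures later.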