Group Policy Client Engine Domain Controller Selection


  • Hi guys, I'm using some DC isolation techniques (/32 subnets linked to an isolated site and the DNSAvoidRegisterRecords Netlogon parameter) and everything is working well. Windows clients are not finding my isolated DCs for authentication/secure channel etc. However, they are finding them for group policy, i.e. during GP application I see them connecting to my isolated DCs. How does the GP engine select a DC? Does it not use the DC locator process? It seems like it might just be using the A records for the FQDN of the domain, which would just be returned in the order that DNS is set up to return them, i.e. netmask ordering etc.
    Monday, June 20, 2016 7:45 PM

All replies

  • Logon server selection and DFS target selection (for SysVol and netlogon share) are two independent processes. See "How Target Selection Works" in How Dfs Works for more info.


    Tuesday, June 21, 2016 8:27 AM
  • Hi Shocko,

    Thanks for your post.

    How does the GP engine select a DC? Does it not use the DC locator process?

    >>> The Group Policy engine is a framework that handles client-side extension (CSE) processing and interacts with other elements of Group Policy.

    For more information, you could refer to the article below.

    How Core Group Policy Works

    The DC locator process selects the DC. For more information about the process, you could refer to the article below.

    Domain Controller Locator

    Best Regards,



    Tuesday, June 21, 2016 1:05 PM
  • Thanks Gleb, I read the info and it would appear that my clients should be connecting to the sysvol in their local site but they are not. What would cause this?
    Tuesday, June 21, 2016 1:14 PM
  • Anyone?
    Sunday, August 07, 2016 10:12 PM