[MS-GPSO] 6.2.1.3 Site SOM Search and Response

Question
For GPO analysis, because a GPO can be linked to a site, I'm trying to determine the algorithm used to determine the client site.
[MS-GPSO] 6.2.1.3 Site SOM Search and Response specifies:
After the GP Client has determined its Domain SOM, it then determines the site that the computer belongs to. The site to which the Client computer belongs (the SiteName) is detailed in [MS-DISO] section 4.3.1.1. Because the site can change based on the GP client's location, this step must occur as part of policy processing
Then [MS-DISO] 4.3.1.1 Client Data Model specifies:
SiteName (Public): The client can retain the site that it has determined either through administrative configuration or dynamic discovery. Preserving the site name allows the client to use the site in the process of finding a "near" domain controller (DC) during the location process. However, for clients that are mobile and may shift sites frequently (for example, a business traveler using a laptop), preserving the site may not help, or may require additional information such as network awareness that are outside the scope of this document. Client implementations SHOULD incorporate site awareness and preserve the name of the site.
In short, the algorithm to determine a site is not written and is up to the client implementation.
However, I'm trying to get the answer to the following questions:
- If there are many sites which have the same network definition, which site is chosen?
- If a computer belongs to 2 different sites, which one is chosen? The subnet having the shortest prefix, or the site that has a DC when the other one does not?
- Is there a priority between subnets, if IPv4 or IPv6 give different sites?
- Is the default site chosen if there is no subnet matching the IP address?
- Is there an exception for DCs, because their server object is defined in the site object (or its children) itself?
In short, is it possible to have more insight on how the Windows client behaves?
Thanks in advance
Sunday, August 4, 2019 9:11 PM
All replies

Hello Vincent,
Thank you for posting this question. Let me review this and follow up.
Regards,
Edgar
Monday, August 5, 2019 3:41 AM
Hello Vincent,
Please consult the following references. It appears you are using old documents that have been archived now for quite some time.
DsrGetSiteName should also be useful in a general sense. For your specific implementation questions, I will try to give some pointers, which may not be normative, hopefully you find it useful to make your implementation choices.
If many sites have the same network definition, I’d expect to pick the closest site.
If the computer belongs to two different sites, based on a search of its IP address, there should be a matched subnet and a corresponding site.
I don’t think it gives priority to IPv4 or IPv6. If both addresses are present, it will look for subnets for both types of addresses, and pick whichever matches first.
[MS-GPOD] 2.1.3.1.3 Site SOM Search and Response
[MS-GPOL] 3.2.5.1.4 Site Search
This procedure is skipped if Machine Role is equal to DsRole_RoleStandaloneWorkstation or DsRole_RoleStandaloneServer.
The site to which the client computer belongs (the SiteName) is determined by invoking the DsrGetSiteName method (as specified in section ) locally with the following parameters:
. . .
[MS-GPOL] 2.2.3 Site Search
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/c2ce6870-c863-40b0-94c1-73cf53b6e634
[MS-NRPC] 3.5.4.3.6 DsrGetSiteName (Opnum 28)
Thanks,
Edgar
Thursday, August 8, 2019 4:55 AM
Excellent !!!
There is just one additional point I need to clarify.
If, in a forest, a site is configured for domainA,
but someone from domainB matches the IP address defined in the site,
then it gets a gplink defined from domainA. Will it be applied by domainB? (if we make the hypothesis that the user/computer has the right to read the settings)
If I'm reading this correctly, it should be applied:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/bf1f9c51-6674-4b74-b0d7-635f1121aeec
br
Vincent
Thursday, August 8, 2019 7:00 AM
Vincent,
My understanding is that it would be applied.
For a GPO linked to a site, the gplink is replicated Forest-wide (Configuration partition).
For a GPO linked to a domain or OU, gplink is replicated domain-wide (Domain partition).
Thanks,
Edgar
Proposed as answer by vletoux2 Thursday, August 8, 2019 7:25 PM
Thursday, August 8, 2019 5:56 PM
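The two behaviours discussed in the thread (Edgar's subnet-to-site pointers in his first reply, and the forest-wide replication of site gplinks in his last one) can be modelled in a few lines. The following is an added example written for this page; it is not code from the thread, from Windows, or from any Microsoft specification. The subnet table, site names, domain names, OU DNs and GPO GUIDs are all constructed, and the resolution rule (check each client address in order, longest matching prefix wins, first address with a match decides) is an assumption that mirrors Edgar's non-normative description, not documented Windows behaviour. An address that matches no subnet yields no site, since the thread does not settle what happens in that case.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed forest data (illustration only, not taken from the thread).
# Subnet objects live in the forest-wide Configuration partition and name a site.
SUBNET_TO_SITE = {
    "10.0.0.0/8": "HQ",
    "10.20.0.0/16": "Paris",        # more specific than 10.0.0.0/8
    "2001:db8:20::/48": "Paris",    # IPv6 subnet for the same site
    "192.168.1.0/24": "Lab",
}

# gplink per SOM. Site links sit in the Configuration partition (forest-wide);
# domain and OU links sit in each domain's own partition (domain-wide).
SITE_GPLINKS = {"Paris": ["{GPO-site-paris}"], "HQ": ["{GPO-site-hq}"], "Lab": []}
DOMAIN_GPLINKS = {
    "domainA.example": ["{GPO-domainA-default}"],
    "domainB.example": ["{GPO-domainB-default}"],
}
OU_GPLINKS = {
    "OU=Workstations,DC=domainB,DC=example": ["{GPO-domainB-workstations}"],
}

# Roles for which the site step is skipped (names quoted from the thread).
STANDALONE_ROLES = {"DsRole_RoleStandaloneWorkstation", "DsRole_RoleStandaloneServer"}


def resolve_site(addresses: Iterable[str], subnets=SUBNET_TO_SITE) -> Optional[str]:
    """Map the client's addresses to a site name, or None if nothing matches.

    Assumed rule: addresses are tried in the order given; for each one, every
    subnet object of the same address family is checked and the most specific
    (longest prefix) match wins. The first address that matches anything
    decides, so there is no fixed IPv4-over-IPv6 priority, only list order.
    """
    networks = [(ipaddress.ip_network(n), site) for n, site in subnets.items()]
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        matches = [(net.prefixlen, site) for net, site in networks
                   if net.version == ip.version and ip in net]
        if matches:
            return max(matches, key=lambda m: m[0])[1]
    return None


def site_som(addresses: Iterable[str], domain: Optional[str], ou_chain: List[str],
             machine_role: str = "DsRole_RoleMemberWorkstation") -> List[str]:
    """Return the ordered GPO list for a computer's scope of management.

    Order follows the GP Client's search: site, then domain, then OUs from the
    outermost OU down to the one holding the computer; later entries have
    higher precedence. ou_chain is that outer-to-inner list of OU DNs.
    """
    gpos: List[str] = []
    if machine_role not in STANDALONE_ROLES:
        site = resolve_site(addresses)
        if site is not None:
            # Site links are read from the Configuration partition, so a link
            # set up by an administrator of domainA applies to a domainB
            # computer whose address falls in that site's subnet.
            gpos.extend(SITE_GPLINKS.get(site, []))
    gpos.extend(DOMAIN_GPLINKS.get(domain, []))
    for ou in ou_chain:
        gpos.extend(OU_GPLINKS.get(ou, []))
    return gpos


if __name__ == "__main__":
    # A domainB workstation sitting in the Paris subnet configured by domainA.
    print(site_som(["10.20.1.1"], "domainB.example",
                   ["OU=Workstations,DC=domainB,DC=example"]))
```

For auditing, the useful consequence is the one Edgar states: a site-linked GPO reaches every domain in the forest whose computers fall into that site's subnets, so a review of what applies to a domainB machine has to include site gplinks and subnet objects from the Configuration partition, not only domainB's own partition.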