There are a number of distributed DCs and AD sites in my environment. The DCs are mostly 2008 (not R2) and FRS replication is still in use.
The AGPM server is installed on a W2k8R2 member server that is placed in a different AD site than the PDC emulator.
When I try to create a new Controlled GPO or edit an existing one, everything goes smoothly until I try to edit a specific group of settings that came with W2k8 and later: Windows Advanced Firewall and Advanced Auditing. As I've noticed so far, editing these settings is not an "offline" process, the way AGPM editing is usually treated. A temporary GPO is created and the settings in question are edited in that "shadow" GPO.
But unfortunately the settings are edited by an external (I think .NET) mechanism that DOES NOT USE the domain controller chosen by GPMC that hosts AGPM. We face a strange situation where part of a GPO is edited on SYSVOL on the PDC and part on a different DC. First of all, after the GPO is Checked Out, I have to wait until the "shadow" GPO is created and replicated from the PDC to the DC that the AGPM server uses. If I wait for too short a period of time, there is a .NET error that an object does not exist. If I wait for a certain time and can edit e.g. Windows Advanced Firewall settings, I still can't save them correctly. They seem to vanish after the GPO is opened again for editing (after checking in and checking out again).
Has anyone faced the same issue? I thought about forcing the AGPM server to use the PDC as its DC, or editing GPOs that have problematic settings in production and importing them to AGPM after they have been changed (I lose the workflow and offline editing advantages then).
Many thanks for any suggestions ...