How to Use Windows 2012 GPOs and GPO settings in a Windows 2003 Active Directory Domain

Let me start with a history of how I came to find this information. This history should provide a good example of why this process may be necessary for you.

My organization is part of a state-wide Active Directory system. As a sysadmin for a single, smallish county among 58 counties, my clout to have the state upgrade its system is non-existent. My powers are limited to being an Organizational Unit administrator for my county's OU.

Our county's web security service (a series of proxies run by Cisco) recently disabled support for all versions of SSL and for TLS 1.0. 200 users were suddenly unable to use the web. The administrative templates available in a Windows Server 2003 domain do not include the Internet Explorer setting that enables TLS 1.1 and 1.2. I had to be tenacious with Microsoft Support that there MUST be a way to get these GPO settings in my 2003 environment; it took escalation to a Tier III Microsoft support engineer to find this information.

If you are still running Windows Server 2003 domain controllers, the templates the domain itself carries are ADM files, and the Internet Explorer TLS 1.1/1.2 option is not among them. What matters is where the Group Policy Management Console (GPMC) reads its templates from: if the domain has a Group Policy Central Store (a PolicyDefinitions folder under SYSVOL\Policies), GPMC on any Vista/2008 or later machine loads templates from that store and ignores the machine's own C:\Windows\PolicyDefinitions folder, so a store populated from an older OS hides the newer settings until it is updated. If no store exists, GPMC uses the local templates and step 4 below is not needed. Here is the way to get Windows Server 2012 GPOs and GPO options in a Windows 2003 domain:

1.      Have a Windows Server 2012 member server.*
2.      Use the Server Manager to “Add Roles and Features”.
3.      Add the Group Policy Management feature (selecting the Active Directory Domain Services role also installs it among the role's management tools; adding the role does not make the server a domain controller, so skip the post-deployment promotion), and restart if prompted.
4.      Copy the contents of the Windows Server 2012 server’s C:\WINDOWS\PolicyDefinitions\ folder, including the language subfolders (for example en-US, which holds the .adml display strings that GPMC needs to show the setting), to a Windows 2003 Domain Controller’s C:\WINDOWS\SYSVOL\domain\Policies\PolicyDefinitions\ folder, creating it if it does not exist. This folder is the domain's Group Policy Central Store, and SYSVOL replication carries it to the other domain controllers.
5.      Launch the Group Policy Management Console on the Windows 2012 server.
6.      Right-click your domain, and select “Change Domain Controller”. **
7.      Select “This Domain Controller:”, and click on the domain controller that you copied the Policy Definition files to. Click OK. **
8.      You will now be able to configure all Windows 2012 Group Policy settings from your Windows 2012 member server, and your domain will push those policies to the appropriate users and/or computers.

* Windows 8.0 or 8.1 will also work, but before step 2 you have to install Microsoft’s Remote Server Administration Tools (RSAT). Also, with Windows 8.x the “Add Roles and Features” option is in Control Panel/Programs and Features: click “Turn Windows features on or off” in the upper left quadrant of the window.

RSAT for Windows 8.0: http://www.microsoft.com/en-us/download/details.aspx?id=28972

RSAT for Windows 8.1: http://www.microsoft.com/en-us/download/details.aspx?id=39296

** The policy definitions will eventually replicate to your other domain controllers, eliminating the need for steps 6 and 7. Those two steps are only to get you going as soon as possible, before replication occurs.
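The following PowerShell script is an added example and is not part of the original article; it carries out step 4 from the 2012 member server and then checks the result, which is what a practitioner wants before changing a GPO that 200 users depend on. It copies the ADMX files and their language subfolders into the Central Store on one domain controller, reports whether a store already existed (the situation in which the copy is necessary, because GPMC then ignores its local templates), confirms that inetres.admx in the store defines the SecureProtocols value behind “Turn off encryption support” and that the en-US strings mention TLS 1.2, and finally lists which domain controllers already have the file, which tells you whether steps 6 and 7 are still needed. The domain name corp.example.com and the DC name dc01 are placeholders, and reaching SYSVOL as \\<dc>\SYSVOL is assumed.

```powershell
# Added example, not from the original article: populate the Group Policy
# Central Store with this server's ADMX/ADML files (step 4) and verify that the
# template holding the IE TLS setting is now in the store.
# Assumptions: run in an elevated PowerShell on the Windows Server 2012 member
# server; $Domain and $Dc are placeholders for your domain FQDN and the DC you
# point GPMC at in steps 6 and 7.
param(
    [string]$Domain = 'corp.example.com',
    [string]$Dc     = 'dc01'
)

Add-Type -AssemblyName System.DirectoryServices

$Source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Store  = "\\$Dc\SYSVOL\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path $Source)) { throw "No local PolicyDefinitions folder at $Source" }

# An existing store is why newer settings were hidden: GPMC on Vista/2008 and
# later reads templates from the store and ignores the local folder when one exists.
if (Test-Path $Store) {
    Write-Warning "Central Store already exists at $Store; its templates will be updated."
} else {
    Write-Host "No Central Store yet; creating $Store"
    New-Item -ItemType Directory -Path $Store | Out-Null
}

function Invoke-Robocopy {
    param([string]$From, [string]$To, [string]$Filter)
    # robocopy exit codes 0-7 mean success (bit 0 = files copied); 8 and above mean failure.
    & robocopy.exe $From $To $Filter /R:1 /W:1 /NP /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy $From -> $To failed with exit code $LASTEXITCODE" }
}

# ADMX files define the settings; the per-language ADML files hold the strings
# GPMC displays. Without the matching ADML the setting exists but shows a resource error.
Invoke-Robocopy -From $Source -To $Store -Filter '*.admx'
Get-ChildItem -Path $Source -Directory | ForEach-Object {
    Invoke-Robocopy -From $_.FullName -To (Join-Path $Store $_.Name) -Filter '*.adml'
}

# Verify the template behind "Turn off encryption support" landed in the store.
# inetres.admx writes the SecureProtocols registry value; the en-US ADML must carry
# TLS 1.2 strings for the "Use TLS 1.0, TLS 1.1, and TLS 1.2" option to be selectable.
$admx = Join-Path $Store 'inetres.admx'
$adml = Join-Path $Store 'en-US\inetres.adml'
foreach ($f in @($admx, $adml)) {
    if (-not (Test-Path $f)) { throw "Expected $f in the Central Store, but it is missing" }
}
if (-not (Select-String -Path $admx -Pattern 'SecureProtocols' -Quiet)) {
    throw "$admx does not define SecureProtocols; copy templates from a newer source"
}
if (-not (Select-String -Path $adml -Pattern 'TLS 1\.2' -Quiet)) {
    throw "$adml has no TLS 1.2 strings; the option will not appear in GPMC"
}

# SYSVOL replication carries the files to the other DCs; until it has, point GPMC
# at $Dc (steps 6 and 7). Show which DCs already have the file.
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context).DomainControllers
foreach ($d in $dcs) {
    $path  = "\\$($d.Name)\SYSVOL\$Domain\Policies\PolicyDefinitions\inetres.admx"
    $state = if (Test-Path $path) { 'replicated' } else { 'pending' }
    Write-Host ("{0,-30} {1}" -f $d.Name, $state)
}
```

Run it once per template refresh; repeating it after a later OS (for example 2012 R2 or Windows 8.1) is introduced keeps the store current, since every GPMC in the domain will show only what the store contains.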

For more information on the concept of the Group Policy Central Store, you may refer to this article.
21 Comments
LVL 46

Expert Comment

by:Mahesh
Hello,
Why do you need to copy the 2012 PolicyDefinitions folder to the 2003 server?
The 2003 server doesn't understand the PolicyDefinitions folder (ADMX files); it only understands ADM files. As a matter of fact, you will not be able to view administrative templates in ADMX format on a 2003 server.
The 2003 server stores ADM files in each GPO and not in a PolicyDefinitions folder.
All you need to do is introduce a 2012 \ 2012 R2 \ Win 8 \ Win 8.1 machine into the domain as a member, add the GPMC feature on it, and start managing GPOs from there.
GPO will first look for the GPO Central Store and, if it is not found, it will simply load the ADMX files from the PolicyDefinitions folder on the local machine.
It will not go to the PolicyDefinitions folder on the 2003 server.
You may connect to any local \ nearest domain controller through GPMC; whatever changes you make in a GPO will be written into the GPT and the registry.pol file underneath that group policy folder on that specific domain controller, then replicated to all DCs including the PDC, and eventually applied on clients as well.
No need to copy the PolicyDefinitions folder to the 2003 server.
0
LVL 5

Author Comment

by:R. Toby Richards
That is a good question. The fact is that it was the missing step that I couldn't figure out on my own. That's the gap that the tier 3 guy filled in. When I get to work tomorrow I will see if I can dig through my email to figure it out.
0
LVL 46

Expert Comment

by:Mahesh
This is not a question.
This is a fact.
You will not even find a PolicyDefinitions folder on a 2003 server out of the box.
The PolicyDefinitions folder came into the picture from Vista onwards, where MS replaced conventional ADM files with ADMX files to save SYSVOL from bloat.
ADMX files have reduced SYSVOL size drastically.
In a 2003 domain, if you have 100 plain GPOs without any executables \ scripts, you will have almost 500 MB of data under the SYSVOL \ Policies folder due to ADM files.
With 2008 and above DCs, 100 plain GPOs will take hardly 10-15 MB, provided this is a brand new installation and not an upgrade from a 2003 server; otherwise the ADM files will be carried forward from the 2003 DC to the 2008 DC as well.

The 2008 and above GPMC console will always look for the GPO Central Store and, if it is not found, fall back to the local PolicyDefinitions folder.
Check the article below on ADM files:
http://support2.microsoft.com/kb/816662

The article in the earlier link will give you the Group Policy Central Store.
0
LVL 5

Author Comment

by:R. Toby Richards
I believe the member server pulls the policy definitions from the DC, so it doesn't matter that the DC can't understand admx, it is the member server reading them.
0
LVL 46

Expert Comment

by:Mahesh
This is the 3rd time I am repeating this: with 2008 and above servers, it will either look for the Group Policy Central Store or use the local PolicyDefinitions folder.
A 2008 member server will never pull the ADMX files from a domain controller unless the Group Policy Central Store is deployed.

The purpose of this commentary is that you could make corrections to your article and publish correct information.
If you don't believe me, you can request a moderator review.
0
LVL 5

Author Comment

by:R. Toby Richards
Try it. Build a small domain, don't copy the policy definition files, and try to set the following policy with the setting below it:

POLICY
Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Advanced Page/Turn off encryption support

SETTING
Use TLS 1.0, TLS 1.1, and TLS 1.2

I guarantee you that setting will not be available unless you copy the admx files. That was the magic step that made it work for me. Quote all the documentation you want. The fact is that the setting won't be there without copying the files.
0
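A check of the outcome on a client, as an added example that is not part of the original post or of either participant's comments: the policy named above writes the DWORD SecureProtocols under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (Computer Configuration) or under the same path in HKCU (User Configuration), and the setting “Use TLS 1.0, TLS 1.1, and TLS 1.2” corresponds to the WinInet bits 0x80 + 0x200 + 0x800 = 2688 (0xA80). The script decodes whatever value a client ended up with, says where it came from (GPO or the user's own Internet Options choice when no policy applies), and flags SSL 2.0/3.0 bits, since leaving those on alongside TLS 1.2 keeps a downgrade path open. The bit values are the documented WinInet ones; the function names are my own.

```powershell
# Added example, not from the original post: decode the registry value that the
# "Turn off encryption support" policy writes, to confirm on a client that the
# GPO really enabled TLS 1.1 and 1.2 rather than trusting the console view.
# Assumption: the bit values below are the documented WinInet SecureProtocols flags.
$SecureProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function ConvertFrom-SecureProtocols {
    param([int]$Value)
    # Names of every protocol whose bit is set in $Value.
    foreach ($entry in $SecureProtocolBits.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

function ConvertTo-SecureProtocols {
    param([string[]]$Protocols)
    # Inverse of the above: OR together the bits for the named protocols.
    $value = 0
    foreach ($name in $Protocols) {
        if (-not $SecureProtocolBits.Contains($name)) { throw "Unknown protocol '$name'" }
        $value = $value -bor $SecureProtocolBits[$name]
    }
    $value
}

function Get-SecureProtocolsSource {
    # Precedence: machine policy, then user policy, then the user's own preference.
    $candidates = @(
        @{ Origin = 'machine policy (GPO)';  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' },
        @{ Origin = 'user policy (GPO)';     Key = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' },
        @{ Origin = 'user preference (no GPO applied)'; Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' }
    )
    foreach ($c in $candidates) {
        $v = (Get-ItemProperty -Path $c.Key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
        if ($null -ne $v) { return @{ Origin = $c.Origin; Value = [int]$v } }
    }
    return $null
}

function Test-ClientSecureProtocols {
    param([string[]]$Required = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    $src = Get-SecureProtocolsSource
    if ($null -eq $src) {
        return [pscustomobject]@{ Origin = 'none'; Value = $null; Enabled = ''; Missing = ($Required -join ', '); LegacySsl = ''; Ok = $false }
    }
    $enabled = @(ConvertFrom-SecureProtocols -Value $src.Value)
    $missing = @($Required | Where-Object { $enabled -notcontains $_ })
    $ssl     = @($enabled  | Where-Object { $_ -like 'SSL*' })   # downgrade exposure if non-empty
    [pscustomobject]@{
        Origin    = $src.Origin
        Value     = ('0x{0:X} ({0})' -f $src.Value)
        Enabled   = $enabled -join ', '
        Missing   = $missing -join ', '
        LegacySsl = $ssl -join ', '
        Ok        = ($missing.Count -eq 0 -and $ssl.Count -eq 0)
    }
}

# The setting quoted in the post is the OR of the three TLS bits.
$expected = ConvertTo-SecureProtocols -Protocols 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
'Expected policy value: 0x{0:X} ({0})' -f $expected
Test-ClientSecureProtocols | Format-List
```

Run it on an affected workstation after gpupdate /force; an Origin of “user preference” means the GPO has not applied to that machine yet, which is a different problem from the template being missing in GPMC.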
LVL 46

Expert Comment

by:Mahesh
The setting is not available on a 2003 server.
Instead of copying the PolicyDefinitions folder to 2003, just bring up a Win 8 \ 8.1 \ 2012 \ 2012 R2 machine in the domain, install GPMC and open any GPO from there; you will find that setting, and you can apply it right away.

I have been deploying \ administering \ handling complex AD migration projects for the last 5 years.
I have never copied the PolicyDefinitions folder from any 2008 \ 2012 server to 2003; I can simply bring a machine with the latest OS (say Win 8.1) into the domain, install GPMC, and all the new ADMX files on that machine will automatically be available to me.

If you are deploying a GPO Central Store, then you need to copy the entire PolicyDefinitions folder under \\domain\sysvol\Policies so that all GPMC consoles will connect to that ADMX store. Note that once you have created the GPO Central Store, you should use GPMC on Vista \ 2008 and above OS only, because a 2003 server doesn't understand ADMX files and requires ADM files only to show administrative templates.
0
LVL 5

Author Comment

by:R. Toby Richards
I did that. The setting STILL was not available until after I copied the files. I double-dog dare you to try it.
0
LVL 5

Author Comment

by:R. Toby Richards
Other 2012 policies and settings were available without copying the ADMX files. That particular one was not.
0
LVL 5

Author Comment

by:R. Toby Richards
Here is a screenshot if you don't believe me:

GPO.png
0
LVL 46

Expert Comment

by:Mahesh
Can you please tell me from which OS you are trying to enable this setting
AND
where and what you copied?
I can see this setting on my 2012 R2 workgroup server under gpedit.msc directly; I haven't copied any files anywhere.
0
LVL 5

Author Comment

by:R. Toby Richards
See the screenshot? It says Windows Server 2012, yet TLS 1.1 and 1.2 options are not available. They became available upon copying the ADMX files that were installed on the 2012 server in question to the 2003 DC exactly as I described in Step #4.
0
LVL 5

Author Comment

by:R. Toby Richards
The screenshot above is before Step #4. Here is a screenshot of after:

after.png
0
LVL 46

Expert Comment

by:Mahesh
OK
Which OS is this screenshot from now?
I believe this screenshot is taken from the 2012 R2 server GPMC.
0
LVL 5

Author Comment

by:R. Toby Richards
Both screenshots are from the very same 2012 server GPMC. The first is before Step #4. The second is after Step #4.
0
LVL 46

Expert Comment

by:Mahesh
Encryption Support
The image is taken from a 2012 R2 workgroup server gpedit.msc console.
I don't have any 2003 server to copy \ paste any files to.

It might be possible that not all settings are available on a 2012 server and may be available on a 2012 R2 server.
Right now I don't have any 2012 server to check.
In any case, there is no need to copy any files to the 2003 server.
0
LVL 5

Author Comment

by:R. Toby Richards
If you don't have a Windows 2003 server then you are in a 2008 or 2012 domain. The process is not necessary in that case.
0
LVL 46

Expert Comment

by:Mahesh
OK
I read your article steps again.
It means you have the GPO Central Store installed and your administrative templates are loaded from the Central Store.
You can open any GPO and look at the administrative templates; it will show you that it is connected to the Central Store.
admin templates location
In this case you still need some updates to the article, according to my understanding:
Please incorporate the GPO Central Store concept in the article, because what you have done is actually the Group Policy Central Store, and it is not reflected anywhere (my earlier comment gives you the link for that).
Also, there is no need to change the domain controller in GPMC, because the PolicyDefinitions folder will get copied to all domain controllers as part of SYSVOL replication, and no matter from where you access GPMC, it will connect to the Central Store only.
Steps 6 and 7 are not required.
You can check all domain controllers for the PolicyDefinitions folder by navigating to the path below:
\\localhost\SYSVOL\domain.com\Policies\PolicyDefinitions

The GPO Central Store is not a very simple concept for big organizations having 200 to 300 GPOs, and it needs careful planning to deploy.
Hence I suggest that you please add the GPO Central Store concept.
http://blogs.technet.com/b/askpfeplat/archive/2011/12/12/how-to-implement-the-central-store-for-group-policy-admin-templates-completely-hint-remove-those-adm-files.aspx

Now there is no confusion.
Thank you
0
LVL 46

Expert Comment

by:Mahesh
Also, in order to get Win 8.1 \ 2012 R2 ADMX files in a GPO from the 2012 server GPMC, you need to add the ADMX files from 2012 R2 \ 8.1 to your Central Store PolicyDefinitions folder; otherwise, tomorrow any new ADMX files available on 2012 R2 \ 8.1 will not be available from GPMC,
because now all of your GPMC consoles will point to the Central Store location only, and if any templates are not available there, they will not show up in Group Policy even if you are running GPMC from 2012 R2 \ 8.1.

This information should also be incorporated into the article to make it complete with respect to the topic; this is my suggestion only.
0
LVL 5

Author Comment

by:R. Toby Richards
Actually, Steps 6 and 7 are only required if you're going to work in the GPMC immediately (before replication occurs). I'll update the article with that; however, the article is not intended as an in-depth look at the concept of the GPO central store. Perhaps that's an idea for an article that you could write. Meanwhile, I will add your link to the article.
0
LVL 46

Expert Comment

by:Mahesh
I just wanted to highlight that you have not faced the problem due to the 2003 DC server, but due to a GPO Central Store already deployed in your domain.
As a result, domain controllers start connecting to the Central Store, and since the required ADMX files were not copied there, you got the problem.
If the GPO Central Store were not already deployed, the ADMX files would be loaded from the 2012 server's local PolicyDefinitions folder and you would never even have noticed this issue, as mentioned in my very first comment.
0
