How to Use Windows 2012 GPO's and GPO settings in a Windows 2003 Active Directory Domain

R. Toby RichardsNetwork Administrator
Published:
Updated:
Let me start with a history of how I came to find this information. This history should provide a good example of why this process may be necessary for you.

My organization is part of a state-wide Active Directory system. As a sysadmin for a single, smallish county among 58 counties, my clout to have the state upgrade its system is non-existent. My powers are limited to being an Organizational Unit administrator for my county's OU.

Our county's web security service (a series of proxies run by Cisco) recently disabled support for all versions of SSL and TLS 1.0. 200 users were suddenly unable to use the web. Active Directory 2003 doesn't have the necessary GPO settings to enable TLS 1.1 and 1.2. I had to be tenacious with Microsoft Support that there MUST be a way to get these GPO settings in my 2003 environment. It took escalation to a Tier III Microsoft support engineer to find this information.

If you're still running a Windows 2003 Domain Controller, then you won't have the proper options in that GPO. Here is the way to get Windows Server 2012 GPO's and GPO options in a Windows 2003 Domain:

1.      Have a Windows Server 2012 member server.*
2.      Use the Server Manager to “Add Roles and Features”
3.      Add the Active Directory Domain Services feature, and restart.
4.      Copy all of the files inside your Windows Server 2012’s C:\WINDOWS\PolicyDefinitions\ folder to a Windows 2003 Domain Controller’s C:\WINDOWS\SYSVOL\domain\Policies\PolicyDefinitions\ folder.
5.      Launch the Group Policy Management Console on the Windows 2012 server.
6.      Right-click your domain, and select, “Change Domain Controller”. **
7.      Select “This Domain Controller:”, and click on the domain controller that you copied the Policy Definition files to. Click OK. **
8.      You will now be able to configure all Windows 2012 Group Policy Objects from your Windows 2012 Member Server, and your domain will push those policies to the appropriate users and/or computers.

* Windows 8.0 or 8.1 will also work, but before step 2, you have to install Microsoft’s Remote System Administration Toolkit (RSAT). Also, with Windows 8.x the “Add Roles and Features” option is in the Control Panel/Programs and Features. Click “Turn Windows features on or off” in the upper left quadrant of the window.

RSAT for Windows 8.0: http://www.microsoft.com/en-us/download/details.aspx?id=28972

RSAT for Windows 8.1: http://www.microsoft.com/en-us/download/details.aspx?id=39296

** The policy definitions will eventually replicate to your other domain controllers eliminating the need for steps 6 & 7. Those two steps are only to get you going as soon as possible before replication occurs.

For more information on the concept of the Group Policy Central Store, you may refer to this article.
2
2,509 Views
R. Toby RichardsNetwork Administrator

Comments (21)

R. Toby RichardsNetwork Administrator

Author

Commented:
If you don't have a Windows 2003 server then you are in a 2008 or 2012 domain. The process is not necessary in that case.
MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
OK
I read your article steps again
It means you have GPO central store installed and your administrative templates are loaded from central store
You can open any GPO and look administrative templates, it will show you connected to central store
admin templates location
In this case still you need some update in article according to my understanding:
Please incorporate GPO central Store concept in article because what you have done is actually Group Policy Central Store, its not reflecting any where (my earlier comment gives you link for that)
Also no need to change domain controller in GPMC because Policydefinations folder will get copied to all domain controllers as part of sysvol replication and no matter from where you access GPMC, it will get connected to central store only
Steps 6 and 7 are not required
U can check all domain controllers for policydefinations folder by navigating to below path:
\\localhost\SYSVOL\domain.com\Policies\PolicyDefinitions

GPO central store is not a very simple concept for big organizations having 200 to 300 GPOs and it need careful planning to deploy that
Hence I suggest you to please add GPO central store concept
http://blogs.technet.com/b/askpfeplat/archive/2011/12/12/how-to-implement-the-central-store-for-group-policy-admin-templates-completely-hint-remove-those-adm-files.aspx

Now there is no confusion
Thank You
MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Also in order to get win 8.1 \ 2012 r2 admx files in GPO from 2012 server GPMC, you need to add admx files from 2012 R2 \ 8.1 to your central store policydefinations folder, otherwise tomorrow any new admx files available on 2012 R2 \ 8.1 will not be available from GPMC
because now all of your GPMC console will point to central store location only and if any templates are not available there it will not show up in group policy even if you are running GPMC from 2012 r2 \ 8.1

This information also should get incorporated to article to make it complete wrt topic, this is my suggestion only
R. Toby RichardsNetwork Administrator

Author

Commented:
Actually, Steps 6 and 7 are only required if you're going to work in the GPMC immediately (before replication occurs). I'll update the article with that; however, the article is not intended as an in-depth look at the concept of the GPO central store. Perhaps that's an idea for an article that you could write. Meanwhile, I will add your link to the article.
MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Just wanted to highlight that You have not faced problem due to 2003 DC server, but it is due to GPO central store already deployed in your domain.
As a result Domain controllers start connecting to central store and since required admx files are not copied there, you got a problem.
If GPO central store is not deployed already, admx files would get loaded from 2012 server local policydefinations folder and you even never noticed this issue as well as mentioned in my very 1st comment

View More

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
You Belong in the World's Smartest IT Community