hemtech

Moving Group Policy to another server

I am looking for the cleanest process to move my Group Policies from one server to another.  My environment has three servers:
1 PDC: W2K Server SP4;
1 BDC: W2K3;
1 Member Server (Apps) W2K3.  

The BDC is new to the environment.  Group Policy has been on the member server for over a year now, and contains a good amount of active policies.  I would like to move those policies to the BDC, and eventually promote the BDC.  

Two problems:
1. I am receiving the following event ID errors on the BDC - 1030 / 1058.  I've seen these before, and was unable to resolve them after extensive work.  I am hoping that these errors have something to do with the fact that Group Policy is currently not on a domain controller.
2. I am not a fan of backing up and restoring individual policies.  I have not had good experiences with this.

Where do I begin?

Question: will installing a fresh copy of Group Policy on my BDC have an adverse effect on my current setup?
ryansoto

There is no BDC anymore - all machines are writable domain controllers with only one holding the fsmo roles.
You don't transfer group policy to another server; they replicate automatically.  Once you make the second machine a domain controller the group policies will automatically replicate between the two.  This replication will occur between the two until you remove one of the domain controllers.
hemtech

ASKER

Thank you for the response.  To clarify: I have no intention of making the member server, which currently stores all of my group policies, a domain controller.  Should I expect Group Policy to replicate from the member server to my W2K3 server (what I was referring to as the BDC) once I install Group Policy?
I guess I am not understanding -
With windows 2k and windows 2k there is no such thing as a backup domain controller.  A windows 2k machine that runs group policy must run active directory, which means it's a domain controller.
I.e., you can't have a member server that runs domain operations such as group policies without it being a domain controller.

Here is what I would do - again I assume your win2k machine is running active directory and if so it's a domain controller.  I would take the second cd from the w2k3 cd set and put it in the windows 2k machine.  Run adprep.  This will prep the schema for win2k3.

Make the win2k3 machine a domain controller.  Now you have 2 domain controllers which means group policy will replicate between both machines.  It also provides redundancy in case one server goes down.
Next transfer the fsmo roles to the w2k3 machine
http://www.petri.co.il/transferring_fsmo_roles.htm

Finally make the win2k3 machine a global catalog server
http://support.microsoft.com/kb/313994
Make sure in TCP IP properties of the lan connection that the first DNS server is set to itself and the second is another internal DNS server - NOT an ISP DNS

Make the win2k3 machine a DNS server and make sure you create forwarders
http://support.microsoft.com/kb/323380


Now what this means - if the old server (win2k) goes down your clients will still be able to authenticate log ons, DNS requests will still work and network operations will remain stable.

http://www.petri.co.il/how_to_install_active_directory_replica_on_windows_2003.htm
hemtech

ASKER

Thanks again.  Other than seizing the FSMO roles, everything that you described above has been done on the W2K3 domain controller.  Site replication between my W2K and W2K3 DCs is working fine; however, I am, without a doubt, successfully running Group Policy from a non-domain controller (the W2K3 member server in my environment).  This server is not a DNS or DHCP server, it is simply a member server.
OK - so it sounds like I'm out in unknown territory now.  In your opinion, if I install Group Policy on the new W2K3 Domain Controller, should my policies replicate over?  If I understand you correctly, in a normal environment - where Group Policy was on a DC instead of a member server - it would, correct?
ASKER CERTIFIED SOLUTION
ryansoto
hemtech

ASKER

I was confused between the Group Policy console (gpmc.msi)  and the policies themselves.  The Sysvol folder was not replicating correctly until I resolved a JRNL Wrapper error on the 2000 server with a registry fix, but now everything is working correctly.  Thank you.
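
The resolution above came down to SYSVOL not replicating between the domain controllers. The following is an added example, not part of the original thread: a Python check that reads the GPT.INI version of every GPO folder under each DC's SYSVOL Policies directory and reports any GPO whose copies differ or are missing. The DC names, GUIDs and version values are constructed sample data, and the temporary folders stand in for the real shares.

```python
import tempfile
from pathlib import Path

def read_gpo_versions(policies_dir):
    """Return {GPO GUID: (user_version, computer_version)} for one Policies folder."""
    versions = {}
    for gpo in Path(policies_dir).iterdir():
        if not gpo.is_dir():
            continue
        raw = None
        for f in gpo.iterdir():
            if f.name.lower() != "gpt.ini":
                continue
            text = f.read_text(encoding="utf-8-sig", errors="replace")
            for line in text.splitlines():
                key, _, value = line.partition("=")
                if key.strip().lower() == "version" and value.strip().isdigit():
                    raw = int(value.strip())
        # Version packs the user-side count in the high 16 bits and the
        # computer-side count in the low 16 bits. None = no usable GPT.INI.
        versions[gpo.name.upper()] = None if raw is None else (raw >> 16, raw & 0xFFFF)
    return versions

def compare_sysvol(dirs):
    """dirs maps DC name -> Policies path. Return only the GPOs whose copies differ."""
    per_dc = {dc: read_gpo_versions(path) for dc, path in dirs.items()}
    drift = {}
    for guid in sorted(set().union(*per_dc.values())):
        seen = {dc: found.get(guid, "absent") for dc, found in per_dc.items()}
        if len(set(seen.values())) > 1:
            drift[guid] = seen
    return drift

G1, G2, G3 = ("{%s-1111-1111-1111-111111111111}" % (c * 8) for c in "123")

def demo():
    """Build two constructed Policies trees and compare them."""
    sample = {  # constructed data: DC name -> {GPO GUID: GPT.INI Version}
        "DC-W2K": {G1: 65539, G2: 7, G3: 131073},
        "DC-W2K3": {G1: 65538, G3: 131073},  # G1 is stale, G2 never arrived
    }
    root, dirs = Path(tempfile.mkdtemp()), {}
    for dc, gpos in sample.items():
        dirs[dc] = root / dc / "Policies"
        for guid, version in gpos.items():
            (dirs[dc] / guid).mkdir(parents=True)
            (dirs[dc] / guid / "GPT.INI").write_text(f"[General]\nVersion={version}\n")
    return compare_sysvol(dirs)

if __name__ == "__main__":
    for guid, seen in demo().items():
        print(guid, seen)
```

Against real servers, pass each DC's own SYSVOL Policies path to `compare_sysvol` instead of the temporary folders; an empty result means every DC holds the same GPO versions.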
hemtech

ASKER

Thanks ryansoto