Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

GPO's win2k3-win2k8r2

Posted on 2011-03-23
9
Medium Priority
?
841 Views
Last Modified: 2012-06-21
Are there any procedures that one should go through in order to verify that GPO's created on Win2k3 will work correctly if the DC's are all upgraded to Win2k8R2?
0
Comment
Question by:Ben Hart
  • 4
  • 3
  • 2
9 Comments
 
LVL 12

Accepted Solution

by:
Navdeep earned 500 total points
ID: 35201592
In ideal situation they will work as expected however there are not always a ideal situation.
you need to test in the lap environment first or add a pilot dc first and then test it out
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 35201790
Ahh so no tool, or wizard or something that can be used in a situation like this?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35201837
If you have custom ADMs you want to convert you can use this converter   http://www.microsoft.com/downloads/en/details.aspx?FamilyId=0F1EEC3D-10C4-4B5F-9625-97C2F731090C&displaylang=en

but v-2 has it right they should work fine.  Once you start creating in 2008/7 try to use those boxes as your management workstation for group policy.

Thanks

Mike
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 14

Author Comment

by:Ben Hart
ID: 35207112
Hmm, I posted this question because for example yesterday I modified a new GPO on my workstation (Win7 sp1 64bit w/rsat) I opened the same GPO on the server and noticed a couple entries listed under "Extra Registry Settings" telling me "Display names for some settings cannot be found.  You might be able to resolve this issue by updating the ADM files used by Group Policy"

So with that and some free time in hand, I Googled for a while and found: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=16f69ffe-d51b-4e02-9d02-3e57f3ccd490
Updated ADMX templates for 2k8 R2 and Win7., so I installed that on one of the DC's, then followed the directions to create a Central Policy store, copied the files into the folder.  I re-opened GP Management then edited the GPO in question only to be given the same display names thing.

I guess I'm unsure of the standard procedure in managing GPOs.. is the normal way to create/edit GPO's in a 2k8 R2 domain to use the admins workstation?  Is there anything to worry about with the server not being able to read or recognize all the options in any particular GPO?
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35210531
Server 2003 will not be able to read new GPO from W2K8. Admin Workstation is used just for the security purpose. If you have win7, use rsat tools, otherwise you can manage the gpo's from server 2k8 as well.

Although you may not be able to see those from server 2003 but gpo do exist and they will get applied.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 35210572
Oh no.. you misunderstand maybe.  We no longer have any Win2k3 DC's, both are 2k8 R2 and the issue I'm getting reading a GPO created by Win7 is on one of the 2k8 DC's.

Roger that about the admin workstation.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 500 total points
ID: 35210588
Server 2003 will be able to read a policy created in 2008.  The problem is you won't be able to edit "new" settings that apply to 7/2008.

...but for example create a policy on a 2008 box and configure password settings.  (those have been around forever)

You can certainly open and edit that on a 2003/xp box.

What does happen when you use an older box to view the new GPO is that the ADM gets created which increases the size by 3 MB.

I'd stick to the newer machines but you can read.

Thanks

Mike
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 35210606
Ok so creating GPO's using my Win7 admin workstation is totally fine, and I should not worry about the fact that there are parts of these GPO's that are apparently unreadable by a Win2k8R2 domain controller because the setting will still be applied.  Is that correct?
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35211013
Yes
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question