Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 401
  • Last Modified:

Moving servers to another OU in Windows server 2008 Active Directory

Hello,

We plan to move some servers into a server OU in our WIN2K8 AD to apply an important WSUS group policy.  The servers includes Exchange 2003, 2010, SQL 2005, IIS, file and print running on platform from WIN2K, WIN2K3 & WIN2K8.  

Do you think moving servers into another OU will present issues with what are running on the servers?  

Any experience from yours is greatly appreciated.  I am also wondering if there is some good kb about things need to pay attention when doing think kind of thing.

Many thanks.
0
nav2567
Asked:
nav2567
  • 7
  • 6
  • 3
  • +1
2 Solutions
 
Neil RussellTechnical Development LeadCommented:
Just dont Move domain controllers.
Make sure your not loosing group policies that are already applied to the OU they are in now.
0
 
Mike KlineCommented:
The main thing you have to worry about when moving a computer or user to a new OU are the group policies applied.

Nice thing is you can use group policy modeling to see what the GPOs/settings will be in the new OU.

Good video of group policy modeling here   http://www.youtube.com/watch?v=Yj7LwG0kafM

Thanks

Mike
0
 
Neil RussellTechnical Development LeadCommented:
Also consider WHY you feel you need to move all these servers to get the updates applied?
Can you explain?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
nav2567Author Commented:
Thanks Mkline71.  Thanks Neilsr.  

Neilsr, to answer your question, we plan to use our intranet wsus to push updates to the servers.  I think it makes sense to separate the servers into different OU as not all of them need the same group of updates.  For example, a SQL server does not need Exchange updates.  

What do you think?  Do you have other suggestion(s)?

Thanks.
0
 
Neil RussellTechnical Development LeadCommented:
If you are using WSUS then distribution of updates to different groups should be managed by WSUS and not by OU's in active directory. Thats what WSUS groups and containers are for.

SQL Server will NEVER get updates for exchange applied, wsus is clever like that :D
0
 
Neil RussellTechnical Development LeadCommented:
0
 
nav2567Author Commented:
I know.  But the thing here is that, I need to deliver the windows updates settings to a lot of servers.  (computer configuration>policies>windows settings>administrative templates>windows components>windows updates).  I think a quick way to do this is through GPO, right?
0
 
Neil RussellTechnical Development LeadCommented:
Do you NOT use WSUS for EVERY machine on your domain? Do you not push out WSUS settings to ALL devices?
0
 
nav2567Author Commented:
correct.  We do not use wsus for every machine on our domain.  Not every machine has the wsus settings.
0
 
Neil RussellTechnical Development LeadCommented:
Is there a reason you dont update your computers with wsus?
0
 
nav2567Author Commented:
I think we should use wsus.  That's why we are trying to use group policy to update the wsus settings on the servers.  There are important servers we do not want to update the wsus settings but apply the patches manually.  Such as the domain controller servers.
0
 
Mike KlineCommented:
Yes gpos are the way to configure windows update and set machines to use a wsus server...that part is correct.

We also have machines that are updated manually, exchange/BES in our case.
0
 
nav2567Author Commented:
Thanks.  

I just want to confirm your view of my original question.  Do you think creating separate server OU(s) is the only way to deliver the wsus settings to the servers?  Please forgive me, but I just want to be sure that moving the server to another OU will not cause any problem.  Assuming the original server group policies are kept.  

Thanks again.
0
 
Neil RussellTechnical Development LeadCommented:
Moving will not cause a problem so long as ANY GPO's you already apply to servers and rely on are also applied to the NEW OU.
0
 
Mike KlineCommented:
If you want separate WSUS policies then yes.  By the way creating an OU for servers is very common.  It is not like you are doing something out of the norm here.

Thanks

Mike
0
 
comnutsCommented:
This is how I do it in my organisation. Create different GPO for different needs of your servers. For example, create OUs under the Server OU; "Servers-WSUS-Auto" will apply updates automatically at regular intervals that you define; "Servers-WSUS-Manual" to apply updates with intervention but still check for updates at regular intervals. Next create GPO for each of these OUs with the settings and apply to each respectively. This way will allow some servers with automatic updates and some to require manual intervention. Remember to use client-side targeting also.


*.com
|--Servers
|--- Servers-WSUS-Auto <-- Apply automatic updates GPO
|--- Servers-WSUS-Manual <-- Apply manual update GPO
|--- Servers-No-WSUS <-- Disable WSUS
0
 
nav2567Author Commented:
Guys, thank you very much for your comments.  I really appreciate for your help.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 7
  • 6
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now