Solved

Moving servers to another OU in Windows server 2008 Active Directory

Posted on 2012-03-18
17
394 Views
Last Modified: 2012-03-20
Hello,

We plan to move some servers into a server OU in our WIN2K8 AD to apply an important WSUS group policy.  The servers includes Exchange 2003, 2010, SQL 2005, IIS, file and print running on platform from WIN2K, WIN2K3 & WIN2K8.  

Do you think moving servers into another OU will present issues with what are running on the servers?  

Any experience from yours is greatly appreciated.  I am also wondering if there is some good kb about things need to pay attention when doing think kind of thing.

Many thanks.
0
Comment
Question by:nav2567
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
  • 3
  • +1
17 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 450 total points
ID: 37734765
Just dont Move domain controllers.
Make sure your not loosing group policies that are already applied to the OU they are in now.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 50 total points
ID: 37734768
The main thing you have to worry about when moving a computer or user to a new OU are the group policies applied.

Nice thing is you can use group policy modeling to see what the GPOs/settings will be in the new OU.

Good video of group policy modeling here   http://www.youtube.com/watch?v=Yj7LwG0kafM

Thanks

Mike
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37734770
Also consider WHY you feel you need to move all these servers to get the updates applied?
Can you explain?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:nav2567
ID: 37734811
Thanks Mkline71.  Thanks Neilsr.  

Neilsr, to answer your question, we plan to use our intranet wsus to push updates to the servers.  I think it makes sense to separate the servers into different OU as not all of them need the same group of updates.  For example, a SQL server does not need Exchange updates.  

What do you think?  Do you have other suggestion(s)?

Thanks.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37734841
If you are using WSUS then distribution of updates to different groups should be managed by WSUS and not by OU's in active directory. Thats what WSUS groups and containers are for.

SQL Server will NEVER get updates for exchange applied, wsus is clever like that :D
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37734853
0
 

Author Comment

by:nav2567
ID: 37734865
I know.  But the thing here is that, I need to deliver the windows updates settings to a lot of servers.  (computer configuration>policies>windows settings>administrative templates>windows components>windows updates).  I think a quick way to do this is through GPO, right?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37734869
Do you NOT use WSUS for EVERY machine on your domain? Do you not push out WSUS settings to ALL devices?
0
 

Author Comment

by:nav2567
ID: 37734877
correct.  We do not use wsus for every machine on our domain.  Not every machine has the wsus settings.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37734883
Is there a reason you dont update your computers with wsus?
0
 

Author Comment

by:nav2567
ID: 37734890
I think we should use wsus.  That's why we are trying to use group policy to update the wsus settings on the servers.  There are important servers we do not want to update the wsus settings but apply the patches manually.  Such as the domain controller servers.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37735247
Yes gpos are the way to configure windows update and set machines to use a wsus server...that part is correct.

We also have machines that are updated manually, exchange/BES in our case.
0
 

Author Comment

by:nav2567
ID: 37735675
Thanks.  

I just want to confirm your view of my original question.  Do you think creating separate server OU(s) is the only way to deliver the wsus settings to the servers?  Please forgive me, but I just want to be sure that moving the server to another OU will not cause any problem.  Assuming the original server group policies are kept.  

Thanks again.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37737572
Moving will not cause a problem so long as ANY GPO's you already apply to servers and rely on are also applied to the NEW OU.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37737605
If you want separate WSUS policies then yes.  By the way creating an OU for servers is very common.  It is not like you are doing something out of the norm here.

Thanks

Mike
0
 
LVL 6

Expert Comment

by:comnuts
ID: 37737747
This is how I do it in my organisation. Create different GPO for different needs of your servers. For example, create OUs under the Server OU; "Servers-WSUS-Auto" will apply updates automatically at regular intervals that you define; "Servers-WSUS-Manual" to apply updates with intervention but still check for updates at regular intervals. Next create GPO for each of these OUs with the settings and apply to each respectively. This way will allow some servers with automatic updates and some to require manual intervention. Remember to use client-side targeting also.


*.com
|--Servers
|--- Servers-WSUS-Auto <-- Apply automatic updates GPO
|--- Servers-WSUS-Manual <-- Apply manual update GPO
|--- Servers-No-WSUS <-- Disable WSUS
0
 

Author Closing Comment

by:nav2567
ID: 37741685
Guys, thank you very much for your comments.  I really appreciate for your help.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question