Moving servers to another OU in Windows server 2008 Active Directory

Hello,

We plan to move some servers into a server OU in our WIN2K8 AD to apply an important WSUS group policy.  The servers includes Exchange 2003, 2010, SQL 2005, IIS, file and print running on platform from WIN2K, WIN2K3 & WIN2K8.  

Do you think moving servers into another OU will present issues with what are running on the servers?  

Any experience from yours is greatly appreciated.  I am also wondering if there is some good kb about things need to pay attention when doing think kind of thing.

Many thanks.
nav2567Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Neil RussellConnect With a Mentor Technical Development LeadCommented:
Just dont Move domain controllers.
Make sure your not loosing group policies that are already applied to the OU they are in now.
0
 
Mike KlineConnect With a Mentor Commented:
The main thing you have to worry about when moving a computer or user to a new OU are the group policies applied.

Nice thing is you can use group policy modeling to see what the GPOs/settings will be in the new OU.

Good video of group policy modeling here   http://www.youtube.com/watch?v=Yj7LwG0kafM

Thanks

Mike
0
 
Neil RussellTechnical Development LeadCommented:
Also consider WHY you feel you need to move all these servers to get the updates applied?
Can you explain?
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
nav2567Author Commented:
Thanks Mkline71.  Thanks Neilsr.  

Neilsr, to answer your question, we plan to use our intranet wsus to push updates to the servers.  I think it makes sense to separate the servers into different OU as not all of them need the same group of updates.  For example, a SQL server does not need Exchange updates.  

What do you think?  Do you have other suggestion(s)?

Thanks.
0
 
Neil RussellTechnical Development LeadCommented:
If you are using WSUS then distribution of updates to different groups should be managed by WSUS and not by OU's in active directory. Thats what WSUS groups and containers are for.

SQL Server will NEVER get updates for exchange applied, wsus is clever like that :D
0
 
Neil RussellTechnical Development LeadCommented:
0
 
nav2567Author Commented:
I know.  But the thing here is that, I need to deliver the windows updates settings to a lot of servers.  (computer configuration>policies>windows settings>administrative templates>windows components>windows updates).  I think a quick way to do this is through GPO, right?
0
 
Neil RussellTechnical Development LeadCommented:
Do you NOT use WSUS for EVERY machine on your domain? Do you not push out WSUS settings to ALL devices?
0
 
nav2567Author Commented:
correct.  We do not use wsus for every machine on our domain.  Not every machine has the wsus settings.
0
 
Neil RussellTechnical Development LeadCommented:
Is there a reason you dont update your computers with wsus?
0
 
nav2567Author Commented:
I think we should use wsus.  That's why we are trying to use group policy to update the wsus settings on the servers.  There are important servers we do not want to update the wsus settings but apply the patches manually.  Such as the domain controller servers.
0
 
Mike KlineCommented:
Yes gpos are the way to configure windows update and set machines to use a wsus server...that part is correct.

We also have machines that are updated manually, exchange/BES in our case.
0
 
nav2567Author Commented:
Thanks.  

I just want to confirm your view of my original question.  Do you think creating separate server OU(s) is the only way to deliver the wsus settings to the servers?  Please forgive me, but I just want to be sure that moving the server to another OU will not cause any problem.  Assuming the original server group policies are kept.  

Thanks again.
0
 
Neil RussellTechnical Development LeadCommented:
Moving will not cause a problem so long as ANY GPO's you already apply to servers and rely on are also applied to the NEW OU.
0
 
Mike KlineCommented:
If you want separate WSUS policies then yes.  By the way creating an OU for servers is very common.  It is not like you are doing something out of the norm here.

Thanks

Mike
0
 
comnutsCommented:
This is how I do it in my organisation. Create different GPO for different needs of your servers. For example, create OUs under the Server OU; "Servers-WSUS-Auto" will apply updates automatically at regular intervals that you define; "Servers-WSUS-Manual" to apply updates with intervention but still check for updates at regular intervals. Next create GPO for each of these OUs with the settings and apply to each respectively. This way will allow some servers with automatic updates and some to require manual intervention. Remember to use client-side targeting also.


*.com
|--Servers
|--- Servers-WSUS-Auto <-- Apply automatic updates GPO
|--- Servers-WSUS-Manual <-- Apply manual update GPO
|--- Servers-No-WSUS <-- Disable WSUS
0
 
nav2567Author Commented:
Guys, thank you very much for your comments.  I really appreciate for your help.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.