Solved

Moving servers to another OU in Windows server 2008 Active Directory

Posted on 2012-03-18
17
347 Views
Last Modified: 2012-03-20
Hello,

We plan to move some servers into a server OU in our WIN2K8 AD to apply an important WSUS group policy.  The servers includes Exchange 2003, 2010, SQL 2005, IIS, file and print running on platform from WIN2K, WIN2K3 & WIN2K8.  

Do you think moving servers into another OU will present issues with what are running on the servers?  

Any experience from yours is greatly appreciated.  I am also wondering if there is some good kb about things need to pay attention when doing think kind of thing.

Many thanks.
0
Comment
Question by:nav2567
  • 7
  • 6
  • 3
  • +1
17 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 450 total points
ID: 37734765
Just dont Move domain controllers.
Make sure your not loosing group policies that are already applied to the OU they are in now.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 50 total points
ID: 37734768
The main thing you have to worry about when moving a computer or user to a new OU are the group policies applied.

Nice thing is you can use group policy modeling to see what the GPOs/settings will be in the new OU.

Good video of group policy modeling here   http://www.youtube.com/watch?v=Yj7LwG0kafM

Thanks

Mike
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37734770
Also consider WHY you feel you need to move all these servers to get the updates applied?
Can you explain?
0
 

Author Comment

by:nav2567
ID: 37734811
Thanks Mkline71.  Thanks Neilsr.  

Neilsr, to answer your question, we plan to use our intranet wsus to push updates to the servers.  I think it makes sense to separate the servers into different OU as not all of them need the same group of updates.  For example, a SQL server does not need Exchange updates.  

What do you think?  Do you have other suggestion(s)?

Thanks.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37734841
If you are using WSUS then distribution of updates to different groups should be managed by WSUS and not by OU's in active directory. Thats what WSUS groups and containers are for.

SQL Server will NEVER get updates for exchange applied, wsus is clever like that :D
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37734853
0
 

Author Comment

by:nav2567
ID: 37734865
I know.  But the thing here is that, I need to deliver the windows updates settings to a lot of servers.  (computer configuration>policies>windows settings>administrative templates>windows components>windows updates).  I think a quick way to do this is through GPO, right?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37734869
Do you NOT use WSUS for EVERY machine on your domain? Do you not push out WSUS settings to ALL devices?
0
 

Author Comment

by:nav2567
ID: 37734877
correct.  We do not use wsus for every machine on our domain.  Not every machine has the wsus settings.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37734883
Is there a reason you dont update your computers with wsus?
0
 

Author Comment

by:nav2567
ID: 37734890
I think we should use wsus.  That's why we are trying to use group policy to update the wsus settings on the servers.  There are important servers we do not want to update the wsus settings but apply the patches manually.  Such as the domain controller servers.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37735247
Yes gpos are the way to configure windows update and set machines to use a wsus server...that part is correct.

We also have machines that are updated manually, exchange/BES in our case.
0
 

Author Comment

by:nav2567
ID: 37735675
Thanks.  

I just want to confirm your view of my original question.  Do you think creating separate server OU(s) is the only way to deliver the wsus settings to the servers?  Please forgive me, but I just want to be sure that moving the server to another OU will not cause any problem.  Assuming the original server group policies are kept.  

Thanks again.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37737572
Moving will not cause a problem so long as ANY GPO's you already apply to servers and rely on are also applied to the NEW OU.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37737605
If you want separate WSUS policies then yes.  By the way creating an OU for servers is very common.  It is not like you are doing something out of the norm here.

Thanks

Mike
0
 
LVL 6

Expert Comment

by:comnuts
ID: 37737747
This is how I do it in my organisation. Create different GPO for different needs of your servers. For example, create OUs under the Server OU; "Servers-WSUS-Auto" will apply updates automatically at regular intervals that you define; "Servers-WSUS-Manual" to apply updates with intervention but still check for updates at regular intervals. Next create GPO for each of these OUs with the settings and apply to each respectively. This way will allow some servers with automatic updates and some to require manual intervention. Remember to use client-side targeting also.


*.com
|--Servers
|--- Servers-WSUS-Auto <-- Apply automatic updates GPO
|--- Servers-WSUS-Manual <-- Apply manual update GPO
|--- Servers-No-WSUS <-- Disable WSUS
0
 

Author Closing Comment

by:nav2567
ID: 37741685
Guys, thank you very much for your comments.  I really appreciate for your help.
0

Join & Write a Comment

Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now