  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 373

demote domain controllers / editing group policy

Hi,

So, if you are doing a domain upgrade, is it true to say that you should demote the old domain controllers within a short period of time, like within a couple of months?

Doing so will allow you to raise the domain and forest functional levels to avail of the new features.  One example when upgrading from Server 2003 would be DFS-R for SYSVOL.

When you are upgrading from Server 2008 / 2008 R2 to Server 2012 / 2012 R2, the benefits are elsewhere.

So when it comes to editing Group Policy, the advice is always to edit group policy using the latest version of the GPMC.  So if you were to introduce Server 2012 / 2012 R2 member servers, you would need to use one of the member servers as your management station.  The downside here is that people could continue to use the Server 2008 / 2008 R2 GPMC and cause possible corruption of GPOs.  So if there is no technical reason to keep the old domain controllers, they should be demoted.  Users would then edit group policy from the new domain controllers only.
Asked by cmatchett
2 Solutions
 
Cliff GaliherCommented:
That is probably over-generalizing things quite a bit. Perhaps in a very small environment that is true in some cases. But in large environments, it is rare that all DCs are upgraded simultaneously. Like workstations, they are on a rolling upgrade cycle. So you will usually have a mix of versions.

It is a commonly accepted axiom that you can't solve all personnel problems with technology solutions. If you don't have strong access policies on who changes group policies and how, then the solution isn't just making sure all DCs are new to avoid corruption. That addresses a symptom, but not the problem.

Conversely, if you have a documented process for making such changes, which should include a peer and management review BEFORE implementation, and the process is rigorously followed, you'll avoid the symptom anyway, because admins aren't logging into older DCs. Or, ideally, into DCs at all (pass-the-hash mitigation).

At the very least, I recommend grabbing a small easy-to-read book called The E-Myth Revisited. Very applicable to the IT Pro industry.
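The point in the reply above is that controlling who can edit GPOs matters more than which DC they edit them from. The following is an added example, not code from the thread, that audits every GPO in the domain for edit rights held by anything other than the default administrative principals. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed on the management workstation, and the DC name `dc01.corp.example.com` is a placeholder you would replace.

```powershell
# Added example (not from the original thread): report GPOs whose edit rights
# have been granted beyond the default administrative groups.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Assumption: target one writable DC so every read comes from the same replica.
$Server = 'dc01.corp.example.com'

# Principals that normally hold edit rights; anything else is worth a review.
$Expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

$Findings = foreach ($gpo in Get-GPO -All -Server $Server) {
    $perms = Get-GPPermission -Guid $gpo.Id -All -Server $Server
    foreach ($p in $perms) {
        $isEdit = $p.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity'
        if ($isEdit -and ($Expected -notcontains $p.Trustee.Name)) {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $p.Trustee.Name
                Permission = $p.Permission
                Modified   = $gpo.ModificationTime   # when it was last changed
            }
        }
    }
}

# Empty output means only the expected groups can edit GPOs.
$Findings | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Run it from the workstation rather than a DC, in line with the pass-the-hash point above. Any trustee it lists is someone who can modify policy outside the review process, regardless of which GPMC version they use.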
 
cmatchettAuthor Commented:
So if I had 10 domain controllers across 10 sites, for example, and say I had identified DFS-R for SYSVOL to solve all my issues, I would aim to upgrade all my domain controllers as quickly as possible to then allow me to gain access to this feature.

I could understand taking longer to upgrade the domain controllers if you were in no rush to avail of any of the new features.

Say I was migrating to 2012 R2 and I wanted to manage the group policy settings of these member servers and also Windows 8.1 clients.  My preference would be to update the domain controllers and use the new GPMC from the domain controllers.  To avoid any issues with corrupt GPOs, I would again aim to upgrade the 10 domain controllers as quickly as possible.
 
David Johnson, CD, MVPOwnerCommented:
"Say I was migrating to 2012 R2 and I wanted to manage the group policy settings of these member servers and also Windows 8.1 clients.  My preference would be to update the domain controllers and use the new GPMC from the domain controllers.  To avoid any issues with corrupt GPOs, I would again aim to upgrade the 10 domain controllers as quickly as possible."

Remove the Group Policy editor RSAT tool from all but the 2012 domain controllers.
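One way to carry out the suggestion above, as an added example that is not part of the original reply: enumerate the domain controllers below Server 2012 R2 and uninstall the GPMC feature on each of them over PowerShell remoting. It assumes the ActiveDirectory RSAT module on the management workstation, WinRM enabled on the DCs, and an account with local administrator rights on them.

```powershell
# Added example (not from the original thread): strip the Group Policy
# Management Console from every DC that is not running Server 2012 R2.
Import-Module ActiveDirectory

# OperatingSystem is read from the DC's computer object in AD.
$OldDCs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -notmatch '2012 R2' } |
    Select-Object -ExpandProperty HostName

foreach ($dc in $OldDCs) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Import-Module ServerManager
        $feature = Get-WindowsFeature -Name GPMC
        if ($feature.Installed) {
            # Remove-WindowsFeature is the 2008 R2 cmdlet and remains an alias of
            # Uninstall-WindowsFeature on 2012 and later, so one call covers both.
            Remove-WindowsFeature -Name GPMC | Out-Null
            "{0}: GPMC removed" -f $env:COMPUTERNAME
        } else {
            "{0}: GPMC not installed" -f $env:COMPUTERNAME
        }
    }
}
```

The caveat a practitioner would want: this only removes the console from the DCs themselves. An admin with the older RSAT on a Windows 7 workstation or a 2008 R2 member server can still open the same GPOs, which is why the access-control and review points earlier in the thread still apply.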

 
Cliff GaliherCommented:
If you wanted DFS-R for replication then yes, you'd need to upgrade your 2003 DCs. 2003 R2 and above already support DFS-R. So that is an example of a rolling upgrade. You'd only need to upgrade your oldest DCs.

As for editing group policies, all you need is an 8.1 workstation with RSAT. I see no reason to rush and upgrade all ten DCs for this scenario.
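Before deciding which DCs actually need to go, it helps to see the current state in one place. The following is an added example, not code from the thread, that lists every DC's operating system, the domain and forest functional levels, which engine is replicating SYSVOL, and where the FSMO roles sit (those must be moved off any DC before it is demoted). It assumes the ActiveDirectory RSAT module on a Windows 8.1 management workstation and that `dfsrmig.exe` is reachable on the path, as it is on a 2008-or-later DC or a workstation with RSAT.

```powershell
# Added example (not from the original thread): inventory the domain before a
# rolling DC upgrade so the oldest DCs can be targeted first.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain functional level: {0}" -f $domain.DomainMode
"Forest functional level: {0}" -f $forest.ForestMode

# Operating system of every DC, oldest first.
Get-ADDomainController -Filter * |
    Sort-Object OperatingSystem |
    Format-Table HostName, Site, OperatingSystem, IsGlobalCatalog -AutoSize

# Which engine replicates SYSVOL: 'Start' means FRS is still in use,
# 'Eliminated' means the migration to DFS-R is complete.
dfsrmig /getglobalstate

# FSMO role holders that must be transferred before those DCs are demoted.
$domain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
$forest | Select-Object SchemaMaster, DomainNamingMaster
```

The functional-level lines are the first thing to read: migrating SYSVOL to DFS-R with `dfsrmig` requires the Windows Server 2008 domain functional level, which in turn means every remaining DC in that domain must be 2008 or later before the migration can start.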
 
Mohammed KhawajaCommented:
I agree.  It is not common or best practice to be logging on to the server to manage things such as DHCP, DNS, GPMC, etc.; all you need is the RSAT tools installed on a workstation.  I manage a large environment and I rarely log on to the servers to perform management tasks.
 
cmatchettAuthor Commented:
Excellent.