demote domain controllers / editing group policy

Hi,

So, if you are doing a domain upgrade, is it true to say that you should demote old domain controllers within a short period of time? Like within a couple of months?

Doing so will allow you to raise the domain and forest functional levels to avail of the new features. One example when upgrading from Server 2003 would be DFS-R for SYSVOL.

When you are upgrading from Server 2008 / 2008 R2 to Server 2012 / 2012 R2, the benefits are elsewhere.

So when it comes to editing Group Policy, the advice is always to edit Group Policy using the latest version of the GPMC. So if you were to introduce Server 2012 / 2012 R2 member servers, you would need to use one of the member servers as your management station. The downside here is that people could continue to use the Server 2008 / 2008 R2 GPMC and cause possible corruption of GPOs. So if there is no technical reason to keep the old domain controllers, they should be demoted. Users would then edit Group Policy from the new domain controllers only.
cmatchett asked:
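An added example that is not part of the original question or any of the answers: before demoting anything or raising a functional level, collect the facts the decision depends on. This PowerShell, run from a management workstation with RSAT (ActiveDirectory module) as a domain admin, lists every DC with its OS build, flags FSMO role holders whose roles must be transferred first, reads the SYSVOL migration state from the PDC emulator with dfsrmig, and reports whether any DC still blocks raising the functional levels. It changes nothing. $MinKernel is an assumed target (6.3 = Server 2012 R2); the Invoke-Command to the PDC emulator assumes WinRM and is used so the check does not need an interactive logon to a DC.

```powershell
# Added example, not from the thread. Read-only readiness report before DC demotion or a
# functional-level raise. Assumption: $MinKernel is the oldest OS you intend to keep on DCs
# (6.3 = Server 2012 R2, 6.2 = 2012, 6.1 = 2008 R2, 6.0 = 2008, 5.2 = 2003).
Import-Module ActiveDirectory

$MinKernel = [version]'6.3'

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = Get-ADDomainController -Filter *

# FSMO role holders keyed by role. Transfer these with Move-ADDirectoryServerOperationMasterRole
# before demoting the holder, or you will be seizing roles later.
$fsmo = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

# SYSVOL replication engine. dfsrmig /getglobalstate prints the migration state:
# 'Start' means SYSVOL is still on FRS, 'Eliminated' means DFS-R only.
# Assumes WinRM is reachable on the PDC emulator; falls back to 'unknown' if not.
try {
    $sysvolState = Invoke-Command -ComputerName $domain.PDCEmulator -ErrorAction Stop -ScriptBlock {
        (& dfsrmig.exe /getglobalstate) -join ' '
    }
} catch {
    $sysvolState = "unknown (WinRM to $($domain.PDCEmulator) failed: $($_.Exception.Message))"
}

$report = foreach ($dc in $dcs) {
    # OperatingSystemVersion looks like '6.1 (7601)'; the first token is the kernel version.
    $kernel = [version](($dc.OperatingSystemVersion -split ' ')[0])
    $roles  = @($fsmo.GetEnumerator() | Where-Object { $_.Value -ieq $dc.HostName } |
               ForEach-Object { $_.Key })

    if ($kernel -lt $MinKernel) {
        # Below target. Holding FSMO roles means roles move first, then demotion.
        $action = if ($roles.Count) { 'Transfer FSMO roles, then demote' } else { 'Demote' }
    } else {
        $action = 'Keep'
    }

    [pscustomobject]@{
        Name      = $dc.Name
        Site      = $dc.Site
        OS        = $dc.OperatingSystem
        Kernel    = $kernel
        IsGC      = $dc.IsGlobalCatalog
        FsmoRoles = ($roles -join ',')
        Action    = $action
    }
}

"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"
"SYSVOL migration state  : $sysvolState"
$report | Sort-Object Kernel | Format-Table -AutoSize

# A functional level can only be raised once no DC below the target OS remains in scope.
$blockers = @($report | Where-Object { $_.Action -ne 'Keep' })
if ($blockers.Count) {
    "Cannot raise functional levels yet: $($blockers.Count) DC(s) still below kernel $MinKernel."
} else {
    "All DCs at or above kernel $MinKernel; Set-ADDomainMode / Set-ADForestMode can be scheduled."
}
```

The point of the Action column is that demotion order is driven by two things the question does not mention: which DC holds which FSMO role, and whether SYSVOL has already left FRS. A DC that still holds the PDC emulator role is never "just demoted", however old it is.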
Cliff Galiher commented:
That is probably over-generalizing things quite a bit. Perhaps in a very small environment that is true in some cases. But in large environments, it is rare that all DCs are upgraded simultaneously. Like workstations, they are on a rolling upgrade cycle. So you will usually have a mix of versions.

It is a commonly accepted axiom that you can't solve all personnel problems with technology solutions. If you don't have strong access policies on who and how group policies are changed, then the solution isn't just making sure all DCs are new to avoid corruption. That addresses a symptom, but not the problem.

Conversely, if you have a documented process for making such changes, which should include a peer and management review BEFORE implementation, and the process is rigorously followed, you'll avoid the symptom anyway, because admins aren't logging into older DCs. Or, ideally, into DCs at all (pass-the-hash mitigation).

At the very least, I recommend grabbing a small, easy-to-read book called The E-Myth Revisited. Very applicable to the IT Pro industry.

cmatchett (author) commented:
So if I had 10 domain controllers across 10 sites, for example, and say I had identified DFS-R for SYSVOL to solve all my issues, I would aim to upgrade all my domain controllers as quickly as possible to then allow me to gain access to this feature.

I could understand taking longer to upgrade the domain controllers if you were in no rush to avail of any of the new features.

Say I was migrating to 2012 R2 and I wanted to manage the Group Policy settings of these member servers and also Windows 8.1 clients. My preference would be to update the domain controllers and use the new GPMC from the domain controllers. To avoid any issues with corrupt GPOs, I would again aim to upgrade the 10 domain controllers as quickly as possible.
David Johnson, CD, MVP (owner) commented:
> Say I was migrating to 2012 R2 and I wanted to manage the Group Policy settings of these member servers and also Windows 8.1 clients. My preference would be to update the domain controllers and use the new GPMC from the domain controllers. To avoid any issues with corrupt GPOs, I would again aim to upgrade the 10 domain controllers as quickly as possible.

Remove the Group Policy editor RSAT tool from all but the 2012 domain controllers.
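An added example, not David's or Cliff's code, covering the two things this part of the thread turns on: an audit that surfaces the AD/SYSVOL version mismatch that people mean by "corrupt GPOs", and removal of the GPMC feature from every DC below Server 2012 so the old console cannot be used there. It assumes RSAT (GroupPolicy and ActiveDirectory modules) on a management workstation, WinRM on the old DCs (2008 R2 or later, which ship the ServerManager module), and a switch, $RemoveForReal, invented here so the removal defaults to a dry run until the change has been through the review Cliff describes.

```powershell
# Added example, not from the thread.
# 1. Find GPOs whose version counters disagree, per DC and across DCs.
# 2. Remove the GPMC feature from DCs older than Server 2012 (kernel 6.2).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$RemoveForReal = $false    # assumption: flip to $true only after the change is approved

$dcs = Get-ADDomainController -Filter *

# --- 1. GPO version consistency -----------------------------------------------------------
# Each GPO carries a version counter in AD (DSVersion) and one in SYSVOL (SysvolVersion) for
# the user and computer halves. Healthy: DSVersion == SysvolVersion, and identical on every
# DC once replication has converged. Get-GPO -Server reads each DC's own copy.
$versions = foreach ($dc in $dcs) {
    foreach ($gpo in (Get-GPO -All -Server $dc.HostName)) {
        [pscustomobject]@{
            DC         = $dc.Name
            GPO        = $gpo.DisplayName
            Id         = $gpo.Id
            CompAD     = $gpo.Computer.DSVersion
            CompSysvol = $gpo.Computer.SysvolVersion
            UserAD     = $gpo.User.DSVersion
            UserSysvol = $gpo.User.SysvolVersion
        }
    }
}

# AD and SYSVOL halves out of step on a single DC (a half-applied edit, or SYSVOL not replicated)
$mismatched = @($versions | Where-Object {
    $_.CompAD -ne $_.CompSysvol -or $_.UserAD -ne $_.UserSysvol
})

# Same GPO reporting different counters on different DCs (replication lag or a stuck DC)
$divergent = @($versions | Group-Object Id | Where-Object {
    $keys = $_.Group | ForEach-Object { "$($_.CompAD)/$($_.CompSysvol)/$($_.UserAD)/$($_.UserSysvol)" }
    @($keys | Sort-Object -Unique).Count -gt 1
})

"GPOs with an AD/SYSVOL version mismatch: $($mismatched.Count)"
$mismatched | Format-Table DC, GPO, CompAD, CompSysvol, UserAD, UserSysvol -AutoSize
"GPOs whose versions differ between DCs: $($divergent.Count)"
$divergent | ForEach-Object {
    $_.Group | Format-Table DC, GPO, CompAD, CompSysvol, UserAD, UserSysvol -AutoSize
}

# --- 2. Take the GPMC off DCs below Server 2012 --------------------------------------------
$oldDcs = $dcs | Where-Object {
    [version](($_.OperatingSystemVersion -split ' ')[0]) -lt [version]'6.2'
}
foreach ($dc in $oldDcs) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $RemoveForReal -ScriptBlock {
        param($doIt)
        Import-Module ServerManager           # Remove-WindowsFeature lives here on 2008 R2
        $gpmc = Get-WindowsFeature -Name GPMC
        if ($gpmc.Installed) {
            # -WhatIf:$true prints what would be removed and touches nothing
            Remove-WindowsFeature -Name GPMC -WhatIf:(-not $doIt)
        }
    }
}
```

Run the audit once after every DC has replicated; a mismatch that persists past the replication interval is the thing to investigate, not a transient one. Removing the GPMC feature only stops the console on those DCs; it does not stop an admin with an older workstation and older RSAT, which is why the access-policy point in Cliff's answer still stands.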

Cliff Galiher commented:
If you wanted DFS-R for replication then yes, you'd need to upgrade your 2003 DCs. 2003 R2 and above already support DFS-R. So that is an example of a rolling upgrade. You'd only need to upgrade your oldest DCs.

As for editing group policies, all you need is an 8.1 workstation with RSAT. I see no reason to rush and upgrade all ten DCs for this scenario.
Mohammed Khawaja (Manager - Infrastructure, Information Technology) commented:
I agree. It is not common or best practice to be logging on to the server to manage things such as DHCP, DNS, GPMC, etc.; all you need is the RSAT tools installed on a workstation. I manage a large environment and I rarely log on to the servers to perform management tasks.
cmatchett (author) commented:
Excellent.