want to use 2012 R2 GPO´s in 2008 domain

Hi Experts,

I have a RDS collection installed with WIN 2012 R2.
My Domain is still in 2008.
My policies are not working on the new RDS servers.
I have installed one new DC 2012 R2.
But the new DC cannot read the old GPO´s.

What can I do ?
Eprs_AdminSystem ArchitectAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

VB ITSSpecialist ConsultantCommented:
OK firstly you didn't need to install a new 2012 R2 DC just to manage GPOs for the 2012 R2 RDS collection. This could have been achieved by creating the 'Central Store' for Group Policy where you can then download the 2012 R2 .ADMX files and place them in the Central Store.

Instructions to create the Central Store: http://support.microsoft.com/kb/929841
Download link for Window 2012 R2 Group Policies: http://www.microsoft.com/en-au/download/details.aspx?id=41193

Now do you want to troubleshoot your issue with the 2012 R2 DC having issues reading the GPOs or do you want to try the above first then see how you go?
"the new DC cannot read the old GPO´s" - what should that mean? Of course it can. The other way round would make some sense. Please explain.
Eprs_AdminSystem ArchitectAuthor Commented:
Your link is for VISTA.
But my Servers are 2008.
Can I use your link ?
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Eprs_AdminSystem ArchitectAuthor Commented:
ok do I have problems when the DC´s installed in german and the RDS in english ?
Eprs_AdminSystem ArchitectAuthor Commented:
Next , my DC is WIN 2008.

My RDS servers are 2012R2.
When I put my RDS server to same OU like my old TS, the GPO´s are not working on the new RDS.

What I have to do ?
Please address my question as well, thanks.
Eprs_AdminSystem ArchitectAuthor Commented:

look, we have installed the new ADMX files for 2012R2 into the folder Policy Definitions on the SYSVOL.
Now I open my GroupPolicyManagement and then I get a lot of errors.
Don´t forget, my DC is WIN2008 ! NOT R2.

One Error is, error with FileRevocation.admx.

My investigation was, in 2008 the FileRevocation.admx file is not present in 2008.
It comes with the new ADMX files of 2012R2.

Now always when I open the GropuPolicyManagement, I have to click a lot of errors....
Why this happens ?
Ok, you DID confuse us by writing "I have installed one new DC 2012 R2" and "the new DC cannot read the old GPO". Now you say, the 2008 cannot read them, that makes sense.

The problem is easily solved by simply using RSAT from win8.1. Do you have access to an 8.1 pro/enterprise workstation or VM?
VB ITSSpecialist ConsultantCommented:
My apologies, you can have a look at this article if you still want to implement the Group Policy Central Store, as it makes GPO management easier (in my opinion): http://deployhappiness.com/creating-the-group-policy-central-store-updated-for-windows-8-12012r2/

With that being said, the above article will not resolve your issue after you clarified things in your most recent post. Sorry, I was confused, like McKnife, when you said you "installed one new DC 2012 R2". As McKnife has stated above, you can install the RSAT tools on a Windows 8.1 Pro machine that's joined to your domain.

Alternatively you can also just install the Group Policy Management Console on one of your 2012 R2 RDS hosts to manage the GPOs for these servers: http://technet.microsoft.com/en-us/library/dn265969.aspx
Eprs_AdminSystem ArchitectAuthor Commented:
OK, when I understand I can install also a new VM with a new DC 2012 R2 in my domain, right ?
I don't think you understood.
The easiest way to solve this little problem is to use RSAT. Google RSAT, read what it's all about. It enables you to use the latest GPOs on 2008 servers as well.
RSAT will need to be installed on 8.1 or on a 2012 member server. Those can be VMs, right.
Eprs_AdminSystem ArchitectAuthor Commented:
I know, I don´t a win8 machine.
I have a 3rd DC with 2012 R2.
Eprs_AdminSystem ArchitectAuthor Commented:
...and my Group Policy Management COnsole is installed on the 3rd DC.
Right. Do you have another 2012 R2 server that is not a DC?
Eprs_AdminSystem ArchitectAuthor Commented:
yes. How to install the RSAT ?
Eprs_AdminSystem ArchitectAuthor Commented:
Ok, it is a feature.
Do I need the whole feature set with 40 selections ?
Do I have to install RSAT completely ?
It does not hurt and it's very small.
Eprs_AdminSystem ArchitectAuthor Commented:
Ok I have installed all 40 items of the RSAT.

What is the next step ?
How to open now my GroupPolicyManagementConsole ?
It can be found below "administrative tools" now.
Eprs_AdminSystem ArchitectAuthor Commented:
Ok, I have checked my GPO´s.
But I still have a lot of errors after installing the new ADMX files.

See here:
ADMX Errors
Eprs_AdminSystem ArchitectAuthor Commented:
for example, the file access12.admx, this file is present in the folder.
When I check the date, it is an old file.

What can I do to solve the admx errors ?
To solve this, understand RSAT, first.
RSAT works like this: it takes the admx files of the computer where RSAT is running on - NOT those from the server. So if you run it on 8.1 or 2012 R2, you have all their ADMX files, no need for a central store at all. If however you want office 2013 administrative templates to work through RSAT, you need to install those ADMX files locally on the RSAT machine OR install office 2013 on the RSAT machine.
We do this - NO errors at all.
Eprs_AdminSystem ArchitectAuthor Commented:
When I understand correctly,

I delete the new ADMX files from my central store.
Then I install the new ADMX files on my member server with RSAT
And from where I configure now my GPO´s ?
"I delete the new ADMX files from my central store.
Then I install the new ADMX files on my member server with RSAT" - correct.
You configure your GPOs using the GPMC on the RSAT machine.
Eprs_AdminSystem ArchitectAuthor Commented:
From my 2012R2 member server where I have installed RSAT, I open the GPMC.
When I open an old policy for 2008 Terminal users I have the same errors:
ADMX User 2008

When I open the new policy for 2012 Terminal users I also have errors.
ADMX User 2012
But all old files present on the central store.
And you are able to open those ADMX files? With the same account you are starting the GPMC with?
Eprs_AdminSystem ArchitectAuthor Commented:
Yes I can open it with notepad.
The GPMC is started with the administrator and the admx file too.

When I open the GPMC on my 2008 DC and select the different policies, I have no errors.
The 2008 policies have no errors.

And the 2012 policies have no errors, how it works ?
Because the new ADMX files for 2012 are deleted from the central store.
"And the 2012 policies have no errors, how it works ?" - the policies are just hosted by the 2008 server, he has them on a file share as xml files. But whenever you would want to modify a policy with settings for 2012/win8.x, those settings would be invisible on the 2008 server and you would have to use RSAT.

Sorry, I don't know the reason for your current error, but I would assume you create a new policy and then the settings and resource files will be found for sure.
Eprs_AdminSystem ArchitectAuthor Commented:
ok let me check this...
VB ITSSpecialist ConsultantCommented:
Eprs_Admin2014-10-29 at 20:29:50ID: 40410273
From my 2012R2 member server where I have installed RSAT, I open the GPMC.
When I open an old policy for 2008 Terminal users I have the same errors:

When I open the new policy for 2012 Terminal users I also have errors.

But all old files present on the central store.
Did you also copy over the .ADML files to the your Central Store when you created it? When you downloaded the GPO Templates, you should have seen a bunch of subfolders with the names of all the locales, such as en-us, bg-bg, cs-cz, etc.

The errors you are seeing above is most likely due to the fact that these .ADML files are missing. The .ADMX files require these .ADML files as they provide the description for each of the policy settings. I've highlighted this in red below to give you a better idea of what they do:
I believe the fix would be to just copy over the entire relevant locale folder (in this case I believe it is the en-us folder) to the \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions folder.

Please let me know how you go once you have done this.
Eprs_AdminSystem ArchitectAuthor Commented:
from the beginning I also copied the whole content of the admx file.
Feedback for all, please.
Eprs_AdminSystem ArchitectAuthor Commented:
still the same.
when I open the GPMC from my dc WIN2008 -> no errors in the GPMC.

when I open the GPMC from my dc WIN2012R2 -> again errors in the GPMC.
VB ITSSpecialist ConsultantCommented:
I suspect you may have copied over the language files from you 2008 R2 DC to the GP Central Store, but you copied over the actual .admx files from your 2012 R2 DC.

Try this:
On your Windows 2012 R2 Domain Controller, copy the en-us folder from C:\Windows\PolicyDefinitions to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions

Open GPMC on both your 2008 R2 and 2012 R2 DCs, hopefully the error messages will now be gone.
Eprs_AdminSystem ArchitectAuthor Commented:
The GP central store is on my DC WIN2008. This one is working since 5 years.

When I copy the new ADMX files into the folder PolicyDefinitions on my WIN2008 DC, then I get the errors.
So I have restored to the old status.
Ok, take the old "status", use RSAT, problem solved.
VB ITSSpecialist ConsultantCommented:
I keep forgetting that you have a 2008 non R2 DC, my apologies.

So what is the status now with GPMC on your servers? Does it work OK on your 2008 server or are you getting errors on both servers? If you are getting errors, please post a screenshot (unless they are the same errors that you posted previously)
Eprs_AdminSystem ArchitectAuthor Commented:
you are right my servers are 2008 non R2 !!

I have added one DC WIN2012R2 to the 2008 domain.
I have installed the new admx files.
And I have the same errors with the new admx files.
VB ITSSpecialist ConsultantCommented:
I'll make sure I don't forget that you are using 2008 non R2 from now on, don't worry :)

Where are the errors appearing? When you open GPMC on 2012 R2 DC or on your 2008 DC?
Eprs_AdminSystem ArchitectAuthor Commented:
when I install the new admx files on the win2008 server, then the files in the PolicyDefinition folder are updated and overwritten. Then I have all my errors.
VB ITSSpecialist ConsultantCommented:
So are you copying the new 2012 R2 ADMX files directly to C:\Windows\PolicyDefinitions folder on your 2008 server?
Eprs_AdminSystem ArchitectAuthor Commented:
Yes I did it.
VB ITSSpecialist ConsultantCommented:
Well then, there's your problem - your Server 2008 DC doesn't understand the Server 2012 R2 ADMX files.

To make things easier, why not leave the 2008 server as it is (i.e. don't replace the ADMX files in C:\Windows\PolicyDefinitions on your 2008 server) and just use GPMC on the 2012 R2 server instead to manage your GPOs going forward? Your 2012 R2 server can still manage your 2008 servers without any issues.

Also remove the entire PolicyDefinitions folder from \\your.domain.com\SYSVOL\your.domain.com\Policies if you set up the GPO Central Store as it is obviously not working for you.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Eprs_AdminSystem ArchitectAuthor Commented:
Ok then I bring back my old admx files to the WIN2008 server.
In this status my GPO Central Store is working.

Let me test the GPO´s when I open it from 2012R2 server.....
May I ask in what way this accepted solution differs from using RSAT?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.