Solved

want to use 2012 R2 GPO´s in 2008 domain

Posted on 2014-10-27
45
219 Views
Last Modified: 2014-11-27
Hi Experts,

I have a RDS collection installed with WIN 2012 R2.
My Domain is still in 2008.
My policies are not working on the new RDS servers.
I have installed one new DC 2012 R2.
But the new DC cannot read the old GPO´s.

What can I do ?
0
Comment
Question by:Eprs_Admin
  • 23
  • 14
  • 8
45 Comments
 
LVL 24

Expert Comment

by:VB ITS
ID: 40406248
OK firstly you didn't need to install a new 2012 R2 DC just to manage GPOs for the 2012 R2 RDS collection. This could have been achieved by creating the 'Central Store' for Group Policy where you can then download the 2012 R2 .ADMX files and place them in the Central Store.

Instructions to create the Central Store: http://support.microsoft.com/kb/929841
Download link for Window 2012 R2 Group Policies: http://www.microsoft.com/en-au/download/details.aspx?id=41193

Now do you want to troubleshoot your issue with the 2012 R2 DC having issues reading the GPOs or do you want to try the above first then see how you go?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40407362
"the new DC cannot read the old GPO´s" - what should that mean? Of course it can. The other way round would make some sense. Please explain.
0
 

Author Comment

by:Eprs_Admin
ID: 40407876
Hi VB IT,
Your link is for VISTA.
But my Servers are 2008.
Can I use your link ?
0
 

Author Comment

by:Eprs_Admin
ID: 40407888
ok do I have problems when the DC´s installed in german and the RDS in english ?
0
 

Author Comment

by:Eprs_Admin
ID: 40407893
Next , my DC is WIN 2008.

My RDS servers are 2012R2.
When I put my RDS server to same OU like my old TS, the GPO´s are not working on the new RDS.

What I have to do ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40407915
Please address my question as well, thanks.
0
 

Author Comment

by:Eprs_Admin
ID: 40408179
Hi MCKNIFE,

look, we have installed the new ADMX files for 2012R2 into the folder Policy Definitions on the SYSVOL.
Now I open my GroupPolicyManagement and then I get a lot of errors.
Don´t forget, my DC is WIN2008 ! NOT R2.

One Error is, error with FileRevocation.admx.

My investigation was, in 2008 the FileRevocation.admx file is not present in 2008.
It comes with the new ADMX files of 2012R2.

Now always when I open the GropuPolicyManagement, I have to click a lot of errors....
Why this happens ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40408239
Ok, you DID confuse us by writing "I have installed one new DC 2012 R2" and "the new DC cannot read the old GPO". Now you say, the 2008 cannot read them, that makes sense.

The problem is easily solved by simply using RSAT from win8.1. Do you have access to an 8.1 pro/enterprise workstation or VM?
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40409571
My apologies, you can have a look at this article if you still want to implement the Group Policy Central Store, as it makes GPO management easier (in my opinion): http://deployhappiness.com/creating-the-group-policy-central-store-updated-for-windows-8-12012r2/

With that being said, the above article will not resolve your issue after you clarified things in your most recent post. Sorry, I was confused, like McKnife, when you said you "installed one new DC 2012 R2". As McKnife has stated above, you can install the RSAT tools on a Windows 8.1 Pro machine that's joined to your domain.

Alternatively you can also just install the Group Policy Management Console on one of your 2012 R2 RDS hosts to manage the GPOs for these servers: http://technet.microsoft.com/en-us/library/dn265969.aspx
0
 

Author Comment

by:Eprs_Admin
ID: 40410103
OK, when I understand I can install also a new VM with a new DC 2012 R2 in my domain, right ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40410105
I don't think you understood.
The easiest way to solve this little problem is to use RSAT. Google RSAT, read what it's all about. It enables you to use the latest GPOs on 2008 servers as well.
RSAT will need to be installed on 8.1 or on a 2012 member server. Those can be VMs, right.
0
 

Author Comment

by:Eprs_Admin
ID: 40410107
I know, I don´t a win8 machine.
I have a 3rd DC with 2012 R2.
0
 

Author Comment

by:Eprs_Admin
ID: 40410109
...and my Group Policy Management COnsole is installed on the 3rd DC.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40410111
Right. Do you have another 2012 R2 server that is not a DC?
0
 

Author Comment

by:Eprs_Admin
ID: 40410113
yes. How to install the RSAT ?
0
 

Author Comment

by:Eprs_Admin
ID: 40410122
Ok, it is a feature.
Do I need the whole feature set with 40 selections ?
Do I have to install RSAT completely ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40410128
It does not hurt and it's very small.
0
 

Author Comment

by:Eprs_Admin
ID: 40410134
Ok I have installed all 40 items of the RSAT.

What is the next step ?
How to open now my GroupPolicyManagementConsole ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40410139
It can be found below "administrative tools" now.
0
 

Author Comment

by:Eprs_Admin
ID: 40410151
Ok, I have checked my GPO´s.
But I still have a lot of errors after installing the new ADMX files.

See here:
ADMX Errors
0
 

Author Comment

by:Eprs_Admin
ID: 40410153
for example, the file access12.admx, this file is present in the folder.
When I check the date, it is an old file.

What can I do to solve the admx errors ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40410159
To solve this, understand RSAT, first.
RSAT works like this: it takes the admx files of the computer where RSAT is running on - NOT those from the server. So if you run it on 8.1 or 2012 R2, you have all their ADMX files, no need for a central store at all. If however you want office 2013 administrative templates to work through RSAT, you need to install those ADMX files locally on the RSAT machine OR install office 2013 on the RSAT machine.
We do this - NO errors at all.
0
Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

 

Author Comment

by:Eprs_Admin
ID: 40410163
When I understand correctly,

I delete the new ADMX files from my central store.
Then I install the new ADMX files on my member server with RSAT
And from where I configure now my GPO´s ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40410170
"I delete the new ADMX files from my central store.
Then I install the new ADMX files on my member server with RSAT" - correct.
You configure your GPOs using the GPMC on the RSAT machine.
0
 

Author Comment

by:Eprs_Admin
ID: 40410273
From my 2012R2 member server where I have installed RSAT, I open the GPMC.
When I open an old policy for 2008 Terminal users I have the same errors:
ADMX User 2008

When I open the new policy for 2012 Terminal users I also have errors.
ADMX User 2012
But all old files present on the central store.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40410320
And you are able to open those ADMX files? With the same account you are starting the GPMC with?
0
 

Author Comment

by:Eprs_Admin
ID: 40410341
Yes I can open it with notepad.
The GPMC is started with the administrator and the admx file too.

When I open the GPMC on my 2008 DC and select the different policies, I have no errors.
The 2008 policies have no errors.

And the 2012 policies have no errors, how it works ?
Because the new ADMX files for 2012 are deleted from the central store.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40410448
"And the 2012 policies have no errors, how it works ?" - the policies are just hosted by the 2008 server, he has them on a file share as xml files. But whenever you would want to modify a policy with settings for 2012/win8.x, those settings would be invisible on the 2008 server and you would have to use RSAT.

Sorry, I don't know the reason for your current error, but I would assume you create a new policy and then the settings and resource files will be found for sure.
0
 

Author Comment

by:Eprs_Admin
ID: 40410632
ok let me check this...
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40412250
Eprs_Admin2014-10-29 at 20:29:50ID: 40410273
From my 2012R2 member server where I have installed RSAT, I open the GPMC.
When I open an old policy for 2008 Terminal users I have the same errors:

When I open the new policy for 2012 Terminal users I also have errors.

But all old files present on the central store.
Did you also copy over the .ADML files to the your Central Store when you created it? When you downloaded the GPO Templates, you should have seen a bunch of subfolders with the names of all the locales, such as en-us, bg-bg, cs-cz, etc.

The errors you are seeing above is most likely due to the fact that these .ADML files are missing. The .ADMX files require these .ADML files as they provide the description for each of the policy settings. I've highlighted this in red below to give you a better idea of what they do:
GPO.png
I believe the fix would be to just copy over the entire relevant locale folder (in this case I believe it is the en-us folder) to the \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions folder.

Please let me know how you go once you have done this.
0
 

Author Comment

by:Eprs_Admin
ID: 40415353
from the beginning I also copied the whole content of the admx file.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40415436
Feedback for all, please.
0
 

Author Comment

by:Eprs_Admin
ID: 40425730
still the same.
when I open the GPMC from my dc WIN2008 -> no errors in the GPMC.

when I open the GPMC from my dc WIN2012R2 -> again errors in the GPMC.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40425805
I suspect you may have copied over the language files from you 2008 R2 DC to the GP Central Store, but you copied over the actual .admx files from your 2012 R2 DC.

Try this:
On your Windows 2012 R2 Domain Controller, copy the en-us folder from C:\Windows\PolicyDefinitions to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions

Open GPMC on both your 2008 R2 and 2012 R2 DCs, hopefully the error messages will now be gone.
0
 

Author Comment

by:Eprs_Admin
ID: 40425816
The GP central store is on my DC WIN2008. This one is working since 5 years.

When I copy the new ADMX files into the folder PolicyDefinitions on my WIN2008 DC, then I get the errors.
So I have restored to the old status.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40425868
Ok, take the old "status", use RSAT, problem solved.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40425879
I keep forgetting that you have a 2008 non R2 DC, my apologies.

So what is the status now with GPMC on your servers? Does it work OK on your 2008 server or are you getting errors on both servers? If you are getting errors, please post a screenshot (unless they are the same errors that you posted previously)
0
 

Author Comment

by:Eprs_Admin
ID: 40425891
you are right my servers are 2008 non R2 !!

I have added one DC WIN2012R2 to the 2008 domain.
I have installed the new admx files.
And I have the same errors with the new admx files.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40425894
I'll make sure I don't forget that you are using 2008 non R2 from now on, don't worry :)

Where are the errors appearing? When you open GPMC on 2012 R2 DC or on your 2008 DC?
0
 

Author Comment

by:Eprs_Admin
ID: 40425902
when I install the new admx files on the win2008 server, then the files in the PolicyDefinition folder are updated and overwritten. Then I have all my errors.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40425912
So are you copying the new 2012 R2 ADMX files directly to C:\Windows\PolicyDefinitions folder on your 2008 server?
0
 

Author Comment

by:Eprs_Admin
ID: 40432089
Yes I did it.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40432432
Well then, there's your problem - your Server 2008 DC doesn't understand the Server 2012 R2 ADMX files.

To make things easier, why not leave the 2008 server as it is (i.e. don't replace the ADMX files in C:\Windows\PolicyDefinitions on your 2008 server) and just use GPMC on the 2012 R2 server instead to manage your GPOs going forward? Your 2012 R2 server can still manage your 2008 servers without any issues.

Also remove the entire PolicyDefinitions folder from \\your.domain.com\SYSVOL\your.domain.com\Policies if you set up the GPO Central Store as it is obviously not working for you.
0
 

Author Comment

by:Eprs_Admin
ID: 40442356
Ok then I bring back my old admx files to the WIN2008 server.
In this status my GPO Central Store is working.

Let me test the GPO´s when I open it from 2012R2 server.....
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40468820
May I ask in what way this accepted solution differs from using RSAT?
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
A procedure for exporting installed hotfix details of remote computers using powershell
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now