Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Win Server 2012 R2 and Domain/Local Security Policy

Posted on 2014-11-10
Medium Priority
Last Modified: 2016-06-20
Hello, I am upgrading a Windows domain from Win2003 to Win2012 R2. Win2003 has "Default Domain Security Policy" and "Domain Controller Security Policy". These consoles don't seem to exist in 2012 R2. Am I supposed to deploy domain security settings via GPO? Does GPO include "domain controller" settings? Do I have to manually remove the legacy Domain & Domain Controller settings before demoting/retiring the Win2003 DCs? If both a GPO and a Domain Security Policy exist, which one applies first? Thanks. :-)
Question by:criskrit
  • 2
  • 2
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40434260
Server 2012 does have a default domain policy AND a default domain controller policy.

Author Comment

ID: 40435771
Hello David, would it be possible to elaborate a bit? Where/How do I find those? Should I use those as opposed to GPO? Thx!
LVL 65

Accepted Solution

btan earned 2000 total points
ID: 40618699
Do note the MS upgrade guide https://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths
You cannot upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows Server 2008. To replace them, install domain controllers that run a later version of Windows Server in the domain, and then remove the domain controllers that Windows Server 2003.
The GPO is still used to push down as you can find the changes stated in https://technet.microsoft.com/en-us/library/dn265973.aspx
There are those new improved GPO changes and include
Prior to Windows Server 2012, you would have to remote to a specific computer and run gpupdate.exe from the command-line. In Windows Server 2012 you can update Group Policy for all computers in a specific OU and the OUs that it contains.
As to the default Domain and DC secpol they should still exist. You need to have the AD DS installed and there are functional level is incorporating those prev version too https://technet.microsoft.com/library/understanding-active-directory-functional-levels(WS.10).aspx

In case, you are thinking the difference btw local/Default Domain/Default DC GPO, this gives a good overview even though it is stated Win2K
Local Group Policy Objects (LGPOs) are processed first, followed by the domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, the Local Group Policy Object is applied.
Account policies (password, lockout, Kerberos) are defined for the entire domain in the default domain GPO. Local policies (audit, user rights, and security options) for DCs are defined in the default Domain Controllers GPO. For DCs, settings defined in the default DC GPO have higher precedence than settings defined in the default Domain GPO. Thus, if a user privilege (for example, Add workstations to domain) were to be configured in the default Domain GPO, it would have no impact on the DCs in that domain.
LVL 65

Assisted Solution

btan earned 2000 total points
ID: 40618705
As for the viewing, you can see this posting as well
If you have upgraded but don't see the new Windows Server 2012 R2 Group Policy settings, then most likely you have configured a central policy store which would not have been updated. A central policy store is located in the SYSVOL share of all domain controllers (DCs) in a domain, enabling a consistent set of policy definitions to be used throughout the domain.

You can check which policy definitions the Group Policy Management Editor is using by viewing the full detail of Administrative Templates section

in fact, this can happened as in Win2K8 as shared
Also i cannot find the Domain Controller Security Policy , nor the Domain Security Policy
First check sysvol share exists on the domain controller %systemroot%\sysvol. If the sysvol is missing then you need to follow http://support.microsoft.com/kb/947022 and troublshoot the issue
Once you made sysvol is present then you need to search for folder with GUID  "{31B2" in the sysvol folder . That GUID Belongs to Default domain policy
ALso you need to check for GUID "{6AC1" , This belongs to Default domain controller policy.
If anyone of these GUID's are missing then I would recommend you to set burflag D2 on the probelmatic DC and restore these sysvol from healthy DC.

Author Comment

ID: 40637412
Hello and thanks for all the great info. I will look into it in more detail and report back. Thanks!

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question