Win Server 2012 R2 and Domain/Local Security Policy

Posted on 2014-11-10
Medium Priority
Last Modified: 2016-06-20
Hello, I am upgrading a Windows domain from Win2003 to Win2012 R2. Win2003 has "Default Domain Security Policy" and "Domain Controller Security Policy". These consoles don't seem to exist in 2012 R2. Am I supposed to deploy domain security settings via GPO? Does GPO include "domain controller" settings? Do I have to manually remove the legacy Domain & Domain Controller settings before demoting/retiring the Win2003 DCs? If both a GPO and a Domain Security Policy exist, which one applies first? Thanks. :-)
Question by:criskrit
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40434260
Server 2012 does have a default domain policy AND a default domain controller policy.

Author Comment

ID: 40435771
Hello David, would it be possible to elaborate a bit? Where/How do I find those? Should I use those as opposed to GPO? Thx!
LVL 64

Accepted Solution

btan earned 2000 total points
ID: 40618699
Do note the MS upgrade guide https://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths
You cannot upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows Server 2008. To replace them, install domain controllers that run a later version of Windows Server in the domain, and then remove the domain controllers that Windows Server 2003.
The GPO is still used to push down as you can find the changes stated in https://technet.microsoft.com/en-us/library/dn265973.aspx
There are those new improved GPO changes and include
Prior to Windows Server 2012, you would have to remote to a specific computer and run gpupdate.exe from the command-line. In Windows Server 2012 you can update Group Policy for all computers in a specific OU and the OUs that it contains.
As to the default Domain and DC secpol they should still exist. You need to have the AD DS installed and there are functional level is incorporating those prev version too https://technet.microsoft.com/library/understanding-active-directory-functional-levels(WS.10).aspx

In case, you are thinking the difference btw local/Default Domain/Default DC GPO, this gives a good overview even though it is stated Win2K
Local Group Policy Objects (LGPOs) are processed first, followed by the domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, the Local Group Policy Object is applied.
Account policies (password, lockout, Kerberos) are defined for the entire domain in the default domain GPO. Local policies (audit, user rights, and security options) for DCs are defined in the default Domain Controllers GPO. For DCs, settings defined in the default DC GPO have higher precedence than settings defined in the default Domain GPO. Thus, if a user privilege (for example, Add workstations to domain) were to be configured in the default Domain GPO, it would have no impact on the DCs in that domain.
LVL 64

Assisted Solution

btan earned 2000 total points
ID: 40618705
As for the viewing, you can see this posting as well
If you have upgraded but don't see the new Windows Server 2012 R2 Group Policy settings, then most likely you have configured a central policy store which would not have been updated. A central policy store is located in the SYSVOL share of all domain controllers (DCs) in a domain, enabling a consistent set of policy definitions to be used throughout the domain.

You can check which policy definitions the Group Policy Management Editor is using by viewing the full detail of Administrative Templates section

in fact, this can happened as in Win2K8 as shared
Also i cannot find the Domain Controller Security Policy , nor the Domain Security Policy
First check sysvol share exists on the domain controller %systemroot%\sysvol. If the sysvol is missing then you need to follow http://support.microsoft.com/kb/947022 and troublshoot the issue
Once you made sysvol is present then you need to search for folder with GUID  "{31B2" in the sysvol folder . That GUID Belongs to Default domain policy
ALso you need to check for GUID "{6AC1" , This belongs to Default domain controller policy.
If anyone of these GUID's are missing then I would recommend you to set burflag D2 on the probelmatic DC and restore these sysvol from healthy DC.

Author Comment

ID: 40637412
Hello and thanks for all the great info. I will look into it in more detail and report back. Thanks!

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question