Solved

Win Server 2012 R2 and Domain/Local Security Policy

Posted on 2014-11-10
Last Modified: 2016-06-20
Hello, I am upgrading a Windows domain from Win2003 to Win2012 R2. Win2003 has "Default Domain Security Policy" and "Domain Controller Security Policy". These consoles don't seem to exist in 2012 R2. Am I supposed to deploy domain security settings via GPO? Does GPO include "domain controller" settings? Do I have to manually remove the legacy Domain & Domain Controller settings before demoting/retiring the Win2003 DCs? If both a GPO and a Domain Security Policy exist, which one applies first? Thanks. :-)
Question by: criskrit
7 Comments

Expert Comment

by: David Johnson, CD, MVP
ID: 40434260
Server 2012 does have a default domain policy AND a default domain controller policy.

Author Comment

by: criskrit
ID: 40435771
Hello David, would it be possible to elaborate a bit? Where/How do I find those? Should I use those as opposed to GPO? Thx!

Accepted Solution

by: btan (earned 500 total points)
ID: 40618699
Do note the MS upgrade guide https://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths
You cannot upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows Server 2008. To replace them, install domain controllers that run a later version of Windows Server in the domain, and then remove the domain controllers that run Windows Server 2003.
GPOs are still used to push settings down; you can find the changes stated in https://technet.microsoft.com/en-us/library/dn265973.aspx
Among the new and improved GPO changes:
Prior to Windows Server 2012, you would have to remote to a specific computer and run gpupdate.exe from the command-line. In Windows Server 2012 you can update Group Policy for all computers in a specific OU and the OUs that it contains.
As to the default Domain and DC security policies, they should still exist. You need to have AD DS installed, and the functional levels incorporate those previous versions too: https://technet.microsoft.com/library/understanding-active-directory-functional-levels(WS.10).aspx

In case you are wondering about the difference between the local, Default Domain and Default DC GPOs, this gives a good overview even though it is written for Win2K:
Local Group Policy Objects (LGPOs) are processed first, followed by the domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, the Local Group Policy Object is applied.
Account policies (password, lockout, Kerberos) are defined for the entire domain in the default domain GPO. Local policies (audit, user rights, and security options) for DCs are defined in the default Domain Controllers GPO. For DCs, settings defined in the default DC GPO have higher precedence than settings defined in the default Domain GPO. Thus, if a user privilege (for example, Add workstations to domain) were to be configured in the default Domain GPO, it would have no impact on the DCs in that domain.
https://technet.microsoft.com/en-us/library/dd277394.aspx
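As an added illustration of the precedence rules quoted above (this is not part of btan's answer), the following PowerShell, run on a Windows Server 2012 R2 DC with the RSAT GroupPolicy and ActiveDirectory modules, lists the GPOs that apply to the Domain Controllers OU in precedence order, checks that the Default Domain Controllers Policy outranks the Default Domain Policy there, shows the account policy currently in force for the domain, and uses the Windows Server 2012 Invoke-GPUpdate cmdlet to refresh every computer in an OU remotely instead of running gpupdate.exe on each box. The domain and the OU are discovered from the machine it runs on; the only assumption is the OU chosen for the refresh, marked in the code.

```powershell
# Added example, not from the original thread.
# Requires the GroupPolicy and ActiveDirectory RSAT modules (Windows Server 2012 R2).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOu   = "OU=Domain Controllers,$($domain.DistinguishedName)"

# Well-known GUIDs of the two built-in GPOs; they are identical in every AD domain.
$defaultDomainGuid = [guid]'31B2F340-016D-11D2-945F-00C04FB984F9'
$defaultDcGuid     = [guid]'6AC1786C-016F-11D2-945F-00C04fB984F9'

# Get-GPInheritance returns InheritedGpoLinks ordered by precedence:
# Order 1 is applied last and therefore wins on conflicting settings.
$inh = Get-GPInheritance -Target $dcOu
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, GpoId, Enabled, Enforced, Target |
    Format-Table -AutoSize

$dcLink  = $inh.InheritedGpoLinks | Where-Object { $_.GpoId -eq $defaultDcGuid }
$domLink = $inh.InheritedGpoLinks | Where-Object { $_.GpoId -eq $defaultDomainGuid }

if (-not $dcLink -or -not $domLink) {
    Write-Warning "One of the built-in GPOs is not linked where expected; check the domain root and the DC OU links."
}
elseif ($dcLink.Order -lt $domLink.Order) {
    "OK: '$($dcLink.DisplayName)' (order $($dcLink.Order)) overrides '$($domLink.DisplayName)' (order $($domLink.Order)) on domain controllers."
}
else {
    # This happens, for example, when Default Domain Policy was set to Enforced:
    # user-rights and audit settings in the DC GPO are then overridden.
    Write-Warning "Default Domain Policy is winning on DCs; settings in the Default Domain Controllers Policy are being overridden."
}

# Account policies (password, lockout, Kerberos) are domain-wide and come from the
# domain-linked GPO; this shows the values the DCs are actually enforcing right now.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold, LockoutDuration

# Windows Server 2012+ remote refresh: push a Group Policy refresh to every computer
# in an OU (and its child OUs) without logging on to each one.
$targetOu = $dcOu   # assumption: refreshing the Domain Controllers OU; point at any OU
Get-ADComputer -SearchBase $targetOu -SearchScope Subtree -Filter * |
    ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 }
```

Invoke-GPUpdate relies on remote scheduled tasks, so the target computers must allow inbound RPC and the scheduled-tasks firewall rules (the "Group Policy: Remote Update" predefined rule group on 2012+); the GPMC "Group Policy Update..." right-click action uses the same mechanism.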

Assisted Solution

by: btan (earned 500 total points)
ID: 40618705
As for viewing them, you can see this posting as well:
If you have upgraded but don't see the new Windows Server 2012 R2 Group Policy settings, then most likely you have configured a central policy store which would not have been updated. A central policy store is located in the SYSVOL share of all domain controllers (DCs) in a domain, enabling a consistent set of policy definitions to be used throughout the domain.

You can check which policy definitions the Group Policy Management Editor is using by viewing the full detail of the Administrative Templates section:
http://windowsitpro.com/windows-server-2012/view-new-group-policy-options-after-upgrading-active-directory

In fact, this can happen in Win2K8 as well, as shared here:
Also I cannot find the Domain Controller Security Policy, nor the Domain Security Policy.
First check that the SYSVOL share exists on the domain controller (%systemroot%\sysvol). If SYSVOL is missing then you need to follow http://support.microsoft.com/kb/947022 and troubleshoot the issue.
Once you have made sure SYSVOL is present, you need to search for the folder with GUID "{31B2" in the SYSVOL folder. That GUID belongs to the Default Domain Policy.
Also you need to check for GUID "{6AC1"; this belongs to the Default Domain Controllers Policy.
If any of these GUIDs are missing, then I would recommend you set burflag D2 on the problematic DC and restore SYSVOL from a healthy DC.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/7dbf1eec-5702-4e78-9ab4-18d3d497c0cc/local-security-policy-on-my-ad-dc-everything-is-disabled
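The SYSVOL check described in the quoted post, as an added PowerShell example (not from the thread): run on the DC whose Local Security Policy looks empty, it verifies that SYSVOL is actually shared, that the two well-known policy folders exist under the Policies directory, that the AD-side and SYSVOL-side version numbers of every GPO agree on this DC, and whether SYSVOL is replicated by FRS or by DFS-R. The full GUIDs are the well-known values the post abbreviates to {31B2 and {6AC1; the DC name is taken from the local machine.

```powershell
# Added example, not from the original thread.
# Run on the suspect domain controller with the GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$dcName   = $env:COMPUTERNAME
$policies = "\\$dcName\SYSVOL\$($domain.DNSRoot)\Policies"

# 1. Is SYSVOL shared at all? If not, replication never finished on this DC
#    (see KB 947022 referenced in the thread) and nothing below will be meaningful.
if (-not (Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)) {
    Write-Warning "SYSVOL is not shared on $dcName; fix SYSVOL replication before looking at GPOs."
    return
}

# 2. Do the well-known built-in policy folders exist? Same GUIDs in every AD domain.
$builtin = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04fB984F9}' = 'Default Domain Controllers Policy'
}
foreach ($guid in $builtin.Keys) {
    $path = Join-Path $policies $guid
    if (Test-Path $path) { "OK       $($builtin[$guid]) -> $path" }
    else { Write-Warning "MISSING  $($builtin[$guid]) folder $guid under $policies" }
}

# 3. Compare the version stored in AD (DSVersion) with the one in SYSVOL gpt.ini
#    (SysvolVersion) for every GPO as seen from this DC. A mismatch means SYSVOL
#    replication on this DC is behind AD replication, which is exactly the state
#    where the GPO "exists" in the console but its settings are not applied.
Get-GPO -All -Domain $domain.DNSRoot -Server $dcName | ForEach-Object {
    [pscustomobject]@{
        Name           = $_.DisplayName
        Id             = $_.Id
        ComputerDS     = $_.Computer.DSVersion
        ComputerSysvol = $_.Computer.SysvolVersion
        UserDS         = $_.User.DSVersion
        UserSysvol     = $_.User.SysvolVersion
        InSync         = ($_.Computer.DSVersion -eq $_.Computer.SysvolVersion) -and
                         ($_.User.DSVersion -eq $_.User.SysvolVersion)
    }
} | Format-Table -AutoSize

# 4. FRS or DFS-R? A DFS-R replicated SYSVOL has an msDFSR-Subscription object under
#    the DC's DFSR-LocalSettings container; an FRS-only domain does not.
$dcDn = (Get-ADDomainController -Identity $dcName).ComputerObjectDN
try {
    $dfsrSub = Get-ADObject -Filter { objectClass -eq 'msDFSR-Subscription' } `
                            -SearchBase "CN=DFSR-LocalSettings,$dcDn" -ErrorAction Stop
}
catch { $dfsrSub = $null }

if ($dfsrSub) { "SYSVOL on $dcName is replicated by DFS-R." }
else          { "SYSVOL on $dcName appears to be replicated by FRS (no DFSR-LocalSettings subscription found)." }
```

The last check matters for the repair step suggested in the post: the BurFlags D2 (non-authoritative) restore applies only to FRS-replicated SYSVOL. Domains that have migrated SYSVOL to DFS-R are recovered by setting msDFSR-Options on the DC's SYSVOL Subscription object and restarting the DFSR service instead (Microsoft KB 2218556); setting BurFlags on a DFS-R DC does nothing useful.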
Author Comment

by: criskrit
ID: 40637412
Hello and thanks for all the great info. I will look into it in more detail and report back. Thanks!