Solved

Win Server 2012 R2 and Domain/Local Security Policy

Posted on 2014-11-10
7
122 Views
Last Modified: 2016-06-20
Hello, I am upgrading a Windows domain from Win2003 to Win2012 R2. Win2003 has "Default Domain Security Policy" and "Domain Controller Security Policy". These consoles don't seem to exist in 2012 R2. Am I supposed to deploy domain security settings via GPO? Does GPO include "domain controller" settings? Do I have to manually remove the legacy Domain & Domain Controller settings before demoting/retiring the Win2003 DCs? If both a GPO and a Domain Security Policy exist, which one applies first? Thanks. :-)
0
Comment
Question by:criskrit
  • 2
  • 2
7 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
Comment Utility
Server 2012 does have a default domain policy AND a default domain controller policy.
0
 

Author Comment

by:criskrit
Comment Utility
Hello David, would it be possible to elaborate a bit? Where/How do I find those? Should I use those as opposed to GPO? Thx!
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
Do note the MS upgrade guide https://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths
You cannot upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows Server 2008. To replace them, install domain controllers that run a later version of Windows Server in the domain, and then remove the domain controllers that Windows Server 2003.
The GPO is still used to push down as you can find the changes stated in https://technet.microsoft.com/en-us/library/dn265973.aspx
There are those new improved GPO changes and include
Prior to Windows Server 2012, you would have to remote to a specific computer and run gpupdate.exe from the command-line. In Windows Server 2012 you can update Group Policy for all computers in a specific OU and the OUs that it contains.
As to the default Domain and DC secpol they should still exist. You need to have the AD DS installed and there are functional level is incorporating those prev version too https://technet.microsoft.com/library/understanding-active-directory-functional-levels(WS.10).aspx

In case, you are thinking the difference btw local/Default Domain/Default DC GPO, this gives a good overview even though it is stated Win2K
Local Group Policy Objects (LGPOs) are processed first, followed by the domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, the Local Group Policy Object is applied.
Account policies (password, lockout, Kerberos) are defined for the entire domain in the default domain GPO. Local policies (audit, user rights, and security options) for DCs are defined in the default Domain Controllers GPO. For DCs, settings defined in the default DC GPO have higher precedence than settings defined in the default Domain GPO. Thus, if a user privilege (for example, Add workstations to domain) were to be configured in the default Domain GPO, it would have no impact on the DCs in that domain.
https://technet.microsoft.com/en-us/library/dd277394.aspx
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
Comment Utility
As for the viewing, you can see this posting as well
If you have upgraded but don't see the new Windows Server 2012 R2 Group Policy settings, then most likely you have configured a central policy store which would not have been updated. A central policy store is located in the SYSVOL share of all domain controllers (DCs) in a domain, enabling a consistent set of policy definitions to be used throughout the domain.

You can check which policy definitions the Group Policy Management Editor is using by viewing the full detail of Administrative Templates section
http://windowsitpro.com/windows-server-2012/view-new-group-policy-options-after-upgrading-active-directory

in fact, this can happened as in Win2K8 as shared
Also i cannot find the Domain Controller Security Policy , nor the Domain Security Policy
First check sysvol share exists on the domain controller %systemroot%\sysvol. If the sysvol is missing then you need to follow http://support.microsoft.com/kb/947022 and troublshoot the issue
Once you made sysvol is present then you need to search for folder with GUID  "{31B2" in the sysvol folder . That GUID Belongs to Default domain policy
ALso you need to check for GUID "{6AC1" , This belongs to Default domain controller policy.
If anyone of these GUID's are missing then I would recommend you to set burflag D2 on the probelmatic DC and restore these sysvol from healthy DC.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/7dbf1eec-5702-4e78-9ab4-18d3d497c0cc/local-security-policy-on-my-ad-dc-everything-is-disabled
0
 

Author Comment

by:criskrit
Comment Utility
Hello and thanks for all the great info. I will look into it in more detail and report back. Thanks!
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now