Win Server 2012 R2 and Domain/Local Security Policy

Posted on 2014-11-10
Last Modified: 2016-06-20
Hello, I am upgrading a Windows domain from Win2003 to Win2012 R2. Win2003 has "Default Domain Security Policy" and "Domain Controller Security Policy". These consoles don't seem to exist in 2012 R2. Am I supposed to deploy domain security settings via GPO? Does GPO include "domain controller" settings? Do I have to manually remove the legacy Domain & Domain Controller settings before demoting/retiring the Win2003 DCs? If both a GPO and a Domain Security Policy exist, which one applies first? Thanks. :-)
Question by:criskrit
  • 2
  • 2
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40434260
Server 2012 does have a default domain policy AND a default domain controller policy.

Author Comment

ID: 40435771
Hello David, would it be possible to elaborate a bit? Where/How do I find those? Should I use those as opposed to GPO? Thx!
LVL 62

Accepted Solution

btan earned 500 total points
ID: 40618699
Do note the MS upgrade guide
You cannot upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows Server 2008. To replace them, install domain controllers that run a later version of Windows Server in the domain, and then remove the domain controllers that Windows Server 2003.
The GPO is still used to push down as you can find the changes stated in
There are those new improved GPO changes and include
Prior to Windows Server 2012, you would have to remote to a specific computer and run gpupdate.exe from the command-line. In Windows Server 2012 you can update Group Policy for all computers in a specific OU and the OUs that it contains.
As to the default Domain and DC secpol they should still exist. You need to have the AD DS installed and there are functional level is incorporating those prev version too

In case, you are thinking the difference btw local/Default Domain/Default DC GPO, this gives a good overview even though it is stated Win2K
Local Group Policy Objects (LGPOs) are processed first, followed by the domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, the Local Group Policy Object is applied.
Account policies (password, lockout, Kerberos) are defined for the entire domain in the default domain GPO. Local policies (audit, user rights, and security options) for DCs are defined in the default Domain Controllers GPO. For DCs, settings defined in the default DC GPO have higher precedence than settings defined in the default Domain GPO. Thus, if a user privilege (for example, Add workstations to domain) were to be configured in the default Domain GPO, it would have no impact on the DCs in that domain.
LVL 62

Assisted Solution

btan earned 500 total points
ID: 40618705
As for the viewing, you can see this posting as well
If you have upgraded but don't see the new Windows Server 2012 R2 Group Policy settings, then most likely you have configured a central policy store which would not have been updated. A central policy store is located in the SYSVOL share of all domain controllers (DCs) in a domain, enabling a consistent set of policy definitions to be used throughout the domain.

You can check which policy definitions the Group Policy Management Editor is using by viewing the full detail of Administrative Templates section

in fact, this can happened as in Win2K8 as shared
Also i cannot find the Domain Controller Security Policy , nor the Domain Security Policy
First check sysvol share exists on the domain controller %systemroot%\sysvol. If the sysvol is missing then you need to follow and troublshoot the issue
Once you made sysvol is present then you need to search for folder with GUID  "{31B2" in the sysvol folder . That GUID Belongs to Default domain policy
ALso you need to check for GUID "{6AC1" , This belongs to Default domain controller policy.
If anyone of these GUID's are missing then I would recommend you to set burflag D2 on the probelmatic DC and restore these sysvol from healthy DC.

Author Comment

ID: 40637412
Hello and thanks for all the great info. I will look into it in more detail and report back. Thanks!

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question