Active Directory Group Policy Central Store

Posted on 2015-02-09
Last Modified: 2015-04-08
Hi Guys,
I hope you are all well and can assist.
We currently run a 2003 server mixed mode domain, with 2003, 2008 and 2012 domain controllers.
What I would like to understand, is how many of you are using a group policy central store?
What are the pros and cons of using a central store?
Why switch to a central store?
Is it complicated to do?
Any help greatly appreciated.
Thank you.
Question by:Simon336697
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
LVL 11

Accepted Solution

Maclean earned 220 total points
ID: 40599741
1] You will not have as much bloat on the sysvol store. Instead of each policy replicating to each sysvol on all the DC's at approx 4mb each, creating lets say for 100 policies 400MB of "wasted" storage consumption, you could have all your bits in one centralized store using ADMX templates.

2] Domain Replication will improve, as it does not need to replicate all policies to each DC, which can be a pain on busy/slow networks

Consequence is that if you remove the Central Store, all Windows 7 & up plus Server 2008 R2 & up will loose their local ADMX files, and they won't be able to report properly to the AD,

It might be best described in this article on the subject from 2009. It describes more or less the same as I am trying to convey, but also offers an alternate suggestion.

Author Comment

ID: 40599752
HI Maclean, thanks so much mate for that overview, much appreciated.
LVL 24

Assisted Solution

VB ITS earned 190 total points
ID: 40600035
I wouldn't use a Group Policy Central store in your scenario.  While Maclean has nicely outlined the benefits of the Central Store, it's really bested suited in a scenario where all of your Domain Controllers are running the same versions of Windows Server.

In order to set up the Central Store, you need to copy over the .ADMX files from a given server into the Central Store location. The problem is if you pick to copy the .ADMX files from your 2008 DC then you won't be able to use the new GPOs introduced for Windows 8/Server 2012 to manage them.

If you copy the .ADMX files from your 2012 DCs then you won't be able to launch the Group Policy Management Console on any of your 2008 DCs, it'll just give you an error each time you launch it. You'll have to stick to modifying your Group Policies from your 2012 DCs or a Windows 8 PC with RSAT installed going forward.
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

LVL 13

Assisted Solution

Rizzle earned 90 total points
ID: 40601132
I would advise on a Central Store, but copy the policy definitions folder from your 2008 DC to Sysvol\policies

But doing it this way wont give you the GP Templates which would be used to create policies for Win 8 clients etc etc

What you could which is something we're doing is, copy the policy definitions folder from your 2008 DC to Sysvol and then any other additional ADMX templates you need (IE Office 2013 or Win8) then copy these to the policy definitions folder as well.

New Operating system templates are backwards compatible so you'll get the 2012 settings and you'll get to keep the 2008/2008 R2 settings as well.

Just to let you know in my experience it isn't enough to just have the templates In the Central store but you would need to open GPMC from a Ws2012 or Win 8 client as VB ITS stated.

Could you tell us if you have any Windows 8/8.1 clients?
LVL 24

Expert Comment

ID: 40602303
Just to let you know in my experience it isn't enough to just have the templates In the Central store but you would need to open GPMC from a Ws2012 or Win 8 client as VB ITS stated.
If you have the 2008 ADMX files in the Central Store then managing the policies from a 2012 or Windows 8 machine won't make a difference as it'll still be looking at the 2008 ADMX version in the Central Store. You'll need to replace the existing .ADMX files in the Central Store with the 2012 ADMX files in order to properly manage Server 2012 and Windows 8 machines.
LVL 11

Expert Comment

ID: 40602571
VB ITS does have a valid point. With your DC's all mixed in versions I would also have to suggest not centralizing anything until you upgraded your other two DC's to e.g 2012. But the info is there if you need it at some point.

Author Comment

ID: 40711742
Thanks guys.

Author Closing Comment

ID: 40713661
Thanks everyone.

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question