Solved

Active Directory Group Policy Central Store

Posted on 2015-02-09
8
544 Views
Last Modified: 2015-04-08
Hi Guys,
I hope you are all well and can assist.
We currently run a 2003 server mixed mode domain, with 2003, 2008 and 2012 domain controllers.
What I would like to understand, is how many of you are using a group policy central store?
What are the pros and cons of using a central store?
Why switch to a central store?
Is it complicated to do?
Any help greatly appreciated.
Thank you.
0
Comment
Question by:Simon336697
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 11

Accepted Solution

by:
TS4B earned 220 total points
ID: 40599741
1] You will not have as much bloat on the sysvol store. Instead of each policy replicating to each sysvol on all the DC's at approx 4mb each, creating lets say for 100 policies 400MB of "wasted" storage consumption, you could have all your bits in one centralized store using ADMX templates.

2] Domain Replication will improve, as it does not need to replicate all policies to each DC, which can be a pain on busy/slow networks

Consequence is that if you remove the Central Store, all Windows 7 & up plus Server 2008 R2 & up will loose their local ADMX files, and they won't be able to report properly to the AD,

It might be best described in this article on the subject from 2009. It describes more or less the same as I am trying to convey, but also offers an alternate suggestion.

http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx
0
 
LVL 1

Author Comment

by:Simon336697
ID: 40599752
HI Maclean, thanks so much mate for that overview, much appreciated.
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 190 total points
ID: 40600035
I wouldn't use a Group Policy Central store in your scenario.  While Maclean has nicely outlined the benefits of the Central Store, it's really bested suited in a scenario where all of your Domain Controllers are running the same versions of Windows Server.

In order to set up the Central Store, you need to copy over the .ADMX files from a given server into the Central Store location. The problem is if you pick to copy the .ADMX files from your 2008 DC then you won't be able to use the new GPOs introduced for Windows 8/Server 2012 to manage them.

If you copy the .ADMX files from your 2012 DCs then you won't be able to launch the Group Policy Management Console on any of your 2008 DCs, it'll just give you an error each time you launch it. You'll have to stick to modifying your Group Policies from your 2012 DCs or a Windows 8 PC with RSAT installed going forward.
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 13

Assisted Solution

by:Rizzle
Rizzle earned 90 total points
ID: 40601132
I would advise on a Central Store, but copy the policy definitions folder from your 2008 DC to Sysvol\policies

But doing it this way wont give you the GP Templates which would be used to create policies for Win 8 clients etc etc

What you could which is something we're doing is, copy the policy definitions folder from your 2008 DC to Sysvol and then any other additional ADMX templates you need (IE Office 2013 or Win8) then copy these to the policy definitions folder as well.

New Operating system templates are backwards compatible so you'll get the 2012 settings and you'll get to keep the 2008/2008 R2 settings as well.

Just to let you know in my experience it isn't enough to just have the templates In the Central store but you would need to open GPMC from a Ws2012 or Win 8 client as VB ITS stated.

Could you tell us if you have any Windows 8/8.1 clients?
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40602303
Just to let you know in my experience it isn't enough to just have the templates In the Central store but you would need to open GPMC from a Ws2012 or Win 8 client as VB ITS stated.
If you have the 2008 ADMX files in the Central Store then managing the policies from a 2012 or Windows 8 machine won't make a difference as it'll still be looking at the 2008 ADMX version in the Central Store. You'll need to replace the existing .ADMX files in the Central Store with the 2012 ADMX files in order to properly manage Server 2012 and Windows 8 machines.
0
 
LVL 11

Expert Comment

by:TS4B
ID: 40602571
VB ITS does have a valid point. With your DC's all mixed in versions I would also have to suggest not centralizing anything until you upgraded your other two DC's to e.g 2012. But the info is there if you need it at some point.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 40711742
Thanks guys.
0
 
LVL 1

Author Closing Comment

by:Simon336697
ID: 40713661
Thanks everyone.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question