Active Directory Group Policy Central Store

Posted on 2015-02-09
Medium Priority
Last Modified: 2015-04-08
Hi Guys,
I hope you are all well and can assist.
We currently run a 2003 server mixed mode domain, with 2003, 2008 and 2012 domain controllers.
What I would like to understand, is how many of you are using a group policy central store?
What are the pros and cons of using a central store?
Why switch to a central store?
Is it complicated to do?
Any help greatly appreciated.
Thank you.
Question by:Simon336697
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
LVL 11

Accepted Solution

Maclean earned 880 total points
ID: 40599741
1] You will not have as much bloat on the sysvol store. Instead of each policy replicating to each sysvol on all the DC's at approx 4mb each, creating lets say for 100 policies 400MB of "wasted" storage consumption, you could have all your bits in one centralized store using ADMX templates.

2] Domain Replication will improve, as it does not need to replicate all policies to each DC, which can be a pain on busy/slow networks

Consequence is that if you remove the Central Store, all Windows 7 & up plus Server 2008 R2 & up will loose their local ADMX files, and they won't be able to report properly to the AD,

It might be best described in this article on the subject from 2009. It describes more or less the same as I am trying to convey, but also offers an alternate suggestion.


Author Comment

ID: 40599752
HI Maclean, thanks so much mate for that overview, much appreciated.
LVL 24

Assisted Solution

VB ITS earned 760 total points
ID: 40600035
I wouldn't use a Group Policy Central store in your scenario.  While Maclean has nicely outlined the benefits of the Central Store, it's really bested suited in a scenario where all of your Domain Controllers are running the same versions of Windows Server.

In order to set up the Central Store, you need to copy over the .ADMX files from a given server into the Central Store location. The problem is if you pick to copy the .ADMX files from your 2008 DC then you won't be able to use the new GPOs introduced for Windows 8/Server 2012 to manage them.

If you copy the .ADMX files from your 2012 DCs then you won't be able to launch the Group Policy Management Console on any of your 2008 DCs, it'll just give you an error each time you launch it. You'll have to stick to modifying your Group Policies from your 2012 DCs or a Windows 8 PC with RSAT installed going forward.
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

LVL 13

Assisted Solution

Rizzle earned 360 total points
ID: 40601132
I would advise on a Central Store, but copy the policy definitions folder from your 2008 DC to Sysvol\policies

But doing it this way wont give you the GP Templates which would be used to create policies for Win 8 clients etc etc

What you could which is something we're doing is, copy the policy definitions folder from your 2008 DC to Sysvol and then any other additional ADMX templates you need (IE Office 2013 or Win8) then copy these to the policy definitions folder as well.

New Operating system templates are backwards compatible so you'll get the 2012 settings and you'll get to keep the 2008/2008 R2 settings as well.

Just to let you know in my experience it isn't enough to just have the templates In the Central store but you would need to open GPMC from a Ws2012 or Win 8 client as VB ITS stated.

Could you tell us if you have any Windows 8/8.1 clients?
LVL 24

Expert Comment

ID: 40602303
Just to let you know in my experience it isn't enough to just have the templates In the Central store but you would need to open GPMC from a Ws2012 or Win 8 client as VB ITS stated.
If you have the 2008 ADMX files in the Central Store then managing the policies from a 2012 or Windows 8 machine won't make a difference as it'll still be looking at the 2008 ADMX version in the Central Store. You'll need to replace the existing .ADMX files in the Central Store with the 2012 ADMX files in order to properly manage Server 2012 and Windows 8 machines.
LVL 11

Expert Comment

ID: 40602571
VB ITS does have a valid point. With your DC's all mixed in versions I would also have to suggest not centralizing anything until you upgraded your other two DC's to e.g 2012. But the info is there if you need it at some point.

Author Comment

ID: 40711742
Thanks guys.

Author Closing Comment

ID: 40713661
Thanks everyone.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Suggested Courses
Course of the Month10 days, 19 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question