Solved

Active Directory Group Policy Central Store

Posted on 2015-02-09
8
559 Views
Last Modified: 2015-04-08
Hi Guys,
I hope you are all well and can assist.
We currently run a 2003 server mixed mode domain, with 2003, 2008 and 2012 domain controllers.
What I would like to understand, is how many of you are using a group policy central store?
What are the pros and cons of using a central store?
Why switch to a central store?
Is it complicated to do?
Any help greatly appreciated.
Thank you.
0
Comment
Question by:Simon336697
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 11

Accepted Solution

by:
Maclean earned 220 total points
ID: 40599741
1] You will not have as much bloat on the sysvol store. Instead of each policy replicating to each sysvol on all the DC's at approx 4mb each, creating lets say for 100 policies 400MB of "wasted" storage consumption, you could have all your bits in one centralized store using ADMX templates.

2] Domain Replication will improve, as it does not need to replicate all policies to each DC, which can be a pain on busy/slow networks

Consequence is that if you remove the Central Store, all Windows 7 & up plus Server 2008 R2 & up will loose their local ADMX files, and they won't be able to report properly to the AD,

It might be best described in this article on the subject from 2009. It describes more or less the same as I am trying to convey, but also offers an alternate suggestion.

http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx
0
 
LVL 1

Author Comment

by:Simon336697
ID: 40599752
HI Maclean, thanks so much mate for that overview, much appreciated.
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 190 total points
ID: 40600035
I wouldn't use a Group Policy Central store in your scenario.  While Maclean has nicely outlined the benefits of the Central Store, it's really bested suited in a scenario where all of your Domain Controllers are running the same versions of Windows Server.

In order to set up the Central Store, you need to copy over the .ADMX files from a given server into the Central Store location. The problem is if you pick to copy the .ADMX files from your 2008 DC then you won't be able to use the new GPOs introduced for Windows 8/Server 2012 to manage them.

If you copy the .ADMX files from your 2012 DCs then you won't be able to launch the Group Policy Management Console on any of your 2008 DCs, it'll just give you an error each time you launch it. You'll have to stick to modifying your Group Policies from your 2012 DCs or a Windows 8 PC with RSAT installed going forward.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 13

Assisted Solution

by:Rizzle
Rizzle earned 90 total points
ID: 40601132
I would advise on a Central Store, but copy the policy definitions folder from your 2008 DC to Sysvol\policies

But doing it this way wont give you the GP Templates which would be used to create policies for Win 8 clients etc etc

What you could which is something we're doing is, copy the policy definitions folder from your 2008 DC to Sysvol and then any other additional ADMX templates you need (IE Office 2013 or Win8) then copy these to the policy definitions folder as well.

New Operating system templates are backwards compatible so you'll get the 2012 settings and you'll get to keep the 2008/2008 R2 settings as well.

Just to let you know in my experience it isn't enough to just have the templates In the Central store but you would need to open GPMC from a Ws2012 or Win 8 client as VB ITS stated.

Could you tell us if you have any Windows 8/8.1 clients?
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40602303
Just to let you know in my experience it isn't enough to just have the templates In the Central store but you would need to open GPMC from a Ws2012 or Win 8 client as VB ITS stated.
If you have the 2008 ADMX files in the Central Store then managing the policies from a 2012 or Windows 8 machine won't make a difference as it'll still be looking at the 2008 ADMX version in the Central Store. You'll need to replace the existing .ADMX files in the Central Store with the 2012 ADMX files in order to properly manage Server 2012 and Windows 8 machines.
0
 
LVL 11

Expert Comment

by:Maclean
ID: 40602571
VB ITS does have a valid point. With your DC's all mixed in versions I would also have to suggest not centralizing anything until you upgraded your other two DC's to e.g 2012. But the info is there if you need it at some point.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 40711742
Thanks guys.
0
 
LVL 1

Author Closing Comment

by:Simon336697
ID: 40713661
Thanks everyone.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question