[gptalk] Re: Default Domain and Default DC GPO migration

  • From: "SCOTT KLASSEN" <klas9574@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 18 Jun 2008 19:23:04 -0500

Sorry, poor verbiage on my part.  Basically I'm in the throes of getting rid of 
all of the ADM files in my Sysvol.

Scott Klassen


From: Alan & Margaret 
Sent: Wednesday, June 18, 2008 4:33 PM
To: gptalk@xxxxxxxxxxxxx 
Subject: [gptalk] Re: Default Domain and Default DC GPO migration


Hi Scott,

 

I am a little confused by your question "will the GPO's be recreated as ADMX or 
ADM". I may be missing something, but there is no such thing as an ADMX GPO or 
an ADM GPO.

 

Basically a GPO holds the Administrative Template Settings in the Registry.POL 
File.

 

If you use a Windows 2000 workstation to view or modify these settings in GPMC 
it will load the ADM files present in the GPO to interpret the settings. If 
there is no ADM file for those settings, the setting will not be exposed for 
you to change. 

 

If you use a Vista machine to view or modify these settings in GPMC it will 
load the ADMX files (stored in PolicyDefinitions) and the ADM files present in 
the GPO to interpret the settings. This would suggest that if an ADM file and 
an ADMX file were present for the same setting you would see both. However 
there is a "Supersedes" setting in an ADMX file which effectively says "please 
ignore a particular ADM file if it exists". The default Microsoft ADMX files 
have settings to Supersede all of the Microsoft ADM files. However it is still 
possible to add an ADM file to a Policy and it will be used by both the VISTA 
and WINDOWS machines.

 

Now I haven't tested what you are doing, nor do I fully understand the process 
as to why you need to run GPOfix /IgnoreSchema. By reading 
http://support.microsoft.com/kb/932445  it suggests that the parameter is used 
when you are restoring a GPO with an old schema. But I don't see how the SCHEMA 
used will affect adm and ADMX files. Maybe Darren can explain!

 

Having said all of that I would strongly recommend that you test it all first 
just to confirm what it does in your environment. In fact I would test a 
migration and fallback... There is nothing worse than having no AD after a 
problem with the conversion especially if your only defense is "It should have 
worked".

 

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

 

 

 

 


--------------------------------------------------------------------------------

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of SCOTT KLASSEN
Sent: Wednesday, 18 June 2008 1:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Default Domain and Default DC GPO migration

 

Here's a question for either those more knowledgeable or with a more robust 
testing infrastructure.

 

I'm at the start of migrating my environment to Server 2008.  Although not 
necessary, I've spent some time converting most of my GPOs to the ADMX format 
for the decrease in space usage and bandwidth usage during replication.  I now 
only have the default domain and default dc GPOs left.  I know that after the 
migration, these two will remain as ADM files.  Here's my question:  After I 
have my DC's upgraded to 2008, if I then run dcgpofix /ignoreschema, will the 
GPO's be recreated as ADMX or ADM?  My other idea was to create a temporary 
test domain with a single 2008 VM DC, just to back up these two in ADMX format, 
then delete the original ADM ones from my production domain, restoring the ADMX 
ones from the test domain.  If anyone has a better plan for switching these 
without messing up the special properties associated with them, I'm open to 
suggestions.

 

Scott Klassen
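
Added example, not part of the thread: Alan's reply above says a GPO holds its Administrative Template settings in Registry.pol and that ADM/ADMX files are only used to interpret them. This Python parser reads the documented Registry.pol layout (a "PReg" signature and version 1, then `[key;value;type;size;data]` records in UTF-16LE) with no template file involved; the key and value names in the sample are constructed.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
HEADER = b"PReg" + struct.pack("<I", 1)  # signature + format version 1

def _w(text):
    return text.encode("utf-16-le")

def _expect(buf, pos, ch):  # check a 2-byte UTF-16LE delimiter, step over it
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _field(buf, pos):  # NUL-terminated UTF-16LE string followed by ';'
    end = pos
    while buf[end:end + 2] != b"\0\0":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), _expect(buf, end + 2, ";")

def parse_registry_pol(buf):  # -> list of (key, value name, type, data)
    if buf[:8] != HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, records = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _field(buf, pos)
        name, pos = _field(buf, pos)
        rtype, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")  # also fails on truncated data
        if rtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        elif rtype == REG_SZ:
            data = data.decode("utf-16-le").rstrip("\0")
        records.append((key, name, rtype, data))
    return records

def _record(key, name, rtype, data):  # builds the constructed sample only
    return (_w(f"[{key}\0;{name}\0;") + struct.pack("<I", rtype) + _w(";")
            + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))

KEY = r"Software\Policies\Example\App"  # constructed sample, not a real GPO
SAMPLE = (HEADER + _record(KEY, "EnableFeature", REG_DWORD, struct.pack("<I", 1))
          + _record(KEY, "ServerName", REG_SZ, _w("srv01\0")))
```

Run against a copy of a GPO's Machine or User Registry.pol, the returned list shows every stored setting, including ones for which no ADM or ADMX file is available to display them.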
