[gptalk] Re: Default Domain and Default DC GPO migration
- From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Wed, 18 Jun 2008 17:45:49 -0700
Yep, that should do it then Scott. A
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of SCOTT KLASSEN
Sent: Wednesday, June 18, 2008 5:28 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default Domain and Default DC GPO migration
Correct Darren. My wording wasn't so great. Great suggestion about just
deleting the ADM directory. I think that'll do the trick. No custom ADMs
in the DDP or DDCP (or elsewhere for that matter, I've converted them all to
GPP) Just wanted to bounce this off the experts.
Thanks,
Scott Klassen
From: Darren Mar-Elia <mailto:darren@xxxxxxxxxx>
Sent: Wednesday, June 18, 2008 4:43 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default Domain and Default DC GPO migration
Yea, I must admit that I didn't really have time to read that email
yesterday but now that I look at it and Alan's response, I agree with Alan.
I think what you are trying to do Scott is "convert" the DDP and DDCP GPOs
to ADMX. But really there is nothing much to do to do that. All you would do
is delete the ADM folder within SYSVOL for both of those GPOs and start
editing those two GPOs exclusively from Vista or Server 2008. You won't lose
any settings, because as Alan notes, the settings are not stored in the ADMs
but in the Registry.Pol file. And, the ADMXs are a superset of the settings
that are in the 5 default ADMs that MS provides. That being said, the one
caveat is if you've defined any custom ADMs in those two GPOs. In that case,
you don't want to delete those but probably want to leave them in place.
Hope that helps.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: Wednesday, June 18, 2008 2:34 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default Domain and Default DC GPO migration
Hi Scott,
I am a little confused by your question "will the GPO's be recreated as ADMX
or ADM". I may be missing something, but there is no such thing as an ADMX
GPO or an ADM GPO.
Basically a GPO holds the Administrative Template Settings in the
Registry.POL File.
If you use a Windows 2000 workstation to view or modify these settings in
GPMC it will load the ADM files present in the GPO to interpret the
settings. If there is no ADM file for those settings, the setting will not
be exposed for you to change.
If you use a Vista machine to view or modify these settings in GPMC it will
load the ADMX files (stored if PolicyDefinitions) and the ADM files present
in the GPO to interpret the settings. This would suggest that if an ADM file
and an ADMX file were present for the same setting you would see both.
However there is a "Supersedes" setting in an ADMX file which effectively
says "please ignore a particular ADM file if it exists". The default
Microsoft ADMX files have settings to Supersede all of the Microsoft ADM
files. However it is still possible to add an ADM file to a Policy and it
will be used by both the VISTA and WINDOWS machines.
Now I haven't tested what you are doing, nor do I fully understand the
process as to why you need to run GPOfix /IgnoreSchema. By reading
http://support.microsoft.com/kb/932445 it suggests that the parameter is
used when you are restoring a GPO with an old schema. But I don't see how
the SCHEMA used will affect adm and ADMX files. Maybe Darren can explain!
Having said all of that I would strongly recommend that you test it all
first just to confirm what it does in your environment. In fact I would test
a migration and fallback... There is nothing worse than having no AD after a
problem with the conversion especially if your only defense is "It should
have worked".
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of SCOTT KLASSEN
Sent: Wednesday, 18 June 2008 1:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Default Domain and Default DC GPO migration
Here's a question for either those more knowledgeable or with a more robust
testing infrastructure.
I'm at the start of migrating my environment to Server 2008. Although not
necessary, I've spent some time converting most of my GPOs to the ADMX
format for the decrease in space usage and bandwidth usage during
replication. I now only have the default domain and default dc GPOs left.
I know that after the migration, these two will remain as ADM files. Here's
my question: After I have my DC's upgraded to 2008, if I then run dcgpofix
/ignoreschema, will the GPO's be recreated as ADMX or ADM? My other idea
was to create a temporary test domain with a single 2008 VM DC, just to back
up these two in ADMX format, then delete the original ADM ones from my
production domain, restoring the ADMX ones from the test domain. If anyone
has a better plan for switching these without messing up the special
properties associated with them, I'm open to suggestions.
Scott Klassen
Other related posts:
