creating child OU's in default domain controller OU


  • creating child OU's in default domain controller OU

    Hi,

    I'm currently implementing WSUS on a couple of my Windows 2000 domains. I have multiple DCs in the default Domain Controllers OU. I want to apply automatic updates to the DCs that do not hold the FSMO roles and leave the FSMO role DC on manual install.

    My approach was to create 2 sub-OUs in the default Domain Controllers OU, add the servers and apply the policies as appropriate.

    I have since heard that Microsoft do not support this approach (creating child OUs in the default Domain Controllers OU) and there may have been problems with people who have tried this. Is anyone aware of any specific issues with this method, and if so, is there an alternate way of implementing 2 different (conflicting) GPOs on the default Domain Controllers OU?

    Thanks in advance.

    Mike
    Last edited by Mike1324; 18th July 2008, 13:22. Reason: left out key fact

  • #2
    Re: creating child OU's in default domain controller OU

    Although it is not Microsoft best practice, there is no problem moving the DCs to a sub-OU as long as the Default Domain Controllers Policy applies to that OU.
    I have the same configuration of sub-OUs for DCs and it passed the MS AD health check engineer (was approved). Even though the ADST are giving me a big red warning on that, it is still fine as long as the Default Domain Controllers Policy applies to the DCs.
    Last edited by Akila; 18th July 2008, 13:28.

    • #3
      Re: creating child OU's in default domain controller OU

      Thanks,

      I've left the default policy untouched on the default Domain Controllers OU and simply applied the new policy to the child OU (and ensured there is no block on the inheritance from parent to child).

      Your comments have laid my mind at rest, but just out of interest: how do Microsoft suggest applying conflicting policies to different DCs?

      • #4
        Re: creating child OU's in default domain controller OU

        You can set a GPO to only apply to certain machines using the "Apply Group Policy" tick box.
        cheers
        Andy

        Quis custodiet ipsos custodes?

        • #5
          Re: creating child OU's in default domain controller OU

          I am familiar with amendments to the 'security settings' to control the user groups the policy applies to, but I was not aware you could control which computer in an OU received the policy.

          Where is the 'apply group policy' checkbox located? I've checked through the options on the Group Policy tab of the OU. There are only the following options:

          new
          add
          edit
          options
          delete
          properties

          I've drilled into each of the options, but cannot locate the checkbox mentioned. Am I looking in the wrong place? (It is Friday after all.)

          • #6
            Re: creating child OU's in default domain controller OU

            In the Properties then Security tab.
            cheers
            Andy

            Quis custodiet ipsos custodes?

            • #7
              Re: creating child OU's in default domain controller OU

              Cool,

              so it's Properties\Security\Add.

              Presumably the policy is applied implicitly as the server is not currently selected.

              As a best practice, should I select both servers (so they are visible to other admins) as follows:

              Server 1 Permissions - Apply Group Policy - Tick
              Server 2 Permissions - Apply Group Policy - Untick

              Is 'Apply Group Policy' the only setting that's relevant, i.e. is 'Read' not required?

              • #8
                Re: creating child OU's in default domain controller OU

                Or Delegation / Advanced if using GPMC (forgot to add that bit).

                Untick the Authenticated Users "Apply" and then add in a group or individual machines and tick the Apply permission.
                cheers
                Andy

                Quis custodiet ipsos custodes?

                • #9
                  Re: creating child OU's in default domain controller OU

                  I have an idea here: let the DCs be in the default OU.
                  1. Create one more additional GPO with WSUS settings and link the GPO to the OU.
                  2. Create a new group and add all DCs except the FSMO holder into the group.
                  3. Under Security Filtering of the newly created GPO, remove the Authenticated Users group and add only the new group (which contains all the DCs).

                  Cheers, Bala

                  • #10
                    Re: creating child OU's in default domain controller OU

                    I think that is what I said.

                    Authenticated Users is how it applies at the moment. You can add in a group or individual accounts and use them specifically if Auth Users isn't selected.
                    cheers
                    Andy

                    Quis custodiet ipsos custodes?

                    • #11
                      Re: creating child OU's in default domain controller OU

                      Originally posted by balasat:
                      "Create a new group and add all DCs except the FSMO holder into the group"

                      Note that if you create a new group and add DC computer accounts to it, the DCs will pick up the group membership change only after a reboot (the new group will be added to the security token of the DC's computer account only upon reboot).
                      Guy Teverovsky
                      "Smith & Wesson - the original point and click interface"

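The group-based security filtering that posts #9, #10 and #11 describe, as an added PowerShell example that is not from the thread or from Microsoft. It assumes a management host with the ActiveDirectory and GroupPolicy RSAT modules (Windows Server 2008 R2 or later, which the original Windows 2000 era thread did not have), and the GPO and group names are placeholders. Authenticated Users keeps Read so that the DC computer accounts can still read the GPO; only Apply is moved to the new group.

```powershell
# Added example, not the thread's or Microsoft's own code.
# Scope a WSUS GPO to every DC that holds no FSMO role, using a security group
# and GPO security filtering instead of a child OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'WSUS - Auto Install (non-FSMO DCs)'   # placeholder: your GPO name
$GroupName = 'GPO-WSUS-NonFSMO-DCs'                 # placeholder: your group name

# 1. Find DCs that hold no operations master (FSMO) role.
$nonFsmoDcs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperationMasterRoles.Count -eq 0 }

# 2. Create the security group if it does not exist and add the DC computer accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$members = $nonFsmoDcs | ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN }
Add-ADGroupMember -Identity $GroupName -Members $members

# 3. Security filtering: Authenticated Users drops to Read only (-Replace removes its
#    existing Apply right); the new group receives Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# 4. Review the resulting ACL. As post #11 notes, each DC only sees its new group
#    membership in its computer token after a reboot, so RSoP will lag until then.
Get-GPPermission -Name $GpoName -All | Format-Table Trustee, Permission -AutoSize
```

Because the group holds computer accounts rather than names, a decommissioned DC leaves the filter automatically when its account is deleted, but a newly promoted DC still has to be added to the group (and rebooted) before the GPO reaches it, which is the maintenance gap post #12 raises.
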
                      • #12
                        Re: creating child OU's in default domain controller OU

                        This is a common issue to solve in large global deployments of domains, and the biggest issue people face is not updating the GPOs if they explicitly assign the DC computer object on the security filter and then decommission the DC and add a new one.
                        The easiest way around this does of course depend on your global naming standard.
                        Using WMI filters in GPMC you can create a WMI filter that will ensure the GPO you assign will only apply to computers that match a specific WMI filter,
                        i.e. root\CIMv2: SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'SITE-A%'
                        Assign this to the GPO on the Domain Controllers OU that specifies site A's WSUS server. Hence you keep them all in one OU and therefore supported.

                        • #13
                          Re: creating child OU's in default domain controller OU

                          Another option can be linking the GPOs to the site plus a WMI filter to filter out the non-DCs, which will eliminate the naming convention dependency (assuming you do not have pre-XP or pre-W2K3 computers that cannot handle WMI filters).
                          Guy Teverovsky
                          "Smith & Wesson - the original point and click interface"

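The two WQL queries behind the WMI-filter suggestions in posts #12 (name prefix) and #13 (DCs only, linked at the site), as an added PowerShell example that is not from the thread. The queries are the part you paste into a GPMC WMI filter; the `Test-WmiFilterQuery` helper is an assumption of this example and simply evaluates a query on the local machine the way Group Policy does, treating "at least one instance returned" as "filter passes". The `SITE-A` prefix is a placeholder.

```powershell
# Added example, not the thread's own code. Checks WMI-filter queries locally
# before they are attached to a GPO in GPMC. Namespace root\CIMv2 in both cases.

# Post #12: scope by naming convention. 'SITE-A' is a placeholder prefix.
$bySitePrefix = "SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'SITE-A%'"

# Post #13: scope to domain controllers regardless of name. Win32_ComputerSystem
# DomainRole is 4 for a backup DC and 5 for a primary DC; anything lower is a
# workstation or member server and is filtered out.
$dcsOnly = "SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 4 OR DomainRole = 5"

function Test-WmiFilterQuery {
    # Hypothetical helper for this example: a GPO WMI filter "applies" when the
    # query returns at least one instance on the client at policy processing time.
    param([Parameter(Mandatory)][string]$Query)
    $hits = @(Get-CimInstance -Namespace 'root/CIMv2' -Query $Query -ErrorAction Stop)
    [pscustomobject]@{
        Query   = $Query
        Applies = ($hits.Count -gt 0)
        Matched = ($hits | ForEach-Object { $_.Name }) -join ','
    }
}

Test-WmiFilterQuery -Query $bySitePrefix
Test-WmiFilterQuery -Query $dcsOnly
```

Run this on the FSMO holder and on one of the other DCs to confirm each query produces the intended pass/fail before linking the GPO. Keep the caveat from post #13 in mind when verifying: a client that cannot evaluate WMI filters at all (Windows 2000) ignores the filter and applies the GPO anyway, so a filter is not a safeguard on such hosts.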