  • GPMC on 2012 mbr to 2008R2 Sysvol

    Got one for the real geeks out there:

    Standing up a new system, and have been having problems with GP settings. Have finally tracked down the root problem, but don't understand what's causing it. Searches haven't turned up an answer so far.

    Physical Environment: 4 servers as Srvr 2012 Datacenter with Hyper-V roles, in 2 clusters (Prime & Replica), with SANs duplicated at each cluster. 1 additional hardware server at each cluster as remote admin, also 2012, but Stnd, with AD, DFS, etc admin remote tools installed. All other servers, including DCs, are VMs in Primary cluster (yeah, it does work with 2012 Hyper-V.)

    Logical Environment:
    *-Forest root with 1 child domain (at present.) Call it 'parent.local'. Contains DC01 as Forest roles holder, root CA and forest KMS server (no other member servers this level). Forest funct lvl is 2008R2.
    *-Child domain 'child.parent.local' has DC02 (domain roles holder, subordinate CA) and DC03. Both DCs are DNS, DHCP in addition to AD. Domain funct lvl is 2008R2. Forest and domain preps were run from 2012 media prior to adding 2012 members to domain.

    What we see is this: changes to GP made thru either domain-level DC are applied, and replicated, as expected. Viewing of GP thru the remote admin server shows all changes/status allowing for replication times. Changing of GP thru the same remote admin server applies changes to AD, but doesn't apply changes to the Sysvol share, so we end up with version mismatches between the 2. And so we have inconsistent policy application to clients. Makes no difference what account we log into the remote admin server with (God acct included), either. But I can add folders/files to any location in the sysvol share from this remote admin server without incident.

    We can't use a 2012-OS for the DCs, for reasons I can't go into. DCDiag, netdiag results show every line as 'PASSED'. Event logs on DCs show no issues with replication, etc. Anybody have any idea why I can't change GP from a 2012 member server to a 2008R2 DC, but I can apparently view/access all resources without limitation?
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **
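    The AD-versus-SYSVOL version check the post describes, as an added example (not code from the thread or its posters). It reads versionNumber from each groupPolicyContainer and Version= from the matching GPT.ini and reports the disagreements; it assumes PowerShell 3.0 with the RSAT ActiveDirectory module, read access to the SYSVOL share, and that -Server names a DC of the domain being checked.

```powershell
# Added example, not code from the thread. Lists every GPO whose AD version
# (versionNumber on the groupPolicyContainer) disagrees with its SYSVOL version
# (Version= in GPT.ini). Assumes: PS 3.0, RSAT ActiveDirectory module, read
# access to the SYSVOL share, and -Server naming a DC of the domain checked.
Import-Module ActiveDirectory

function Split-GpoVersion {
    # A GPO version packs two 16-bit counters: low word = Computer settings,
    # high word = User settings. AD and GPT.ini must agree on both halves.
    param([uint32]$Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Get-GpoVersionMismatch {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $domain = Get-ADDomain -Server $Server
    $sysvol = "\\$Server\SYSVOL\$($domain.DNSRoot)\Policies"
    $gpos = Get-ADObject -Server $Server -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
        -Properties displayName, versionNumber
    foreach ($gpo in $gpos) {
        $adVer   = [uint32]$gpo.versionNumber
        $fileVer = $null
        $gptIni  = Join-Path $sysvol "$($gpo.Name)\GPT.ini"
        if (Test-Path $gptIni) {
            $text = (Get-Content $gptIni) -join "`n"
            $m = [regex]::Match($text, '(?m)^\s*Version\s*=\s*(\d+)')
            if ($m.Success) { $fileVer = [uint32]$m.Groups[1].Value }
        }
        $ad = Split-GpoVersion $adVer
        $fs = if ($null -ne $fileVer) { Split-GpoVersion $fileVer }
        [pscustomobject]@{
            Name   = $gpo.displayName
            Guid   = $gpo.Name
            AD     = "user $($ad.User) / computer $($ad.Computer)"
            SYSVOL = if ($fs) { "user $($fs.User) / computer $($fs.Computer)" }
            Status = if ($null -eq $fileVer) { 'GPT.ini missing' }
                     elseif ($fileVer -ne $adVer) { 'MISMATCH' }
                     else { 'ok' }
        }
    }
}

# Run once per DC (-Server) so lag between the SYSVOL copies shows up too.
Get-GpoVersionMismatch | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

The user/computer split tells you which half of the GPO was last edited, which narrows a mismatch to the editing tool that wrote it.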

  • #2
    Re: GPMC on 2012 mbr to 2008R2 Sysvol

    Disregard, I've sorted it. To those who've dealt with this kind of mixed environment, this will make you smile. My previous system was all 1 level of OS install, (Server 2003R2 and XP), so this never came up.

    I installed the ADMX files for Win8/Server 2012 onto the Central Store of Sysvol, and now updates apply equally to AD and Sysvol from both levels of OS/GPMC.

    It only occurred to me as part of an unrelated discussion.

    Would I be cheeky to give myself rep points??
    *RicklesP*


    • #3
      Re: GPMC on 2012 mbr to 2008R2 Sysvol

      I don't know if it's contrary to the spirit of rep, but I'll give you points for returning with the solution instead of leaving it at "never mind, I figured it out".
      Rules of life:
      1. Never do anything that requires thinking after 2:30 PM
      2. Simplicity is godliness
      3. Scale with extreme prejudice


      I occasionally post using a savantphone, so please don't laugh too hard at the typos...



      • #4
        Re: GPMC on 2012 mbr to 2008R2 Sysvol

        Many thanks!
        *RicklesP*


        • #5
          Re: GPMC on 2012 mbr to 2008R2 Sysvol

          I was thinking about this last night when I read it and thought it may have been that but wanted to test.

          Well done for figuring out and getting back to us with an answer and solution.



          • #6
            Re: GPMC on 2012 mbr to 2008R2 Sysvol

            The plot thickens: it's not fixed.

            There are mismatches between AD and SYSVOL versions per policy, depending on whether I've updated an Admin Template setting vs a setting in another area; biggest problem area appears to be with 'Windows Firewall with Advanced Security.' And since that's what appears to be breaking my system development, I'm getting desperate. My tests yesterday when I thought I'd fixed it were inconsequential settings in an admin template, which worked. But I neglected to test non-admin template settings.

            Settings that are available thru the 2012 version of GPMC don't necessarily have direct correlations with the 2008 version. Example: Under the Firewall settings, there's a Remote Desktop group pre-defined on both versions. Under 2008, that group has 1 pre-determined rule, for TCP-3389. In the 2012 version, there are 2 rules, for UDP- and TCP-3389. If I enable the rules thru 2012, the 2008 GPMC can't read the values correctly on the Settings tab in the Policy.

            Anyone know how to push a 2012 GPMC manually onto a 2008R2 DC? Searches only take me to pages which tell you how to use the Roles/Features installs for the version you're using, which don't help. Don't believe perms for the remote server vs the sysvol share are an issue, 'cause updates to admin template settings work flawlessly under the same session. And all sessions are done using the same God-account on the domain.
            *RicklesP*


            • #7
              Re: GPMC on 2012 mbr to 2008R2 Sysvol

              Originally posted by RicklesP:
              The plot thickens: it's not fixed.

              There are mismatches between AD and SYSVOL versions per policy, depending on whether I've updated an Admin Template setting vs a setting in another area; biggest problem area appears to be with 'Windows Firewall with Advanced Security.' And since that's what appears to be breaking my system development, I'm getting desperate. My tests yesterday when I thought I'd fixed it were inconsequential settings in an admin template, which worked. But I neglected to test non-admin template settings.

              Settings that are available thru the 2012 version of GPMC don't necessarily have direct correlations with the 2008 version. Example: Under the Firewall settings, there's a Remote Desktop group pre-defined on both versions. Under 2008, that group has 1 pre-determined rule, for TCP-3389. In the 2012 version, there are 2 rules, for UDP- and TCP-3389. If I enable the rules thru 2012, the 2008 GPMC can't read the values correctly on the Settings tab in the Policy.

              Anyone know how to push a 2012 GPMC manually onto a 2008R2 DC? Searches only take me to pages which tell you how to use the Roles/Features installs for the version you're using, which don't help. Don't believe perms for the remote server vs the sysvol share are an issue, 'cause updates to admin template settings work flawlessly under the same session. And all sessions are done using the same God-account on the domain.
              Where are you storing your new 2012 GPO's?

              To create a central store you need to create a PolicyDefinitions folder in SYSVOL\Policies

              http://www.petri.com/creating-group-...tral-store.htm



              • #8
                Re: GPMC on 2012 mbr to 2008R2 Sysvol

                We're already using the Central Store's template storage under Sysvol. That's where I'd originally placed the Win7/2008 ADMX files, and just yesterday added the Win8/2012 files. The same names were overwritten as expected, so the same templates have been updated. Any unique templates remained, such as our Office 2010 templates.

                It appears that not all the settings available in the GPMC come from the Admin Templates themselves, as far as I can tell. It looks to me like they're internal to the tool being used, part of the DLL set installed.

                Is it possible to install the 2012 RSAT on a 2008 box? And a 2008 DC at that? I haven't found a stand-alone install method for same, thus far.
                *RicklesP*


                • #9
                  Re: GPMC on 2012 mbr to 2008R2 Sysvol

                  Originally posted by RicklesP:
                  We're already using the Central Store's template storage under Sysvol. That's where I'd originally placed the Win7/2008 ADMX files, and just yesterday added the Win8/2012 files. The same names were overwritten as expected, so the same templates have been updated. Any unique templates remained, such as our Office 2010 templates.

                  It appears that not all the settings available in the GPMC come from the Admin Templates themselves, as far as I can tell. It looks to me like they're internal to the tool being used, part of the DLL set installed.

                  Is it possible to install the 2012 RSAT on a 2008 box? And a 2008 DC at that? I haven't found a stand-alone install method for same, thus far.
                  I'll have a play around in my home lab over the weekend and see if I can replicate.



                  • #10
                    Re: GPMC on 2012 mbr to 2008R2 Sysvol

                    Found an article here in Petri about the RSAT install question. I'm trying it now, will let you know. Taking a snapshot of the DC first as insurance.
                    *RicklesP*


                    • #11
                      Re: GPMC on 2012 mbr to 2008R2 Sysvol

                      Applied prerequisites to 2008R2 DC per this petri KB article: http://www.petri.com/remote-server-a...ad-install.htm, then downloaded and attempted to install the Win8/2012 RSAT tool to the same box. And it won't install due to version mismatch (not x86 vs x64, but Windows versions.)

                      So now I'm back to my earlier issue: anyone got a better idea than simply DON'T manipulate GP from the 2012 remote admin server? Do it only from one of the 2 DCs?
                      *RicklesP*


                      • #12
                        Re: GPMC on 2012 mbr to 2008R2 Sysvol

                        Finally found a solution that works throughout: DFS config. AD was set up before DFS was in place, and AD was set to replicate using DFS rather than FRS. But no Sysvol replication group was ever set up in DFS, so we had sysvol mismatch issues galore.

                        Once the needed replication group was set up in DFS, all settled down. All versions of GP management agree on version numbers of GP objects, regardless of where they were set from, and policy looks to be applying correctly, throughout.

                        Looks like you should initially set your AD replication to use the old way (FRS), then set up DFS, then change AD replication to use DFS. Chicken and egg logic, but I had no idea 'cause I hadn't used DFS before now.
                        *RicklesP*


                        • #13
                          Re: GPMC on 2012 mbr to 2008R2 Sysvol

                          I'm not sure I follow what you did with DFS. In 2000 and 2003 AD used FRS. With 2008 it uses DFSR for replication if it's a new domain at the 2008 domain functional level. If you've migrated from a 2003 or older domain to the 2008 functional level then you'll need to go through the conversion:
                          http://blogs.technet.com/b/qzaidi/ar...s-to-dfsr.aspx
                          http://technet.microsoft.com/en-us/l...(v=ws.10).aspx

                          You shouldn't use the normal DFS utilities to manage AD DFSR. If things are working then that's good, but I don't know what consequences there will be if the DFSR migration wasn't performed according to the steps outlined by MS. (Maybe you did use those steps.)
                          Regards,
                          Jeremy

                          Network Consultant/Engineer
                          Baltimore - Washington area and beyond
                          www.gma-cpa.com
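                          A way to verify which engine is actually replicating SYSVOL before anyone touches DFSR settings, added here as an example and not code from the thread or its posters. It reads the domain-wide dfsrmig state and checks each DC for the FRS (nTFRSSubscriber) and DFSR (msDFSR-Subscription) SYSVOL objects; it assumes PowerShell 3.0 with the RSAT ActiveDirectory module, that it is run on a DC (dfsrmig.exe ships there), and that the DCs accept remote service queries.

```powershell
# Added example, not code from the thread. Shows whether SYSVOL is on FRS or
# DFSR and whether every DC carries the matching subscription object, the
# state a dfsrmig migration is supposed to leave consistent. Assumes: PS 3.0,
# RSAT ActiveDirectory module, run on a DC, DCs reachable for Get-Service.
Import-Module ActiveDirectory

function Get-SysvolReplicationState {
    $domain = Get-ADDomain
    $dcOu   = "OU=Domain Controllers,$($domain.DistinguishedName)"
    # dfsrmig reports the domain-wide state: Start (FRS), Prepared,
    # Redirected, or Eliminated (DFSR only). Anything between Start and
    # Eliminated means a migration was begun and never finished.
    $global = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '
    foreach ($dc in Get-ADDomainController -Filter *) {
        $dcDn = "CN=$($dc.Name),$dcOu"
        # FRS keeps an nTFRSSubscriber under the DC's computer object;
        # DFSR keeps an msDFSR-Subscription ("SYSVOL Subscription") there.
        $frs  = Get-ADObject -SearchBase $dcDn -SearchScope Subtree `
            -LDAPFilter '(objectClass=nTFRSSubscriber)' -ErrorAction SilentlyContinue
        $dfsr = Get-ADObject -SearchBase $dcDn -SearchScope Subtree `
            -LDAPFilter '(objectClass=msDFSR-Subscription)' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC          = $dc.HostName
            GlobalState = $global
            FrsObject   = [bool]$frs
            DfsrObject  = [bool]$dfsr
            FrsService  = (Get-Service -ComputerName $dc.HostName NtFrs -ErrorAction SilentlyContinue).Status
            DfsrService = (Get-Service -ComputerName $dc.HostName DFSR -ErrorAction SilentlyContinue).Status
        }
    }
}

# A healthy DFSR SYSVOL shows Eliminated, DfsrObject True and FrsObject False
# on every DC; a DC that differs from the rest is the one to look at first.
Get-SysvolReplicationState | Format-Table -AutoSize
```

The "Domain System Volume" replication group this surfaces is owned by AD itself, so it should be inspected with these objects and the DFSR event log rather than edited in DFS Management.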



                          • #14
                            Re: GPMC on 2012 mbr to 2008R2 Sysvol

                            I didn't set up the DFS duplication grp for our sysvol share, someone else did. As normal, when I set the new domain up from scratch at the 2008R2 FL, I let the AD replication take care of itself. And it's never been right, but we spent quite a bit of time chasing just DNS. We thought we had it, then began setting up Group Policy and we went down the rabbit hole again. And then we began with DFS as well, so it was just another headache. Because AD itself worked all the time, we didn't look at replication.

                            A company colleague with more system-setup experience came to our client's site while I was away and set up the DFS replication group for our SYSVOL. And now it appears much more stable than it has been. All of the GP issues have disappeared, for a start. DFSR logs from one of our 2 VM DCs shows intermittent DFSR failures, but we can relate the vast majority to a shutdown of 1 of the DCs to take a snapshot prior to making a major change.

                            If we still have other issues to sort out before going live and migrating existing users to the new system in about 2 months' time, and said fix requires starting over yet again (this is complete build #3 so far), I quit.
                            *RicklesP*


                            • #15
                              Re: GPMC on 2012 mbr to 2008R2 Sysvol

                              Um wow! I assume that this is a fresh domain that is being built then. Are there heavy modifications to the AD environment?

                              On a new domain setup you shouldn't have to mess with DFSR at all! If you get some more information on what they're doing to the environment then let us know and maybe it will shed some light on things...

                              Hopefully whatever they did to get things working will stay working but I'm skeptical from what you described.
                              Regards,
                              Jeremy