With Windows Server 2012, there are tools, features and functions that are available from the first member server (or Win8 PC with the RSAT pack – http://www.microsoft.com/en-us/download/details.aspx?id=28972).
** You don't need a schema extension, you don't need to deploy any 2012 Domain Controllers, you don't need to flip the bit to Domain or Forest Functional Levels. All you need to do is install the OS and install/enable the Remote Server Administration Tools.
********** EDIT ************
While you don't need the WS 2012 or newer schema extensions, my lab has met a few minimum AD/OS milestones:
- Single domain AD Forest with a 2003 R2 SP2 DC and a 2008 non-R2 SP2 DC
- Domain and Forest Functional Levels of Windows Server 2003 or later
- Windows Server 2008 ADPREP schema extensions or later – forestprep, domainprep and gpprep
Otherwise, you may get an error on the Infrastructure Status tab of the UI stating that "A processing error occurred collecting data using this base domain controller. Please change the base domain controller and try again."
******* END EDIT *********
In this post, I'll show you some things in the updated "Group Policy Management Console" (GPMC).
Before I show off some of the coolness of the new GPMC, hop on the 'way-back' machine and recall the joys of GPO editing circa Windows 2000… anyone remember doing that?
The GPMC is one of those rare IT gems – free, easy to use without too much ramp-up or massive whitepapers to pore through before you're able to make use of the tool and get some work done.
We got it right with that tool… and it has some great improvements in 2012.
Group Policy Infrastructure Status
When you open the GPMC, there is now a 'Status' tab. This shows 'at-a-glance' replication status of the Group Policy elements across your DCs.
- Repeating: You don't need any WS 2012 DCs to see this data – GPMC can get the information from W2k3 and newer DCs.
This first screen shot shows that "Infrastructure Status" data has not been gathered yet for this domain and that DC01 is the current "baseline domain controller" (which can be changed).
Click "Detect Now" at the bottom of the tab to initiate the data gathering and comparison against the baseline DC.
** WARNING ** This can take some time in a large AD environment, as it has to check multiple items on EACH DC in the domain.
Click the circle-arrow buttons to see more detail … currently showing that all four GPOs in the domain are in full sync between my baseline DC and my one other DC.
Refresh the console to see how the DCs drift from full sync as GPOs are edited and replication occurs…
If you click the "GPO version" link under "Active Directory" or "SysVol", a dialog displays which shows the version numbers for the GPO(s) not yet in sync…
Refresh the console again to see the replication status settle back into full sync against the baseline DC…
Here's a screenshot of the same process with the "baseline domain controller" being a 2003 R2 DC which also hosts all 5 FSMOs in my lab domain/forest.
And the Domain/Forest functional levels are still at 2003
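The same baseline comparison the Status tab performs can be scripted, which is handy when you want the drift data in a report rather than a console. The following is an added example (not code from the original post); it assumes the GroupPolicy and ActiveDirectory RSAT modules are available on the member server, and the baseline DC name DC01 mirrors the screenshots above. It reads every GPO's AD and SYSVOL version counters from each DC with Get-GPO -Server and flags any GPO whose numbers differ from the baseline or that is missing on either side.

```powershell
# Added example (not from the original post): compare GPO version numbers on every DC
# against a baseline DC, which is what the GPMC Infrastructure Status tab does in the UI.
# Requires the GroupPolicy and ActiveDirectory modules from RSAT.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$baseline = 'DC01'                       # assumed baseline DC, as in the post's screenshots
$domain   = (Get-ADDomain).DNSRoot

# Every other DC in the domain, by FQDN
$otherDCs = Get-ADDomainController -Filter * |
            Where-Object { $_.Name -ne $baseline } |
            Select-Object -ExpandProperty HostName

# Each GPO carries separate AD (DSVersion) and SYSVOL (SysvolVersion) counters
# for its computer and user halves; read all four from the DC we are asked about.
function Get-GpoVersionTable {
    param([string]$Server)
    Get-GPO -All -Domain $domain -Server $Server | ForEach-Object {
        [pscustomobject]@{
            Id         = $_.Id
            Name       = $_.DisplayName
            CompAD     = $_.Computer.DSVersion
            CompSysvol = $_.Computer.SysvolVersion
            UserAD     = $_.User.DSVersion
            UserSysvol = $_.User.SysvolVersion
        }
    }
}

$baselineTable = @{}
Get-GpoVersionTable -Server $baseline | ForEach-Object { $baselineTable[$_.Id] = $_ }

$report = foreach ($dc in $otherDCs) {
    $seen = @{}
    foreach ($gpo in (Get-GpoVersionTable -Server $dc)) {
        $seen[$gpo.Id] = $true
        $ref = $baselineTable[$gpo.Id]
        if (-not $ref) {
            # Present on this DC but not on the baseline: replication lag or a deleted GPO
            [pscustomobject]@{ DC = $dc; GPO = $gpo.Name; Status = 'Missing on baseline' }
            continue
        }
        $inSync = ($gpo.CompAD -eq $ref.CompAD) -and ($gpo.CompSysvol -eq $ref.CompSysvol) -and
                  ($gpo.UserAD -eq $ref.UserAD) -and ($gpo.UserSysvol -eq $ref.UserSysvol)
        [pscustomobject]@{
            DC     = $dc
            GPO    = $gpo.Name
            Status = $(if ($inSync) { 'In sync' } else {
                "Drift: AD $($gpo.CompAD)/$($gpo.UserAD) vs $($ref.CompAD)/$($ref.UserAD); " +
                "SYSVOL $($gpo.CompSysvol)/$($gpo.UserSysvol) vs $($ref.CompSysvol)/$($ref.UserSysvol)" })
        }
    }
    # GPOs the baseline has that this DC has not received yet
    foreach ($id in ($baselineTable.Keys | Where-Object { -not $seen[$_] })) {
        [pscustomobject]@{ DC = $dc; GPO = $baselineTable[$id].Name; Status = 'Missing on this DC' }
    }
}

$report | Sort-Object DC, GPO | Format-Table -AutoSize
```

Run it from the member server as an account that can read GPOs on every DC. Like the Status tab, it queries each DC in turn, so expect it to take a while in a large domain; the output is the same AD-versus-SYSVOL version picture the GPO version dialog shows, just for all DCs at once.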
Remote GP Update
Next up is remote GP Update – yes ladies and gentlemen, you can select an OU and choose to initiate a GPUpdate /FORCE on the computers within that OU.
Two computers are found in the target OU (and any sub-OUs)…
The update fails against one. We can "Save" the log to a CSV file for documentation, historical tracking or further troubleshooting work.
I opened the appropriate firewall ports via the "Group Policy Remote Update Firewall Ports" Starter GPOs which are part of WS 2012, too. I was then able to update the failing system.
The way this works is that it creates a Scheduled Task to run GPUPDATE /FORCE on each system in the OU for both USER and COMPUTER portions of the GPO(s).
- This only works on Vista/2008 and newer OS instances
- Uses a random offset of 0-10 minutes for each system, so they don't all jump at once
- A command-prompt window will display when the Task executes on the target machine(s) if a user is logged in – beware possible end-user confusion and possible help-desk calls when this happens
The UI is an 'all-or-nothing' situation. It will refresh GPOs on all systems within the OU – if you need some granularity, you need some (surprise!) Powershell via…
The "Invoke-GPUpdate" cmdlet – http://technet.microsoft.com/library/hh967455.aspx
- Allows you to target one or more specific computers (instead of all in an OU/subOU)
- Allows you to set specific time offset/delay (instead of 0-10 minutes)
- Allows you to restart the target PC or log off any logged on user (if you need to ensure that Policy settings that require a restart or log-off/on get refreshed)
- Other flexible options
Example: Invoke-GPUpdate -Computer DHCP01 -RandomDelayInMinutes 1 -Force
- Does a GPUPDATE /FORCE for user and computer Policies on a computer named DHCP01 with a 1 minute delay
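Putting the granularity to use: the following added example (not from the original post) picks only the computers in an OU whose names match a prefix, schedules the remote refresh on each with Invoke-GPUpdate, and writes a per-machine CSV log the way the "Save" button in the UI does, recording the error text for any machine where the update could not be scheduled. The OU distinguished name, name prefix and log path are constructed for illustration; it assumes the GroupPolicy and ActiveDirectory RSAT modules.

```powershell
# Added example (not from the original post): refresh Group Policy on a chosen subset of
# computers in an OU rather than the whole OU, and keep a CSV log of the outcome per machine.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou         = 'OU=Servers,DC=contoso,DC=com'   # constructed OU distinguished name
$namePrefix = 'DHCP'                           # only touch machines whose name starts with this
$logPath    = "$env:TEMP\gpupdate-$(Get-Date -Format yyyyMMdd-HHmm).csv"

# Enumerate only the computers we intend to refresh. OperatingSystem is pulled so the
# log shows which machines predate Vista/2008, where the remote update is not supported.
$targets = Get-ADComputer -SearchBase $ou -SearchScope Subtree `
    -Filter "Name -like '$namePrefix*' -and Enabled -eq 'True'" `
    -Properties OperatingSystem

$results = foreach ($c in $targets) {
    $entry = [ordered]@{ Computer = $c.Name; OS = $c.OperatingSystem; Result = ''; Error = '' }
    try {
        # Creates the scheduled task that runs gpupdate /force for both user and computer
        # policy on the target, with a random delay of up to 1 minute so the machines
        # do not all start at the same moment.
        Invoke-GPUpdate -Computer $c.DNSHostName -RandomDelayInMinutes 1 -Force -ErrorAction Stop
        $entry.Result = 'Scheduled'
    }
    catch {
        # Typical causes: the remote firewall ports are closed (see the Starter GPOs above),
        # the host is offline, or the caller cannot create scheduled tasks on the target.
        $entry.Result = 'Failed'
        $entry.Error  = $_.Exception.Message
    }
    [pscustomobject]$entry
}

$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Format-Table -AutoSize
"Log written to $logPath"
```

A 'Scheduled' result means the task was created on the remote machine, not that the policy refresh itself has finished; the task still runs after its random delay, and the logged-on user will see the command-prompt window mentioned earlier.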
While you're browsing Powershell as it relates to GPOs, please take a quick look at the "Backup-GPO" cmdlet
- You can learn this in a morning and be backing up all GPOs by lunch – that's the POWER of Powershell
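As an added example (not from the original post) of the "all GPOs by lunch" idea: back up every GPO in the domain to a date-stamped folder, check that the number of backups matches the number of GPOs so a silent failure does not go unnoticed, and drop an HTML settings report next to each backup so the contents can be reviewed without restoring anything. The backup root path is constructed; the cmdlets are from the GroupPolicy RSAT module.

```powershell
# Added example (not from the original post): back up all GPOs, verify the count,
# and save a readable report per GPO alongside the backup.
Import-Module GroupPolicy

$backupRoot = Join-Path 'C:\GPOBackups' (Get-Date -Format 'yyyy-MM-dd_HHmm')   # constructed path
New-Item -Path $backupRoot -ItemType Directory -Force | Out-Null

$allGpos = Get-GPO -All
$backups = Backup-GPO -All -Path $backupRoot -Comment "Scheduled backup $(Get-Date -Format s)"

# Backup-GPO returns one GpoBackup object per GPO it backed up; anything not in that
# list did not make it, so compare against the full GPO inventory.
$backedUpIds = $backups | Select-Object -ExpandProperty GpoId
$missed = $allGpos | Where-Object { $backedUpIds -notcontains $_.Id }
if ($missed) {
    Write-Warning ("{0} GPO(s) were not backed up: {1}" -f @($missed).Count, ($missed.DisplayName -join ', '))
} else {
    "All $(@($allGpos).Count) GPOs backed up to $backupRoot"
}

# Human-readable settings report per GPO, stored next to its backup
foreach ($b in $backups) {
    $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $b.GpoId -ReportType Html -Path (Join-Path $backupRoot "$safeName.html")
}

# To bring one back later, point Restore-GPO at the same folder, for example:
# Restore-GPO -Name 'Default Domain Policy' -Path $backupRoot
```

Schedule this on the member server and keep the folder somewhere that is itself backed up; the HTML reports also give you a dated record of what each GPO looked like, which is what you want when a setting changes and nobody remembers making the change.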
Wrapping up this post, have a look at the GP Reporting improvements (both in Results and Modeling):
A few items of note here:
- Displays visually, right at the top of the report, if/when inheritance is blocked – an immediate flag in terms of troubleshooting
- Displays visually, right at the top of the report, if/when a GPO is Enforced – an immediate flag in terms of troubleshooting
- Whether or not a fast link was detected.
- When Policy was last refreshed and how long it took
- Active links for recent GPO Event Log data on the target machine
Broken record repeat – important note – the updated GPMC tool is ready to go as soon as you deploy your first WS 2012 or Win8 member system w/ RSAT tools installed and enabled (but PLEASE see the edit towards the top of the post).
- No [EDIT – 2012] ADPREP needed
- No WS 2012 DCs required
- No [EDIT – 2012] domain functional levels required
- You can be up and running with this tool by this afternoon
More info about Group Policy (GPMC and beyond) in WS 2012: http://technet.microsoft.com/en-us/library/jj574108.aspx
If you combine the above information with the information from a similar post from Ned Pyle during the beta-days of Windows 8/2012 Server, you'll be well on your way to GPMC Superhero status!
Until next time…