Migrating GPOs Across Domains

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Taking a GPO in a given domain and creating a new GPO that contains the same set of policies in a different domain is a central function of GPMC.

Although the collection of settings in a GPO is logically a single entity, the data for a single GPO is stored in multiple locations and in a variety of formats; some data is contained in Active Directory and other data (of various types) is stored on the Sysvol file share on the domain controllers. This means that copying GPOs is not as simple as taking a directory and copying it from one computer to another.

In addition to the complex way in which GPO data is stored, certain policy data may be valid in one domain but be invalid in the domain that the GPO is being copied to. For example, Security Identifiers (SIDs) stored in security policy settings are often domain specific. In addition, Universal Naming Convention (UNC) paths for folder redirection or software installation policies may not work properly if the data in the GPO is copied without modification to a different domain.

Migration Tables

The solution is to modify these references in the GPO that are domain-specific, during the import or copy operation, so that the settings in the destination GPO are written with the appropriate information for the destination domain. GPMC supports this capability using migration tables.

A migration table is a file that maps references to users, groups, computers, and UNC paths in the source GPO to new values in the destination GPO. A migration table consists of one or more mapping entries. Each mapping entry consists of a type, source reference, and destination reference. If you specify a migration table when performing an import or copy, each reference to the source entry will be replaced with the destination entry when writing the settings into the destination GPO.

The migration table will apply to any references in the settings within a GPO, whether you are performing an import or copy operation. In addition, during a copy operation, if you choose the option to preserve the discretionary access control list (DACL) on the GPO, the migration table will also apply to both the DACL on the GPO and the DACLs on any software installation settings in the GPO.

Migration tables store the mapping information as XML, and have their own file name extension, .migtable. You can create migration tables using the Migration Table Editor (MTE). The MTE is a convenient tool for viewing and editing migration tables without having to work in, or be familiar with, XML. The MTE is associated with the .migtable extension so that when you double click a migration table, it opens in the MTE. The MTE is installed with GPMC. You can also create and edit migration tables using any XML editor or using the GPMC scripting interfaces.

GPMC as the Solution for Migrating GPOs

There are four operations that GPMC provides to allow for archival and recovery of GPOs, and for migrating GPOs from one environment to another:

  • Copy. A copy operation allows you to transfer settings from an existing GPO in Active Directory directly into a new GPO. The new GPO created during the copy operation is given a new GUID and is unlinked. You can use a copy operation to transfer settings to a new GPO in the same domain, another domain in the same forest, or a domain in another forest. Because a copy operation uses an existing GPO in Active Directory as its source, trust is required between the source and destination domains. Copy operations are suited for moving Group Policy between production environments, and for migrating Group Policy that has been tested in a test domain or forest to a production environment, as long as there is trust between the source and destination domains.

  • Backup. Backing up a GPO copies the data in the GPO to the file system. The backup function also serves as the export capability for GPOs. A GPO backup can be used to restore the GPO to the backed-up state, or to import the settings in the backup to another GPO.

  • Import. The Import operation transfers settings into an existing GPO in Active Directory using a backed-up GPO in the file system location as its source. Import operations can be used to transfer settings from one GPO to another GPO within the same domain, to a GPO in another domain in the same forest, or to a GPO in a domain in a different forest. The import operation always places the backed-up settings into an existing GPO. It erases any pre-existing settings in the destination GPO. Import does not require trust between the source domain and destination domain. Therefore it is useful for transferring settings across forests and domains that don't have trust. Importing settings into a GPO does not affect its DACL, links on sites domains or organizational units to that GPO, or a link to a WMI filter.

  • Restore. Restoring a GPO re-creates the GPO from the data in the backup. A restore operation can be used in both of the following cases: the GPO was backed up but has since been deleted, or the GPO is live and you want to roll back to a known previous state.

Each of these operations can be performed through the GPMC user interface, or through the GPMC scripting model.

For more information, see the following resources: