Deployment Examples

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following two examples illustrate deploying GPOs from staging to production environments. In the first example, the staging domain is located in the same forest as the production domain. In the second example, the staging domain is in a separate forest that is not trusted by the production domain. If you use a separate staging forest that is trusted by the production domain, the steps are the same as in the first example, where the staging domain is part of the production forest.

Staging to a Production Domain in a Single Forest or from a Trusted Staging Forest

When the staging domain is part of your production forest or you have a separate staging forest that is trusted by your production domain, your deployment method depends on whether the GPO is new or changed. If the GPO is new and does not exist in the production domain, use the copy method to deploy the new GPO. If you are deploying an update to an existing GPO, you must use the import method to update the production GPO’s settings with those from the backed-up staging GPO.

In this example, you will deploy a new GPO named Sales OU Workstation Security Policy from the staging domain to the production domain by using GPMC. Figure 3.10 illustrates the staging and production domain configuration and shows the accompanying migration table.

Figure 3.10   Migration from Staging to Production Domain

Before beginning the deployment, load both the source and destination domains in GPMC. If you are copying from a separate trusted forest, open both forests in GPMC.

To deploy a new GPO using the copy method

  1. In GPMC, in the staging domain, right-click the GPO that you plan to migrate and choose Copy from the menu.

  2. In GPMC, in the production domain, right-click Group Policy Objects and choose Paste from the menu or drag-and-drop the source GPO onto the Group Policy Objects node of the destination domain. The Cross-Domain Copying Wizard starts.

  3. On the Cross-Domain Copying Wizard page, click Next, select the option to Preserve or migrate the permissions from the original GPOs, and then click Next.

    If you choose the first option, Use the default permissions for new GPOs, this GPO will receive the default permissions that would be applied to any new GPO in the production domain. For this example, you want to use the second option, Preserve or migrate the permissions from the original GPOs, because that option lets you use a migration table to map the DACL on the staging GPO to its production equivalents.

    The wizard scans the source GPO to determine any security principal or UNC path mapping requirements. After these are found you can advance the wizard to the next step.

  4. On the Migrating References page of the Cross-Domain Copying Wizard, select the option to either copy the security principals exactly as they exist in the source GPO to the destination or to use a migration table to map references and click Next.

    The wizard gives you two choices for performing the migration. The first choice, Copying them identically from the source, leaves all security principals and UNC paths in the new GPO exactly as they are in the source. Because you are migrating a new GPO from the staging environment to the production environment, you need to choose Using this migration table to map them to new values in the new GPOs instead. This option lets you choose a migration table to use as part of the deployment. You further have the option to Use migration table exclusively… If you check this option, the wizard attempts to map every security principal and UNC path using the migration table you specify. If a security principal or UNC path that exists in the source GPO is not present in the migration table, the entire migration fails. This is useful for ensuring that you have accounted for all security principals and UNC paths in your migration table. After you make your choice, move to the next step in the wizard, which is the summary screen prior to migration.

  5. On the Completing the Cross-Domain Copying Wizard page, you can see your chosen migrations options prior to performing the actual migration. This page shows the source GPO you have chosen, the option you chose for migrating permissions and the migration table (if any) that you will be using. If you need to change an option, you can select Back to go back through the wizard and change your choices.

  6. When you click Finish, the migration of the staging GPO begins. Keep in mind that the new GPO is being created in the production domain but will not yet be linked to any container objects.

  7. When the wizard completes the copy operation, right-click the Active Directory site, domain, or OU to which you want to link the copied GPO, and then select Link an Existing GPO from the menu. In the Select GPO dialog box, select the GPO you just copied.

    After you link the new GPO, and replication is complete, the GPO is live in the production domain.

Using a Script to Perform a Copy Deployment

You can also perform a copy deployment by using the script CopyGPO.wsf, which is installed in the Scripts folder in the GPMC installation folder. This script copies a GPO between staging and production domains in a single command. To perform the same copy operation as in the foregoing procedure, use the following command:

Cscript CopyGPO.wsf "Sales OU Workstation Security Policy" "Sales OU Workstation Security Policy" /SourceDomain:staging.contoso.com /TargetDomain:contoso.com /SourceDC:staging-dc1 /TargetDC:prod-DC1 /migrationtable:c:\migtables\SalestoProd.migtable /CopyACL

The first two arguments in this command specify the same name for both the source and target GPO. The next four arguments specify the source and target domain names and a domain controller in each domain. The /migrationtable argument specifies the migration table to use and the /CopyACL argument is used to preserve the DACL from the source GPO and use the specified migration table to map the source DACLs to their production domain equivalents.

Deploying to a Production Domain from an Untrusted Staging Forest

If you are deploying a GPO from a staging forest that is not trusted by the production forest, the only choice for deployment is an import operation. You can also use an import to deploy an update to an existing GPO in the production domain even if a trust relationship exists between the staging and production domains.

Import Operation Prerequisites

Before performing the deployment in this example, there are some prerequisites that you should be aware of:

  • If you are deploying a new GPO by using GPMC, you need to create a new, empty GPO in your production domain that can act as a target for the import operation. Remember that the GPMC import operation works by importing the settings from a backup GPO into an existing destination GPO. However, you can also use the script ImportGPO.wsf to create a new GPO automatically, as part of the import process.

  • Before beginning the import, make sure you back up the GPOs from your staging domain that you plan to deploy to production. This is necessary because the import operation uses backup GPOs rather than live GPOs.

  • If you are using the GPMC UI rather than a script to perform the import, you have the opportunity to back up the current production GPO before completing the import. You should always back up an existing production GPO before deploying a new version in case there are problems with the deployment. In that event, you can perform a restore operation from GPMC to restore the previous version of the GPO.

When these prerequisites have been satisfied, you are ready to deploy a new GPO into the production environment using the import method.

To deploy a new GPO to the production domain using the Import method

  1. In GPMC, in the production domain, right-click the GPO to be updated and select Import Settings from the menu.

    The Import Settings Wizard starts.

  2. In the Import Settings Wizard on the Backup GPO page, select Backup to back up the existing production GPO prior to performing the import, and then click Next. When you select the Backup button, you’re given the option of choosing a location to store your backup and a name to reference it by. Select the Backup button to start the backup process.

    Once the wizard finishes backing up your production GPO, from the Backup location page, you need to choose the folder that contains the backup of the staging GPO that you want to import. You must have access to the folder where you backed up your staging GPOs. If your backups were made on a server in your staging forest, you might need to map a drive to that folder from the workstation where you are running the import operation, using credentials from the staging forest.

  3. After you select the backup folder, choose Next to display the Source GPO page. This page presents the list of backup GPOs, from which you can choose the staging GPO you want to import. Once you make the choice, click Next.

  4. On the Migrating References page, you will see the same options for migrating security principals as in the Cross-Domain Copying Wizard used in the previous copy method. You can choose to either use the existing security principal information contained in the staging GPO or apply a migration table against it. Because you are deploying a GPO from a staging domain that does not have a trust relationship with the production domain, you must use a migration table to migrate security principal and UNC path information. Otherwise, the security principals and UNC paths referenced in the untrusted forest cannot be resolved by the production domain. To select a migration table to use, choose the Using this migration table to map them in the destination GPO option and then select a path to the migration table you created for this migration. You can select the Use migration table exclusively… option to import the GPO only if all security principals found in the backed-up version are accounted for in the migration table.

  5. Select Next to view the Completing the Import Settings Wizard page which presents a summary of your chosen migration options. You can select Back if you need to go back to change some of the options prior to the import. Select Finish to start the import operation.

    If you created the production GPO from scratch to perform this import, you will need to link the new GPO to the appropriate container object. To link the GPO, in GPMC, in the production domain, right-click the Active Directory site, domain, or OU to which you want to link the imported GPO and choose Link an Existing GPO from the menu. Once you link the new GPO and replication is complete, the GPO is live in the production domain.
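The Use migration table exclusively… option described in step 4 of both wizards fails the whole copy or import if any security principal or UNC path in the source GPO has no entry in the migration table. The following Python script is an added example, not part of the original documentation or of GPMC, that performs that check ahead of time: it parses a migration table and reports which source references are unmapped (the exclusive option would fail), which are dropped, and which still resolve into the staging forest and therefore cannot be resolved by an untrusted production domain. The sample table and the list of source references are constructed; the element names (Type, Source, Destination, DestinationSameAsSource, DestinationNone, DestinationByRelativeName) are assumed to match what the GPMC Migration Table Editor writes, and a real .migtable file should be loaded from that editor's output.

```python
"""Pre-flight check of a GPMC migration table against the references in a
source GPO, mirroring what "Use migration table exclusively" enforces:
every security principal and UNC path in the source needs an entry, or the
whole copy/import fails. Added example; not GPMC code."""
import xml.etree.ElementTree as ET

# Namespace the GPMC Migration Table Editor writes into .migtable files (assumed).
MT_NS = "{http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable}"

# Constructed sample table, one Mapping per source reference.
SAMPLE_MIGTABLE = r"""<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>Sales Admins@staging.contoso.com</Source>
    <Destination>Sales Admins@contoso.com</Destination>
  </Mapping>
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>Sales Users@staging.contoso.com</Source>
    <DestinationByRelativeName />
  </Mapping>
  <Mapping>
    <Type>User</Type>
    <Source>svc-logon@staging.contoso.com</Source>
    <DestinationSameAsSource />
  </Mapping>
  <Mapping>
    <Type>User</Type>
    <Source>tester@staging.contoso.com</Source>
    <DestinationNone />
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\staging-fs1\logonscripts</Source>
    <Destination>\\prod-fs1\logonscripts</Destination>
  </Mapping>
</MigrationTable>
"""

# Constructed list of references found in the backed-up staging GPO (what the
# Migration Table Editor gathers with "Populate from Backup").
SAMPLE_SOURCE_REFS = [
    ("GlobalGroup", "Sales Admins@staging.contoso.com"),
    ("GlobalGroup", "Sales Users@staging.contoso.com"),
    ("LocalGroup", "Sales Helpdesk@staging.contoso.com"),  # no table entry
    ("User", "svc-logon@staging.contoso.com"),
    ("User", "tester@staging.contoso.com"),
    ("UNCPath", r"\\staging-fs1\logonscripts"),
]


def parse_migration_table(xml_text, target_domain):
    """Return {source (lower-cased): destination}. None means the reference is
    dropped (DestinationNone); relative-name entries resolve to target_domain."""
    root = ET.fromstring(xml_text)
    table = {}
    for entry in root.iter(MT_NS + "Mapping"):
        source = (entry.findtext(MT_NS + "Source") or "").strip()
        if entry.find(MT_NS + "DestinationSameAsSource") is not None:
            dest = source
        elif entry.find(MT_NS + "DestinationNone") is not None:
            dest = None
        elif entry.find(MT_NS + "DestinationByRelativeName") is not None:
            dest = source.split("@", 1)[0] + "@" + target_domain
        else:
            dest = (entry.findtext(MT_NS + "Destination") or "").strip()
        table[source.lower()] = dest
    return table


def check_references(source_refs, table, source_domain):
    """Classify each source reference the way the exclusive option would."""
    report = {"mapped": {}, "dropped": [], "unmapped": [], "stale": []}
    for _ref_type, value in source_refs:
        key = value.lower()
        if key not in table:
            report["unmapped"].append(value)
            continue
        dest = table[key]
        if dest is None:
            report["dropped"].append(value)
            continue
        report["mapped"][value] = dest
        # Destination still names the staging forest: an untrusted production
        # domain cannot resolve it, so the entry needs a real production value.
        if dest.lower() == key or source_domain.lower() in dest.lower():
            report["stale"].append(value)
    # Any unmapped reference makes an exclusive copy/import fail outright.
    report["exclusive_would_fail"] = bool(report["unmapped"])
    return report


def run_check():
    """Run the check over the constructed table and references."""
    table = parse_migration_table(SAMPLE_MIGTABLE, target_domain="contoso.com")
    return check_references(SAMPLE_SOURCE_REFS, table, source_domain="staging.contoso.com")


if __name__ == "__main__":
    rep = run_check()
    for kind in ("unmapped", "stale", "dropped"):
        for ref in rep[kind]:
            print(f"{kind:8} {ref}")
    print("exclusive migration would fail:", rep["exclusive_would_fail"])
```

Run against the constructed data, the check reports Sales Helpdesk as unmapped (so an exclusive migration would fail), svc-logon as stale because DestinationSameAsSource keeps it in the untrusted staging forest, and tester as dropped. Fixing the table before running the wizard or CopyGPO.wsf/ImportGPO.wsf avoids a failed run or a production GPO that carries unresolvable references.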

Using a Script to Perform an Import Deployment

You can also perform an import deployment by using the script ImportGPO.wsf, which is installed in the Scripts folder in the GPMC installation folder. This script lets you import a backup GPO into your production domain. If the target GPO does not yet exist, the script also lets you create a new GPO to receive the import as part of the process. To perform the same import operation as described in the previous procedure, type the following command:

Cscript ImportGPO.wsf c:\gpobacks "Sales OU Workstation Security Policy" "Sales OU Workstation Security Policy" /CreateIfNeeded /MigrationTable:c:\migtables\salesprod.migtable /Domain:contoso.com

The first argument in this command specifies the location of the backup GPO files. The second argument specifies the name of the backed-up GPO to import from (you can instead provide the Backup ID, which is a 128-bit GUID value generated by the backup utility to uniquely identify the backup). The third argument specifies the name of the destination GPO to import into. The /CreateIfNeeded argument indicates that if the destination GPO does not yet exist, it should be created before performing the import. The /MigrationTable argument specifies the path and name of the migration table file. The /Domain argument provides the DNS name of the destination domain.

Rollback

In the event that you have a problem with a GPO after you deploy it from the staging environment to the production environment, the best way to roll back the deployment is to use the backup GPO you created in the previous deployment steps to restore the original GPO. You can also use the RestoreGPO.wsf script to perform the restore process. As part of your deployment, it is a good idea to create a set of scripts that can perform an automated rollback of all of your changes using RestoreGPO.wsf. In the event that you need to perform a rollback, the script is ready and available to use with minimal user disruption.
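One way to keep such a rollback ready is to have the deployment script record, for every production GPO it backs up before importing, where the backup went and its Backup ID, and to generate the RestoreGPO.wsf commands from that record. The following Python script is an added example, not part of the original documentation or of GPMC: it reads a constructed manifest (one JSON object per line, with placeholder Backup IDs rather than real GUIDs), emits one restore command per GPO in reverse deployment order, and either prints them (dry run) or runs them and stops at the first failure. The RestoreGPO.wsf argument layout (backup location, Backup ID, /Domain:) and the GPMC installation path are assumptions; confirm both against your own installation.

```python
"""Generate and optionally run the RestoreGPO.wsf rollback for a deployment,
from a manifest written at deployment time. Added example; not GPMC code."""
import json
import os
import subprocess

# Assumed default GPMC installation path; adjust to your Scripts folder.
RESTORE_SCRIPT = r"C:\Program Files\GPMC\Scripts\RestoreGPO.wsf"

# Constructed manifest: the deployment script appends one line after each
# pre-import backup succeeds. Backup IDs here are placeholders, not GUIDs.
SAMPLE_MANIFEST = r"""
{"gpo": "Sales OU Workstation Security Policy", "backup_location": "c:\\gpobacks\\prod", "backup_id": "{BACKUP-ID-PLACEHOLDER-1}", "domain": "contoso.com"}
{"gpo": "Sales OU User Policy", "backup_location": "c:\\gpobacks\\prod", "backup_id": "{BACKUP-ID-PLACEHOLDER-2}", "domain": "contoso.com"}
"""


def load_manifest(text):
    """Parse the JSON-lines manifest in deployment order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rollback_commands(entries, restore_script=RESTORE_SCRIPT):
    """One cscript command per entry, last deployed GPO restored first.
    Argument layout (BackupLocation, BackupID, /Domain:) is an assumption;
    check it with 'cscript RestoreGPO.wsf /?' on your installation."""
    commands = []
    for entry in reversed(entries):
        commands.append([
            "cscript", "//nologo", restore_script,
            entry["backup_location"], entry["backup_id"],
            "/Domain:" + entry["domain"],
        ])
    return commands


def run_rollback(entries, dry_run=True):
    """Dry run returns the command lines; a real run returns each exit code
    and raises on the first failure so a partial rollback is reported."""
    outcomes = []
    for cmd in rollback_commands(entries):
        if dry_run:
            outcomes.append(subprocess.list2cmdline(cmd))
            continue
        backup_location = cmd[3]
        if not os.path.isdir(backup_location):
            raise FileNotFoundError(f"backup location missing: {backup_location}")
        result = subprocess.run(cmd, capture_output=True, text=True)
        outcomes.append(result.returncode)
        if result.returncode != 0:
            raise RuntimeError(f"restore failed for {cmd[4]}\n{result.stdout}{result.stderr}")
    return outcomes


if __name__ == "__main__":
    for line in run_rollback(load_manifest(SAMPLE_MANIFEST), dry_run=True):
        print(line)
```

The manifest is appended to by the deployment script immediately after each backup completes, so the rollback commands exist before the first production GPO is changed; restoring in reverse order undoes the most recent change first.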