Deployment Precautions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To ensure uninterrupted service to your users, it is a good idea to observe some precautions when migrating staged GPOs to your production environment. Although migrating new GPOs is typically a quick process that does not adversely impact production users or computers, it is prudent to avoid making such a change until the least possible number of users will be affected. Typically this might be during off hours, when users are not active on the network.

Remember that when a GPO is updated, the update is performed first against the Domain Controller that is currently targeted by GPMC for a particular domain. If you are using GPMC to perform the migration, you can click the Domains item in the console tree to see which DC is currently being used for each domain under management. To change the DC, right-click the domain name and choose Change Domain Controller from the menu before migrating your changes.

GPO Replication

Keep in mind that GPO changes propagate according to your Active Directory replication and Sysvol File Replication service topologies, and therefore might take an extended period of time to replicate to all locations in a worldwide Active Directory deployment. Also keep in mind that a GPO is composed of two parts — the portion that is stored and replicates as part of Active Directory, and the portion that is stored and replicates as part of Sysvol. Because these are two separate objects that need to replicate across your network, both need to be synchronized before the new GPO is applied.

You can view the replication status on a given DC by using GPMC. From the Group Policy Objects node in GPMC, click a GPO to check, and then select the Details tab in the details pane. If the GPO is synchronized on that DC, the Active Directory and Sysvol version numbers will be identical for user and computer configuration. However, the user version numbers do not need to match the computer version numbers.
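The same check can be scripted across every DC in a domain. The following is an added example, not part of the original documentation. It assumes Windows PowerShell 3.0 or later with the GroupPolicy and ActiveDirectory modules, which ship with later versions of the management tools rather than with Windows Server 2003. The function name, GPO name, and domain name are hypothetical.

```powershell
# Added example: compare Active Directory and Sysvol version numbers of one GPO on each DC.
# Assumes the GroupPolicy and ActiveDirectory modules are installed (not available on Windows Server 2003).
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoVersionSync {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $GpoName,   # display name of the GPO to check
        [Parameter(Mandatory)] [string] $Domain     # DNS name of the domain that holds the GPO
    )
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $row = [ordered]@{
            DC = $dc.HostName
            UserAD = $null; UserSysvol = $null
            ComputerAD = $null; ComputerSysvol = $null
            InSync = $false; Note = ''
        }
        try {
            # -Server makes the query run against this specific DC
            $gpo = Get-GPO -Name $GpoName -Domain $Domain -Server $dc.HostName -ErrorAction Stop
            $row.UserAD         = $gpo.User.DSVersion
            $row.UserSysvol     = $gpo.User.SysvolVersion
            $row.ComputerAD     = $gpo.Computer.DSVersion
            $row.ComputerSysvol = $gpo.Computer.SysvolVersion
            # Synchronized means AD equals Sysvol separately for user and for computer;
            # the user numbers do not have to equal the computer numbers.
            $row.InSync = ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion) -and
                          ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion)
        } catch {
            # Lookup failed on this DC, for example the GPO has not replicated there yet
            # or the DC could not be reached.
            $row.Note = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Constructed sample names; replace with your own GPO and domain.
Test-GpoVersionSync -GpoName 'Staged Desktop Policy' -Domain 'corp.example.com' |
    Format-Table -AutoSize
```

Any row with InSync set to False identifies a DC where the Active Directory and Sysvol portions of the GPO have not yet converged.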

Requirements for Performing the Deployment

The primary requirement to keep in mind as you prepare to deploy your staged GPOs to your production environment is whether you have sufficient permissions on the destination GPOs. You typically need only read access to the source domain to complete a deployment. Depending on the configuration of your staging environment, you might need to take some specific steps prior to migration. If you are performing a copy operation, you will need to have sufficient permissions to create a new GPO in the destination domain. If you are importing a backup GPO, you will need to be able to read the backup files, wherever they might be located, and then have sufficient permissions to modify an existing GPO in the destination domain that is the target of the import operation. Finally, you should ensure that the migration table that you created for each GPO that requires one is stored where it is accessible to you while performing the migration. The following checklist summarizes the items to verify before running the migration:

  • For a copy operation: ensure that the destination domain is trusted by the source domain and that you have GPO Creation permissions on the destination domain.

    You can confirm GPO Create permissions on a domain by using GPMC. Click the Group Policy Objects node and, in the details pane, select the Delegation tab to see which users or groups can create new GPOs in the domain.

  • For an import operation: ensure that you have access to the backup GPO files and that you have GPO Edit Settings permission on the destination GPO.

  • If you are using a migration table (.migtable): ensure that you have access to the file from GPMC.