With Windows Server 2012, there are tools, features and functions that are available from the first member server (or Win8 PC with the RSAT pack - http://www.microsoft.com/en-us/download/details.aspx?id=28972).
** You don't need a schema extension, you don't need to deploy any 2012 Domain Controllers, you don't need to flip the bit to Domain or Forest Functional Levels. All you need to do is install the OS and install/enable the Remote Server Administration Tools.
In this post, I'll show you some things in the updated "Group Policy Management Console" (GPMC).
Before I show off some of the coolness of the new GPMC, hop on the 'way-back' machine and recall the joys of GPO editing circa Windows 2000….anyone remember doing that?
The GPMC is one of those rare IT gems – free, easy to use without too much ramp-up or massive whitepapers to pour through before you're able to make use of the tool and get some work done.
We got it right with that tool….and it has some great improvements in 2012.
When you open the GPMC, there is now a 'Status' tab. This shows 'at-a-glance' replication status of the Group Policy elements across your DCs.
This first screen shot shows that "Infrastructure Status" data has not been gathered yet for this domain and that DC01 is the current "baseline domain controller" (which can be changed).
Click "Detect Now" at the bottom of the tab to initiate the data gathering and comparison against the baseline DC.
** WARNING ** This can take some time in a large AD environment, as it has to check multiple items on EACH DC in the domain.
Click the circle-arrow buttons to see more detail … currently showing that all four GPOs in the domain are in full sync between my baseline DC and my one other DC.
Refresh the console to see how the DCs drift from full sync as GPOs are edited and replication occurs…
If you click the "GPO version" link under "Active Directory" or "SysVol", a dialog displays which shows the version numbers for the GPO(s) not yet in sync…
Refresh the console again to see the replication status settle back into full sync against the baseline DC…
Here's a screenshot of the same process with the "baseline domain controller" being a 2003 R2 DC which also hosts all 5 FSMOs in my lab domain/forest.
And the Domain/Forest functional levels are still at 2003
Next up is remote GP Update – yes ladies and gentlemen, you can select an OU and choose to initiate a GPUpdate /FORCE on the computers within that OU.
Two computers are found in the target OU (and any sub-OUs)…
The update fails against one. We can "Save" the log to a CSV file for documentation, historical tracking or further troubleshooting work.
I opened the appropriate firewall ports via the "Group Policy Remote Update Firewall Ports" Starter GPOs which are part of WS 2012, too. I was then able to update the failing system.
The way this works, is it creates a Scheduled Task to run GPUPDATE /FORCE on each system in the OU for both USER and COMPUTER portions of the GPO(s).
Wrapping up this post, have a look at the GP Reporting improvements (both in Results and Modeling):
A few items of note here:
Broken record repeat - important note – the updated GPMC tool is ready to go as soon as you deploy your first WS 2012 or Win8 member system w/ RSAT tools installed and enabled.
More info about Group Policy (GPMC and beyond) in WS 2012: http://technet.microsoft.com/en-us/library/jj574108.aspx
If you combine the above information with the information from a similar post from Ned Pyle during the beta-days of Windows 8/2012 Server, you'll be well on your way to GPMC Superhero status!
Until next time…
psexec @computerlist.txt gpupdate /force
BTW, Invoke-GPUpdate needs remoting enabled or not? Or it does something similar as executing schtasks /s RemoteServer TASK-DETAILS, where only open ports are necessary?
Jose - PSEXEC is a super-handy tool!
For the INVOKE-GPUpdate, you just a few firewall rules enabled on the remote system(s) allowing connectivity:
--Remote Scheduled Tasks Management (RPC)
--Remote Scheduled Tasks Management (RPC-ERMAP)
--Windows Management Instrumentation (WMI-IN)
I miss in the blog the Process and back compatible for update the CentralStore Folder in the Sysvol. Update admx and adml Files.
Thanks for a Part II
Stive - do a search on this blog for "ADMX" and you'll find two great articles for moving to the Central Store model. Cheers!
Great post Michael.
Santosh - Glad you liked it!
Two things about the Infrastructure Status
- It does not examine folders outside the Policies folder contents. For example, it does not examine NETLOGON or the central ADMX store PolicyDefinitions folder.
- If ADMs are configured to be stored only in the PDCE and filter out so they do not replicate to the rest of the DCs, “replication in progress” will be seen for all DCs.
Gladys - thanks for the pointer to some helpful "real world" information!
Really good topic
Now what is missing:
Rebooting PCs within OU
Renaming PC's within OU
Right click ANY PC's / Servers in OU and start RDP
Right click ANY PC's / Servers in OU and get network configuration, IP addresses
Right click ANY PC's / Server in OU and push a printer.
Show Currently Logged On Users on any given PC
Fireup remote command prompt
Fireup remote task manager
Just some of the VERY basic tasks that 3rd party vendors can do EEEEEEAAAAASILY but not from 14 YEARS Mature Active Directoiry!
Kevin - thanks.
Amy - I hear ya ... there are things we can offer for some of your requests. There is a mod you can make to DSA.MSC so the right-click menu has a 'Connect via RDP...' choice (www.microsoft.com/.../details.aspx).
Server Manager on 2012 can get you remote PowerShell sessions, RDP, restart computer, IP addr, computer management and a few other 'right click' choices. See my Server Manager post for some details - blogs.technet.com/.../welcome-to-server-manager-2012-style.aspx
It's not 100% but it's more than nothing ... Cheers!