With Windows Server 2012, there are tools, features and functions that are available from the first member server (or Win8 PC with the RSAT pack - http://www.microsoft.com/en-us/download/details.aspx?id=28972).
** You don't need a schema extension, you don't need to deploy any 2012 Domain Controllers, you don't need to flip the bit to Domain or Forest Functional Levels. All you need to do is install the OS and install/enable the Remote Server Administration Tools.
********** EDIT ************
While you don't need the WS 2012 or newer schema extensions, my lab has met a few minimum AD/OS milestones:
Otherwise, you may get an error on the Infrastructure Status tab of the UI stating that "A processing error occurred collecting data using this base domain controller. Please change the base domain controller and try again."
******* END EDIT *********
In this post, I'll show you some things in the updated "Group Policy Management Console" (GPMC).
Before I show off some of the coolness of the new GPMC, hop on the 'way-back' machine and recall the joys of GPO editing circa Windows 2000….anyone remember doing that?
The GPMC is one of those rare IT gems – free, easy to use without too much ramp-up or massive whitepapers to pour through before you're able to make use of the tool and get some work done.
We got it right with that tool….and it has some great improvements in 2012.
When you open the GPMC, there is now a 'Status' tab. This shows 'at-a-glance' replication status of the Group Policy elements across your DCs.
This first screen shot shows that "Infrastructure Status" data has not been gathered yet for this domain and that DC01 is the current "baseline domain controller" (which can be changed).
Click "Detect Now" at the bottom of the tab to initiate the data gathering and comparison against the baseline DC.
** WARNING ** This can take some time in a large AD environment, as it has to check multiple items on EACH DC in the domain.
Click the circle-arrow buttons to see more detail … currently showing that all four GPOs in the domain are in full sync between my baseline DC and my one other DC.
Refresh the console to see how the DCs drift from full sync as GPOs are edited and replication occurs…
If you click the "GPO version" link under "Active Directory" or "SysVol", a dialog displays which shows the version numbers for the GPO(s) not yet in sync…
Refresh the console again to see the replication status settle back into full sync against the baseline DC…
Here's a screenshot of the same process with the "baseline domain controller" being a 2003 R2 DC which also hosts all 5 FSMOs in my lab domain/forest.
And the Domain/Forest functional levels are still at 2003
Next up is remote GP Update – yes ladies and gentlemen, you can select an OU and choose to initiate a GPUpdate /FORCE on the computers within that OU.
Two computers are found in the target OU (and any sub-OUs)…
The update fails against one. We can "Save" the log to a CSV file for documentation, historical tracking or further troubleshooting work.
I opened the appropriate firewall ports via the "Group Policy Remote Update Firewall Ports" Starter GPOs which are part of WS 2012, too. I was then able to update the failing system.
The way this works, is it creates a Scheduled Task to run GPUPDATE /FORCE on each system in the OU for both USER and COMPUTER portions of the GPO(s).
Wrapping up this post, have a look at the GP Reporting improvements (both in Results and Modeling):
A few items of note here:
Broken record repeat - important note – the updated GPMC tool is ready to go as soon as you deploy your first WS 2012 or Win8 member system w/ RSAT tools installed and enabled (but PLEASE see the edit towards the top of the post).
More info about Group Policy (GPMC and beyond) in WS 2012: http://technet.microsoft.com/en-us/library/jj574108.aspx
If you combine the above information with the information from a similar post from Ned Pyle during the beta-days of Windows 8/2012 Server, you'll be well on your way to GPMC Superhero status!
Until next time…