Windows 7 on a 2003R2 domain

[garethedmondson]

We want to evaluate Windows 7 and work on it as much as possible before sending it out to clients. We have been told by the LEA that they will not allow .admx files on the network (cannot remember the reason).

I went to them with the information that AngryTechnician had on his blog here:

http://angrytechnician.wordpress.com/2009/11/05/the-angry-technicians-guide-to-managing-windows-7-you-idiots/#more-1551

They denied my request.

Since then we have been given our own local Domain Controller. This pulls down the policies from the central LEA domain controllers so if the broadband network goes down pupils can still logon et etc.

I believe that policies around the network replicate across all DCs so any I create on the central Dcs will replicate to my DC here on the network (and vice versa).

Now - if I create an admx store on our DC is there any way I can stop that store replicating back up to the central DCs - thus allowing me to test locally with the new Windows 7 admx files but not affecting anything else.

Cheers

Gareth

[powdarrmonkey]

Now - if I create an admx store on our DC is there any way I can stop that store replicating back up to the central DCs - thus allowing me to test locally with the new Windows 7 admx files but not affecting anything else.

No, I don't believe so. They'll replicate all across the domain in case you log in to a machine elsewhere geographically but attached to the same domain.

[FN-GM]

Is there any reason why you could not setup your own domain?

[powdarrmonkey]

Is there any reason why you could not setup your own domain?

LEA policy.

[FN-GM]

That stinks, is it not possible to break away from them?

[garethedmondson]

Is there any reason why you could not setup your own domain?

No - we used to be an RM school and several schools in the LEA used to have seperate network. It was decided by the Heads that they all went back into a central managed service with an SLA. As such that is where we are.

Cannot set up our own domains. We have domain admin rights on our branch of the AD but not Enterprise Admin rights so we cannot destroy anything. It's a huge AD structure - although probably not the biggest ever - with all schools and users. 15 comps, 97 or so primaries quite a few thousand machines over the LEA.

Gareth

[FN-GM]

Thats not to bad i suppose if you have your own domain

[ajbritton]

I'm going to sound like a really boring suit now, but here goes.

Firstly, I would say that if your managed service providers / LA have advised that .ADMX files are not permitted on the domain, then you may put your job at risk if you try to do so.

I know it's a PITA, but this is the way in which larger organisations work. The bigger the system, the greater the risk of making changes and the tighter the change control needs to be.

If it's just the case that you want to get acquainted with Windows 7 in a domain environment, then this is not really justification for messing around with the live production environment on which your schools depend. It would be better to set up a virtual environment on a high spec PC (quad core, 64 bit OS, 8 gb RAM etc). This way you could have the freedom to make whatever changes you want.

Speaking as someone on the other side of the fence as it were, I would suggest that another way to move forward would be to try to engage with whoever runs the network and find out how they are planning to support Windows 7. Perhaps you could offer to help with testing. Either way, the support window for XP is running out. If they are not already planning to support 7, then someone needs to light a fire under them.

[glennda]

Is there any reason why you could not setup your own domain?

could you not just do this to test? its not as if you would need the GPO's in place for xp clients if you want to test win 7

Toby

[cookie_monster]

I don't think you need a central store and the admx files shouldn't be replicated through the sysvol now. If you had a Win7 or 2008R2 box you could create a test GPO that will be created by the local admx files the GPO then just contains the policy file that is generated.

Have a read of this.

Ask the Directory Services Team : Windows 7, Windows Server 2008 R2 and the Group Policy Central Store


Personally I would set up a couple of play boxes, virtualbox or xenserver should help.

[garethedmondson]

I'm going to sound like a really boring suit now, but here goes.

Firstly, I would say that if your managed service providers / LA have advised that .ADMX files are not permitted on the domain, then you may put your job at risk if you try to do so.

I know it's a PITA, but this is the way in which larger organisations work. The bigger the system, the greater the risk of making changes and the tighter the change control needs to be.

If it's just the case that you want to get acquainted with Windows 7 in a domain environment, then this is not really justification for messing around with the live production environment on which your schools depend. It would be better to set up a virtual environment on a high spec PC (quad core, 64 bit OS, 8 gb RAM etc). This way you could have the freedom to make whatever changes you want.

Speaking as someone on the other side of the fence as it were, I would suggest that another way to move forward would be to try to engage with whoever runs the network and find out how they are planning to support Windows 7. Perhaps you could offer to help with testing. Either way, the support window for XP is running out. If they are not already planning to support 7, then someone needs to light a fire under them.

Hi - I agree totally and was not going to do it. I was just asking - collecting opinions and examples before talking to the LEA.

Thanks for the advice though. The LEA are testing Windows 7 so it is on the way. I'm just being impatient :-)

Gareth

[ajbritton]

I'm just being impatient :-)

Nothing wrong with that!

Like I said, I would go for a VM test setup. I find these easier to manage than physical boxes. Simple to try a change and revert to a snapshot if it doesn't work. VMWare Server is your friend.

[cookie_monster]

Don't forget to read the link I posted it gives you a good idea of how GPO's work in 2008+ especially replication.