Windows Server 2008 R2 Thread, Single 2008x86 DC -> R2 : To swing or not to swing... ? in Technical; Scenario is a Primary with just the one existing 2008x86 DC (Enterprise). Being able to manage GP from the console ...
15th May 2011, 09:32 PM #1
Single 2008x86 DC -> R2 : To swing or not to swing... ?
Scenario is a Primary with just the one existing 2008x86 DC (Enterprise). Being able to manage GP from the console (remotely) is a key requirement, but although they're not using it yet Windows 7 isn't supported blah-blah. There isn't any nasty 3rd party s/w with it's claws embedded in the DC, print drivers could be that occasional 65 & 32-bit fail though.
Option 1: Make a little Win 7 + RSAT VM you can fire up on the server on when you do need to play with GP settings. [We have ample h/w resources available)
Option 2: Swing migrate, ensuring the result has the same name as the original via an (external) 2008 R2 VM. May need to fix-up some GPP SIDs afterwards though.
Head says the first option, heart says the second (albeit with head heckling about greater endeavour - twice, coz I'd likely run through it virtually first).
Anyone have any opinions based on real experience?
Last edited by PiqueABoo; 15th May 2011 at 09:44 PM.
Reason: resources for VM
15th May 2011, 09:42 PM #2
Ok question before I answer your question, I have an idea, just need to confirm what extually you have
You say you have one single DC
Is this your only server? You could have another server(s) thats not a dc
How many hard drives has the server got? also how much RAM does it have?
15th May 2011, 10:02 PM #3
Why not bring up a 2008r2 server as a dc for failover. This then cures your issue and gives you a backup dc.
15th May 2011, 10:12 PM #4
You won't be able to do an inplace upgrade of the 2008 x86 box straight to 2k8 r2 as its x64 only.
but i would get another server and promote as dc and possible file store then hide somewhere in your school so that you have a second copy of AD as its a pain to restore!
15th May 2011, 10:34 PM #5
Bring up a virtual 2008 r2 DC copy whats required, demote other one then reinstall as 2008 r2 no swing needed.
15th May 2011, 10:39 PM #6
Server is the only one and it's Enterprise, it's has a few years life in it and has 8GB RAM with more than half of that 'spare' i.e. there are no serious obstacles for the proposed Win7 VM.
It's Primary, there is no money in most of those including this one, so a new second server simply isn't viable.
I know about the lack of in-place upgrade path , hence "swing" via a (temporary) VM - a significant point in this would be to only replace the (lots of space) system partition, leaving the mountains of user data and it's perms etc. on other logical drives throughout.
Nowhere to keep it, so I need to "take down" that VM, which would likely be on my laptop, afterwards i.e. new R2 install on original h/w gets promo'd and all the FSMOs back, virtual DC is depromo'd and disappeared from AD i.e. what is conventionally called a swing migration.
Bring up a virtual 2008 r2 DC copy
Last edited by PiqueABoo; 15th May 2011 at 11:04 PM.
15th May 2011, 11:04 PM #7
Im hoping you have some sort of backups going on?
Originally Posted by PiqueABoo
Ok what I sugguest
As you said you have all the user files etc on the other hard drives, that leaves you able to do the following
Create a virtual server (2008, not r2 as you cant run a 64bit virtual server as you running a 32bit server) transfer all the roles to this virtual server (makeing sure you save the files for the virtual server to another hard disk/partition)
then demote the physical server as a DC.
Makes sure any files on the system drive/partiton is copy to another drive
Now as you have a virtual server running for the domain you can now reload the physical server to Server 2008 R2. Of course your need to do this during half term, unless the school can have downtime
Once Server 2008 R2 is installed you can install hyper-v again add the virual server back on to server thats still saved on the other drive.
Transfer everything roles etc on the physical server, setup how you want it
Once this is done demote the virtual server.
Make a new virtual server (2008 R2)
Just make this a Domain Controller, this would be a backup just incase a problem arises on the first Domain Controller
Long progress, but thats all I can think off.
16th May 2011, 12:35 AM #8
Swing is longwinded but will give you better upgrade paths in future as 32bit is a deadend. I have to ask though, why not just copy the policy files from a Windows 7 box into the certral policy store. That way you can manage all the Windows 7 settings and don't really need to change anything.
In Group Policy for versions of Windows earlier than Windows Vista, if you modify Administrative template policy settings on local computers, the Sysvol share on a domain controller within the domain is automatically updated with the new ADM files. In Group Policy for Windows Server 2008 and Windows Vista, if you modify Administrative template policy settings on local computers, Sysvol will not be automatically updated with the new ADMX or ADML files (ADML files are XML-based ADM files that contain language-specific settings). This change in behavior is implemented to reduce network load and disk storage requirements, and to prevent conflicts from occurring between ADMX files and ADML files when edits to Administrative template policy settings are made across different locales. To ensure that any local updates are reflected in Sysvol as well, you must manually copy the updated ADMX or ADML files from the PolicyDefinitions folder on the local computer to the Sysvol\PolicyDefinitions folder on the appropriate domain controller.
Here are the latest templates, it should just be a case of installing it then copying from %Systemroot%\PolicyDefinitions to sysvol\PolicyDefinitions
Last edited by SYNACK; 16th May 2011 at 01:03 AM.
16th May 2011, 09:07 AM #9
I especially want to manage Win7, IE8 etc. GPPs on the DC and rightly|wrongly assumed you need Win7 RSAT or the R2 editor for that?
why not just copy the policy files from a Windows 7 box into the certral policy store. That way you can manage all the Windows 7 settings
PS: Have they sorted IE9 preferences yet?
Last edited by PiqueABoo; 16th May 2011 at 09:10 AM.
16th May 2011, 09:22 AM #10
I think you're making it way too complicated for a primary school and possibly frightening the head into thinking that excess 'mucking' around with a system that works (in his eyes) won't work afterwards.
Is the aim to have gp control over windows 7? I'd go for the RSAT option but would just install it on the first windows 7 machine you get.
16th May 2011, 09:22 AM #11
You can manage your Windows 7 clients from a mix of 2008 and R2 DCs. I'm not 100% as I set my clients up on R2, but I believe all 7 policies can be managed from 2008 - the key switch was in moving from 2003 where .admx was not supported. As long as you update the central store, should be fine.
You'll want a second DC though
16th May 2011, 12:16 PM #12
This isn't going anywhere near the Head's delicate constitution. I'm essentially on your side, but hassle-free remote access to all necessary GPO/GPP config tools on the DC is a *requirement* (remote support=lower cost).
I think you're making it way too complicated for a primary school and possibly frightening the head
I'm prepared to accept that updating the ADM[X]s SYNACK posted will likely expose new Win7/R2 GPO policies in the existing 2008 editing because we all know how they work etc., I'm doubtful about the GPPs.
I believe all 7 policies can be managed from 2008
16th May 2011, 12:45 PM #13
You have 2008 which has the same ADMX editor as the later versions the only difference is the templates as above, update those and your done. You will be ably to fully manage the Windows 7 GPOs on the server (all in about 20 minutes worth of work ). Not sure about the IE9 prefs, have not had to change any since IE8 so has not really come up.
Originally Posted by PiqueABoo
16th May 2011, 12:46 PM #14
GPPs are available on 2008 here, identical to R2.
16th May 2011, 03:36 PM #15
Here's some MS DS blog text:
Windows 7 ADMX files now include support for two registry types: REG_MULTI_SZ and REG_QWORD. The REG_MULTI_SZ registry data type represents multi strings entries within a single registry value. The REG_QWORD registry data type represents a 64-bit number, which is twice the size of the 32-bit number stored in REG_DWORD. These new aspects of the ADMX syntax are only viewable when using the GPMC and Group Policy editors from Windows Server 2008 R2 or Windows 7 Remote Server Administration Tools (RSAT). Group Policy editors and the GPMC from Windows Vista cannot read ADMX files containing this new syntax.
My emphasis. I just have experienced and I'm certain you will get a complaints if you try getting 2008 GPMC/GPME to use Win7/R2 ADMXs. Specifically these are about terminalserver-server.admx which I simply removed from the central store because I don't think I'll need that in this scenario. That done it all seems happy and although I can't say anything about the Software and Windows Settings, I have Win7/R2 specific policy settings in Administrative Template using the 2008 tools.
As for GPP identical-ness this did nothing for that - go to Internet Settings and the newest IE you get is still IE7, not the IE8 you have with R2.
I'm rethinking all of this: On reflection IE is the only GPP that's bothering me and as remarked above I believe you have the same problem on R2 just shifted a version upwards - you can make GPPs for IE8 but not IE9. This is a pain, I really liked the IE GPPs for their idiot-friendliness but if MS aren't going to add GPP support for new versions then I think I'll have to revert to the old method. You can edit the relevant sysvol XML file as an obviously unsupported workaround, but that edit can get reverted very easily.
By danielson81 in forum General Chat
Last Post: 5th March 2009, 09:01 AM
By beeswax in forum General Chat
Last Post: 21st January 2009, 09:53 AM
By mattx in forum Jokes/Interweb Things
Last Post: 19th October 2008, 04:21 PM
By beast_gts in forum Hardware
Last Post: 1st June 2007, 02:47 PM
By faza in forum General Chat
Last Post: 2nd February 2007, 09:37 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)