Question about creating a Central Store on a DC

    Question

  • Hello all and thanks in advance for your time and expertise.

    In the next few days I'm going to create a Central Store for my work domain.  We're also starting to implement Windows 10 in some bulk so we're also going to finally upgrade one of our DCs to server 2012 r2.

    I'm thinking it's obviously best to create the central store on the 2012 r2 DC.  The other DCs are all 2008 r2 with two 2008 dcs.  One catch is the role holder is a 2008 dc.

    My first question is should I move the fsmo roles to the new 2012 r2 DC when it's online?

    Second, after I download the admin templates for windows 10 and copy them to the central store - should I also copy the existing .admx files from a DC in my work domain (we're a mostly win7 pro shop) and place them in the central store as well?

    I just want to make sure I follow best practices relative to this project.  Your advice and recommendations are greatly appreciated.

    Monday, June 06, 2016 7:15 PM

Answers

  • Hi Pendal1,

    Thanks for your post.

    My first question is should I move the fsmo roles to the new 2012 r2 DC when it's online?

    >>>If you want the Windows Server 2012 R2 DC to be primary domain controller, you need to transfer FSMO roles to the new 2012 DC.

    For more information about transferring FSMO roles, you could refer to the article below.

    Transferring FSMO Roles in Windows Server 2008

    http://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-windows-server-2008.aspx

    The article below about FSMO placement may be helpful to you.

    FSMO placement and optimization on Active Directory domain controllers

    https://support.microsoft.com/en-us/kb/223346

    Second, after I download the admin templates for windows 10 and copy them to the central store - should I also copy the existing .admx files from a DC in my work domain (we're a mostly win7 pro shop) and place them in the central store as well?

    >>>For which files you need to copy to the Central Store, you could refer to the instructions in the article below.

    How to create and manage the Central Store for Group Policy Administrative Templates in Windows

    https://support.microsoft.com/en-us/kb/3087759

    Best Regards,

    Jay



    • Marked as answer by pendal1 Wednesday, June 08, 2016 3:51 PM
    Tuesday, June 07, 2016 2:34 AM
    Moderator
  • Jay,

    Thanks for your reply.  I'm still unsure about one aspect.  I have existing policies, for example for windows 7.   That is why I asked should I move existing .admx files from an existing domain controller into the central store when the central store is created.

    I guess I'm concerned about my existing policies.  When I create the central store and populate it with new .admx files for Windows 10, etc. - does this have any effect on my existing policies?  For example, will clients still receive policies if a specific .admx file was not moved to the central store?  If all DCs are looking at the central store for .admx files - what happens relative to old Windows 7 policies if their .admx files are not in the central store?

    I would greatly appreciate clarification on this topic.  Much appreciated, Jay.

    ADMX/ADML files are templates, which define the names of settings, the possible values for those settings, and the description of the settings. The templates are used by GPMC/GPME/RSoP to help you create/modify GPOs and to display the RSoP in a nice neat way.

    The templates are not linked nor involved once the GPO has been established, with the exception that RSoP will refer to them to display neatly.

    The templates are not used for processing/applying GP at all. Once a GPO has been created, technically you could delete the templates and the GPO will happily process/apply (although there's no value in deleting the templates, it is merely an example).

    By default, Windows keeps the templates at c:\windows\policydefinitions\ - this is a local template store.
    This means that if you add templates or update templates in that local store, when you open GPMC/GPME/RSoP on a different machine, the local store of the machine might contain a different set of templates.
    Each time you use a different machine for GPMC/GPME/RSoP, you would need to check and refresh that local store.
    This is one of the reasons why MSFT developed the CS.

    You can be assured that GPOs will apply/process regardless of the content of local store or of CS. Changing templates does not affect existing GPOs in any way.

    As for establishing/populating the CS, in general, templates for Windows are cumulative, i.e. the templates for Win7/WS2008R2 include settings for WinVista/WS2008 and earlier. This concept continues with each successive release of Windows, so you can actually populate your CS with the very latest set of Windows templates and that caters for all previous releases of Windows.

    This concept does *not* apply for Office admin templates - Office admin templates are version-specific, so, if you have several versions of Office used in your organisation, say, OFF2010 and OFF2013, you must populate all used Office admin templates versions into your CS.

    When establishing your CS, populate the CS with the latest available version of Windows admin templates.

    Sometimes, you may find that the server-edition of templates might contain different files/settings compared to the client-edition of that Windows generation (e.g. Win7 and WS2008R2 may have some different/extra template files, so you might consider placing both sets of files into your CS). If there is a duplicate template filename, you can overwrite safely.

    Also, note that older Windows OS versions such as WinVista/WS2008 can't process some of the newer types of settings/ADMX, so if you intend to use WS2008 (not R2) you may find that the newer template files will cause an error on that old 2008 GPMC/GPME/RSoP.

    You can simply cease to use those old Windows OS versions for GP tasks, or, upgrade those computers to a modern OS, or, reconsider the use of CS if it's an issue for you.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by pendal1 Wednesday, June 08, 2016 3:51 PM
    Tuesday, June 07, 2016 9:26 PM
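
The population steps described in the answer above, as an added PowerShell example that is not part of the original thread: it copies template sets in order so the newest files overwrite duplicates, then lists any .admx left without a language file. The source folders, the language list and the use of `$env:USERDNSDOMAIN` are assumptions; the store path is the standard SYSVOL `PolicyDefinitions` location.

```powershell
# Added example (not from the thread). Paths and defaults below are assumptions.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumes you are logged on to the target domain
    # Copy order matters: files from later sets overwrite same-named files from earlier ones.
    [string[]]$Sources = @(
        'C:\Windows\PolicyDefinitions',               # local store of the server you run this on
        'C:\Temp\Win10-Templates\PolicyDefinitions'   # hypothetical folder with the newest Windows templates
    ),
    [string[]]$Languages = @('en-US')
)

$store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path $store)) { New-Item -Path $store -ItemType Directory | Out-Null }

foreach ($src in $Sources) {
    if (-not (Test-Path $src)) { Write-Warning "Skipping missing source: $src"; continue }
    Copy-Item -Path (Join-Path $src '*.admx') -Destination $store -Force
    foreach ($lang in $Languages) {
        $langSrc = Join-Path $src $lang
        if (-not (Test-Path $langSrc)) { continue }
        $langDst = Join-Path $store $lang
        if (-not (Test-Path $langDst)) { New-Item -Path $langDst -ItemType Directory | Out-Null }
        Copy-Item -Path (Join-Path $langSrc '*.adml') -Destination $langDst -Force
    }
}

# Each .admx needs a same-named .adml per language to display its setting names.
$admx = Get-ChildItem -Path $store -Filter *.admx | Select-Object -ExpandProperty BaseName
foreach ($lang in $Languages) {
    $adml = @(Get-ChildItem -Path (Join-Path $store $lang) -Filter *.adml -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty BaseName)
    $admx | Where-Object { $adml -notcontains $_ } |
        ForEach-Object { Write-Warning "$_.admx has no $lang\$_.adml in the Central Store" }
}
"{0} .admx files now in {1}" -f @($admx).Count, $store
```

Writing to SYSVOL requires an account with rights to modify the Policies folder, typically a Domain Admin.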

All replies

  • Jay,

    Thanks for your reply.  I'm still unsure about one aspect.  I have existing policies, for example for windows 7.   That is why I asked should I move existing .admx files from an existing domain controller into the central store when the central store is created.

    I guess I'm concerned about my existing policies.  When I create the central store and populate it with new .admx files for Windows 10, etc. - does this have any effect on my existing policies?  For example, will clients still receive policies if a specific .admx file was not moved to the central store?  If all DCs are looking at the central store for .admx files - what happens relative to old Windows 7 policies if their .admx files are not in the central store?

    I would greatly appreciate clarification on this topic.  Much appreciated, Jay.

    Tuesday, June 07, 2016 6:30 PM
  • Thank you very much.  Best wishes.
    Wednesday, June 08, 2016 4:07 PM