Migrating GPOs Across Domains with GPMC
By Mike Treit, Microsoft Corporation
Published: June 2003
Abstract
One of the key scenarios enabled by Microsoft Group Policy Management Console (GPMC) is the ability to copy Group Policy objects (GPOs) from one domain to another, such as migrating a GPO from a test domain to a production domain. This technical article explains how to move GPOs from one domain to another using GPMC and identifies some of the issues you might encounter. In addition, this article introduces various advanced options in GPMC that make the process easier.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2003. Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Version 1.1
Contents
Introduction
Overview of Migrating GPOs
Scenario: Test-to-Production Migration
Scenario: Production-to-Production Migration
Policy Settings That May Require Mapping
Using GPMC to Migrate GPOs
Copy
Backup
Import
Understanding Migration Tables
Migration Table Details
Creating Migration Tables
Putting It All Together
Step 1 – Back up the GPO to a file system location
Step 2 – Create a New GPO in the production domain
Step 3 – Create a migration table
Step 4 – Edit the migration table
Step 5 – Perform the import operation
Step 6 – Configure any security filtering and delegation settings on the GPO
Step 7 – Link the GPO to the relevant containers in Active Directory
Summary
Larger-Scale Migrations
Related Links
Introduction
This article discusses how to use the Group Policy Management Console (GPMC) to migrate Group Policy Objects (GPOs) from one domain to another.
Migrating a GPO that works in one domain to another domain requires some planning, but the basic procedure is fairly straightforward. There are, however, two aspects of GPOs that complicate the process:
The data that comprises a GPO is complex and stored in multiple locations.
Some data in the GPO can be domain-specific and may be invalid if copied directly to another domain.
The first problem is solved fairly transparently by GPMC—when migrating a GPO from one domain to another, GPMC ensures that all relevant data is properly copied.
To solve the second problem, GPMC uses migration tables that allow an administrator to update domain-specific data in a GPO to new values as part of the migration process. This only needs to be done if the GPO contains certain types of policy settings, details of which are addressed in the section, “Overview of Migrating GPOs.”
Before looking at the details, it helps to understand the basic process of migrating one or more GPOs between domains.
To Migrate GPOs between Domains
1. Identify the GPOs you want to migrate.
2. Note whether there is trust between the source domain and the target domain:
a. If there is trust, plan on doing a copy operation.
b. If there is no trust, plan on doing an import operation, or consider using the Stored User Names and Passwords utility in Windows XP to gain simultaneous access to both domains. This procedure is documented in detail in “Administering Group Policy with the GPMC” and will allow you to perform a copy operation even if the source and target domains do not have a trust relationship.
3. If necessary, create a migration table to handle security principals and Universal Naming Convention (UNC) paths in the source GPO that may need to be updated to new values in the target GPO. For further details, see the section, "Understanding Migration Tables."
4. If performing an import operation, do the following:
a. Back up the source GPOs to a file system location that will be accessible from the target domain.
b. Create new GPOs in the target domain for each backed-up GPO.
5. Perform the actual copy or import operation, specifying the migration table created in Step 3, if applicable.
6. Set any desired security filtering and delegation permissions on the new GPOs.
7. Link the new GPOs to the appropriate site, domain or organizational unit in the Active Directory® directory service. At this point, the new GPOs will be live and functioning in your environment.
The rest of this article focuses on the details necessary to make this process successful.
Overview of Migrating GPOs
Let’s address the basic problem of taking a GPO in a given domain and creating a new GPO that contains the same set of policies in a different domain. In the past, Microsoft did not provide any tools to help with this scenario, and it was not something that could be easily done by a Group Policy administrator.
GPOs are collections of policy settings that are used to create standard configurations for users and computers. You can think of a GPO as a kind of container that holds policy settings of many different types: registry policy settings, software installation policy settings, logon scripts, and so on.
What’s so hard about copying a GPO?
Although this collection of settings is logically a single entity, the data for a single GPO is stored in multiple locations and in a variety of formats; some data is contained in Active Directory and other data (of various types) is stored on the SYSVOL share on the domain controllers. This means that copying GPOs is not as simple as taking a folder and copying it from one machine to another—you could not, for example, just write a batch file or even a moderately complex script to accomplish a safe and robust copy of a GPO.
In addition to the complex way in which GPO data is stored, certain policy data may be valid in one domain but be invalid in the domain that the GPO is being copied to. For example, Security Identifiers (SIDs) stored in security policy settings are often domain-specific. In addition, settings that contain UNC paths for folder redirection or software installation policies may not work properly if the data in the GPO is copied without modification to a different domain.
To clarify why certain policy settings can cause problems when copying GPOs from one domain to another, let’s look at two common scenarios where a policy administrator would want to migrate some GPOs. These two scenarios are:
Test-to-production migration.
Production-to-production migration.
Scenario: Test-to-Production Migration
In a test to production migration, we usually have two separate Active Directory forests—one for the production environment, and one for the test environment. The test forest is typically configured as a mirror image of the production forest, with no trust between the two.
Figure 1 illustrates migrating a single GPO from a domain in the test forest to a domain in the production forest.
Figure 1. Migrating a GPO from test to production
In this case, we want to migrate a GPO called GPO X from Domain B in our test forest to Domain E in our production forest. In the process, we need to translate the settings for the log on locally user right configured in the GPO to map to new groups and users in the production forest, rather than the original test groups and users from our test forest.
Why is this necessary?
In our test domain, the GPO stores information stating that certain groups, such as A\Group, have some specific rights in the domain. This data is stored as SIDs that are only valid in the test domain. If we copy those SIDs to the production domain when we migrate the GPO, the policy settings will refer to groups that do not exist, and will therefore be incorrect for the domain that the GPO was migrated to.
Scenario: Production-to-Production Migration
Production to production migration occurs when you want to migrate a GPO from one production domain to another, typically within the same forest. Figure 2 illustrates this process.
Figure 2. Migrating a GPO between domains in production
In this case, we have copied GPO X from Domain B to Domain C. In the process, it makes sense to map some of the security principals referenced in the log on locally user right to new values more appropriate for the target domain. In this case, we would want to change Domain B to Domain C, but leave references to security principals in Domain A unchanged.
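An added example, not part of the original article: a short Python audit that reads the user-rights section of a GPO's security template and sorts each principal into the cases the two scenarios describe (source-domain SIDs that need mapping, SIDs from another domain that may stay, and well-known SIDs that are valid everywhere). The article does not show the file; the sample follows the GptTmpl.inf [Privilege Rights] layout, and every SID, name, and function name in it is constructed for illustration.

```python
import re

# Constructed sample of a GPO security template (GptTmpl.inf); SIDs are made up.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-4444444444-5555555555-6666666666-512
SeShutdownPrivilege = *S-1-5-32-544,LocalOps
[Version]
signature="$CHICAGO$"
"""

# Domain-issued SIDs have the form S-1-5-21-<three sub-authorities>-<RID>.
DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def classify(principal, source_domain_sid):
    """Decide whether one principal needs a migration-table entry."""
    if not principal.startswith("*"):
        return "name-review"      # stored by name, not SID: check it by hand
    m = DOMAIN_SID.match(principal[1:])
    if m is None:
        return "well-known"       # e.g. S-1-5-32-544, same in every domain
    if m.group(1) == source_domain_sid:
        return "map"              # issued by the source domain: invalid in target
    return "other-domain"         # another domain's SID: leave or review

def audit(inf_text, source_domain_sid):
    """Return sorted (right, principal, verdict) tuples for every entry."""
    return sorted(
        (right, p, classify(p, source_domain_sid))
        for right, members in parse_privilege_rights(inf_text).items()
        for p in members
    )

if __name__ == "__main__":
    for row in audit(SAMPLE_INF, "S-1-5-21-1111111111-2222222222-3333333333"):
        print(*row, sep="\t")
```

In a test-to-production migration with no trust, the "other-domain" entries also need review, since the target forest cannot resolve them.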
Policy Settings That May Require Mapping
Not all policy settings in a GPO need to have values translated as part of the process of migrating from one domain to another. For example, Administrative Templates policy settings ca