利用 GPMC 在域间迁移 GPO.docx

利用 GPMC 在域间迁移 GPO.docx

《利用 GPMC 在域间迁移 GPO.docx》由会员分享，可在线阅读，更多相关《利用 GPMC 在域间迁移 GPO.docx（20页珍藏版）》请在冰点文库上搜索。

利用GPMC在域间迁移GPO

MigratingGPOsAcrossDomainswithGPMC

ByMikeTreit,MicrosoftCorporation

Published:

June2003

Abstract

OneofthekeyscenariosenabledbyMicrosoftGroupPolicyManagementConsole（GPMC）istheabilitytocopyGroupPolicyobjects（GPOs）fromonedomaintoanother,suchasmigratingaGPOfromatestdomaintoaproductiondomain.ThistechnicalarticleexplainshowtomoveGPOsfromonedomaintoanotherusingGPMCandidentifiessomeoftheissuesyoumightencounter.Inaddition,thisarticleintroducesvariousadvancedoptionsinGPMCthatmaketheprocesseasier.

TheinformationcontainedinthisdocumentrepresentsthecurrentviewofMicrosoftCorporationontheissuesdiscussedasofthedateofpublication.BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationpresentedafterthedateofpublication.

Thisdocumentisforinformationalpurposesonly.MICROSOFTMAKESNOWARRANTIES,EXPRESSORIMPLIED,ASTOTHEINFORMATIONINTHISDOCUMENT.

Complyingwithallapplicablecopyrightlawsistheresponsibilityoftheuser.Withoutlimitingtherightsundercopyright,nopartofthisdocumentmaybereproduced,storedinorintroducedintoaretrievalsystem,ortransmittedinanyformorbyanymeans（electronic,mechanical,photocopying,recording,orotherwise）,orforanypurpose,withouttheexpresswrittenpermissionofMicrosoftCorporation.

Microsoftmayhavepatents,patentapplications,trademarks,copyrights,orotherintellectualpropertyrightscoveringsubjectmatterinthisdocument.ExceptasexpresslyprovidedinanywrittenlicenseagreementfromMicrosoft,thefurnishingofthisdocumentdoesnotgiveyouanylicensetothesepatents,trademarks,copyrights,orotherintellectualproperty.

©2003.MicrosoftCorporation.Allrightsreserved.

Microsoft,ActiveDirectory,andWindowsareeitherregisteredtrademarksortrademarksofMicrosoftCorporationintheUnitedStatesand/orothercountries.

Thenamesofactualcompaniesandproductsmentionedhereinmaybethetrademarksoftheirrespectiveowners.

Version1.1

Contents

Introduction1

OverviewofMigratingGPOs2

Scenario:

Test-to-ProductionMigration2

Scenario:

Production-to-ProductionMigration3

PolicySettingsThatMayRequireMapping4

UsingGPMCtoMigrateGPOs6

Copy6

Backup7

Import7

UnderstandingMigrationTables8

MigrationTableDetails9

CreatingMigrationTables11

PuttingItAllTogether12

Step1–BackuptheGPOtoafilesystemlocation12

Step2–CreateaNewGPOintheproductiondomain12

Step3–Createamigrationtable13

Step4–Editthemigrationtable13

Step5–Performtheimportoperation13

Step6–ConfigureanysecurityfilteringanddelegationsettingsontheGPO14

Step7–LinktheGPOtotherelevantcontainersinActiveDirectory14

Summary14

Larger-ScaleMigrations15

RelatedLinks16

Introduction

ThisarticlediscusseshowtousetheGroupPolicyManagementConsole（GPMC）tomigrateGroupPolicyObjects（GPOs）fromonedomaintoanother.

MigratingaGPOthatworksinonedomaintoanotherdomainrequiressomeplanning,butthebasicprocedureisfairlystraightforward.Thereare,however,twoaspectsofGPOsthatcomplicatetheprocess:

ThedatathatcomprisesaGPOiscomplexandstoredinmultiplelocations.

SomedataintheGPOcanbedomain-specificandmaybeinvalidifcopieddirectlytoanotherdomain.

ThefirstproblemissolvedfairlytransparentlybyGPMC—whenmigratingaGPOfromonedomaintoanother,GPMCensuresthatallrelevantdataisproperlycopied.

Tosolvethesecondproblem,GPMCusesmigrationtablesthatallowanadministratortoupdatedomain-specificdatainaGPOtonewvaluesaspartofthemigrationprocess.ThisonlyneedstobedoneiftheGPOcontainscertaintypesofpolicysettings,detailsofwhichareaddressedinthesection,“OverviewofMigratingGPOs.”

Beforelookingatthedetails,ithelpstounderstandthebasicprocessofmigratingoneormoreGPOsbetweendomains.

ToMigrateGPOsbetweenDomains

1.IdentifytheGPOsyouwanttomigrate.

2.Notewhetherthereistrustbetweenthesourcedomainandthetargetdomain:

a.Ifthereistrust,planondoingacopyoperation.

b.Ifthereisnotrust,planondoinganimportoperation,orconsiderusingtheStoredUserNamesandPasswordsutilityinWindowsXPtogainsimultaneousaccesstobothdomains.Thisprocedureisdocumentedindetailin“AdministeringGroupPolicywiththeGPMC”（andwillallowyoutoperformacopyoperationevenifthesourceandtargetdomainsdonothaveatrustrelationship.

3.Ifnecessary,createamigrationtabletohandlesecurityprincipalsandUniversalNamingConvention（UNC）pathsinthesourceGPOthatmayneedtobeupdatedtonewvaluesinthetargetGPO.Forfurtherdetails,seethesection,"UnderstandingMigrationTables."

4.Ifperforminganimportoperation,dothefollowing:

c.BackupthesourceGPOstoafilesystemlocationthatwillbeaccessiblefromthetargetdomain.

d.CreatenewGPOsinthetargetdomainforeachbacked-upGPO.

5.Performtheactualcopyorimportoperation,specifyingthemigrationtablecreatedinStep3,ifapplicable.

6.SetanydesiredsecurityfilteringanddelegationpermissionsonthenewGPOs.

7.LinkthenewGPOstotheappropriatesite,domainororganizationalunitintheActiveDirectory®directoryservice.Atthispoint,thenewGPOswillbeliveandfunctioninginyourenvironment.

Therestofthisarticlefocusesonthedetailsnecessarytomakethisprocesssuccessful.

OverviewofMigratingGPOs

Let’saddressthebasicproblemoftakingaGPOinagivendomainandcreatinganewGPOthatcontainsthesamesetofpoliciesinadifferentdomain.Inthepast,Microsoftdidnotprovideanytoolstohelpwiththisscenario,anditwasnotsomethingthatcouldbeeasilydonebyaGroupPolicyadministrator.

GPOsarecollectionsofpolicysettingsthatareusedtocreatestandardconfigurationsforusersandcomputers.YoucanthinkofaGPOasakindofcontainerthatholdspolicysettingsofmanydifferenttypes:

registrypolicysettings,softwareinstallationpolicysettings,logonscripts,andsoon.

What’ssohardaboutcopyingaGPO?

Althoughthiscollectionofsettingsislogicallyasingleentity,thedataforasingleGPOisstoredinmultiplelocationsandinavarietyofformats;somedataiscontainedinActiveDirectoryandotherdata（ofvarioustypes）isstoredontheSYSVOLshareonthedomaincontrollers.ThismeansthatcopyingGPOsisnotassimpleastakingafolderandcopyingitfromonemachinetoanother—youcouldnot,forexample,justwriteabatchfileorevenamoderatelycomplexscripttoaccomplishasafeandrobustcopyofaGPO.

InadditiontothecomplexwayinwhichGPOdataisstored,certainpolicydatamaybevalidinonedomainbutbeinvalidinthedomainthattheGPOisbeingcopiedto.Forexample,SecurityIdentifiers（SIDs）storedinsecuritypolicysettingsareoftendomain-specific.Inaddition,settingsthatcontainUNCpathsforfolderredirectionorsoftwareinstallationpoliciesmaynotworkproperlyifthedataintheGPOiscopiedwithoutmodificationtoadifferentdomain.

ToclarifywhycertainpolicysettingscancauseproblemswhencopyingGPOsfromonedomaintoanother,let’slookattwocommonscenarioswhereapolicyadministratorwouldwanttomigratesomeGPOs.Thesetwoscenariosare:

Test-to-productionmigration.

Production-to-productionmigration.

Scenario:

Test-to-ProductionMigration

Inatesttoproductionmigration,weusuallyhavetwoseparateActiveDirectoryforests—onefortheproductionenvironment,andoneforthetestenvironment.Thetestforestistypicallyconfiguredasamirrorimageoftheproductionforest,withnotrustbetweenthetwo.

Figure1illustratesmigratingasingleGPOfromadomaininthetestforesttoadomainintheproductionforest.

Figure1.MigratingaGPOfromtesttoproduction

Inthiscase,wewanttomigrateaGPOcalledGPOXfromDomainBinourtestforesttoDomainEinourproductionforest.Intheprocess,weneedtotranslatethesettingsforthelogonlocallyuserrightconfiguredintheGPOtomaptonewgroupsandusersintheproductionforest,ratherthantheoriginaltestgroupsandusersfromourtestforest.

Whyisthisnecessary?

Inourtestdomain,theGPOstoresinformationstatingthatcertaingroups,suchasA\Group,havesomespecificrightsinthedomain.ThisdataisstoredasSIDsthatareonlyvalidinthetestdomain.IfwecopythoseSIDstotheproductiondomainwhenwemigratetheGPO,thepolicysettingswillrefertogroupsthatdonotexist,andwillthereforebeincorrectforthedomainthattheGPOwasmigratedto.

Scenario:

Production-to-ProductionMigration

ProductiontoproductionmigrationoccurswhenyouwanttomigrateaGPOfromoneproductiondomaintoanother,typicallywithinthesameforest.Figure2illustratesthisprocess.

Figure2.MigratingaGPObetweendomainsinproduction

Inthiscase,wehavecopiedGPOXfromDomainBtoDomainC.Intheprocess,itmakessensetomapsomeofthesecurityprincipalsreferencedinthelogonlocallyuserrighttonewvaluesmoreappropriateforthetargetdomain.Inthiscase,wewouldwanttochangeDomainBtoDomainC,butleavereferencestosecurityprincipalsinDomainAunchanged.

PolicySettingsThatMayRequireMapping

NotallpolicysettingsinaGPOneedtohavevaluestranslatedaspartoftheprocessofmigratingfromonedomaintoanother.Forexample,AdministrativeTemplatespolicysettingsca