1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Child Domain GPO's

Discussion in 'Windows Server 2003 / 2008 / 2012 Exams' started by craigie, Oct 27, 2008.

  1. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    I have deployed a child domain in my lab and configured the following:

    1. Child Domain is recieving updates from my WSUS Server
    2. Child Domain is a DHCP Server using the 80/20 rule for fault tolerance
    3. Child Domain is a DNS Server using AD Integrated Zones

    All of this is working, however what I cannot figure out and I have been on Technet and Google is how do I get the Child Domain to inherit all the GPO's from my Parent Domain?

    Do I have to export the policies and import them using GPMC or am I missing something?

    Thanks for any help :D
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  2. kevicho

    kevicho Gigabyte Poster

    1,219
    58
    116
    A subdomain doesnt inherit policies from a parent domain (according to my book which i read about this a few hours ago), can you not just link the policy through the group policy tab in the OU?
     
    Certifications: A+, Net+, MCSA Server 2003, 2008, Windows XP & 7 , ITIL V3 Foundation
    WIP: CCNA Renewal
  3. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Thanks for the reply Kevicho.

    I have just done the following:

    Parent Domain Controller (contoso.com) Right Clicked > Properties > Group Policy > Add > Child Domain Controller (child.contoso.com)

    I have ensured that no disbaled, overrides or blocked inheritence are in place.

    Then I went to AD Sites & Services and replicated across both sites and run a gpddate.

    The GPO's havent come across, perhaps I'm missing something?
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  4. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    I dont think you can mate, well what I remember from my MCSE studies anyways. :biggrin

    You can link the GPO at site level and if both domains are in the site then they should apply the GPO.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  5. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    So, lets say you had a forest and you wanted to change the GPO across the whole forest.

    You would then need to change every single DC individuallly?
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Well, for each domain, yes.

    You should be able to link the same GPO in each domain though, so you would only have to change that one GPO.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  7. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    So lets say I had:

    contoso.com
    child.contoso.com
    child.child.contoso.com
    child.child.child.contoso.com

    I made some changes to the GPO in contoso.com which I thought, hey I would like all of my employees to have a minimum password length of 8 characters, this would not be replicated to the child domains, I would need to manually change the rest?
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  8. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    It wouldnt be replicated, but as I said you might be able to link one GPO to each domain (I havent done this so you would have to test it).
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  9. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    I was reading about this a few months back so my memory is kind of vague but if global catalog replication is implemented, wouldn't that effect the inheritance of the GPO's? I know it's used to give users in the Forrest access to all the objects in the Forrest, etc. So maybe that would effect the GPO's as well? I am not sure just throwing an idea because I am interested as well. I am setting up a child domain my self and would like to know if GPO can be inherited.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  10. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  11. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Thanks for the feedback everyone.

    Was just looking at the GPO's as a side note, but I do really really want to investigate and test this some more.

    But time dictates and I'm going to have to put this down as I should be studying for the 70-291!
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  12. kevicho

    kevicho Gigabyte Poster

    1,219
    58
    116
    My mspress book says (in so many words)

    An (enabled/disabled) policy applied to an OU will override any policy thats applied at domain level
    An (undefined policy) defined at an OU level will inherit any policy applied at domain level
    An child domain policy will not inherit from a top level domain policy.
    Also domain policies (and so on) override local policies

    So looks like its best to apply policies as close to the domain controllers/PCs etc at OU level, also you can save policies as a .inf file for backup and transferral purposes, helpful especially if you want to vary slightly what each subdomain has in the way of policies, also if you edit a linked policy it will effect everywhere so might be worth doing that sort of thing as a best practice.

    Finally remember the RSOP tool, will show you whats applied to your client/policy recipient.
     
    Certifications: A+, Net+, MCSA Server 2003, 2008, Windows XP & 7 , ITIL V3 Foundation
    WIP: CCNA Renewal
  13. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Thanks for the feedback everyone.

    Having read up on this the best way to transfer GPO settings is:

    Install Group Policy Management Console from MS found here http://www.microsoft.com/downloads/...24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en on both the Parent & Child Domain Controller

    On your Parent Domain Controller go to Group Policy Objects Node > Right Click > Backup
    Then on the Child Domain Controller go to Group Polocy Object Node > Right Click > Import Settings

    Voila!
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5

Share This Page

Loading...