2025-02-22 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
We have already looked at cross-forest and cross-domain migration of users, computers, and shares. Does group policy support migration as well? The answer is yes. This article discusses the scenarios and practice of group policy migration in detail.
Possible scenarios for Group Policy Migration
From the test environment to the production environment: the enterprise has deployed two AD domains in separate forests, one for production and one for testing. For security, there is no trust between the two domains. A group policy that has been tested successfully in the test environment now needs to be applied to production, or the reverse.
Parent and child domains: the enterprise has deployed a new child domain. Because group policy is domain-level data, the child domain does not inherit the parent domain's group policy, yet the child domain has no dedicated IT staff and wants to reuse the headquarters' group policy settings.
Reusing a mature group policy: migration between trees in the same forest, between trusting domains within the forest, or across forests with no trust.
Group policy migration is done in the GPMC (Group Policy Management Console), and there are two optional methods:
Group policy copy (replication): suitable for migration between trees within the forest, between parent and child domains, and across forest trusts. Migration to a domain without trust is not supported. Both the source and target domain controllers must be online during the migration. The new GPO created by the copy operation is given a new globally unique identifier (GUID) and is unlinked; the permission settings of the group policy object can be retained.
Group policy backup: suitable for migration between trees within the forest, between parent and child domains, across forest trusts, and between environments with no trust. The backup contains the GPO's GUID, the GPO settings, the discretionary access control list (DACL) on the GPO, WMI filter links (if any) but not the filters themselves, links to IP security policies (if any), an XML report of the GPO settings (viewable in GPMC as HTML), the date and time stamp of the backup, and the backup description supplied by the user. The backup files are written to disk and must be copied to the target domain controller for import.
Key concept of Group Policy Migration: the Migration Table
We run into a problem when migrating group policy across forests: the group policy may reference security principals (users or groups) of the current domain and shared paths in the current domain, but those users and shares do not exist in the target domain. Without a migration table, we would have to change every reference by hand after the migration; with one, the mapping is completed before the import is performed. For example, every test security group referenced in the test domain's group policy is replaced with the corresponding production security group, and every test-environment shared path is replaced with the production path, so the migrated group policy takes effect immediately. This may not show much value in a small environment, but when a group policy contains many security and share settings, the migration table saves a great deal of trouble.
With group policy copy, the steps are completed directly in the wizard and the group policy does not need to be exported to the file system. Group policy backup pairs with the group policy import step: in the new environment we import the backup file, including everything that was backed up. Both the copy process and the import process allow a migration table to be selected, so that security principals such as users, groups and computers, and shared paths, are automatically mapped to their different names in the new environment.
Experimental environment
The current environment has a test domain oa.com and a production domain zq.com; the two domains have no trust relationship and are independent forests. The group policy now needs to be imported into the production environment, mapping the different security objects along the way. The test environment uses the OU DEP, which contains three users and one group; Jason and Mike are members of the VIP group. A group policy named dev is created with a test-environment shared path and security policy settings.
Cross-forest group policy migration process
Write the migration table mapping
Back up the source group policy
Copy the group policy backup files and the migration table to the target domain
Create a blank group policy in the target OU of the target domain
Import the group policy backup file together with the migration table
Now let's look at the migration table. It is an antique, dating as far as I remember from the Windows Server 2003 era; it supports a GUI migration table editor as well as command-line management. Open GPMC > Group Policy Objects > Open Migration Table Editor.
You can edit the migration table after backing up the group policy, or edit the migration table first; in the end, the migration table file and the group policy backup are imported together in the target domain. The migration table editor has a very practical function: open the Tools drop-down menu and you will see Populate from GPO.
In the Populate from GPO dialog we select the group policy to be migrated, and the migration table automatically scans the domain-specific users, groups, computers and other security principals referenced by the group policy; otherwise we would have to enter them one by one. If we also tick the option at the bottom, the scan includes security principals from the DACL on the GPO, i.e. the security settings of the group policy object itself.
After the scan completes, we map each security principal of this domain to the corresponding security principal in the target domain so that the policy works after migration, correct any wrongly detected source types, and add any shared paths or security principals in the group policy that the scan did not pick up.
Confirm that all the information to be mapped to the production environment has been updated, then click File > Save As and save the migration table file.
Click Group Policy Objects, select dev, and right-click Back Up.
After the backup completes, copy the backup files and the migration table file to the target domain controller.
Go to the production domain's OU and create a new GPO.
Select the newly created group policy in the Group Policy Objects container, right-click Import Settings, and select the directory of the copied group policy backup.
Click Next. The import wizard detects that the group policy references security objects and shared paths of the source domain, and asks how to handle the references. You can choose to copy them identically from the source, but because there is no trust across forests those source references would be invalid, so we choose to map them with a migration table and select the migration table file.
Below it is an "exclusive" option, mainly intended to prevent a mistaken import with the wrong migration table. Here we have confirmed that this is the correct migration table, so we leave it unchecked.
Click Next to start the import. Why import rather than the Restore that corresponds to Backup? Because the group policy Restore function does not recognise backup files from other machines; it only supports restoring a backup of the original server.
After the import, open the group policy and verify that all security object references and file share paths have been mapped across the forests.
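The same cross-forest backup and import flow can be scripted with the GroupPolicy PowerShell module instead of clicking through the GPMC wizards. This is an added example, not code from the original post; it assumes the domains oa.com and zq.com, the GPO dev and the OU DEP from the experiment, and constructed names for the file server shares (\\oa-fs01\dev and \\zq-fs01\dev). The migration table XML follows the schema the GPMC editor saves, but verify the element names against a table saved by your own editor.

```powershell
# Added example (not from the original post): cross-forest GPO migration via
# Backup-GPO / Import-GPO with a migration table, mirroring the GPMC steps above.
# Assumed names: source domain oa.com, target domain zq.com, GPO "dev",
# target OU "OU=DEP,DC=zq,DC=com", share \\oa-fs01\dev mapped to \\zq-fs01\dev.
Import-Module GroupPolicy

$backupDir = 'C:\GPOMigration\backup'            # copied to the target DC later
$migTable  = 'C:\GPOMigration\oa-to-zq.migtable'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# --- 1. Write the migration table (format assumed from GPMC-saved tables) ---
# Each <Mapping> replaces one source principal or UNC path with its target.
$table = @'
<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping><Type>GlobalGroup</Type><Source>VIP@oa.com</Source><Destination>VIP@zq.com</Destination></Mapping>
  <Mapping><Type>User</Type><Source>Jason@oa.com</Source><Destination>Jason@zq.com</Destination></Mapping>
  <Mapping><Type>User</Type><Source>Mike@oa.com</Source><Destination>Mike@zq.com</Destination></Mapping>
  <Mapping><Type>UNCPath</Type><Source>\\oa-fs01\dev</Source><Destination>\\zq-fs01\dev</Destination></Mapping>
</MigrationTable>
'@
Set-Content -Path $migTable -Value $table -Encoding Unicode   # GPMC expects UTF-16

# --- 2. In the source domain (run as an oa.com admin): back up the GPO ---
Backup-GPO -Name 'dev' -Domain 'oa.com' -Path $backupDir -Comment 'dev GPO for zq.com'

# --- 3. Copy $backupDir and $migTable to a zq.com DC (no trust exists, so by file copy) ---

# --- 4. In the target domain (run as a zq.com admin): import into a new blank GPO ---
$gpo = Import-GPO -BackupGpoName 'dev' -Path $backupDir -Domain 'zq.com' `
                  -TargetName 'dev' -CreateIfNeeded -MigrationTable $migTable
# Import creates an unlinked GPO, so link it to the target OU as the GUI step does.
New-GPLink -Guid $gpo.Id -Domain 'zq.com' -Target 'OU=DEP,DC=zq,DC=com' -LinkEnabled Yes

# --- 5. Verify: no oa.com principals or source UNC paths should survive the import ---
$report = Get-GPOReport -Guid $gpo.Id -Domain 'zq.com' -ReportType Xml
if ($report -match 'oa\.com|\\\\oa-fs01') {
    Write-Warning 'Unmapped oa.com references remain; fix the migration table and re-import.'
} else {
    'All source references mapped to zq.com.'
}
```

Step 5 is the scripted form of the manual check in the last GUI step; an unmapped reference left in the report means the migration table is missing an entry.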
Experiment 2. The current forest root domain oa.com merges the acquired company's gate.com domain tree, and the two domains establish a domain tree trust. The merged company wants to reuse the headquarters' group policy settings directly. The forest root domain environment uses the OU DEP, which contains three users and one group; Jason and Mike are members of the VIP group. A group policy named OPS is created with a test-environment shared path for script execution and a security list on the group policy object.
Cross-domain group policy migration process
Write a migration table
In the source domain's Group Policy Management console, show the target trusted domain (both source and target must be online)
Copy the selected group policy
Paste it under the Group Policy Objects container of the target trusted domain
This triggers the cross-domain copy wizard: select the permission copy model and map the migration table
Manually link the copied GPO to the target OU
Set up the migration table following the same steps as for cross-forest migration.
In the source domain's Group Policy Management console, right-click Domains, choose Show Domains, and tick the target trusted domain.
Since a trust relationship exists this time, we right-click the group policy object directly in the source domain and select Copy.
Switch to the target trusted domain's Group Policy Objects container, right-click, and Paste.
Pasting here is what launches the cross-domain copy wizard for group policy!
This step is very important and is rarely mentioned in online blogs. If you select "Use the default permissions for new GPOs", the security permissions of the source domain's group policy object are not migrated to the target domain: the GPO copied into the new domain gets fresh default permissions, and even if the migration table was scanned and mapped, the mapping has no effect on them. If you want to copy the source GPO's security settings to the target trusted domain as they are, or map the security principals in the source GPO's security settings to the target trusted domain through the migration table, you must select the other option, "Preserve or migrate the permissions from the original GPOs", for it to take effect.
In Lao Wang's actual testing, migrating the mapped group policy security permissions only works in a trusted-domain environment within the forest: there the migration table can map security principals in the group policy object's permission list. Across forests or between untrusted domains, the mapping of the permission list is ineffective and the permissions must be reset manually.
Click Next. The cross-domain copy wizard detects the security principals and shared paths present in the source group policy.
It asks whether to copy them identically or to use a migration table to complete the mapping. Select the configured migration table file; this can be done directly on the source host, using the migration table file stored locally there.
Click Next, then Finish, to start copying.
After the copy succeeds, the group policy's security permission list can be inspected, and all group policy settings have been mapped.
After confirming, manually link the group policy object to the target OU. Because we copied directly into the Group Policy Objects container rather than onto an OU, no link is created, which is the difference from importing.
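The trusted-domain copy flow above, including the permission option the wizard asks about, can also be driven from PowerShell with Copy-GPO. This is an added example, not code from the original post; it assumes the domains oa.com and gate.com and the GPO OPS from Experiment 2, a constructed migration table path, and the OU DN OU=DEP,DC=gate,DC=com.

```powershell
# Added example (not from the original post): in-forest, trusted-domain GPO copy
# via Copy-GPO, which is what the GPMC paste / cross-domain copy wizard performs.
# Assumed names: source domain oa.com, target domain gate.com, GPO "OPS",
# migration table C:\GPOMigration\oa-to-gate.migtable (built as in the cross-forest
# steps), target OU "OU=DEP,DC=gate,DC=com".
Import-Module GroupPolicy

$migTable = 'C:\GPOMigration\oa-to-gate.migtable'

# Both domain controllers must be reachable; the migration table is read from
# the host running this script, as in the wizard.
# -CopyAcl is the scripted equivalent of "Preserve or migrate the permissions from
# the original GPOs". Without it the copy gets default permissions and the
# migration table is never applied to the GPO's DACL, matching the pitfall above.
$copy = Copy-GPO -SourceName 'OPS' -SourceDomain 'oa.com' `
                 -TargetName 'OPS' -TargetDomain 'gate.com' `
                 -CopyAcl -MigrationTable $migTable

# Copy-GPO creates an unlinked GPO with a new GUID, so link it by hand as in the GUI.
New-GPLink -Guid $copy.Id -Domain 'gate.com' -Target 'OU=DEP,DC=gate,DC=com' -LinkEnabled Yes

# Check the result: after an in-forest copy with a migration table, the DACL
# should list gate.com principals only.
$acl = Get-GPPermission -Guid $copy.Id -Domain 'gate.com' -All
$acl | Select-Object @{n='Trustee';e={$_.Trustee.Name}},
                     @{n='Domain';e={$_.Trustee.Domain}},
                     Permission
$stale = @($acl | Where-Object { $_.Trustee.Domain -eq 'oa.com' })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) ACL entries still reference oa.com; re-check the migration table."
}
```

If the same script is run against an untrusted forest, the DACL check will report stale entries even with -CopyAcl, which is the limitation the author observed in testing.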
Tip: WMI filter migration is not supported with either copy or import. If you need to migrate a large number of WMI filters, or want to handle group policy migration with PowerShell, refer to the blog
WMI filter Migration script
Next step in the blog plan: since starting the WSFC blog in 2017, Lao Wang has made many friends and is honoured to be recognised by many of them. I am very happy to pass on technology that helps readers solve practical problems. The WSFC blog will continue, but basically all the WSFC topics that can be written have been written; as soon as a good topic comes up, it will be shared. In 2019, at the same time, if I see good technologies that I think are practical and novel, I will write a blog post to share them, and I will also write about long-standing enterprise technologies I have seen that are rarely mentioned in China. The blog will mainly focus on these three areas. If the WSFC series finds no topic for a long time, Lao Wang may start a new blog series at the end of this year or next; the current plan is to cover MDOP or SCO+SCSM+SCOM in depth. Whichever Lao Wang chooses, it will keep to the standard of the WSFC series.