Windows Server 2012 - What’s New for Group Policy? (Part 1)

Published on 28 May 2013 / Last Updated on 24 July 2013

This article discusses improvements that Microsoft has made to group policies in Windows Server 2012.

Introduction

When Microsoft created Windows Server 2012, they built in all kinds of cool new features. There were so many new features in fact, that it is easy to overlook enhancements that have been made to features that have long been a staple of Windows Server. Group policies are a perfect example of this. Group policies have been around since Windows 2000, and although they have evolved over the years the basic structure and management tools have remained relatively consistent.

Although there are no revolutionary changes to group policy functionality in Windows Server 2012, Microsoft has made some changes that admins need to know about. Some of these changes relate to the Group Policy Management Console. Other changes are related to the policy settings themselves. As such, I thought that it might be fun to write an article highlighting the best of the new group policy features.

The Group Policy Management Console

As previously mentioned, Microsoft has made some improvements to the Group Policy Management Console. The first such improvement is the addition of a Status tab. You can see what the new Group Policy Management Console looks like in Figure A.

Figure A: Microsoft has added a Status tab to the Group Policy Management Console.

As you can see in the figure, I have selected my domain. Upon doing so, the details pane displays several tabs – one of which is the Status tab. The Status tab displays the state of both Active Directory replication and SYSVOL replication as it relates to group policy.

The first useful piece of information displayed is the baseline domain controller for the selected domain. As you may know, a portion of the group policy is stored in the Active Directory and a part of it is stored in the SYSVOL container.

When an update is made to a group policy object, the update could theoretically be made to any writable domain controller (as opposed to a read only domain controller). Once the update has been written, it must be replicated to the other domain controllers in the domain. As such, group policy health is directly tied to domain controller replication health.

One of the best ways to determine whether or not your group policies are healthy is to compare one domain controller to another to determine whether or not they both contain the same updates.

When the Group Policy Management Console checks the domain controllers for group policy object related inconsistencies, it treats one domain controller as the baseline domain controller. When the Group Policy Management Console checks the group policy health, it does so by comparing the other domain controllers to the baseline domain controller to see if they are in a consistent state.

If you refer back to Figure A, you can see that Windows Server 2012 is telling you which domain controller is being treated as the baseline domain controller for the purpose of these comparisons. You will also notice however, that there is a Change link to the right of the listing for the baseline domain controller. Clicking this link allows you to select a different baseline domain controller.

Another thing that you might notice in Figure A is that there is an icon just to the left of the listing for the baseline domain controller. You can click this icon if you want to view additional data about the baseline domain controller. For example, in Figure B you can see that when I clicked the icon Windows displays the domain controller’s site name, IP address and group policy objects.

Figure B: You can expand the Status Details section to view additional information about the baseline domain controller.

The expanded Status Details section shown in the figure above can be helpful, but there are a couple of things that I need to point out. First, the Status Details section displays the baseline domain controller’s IPv6 address, but not its IPv4 address. This will likely prove to be an inconvenience for some, but probably won’t be a significant enough issue to warrant abandoning the tool.

The other thing that you might notice is that next to GPOs, the console reports that “Data is Uncollected”. This message is consistent with the message that is displayed in the next section, which indicates that no infrastructure information exists for the domain.

The reason for the lack of information has to do with the highly dynamic nature of group policy objects. Group policy objects (and the Active Directory at large) can be updated frequently. As such, replication health data from several minutes ago will likely be outdated. That being the case, the Group Policy Management Console makes no attempt to schedule the automated collection of replication health data because that data becomes outdated so quickly.

Although it is cut off in Figure B, there is a Detect Now button located in the lower right corner of the interface. When you click this button, Windows gathers information about the replication process and reports the number of domain controllers for which replication is presently in progress. It also reports the number of domain controllers that are presently synced with the baseline domain controller. Finally, the GPOs field (shown in Figure B) is updated to show the number of group policy objects that are in use within the domain.

It is worth noting that the data collection process can take a while to complete in large domains with many domain controllers. Conversely, the information displayed on the Status tab is basically useless in domains that contain only a single domain controller, because replication is not performed unless multiple domain controllers exist. Incidentally, Microsoft's recommended best practices state that a domain should never have fewer than two domain controllers.

In case you are wondering, the Group Policy Management Console does not provide you with a way to export the data that has been collected. Your only option is to view it within the console. If you close and then later re-open the console, you will have to re-detect the domain controller synchronization data. Surprisingly, Microsoft does not provide any PowerShell commands for acquiring group policy status information (at least none that are publicly documented).
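Because the console cannot export its results, an approximation of the baseline comparison described above can be scripted with the RSAT ActiveDirectory module. This is an added example, not code from the article or from Microsoft: it reads each GPO's version number from the Active Directory part (the versionNumber attribute on the groupPolicyContainer object) and from the SYSVOL part (the Version= line in gpt.ini) on every domain controller, then diffs each DC against a baseline DC. It assumes read access to SYSVOL on each DC and uses the PDC emulator as the baseline; the function names are my own.

```powershell
Import-Module ActiveDirectory

# Read the AD and SYSVOL version of every GPO as seen by one DC.
function Get-GpoVersionsFromDC {
    param([string]$DC, [string]$DomainDN, [string]$DomainDns)
    $result = @{}
    $base = "CN=Policies,CN=System,$DomainDN"
    Get-ADObject -Server $DC -SearchBase $base -LDAPFilter '(objectClass=groupPolicyContainer)' `
                 -Properties versionNumber, displayName |
        ForEach-Object {
            $guid = $_.Name            # e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
            $sysvolVersion = $null     # stays $null if the SYSVOL folder has not replicated yet
            $gpt = "\\$DC\SYSVOL\$DomainDns\Policies\$guid\gpt.ini"
            if (Test-Path $gpt) {
                $line = Get-Content $gpt | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
                if ($line -match '^Version=(\d+)') { $sysvolVersion = [int]$Matches[1] }
            }
            # versionNumber packs the user (high 16 bits) and computer (low 16 bits) versions;
            # gpt.ini carries the same packed value, so the two should match when in sync.
            $result[$guid] = [pscustomobject]@{ Name = $_.displayName; AD = $_.versionNumber; Sysvol = $sysvolVersion }
        }
    return $result
}

# Compare every other DC against the baseline DC, one row per GPO per DC.
function Compare-GpoVersions {
    param([string]$BaselineDC, [string[]]$OtherDCs, [string]$DomainDN, [string]$DomainDns)
    $baseline = Get-GpoVersionsFromDC -DC $BaselineDC -DomainDN $DomainDN -DomainDns $DomainDns
    foreach ($dc in $OtherDCs) {
        $other = Get-GpoVersionsFromDC -DC $dc -DomainDN $DomainDN -DomainDns $DomainDns
        foreach ($guid in $baseline.Keys) {
            $b = $baseline[$guid]; $o = $other[$guid]
            $state = if (-not $o) { 'Missing' }
                     elseif ($o.AD -ne $b.AD -or $o.Sysvol -ne $b.Sysvol) { 'OutOfSync' }
                     else { 'InSync' }
            [pscustomobject]@{ DC = $dc; GPO = $b.Name; Guid = $guid; State = $state
                               BaselineAD = $b.AD; DCAD = $o.AD; BaselineSysvol = $b.Sysvol; DCSysvol = $o.Sysvol }
        }
    }
}

# Usage: baseline = PDC emulator, compare all other DCs, show only the mismatches.
$domain = Get-ADDomain
$others = (Get-ADDomainController -Filter *).HostName | Where-Object { $_ -ne $domain.PDCEmulator }
Compare-GpoVersions -BaselineDC $domain.PDCEmulator -OtherDCs $others `
                    -DomainDN $domain.DistinguishedName -DomainDns $domain.DNSRoot |
    Where-Object State -ne 'InSync' | Format-Table -AutoSize
```

A mismatch between the AD and SYSVOL versions on the same DC points at SYSVOL replication lagging behind AD replication; a mismatch against the baseline that clears on a later run is normally just replication latency.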

It’s easy to see how the Status tab might be useful, especially when it comes to troubleshooting group policy (or Active Directory replication) related problems. However, you may be wondering whether or not this tool can be used in your own environment.

The really surprising thing about the Group Policy Management Console’s Status tab is that it does not require you to have any Windows Server 2012 domain controllers. At a minimum all you really need is a member server that is running Windows Server 2012 and that has the Group Policy Management Console installed. The console’s Status tab works with any domain controller that is running Windows Server 2003 or above. Presumably, the forest functional level and domain functional level must also be set to at least Windows Server 2003.

Conclusion

The Status tab is a helpful tool for diagnosing group policy replication issues. However, this is only one of many improvements that Microsoft has made to group policies in Windows Server 2012. I will discuss some more improvements in Part 2.
