Migrate GPO’s Between Domains

Hello World,

Just back from a business trip and already ready to move to another place ! I haven’t posted much lately. So, It may be time to start somewhere.  I’m currently busy with multiple projects. One of these projects consist of migrating and consolidating a Single forest, multiple domain into a single forest, single Domain.    Using the ADMT tool, we were able to migrate “effortless” the Active Directory Objects.  The child domain was using extensively group policies and the customer decided to port them into the root domain as well.

We needed to migrate these group polices as well.  Our stragegy for this migration was to use the GPMC Tool. This is the management console that come as an additonal download for Windows 2003 servers or as part of the Remote server administration tools for windows 2008 or later.  GPMC tools allows you to manage group policies and offer the possiblity to backup them, copy them or import settings into new Group policies.

Using GPMC tool, we were able to perform a backup of these group policies and we have re-imported them into the target domain.  This is quite straight forward.  The thing is that a group policy can contain information related to the domain.  When backing up and importing them in a new domain, this information might be lost making the group policy useless or unusable. To overcome this situation, you need to use a migration table.  A good example of such domain information is the delegation permissions or filtering that has been defined for a group policy.  Another example would be the scripts that might contains domain paths (exemple \\Child.parent.domain.local\netlogon\).  Another Group policy that brings a lot of problem if you do not use the migration table is the software deployment one.  When you create software deployment policy, you specify UNC path and the policy create a script (*.aas extension file) containing information about the package to be deployed.

If you do not use the migration table, you can start getting such message errors in your event viewer or when performing resultant set of policies.  For demonstration purposes, I’ve migrate a software deployment policy without the migration table.  To check if the policy is migrated correctly and applying as expected, we use the  Resultant set of Policies (RSOP.msc) console.

To run a resultant set of Policies, in the Run Box, you type rsop.msc.  You will see a new MMC opening.  In the screenshot below, you can notice the yellow symbol.  This means that a policy didn’t apply correctly and that some actions might be required. By expanding the nodes, you will be able to locate where the problem occurs.  In our case, the warning applies to the Software installation group policy

To get more information about this, you can always perform a right-click on the computer configuration node and select properties.

A new dialog box will be displayed.   If you click on the Error Information tab, you can receive extensive information about the warning sign.  In my case, the message was stating that the installation source for the product was not available.

You can retrieve information about this failed GPO operations in the event viewer.

To avoid such problems, you can simply create a migration table that will take care of updating this information.  The question is “How to you create a migration Table ? Actually, it’s quite easy but you might need to manually update some of the information wihtin the table.

To create a migration table, you simply open your GPMC console and you locate the node “Group policy Objects”. Right-Click on it and select the option Open Migration Table

The Open Migration Table opens but it’s empty. To populate the table,  you go to the Tools menu and you select the option that best fits your needs (populate from GPO’s or populate from Backup)

When you click on populate from, you will get a list of the group policies objects that can be migrated.  Select the one that needs to be migrated and where specific information needs to be modified.  At the bottom, you have also a useful checkbox that allows you to scan security Access list (ACL) of the GPO’s

After you press OK, You will get something similar to the following table. You can modify as required the file destination name wit the correct value.  If you move the location of the software package, you simply update the informatoin in your table. Make all the required changes and save this table. You will get a xml file.

When you are ready, you can start importing the settings into your group policies located in the target domain.  If the import wizard detect that some information needs to be update through a migration table, you will be presented with the following screen

To specify the migration table you’ve created above, you simply select the option “Using this migration table to map them in the destinaion GPO” and specify the xml file you have created.  If you didn’t, you can also create the migration table (using the same process as described above) by clicking the “New” button.  At the end of the wizard, you can check that the settings have been mapped correctly and they reflect indeed information found in the target domain.

In this article, we have performed all the operations (backup gpo, import Gpo, Link Gpo..) through the GUI.  You have to know that GPMC comes also with a bunch of scripts that can be used to automate the process. If you use Windows 2003, when you install the GPMC tool, you can locate the GPMC Script in c:\program Files\GMPC\Scripts.  Using this scripts, you can automate backup operations and import operations as well.  The ImportGPO.wsf script has a small error. Follow this link in order to fix the issue.

If you are using Windows 7 or Windows 2008 R2, you will not find these scripts(that was the bad news).  the good news is that the GPMC automation capabilites has been moved from vbs to powershell.  I recently use the powershell command to perform the migration and I have to say it’s really cool.  To work with GPOs in your powershell command box, you have first to import the module by typing

Import-module GroupPolicy

After that, you have a bunch of powershell cmdlet available for managing group policies.  Some examples are new-GPO, backup-GPO, New-GPLink.  You can find more information about these cmdlets here

Final Words

As you can see, migrating group policies between domains is not too complicated.  I have to say that the GPMC tool make it really easy to perform such migration.  In our project, we had to migrate multiple child domains containing more that 60 group policies.  So, as you can image, we have decided to script the operation.  If I have time, I’ll post the scripts that can be used to automate group policy migration. But to be honest, I think I’ll focus more on the powershell code because it’s just great and simpler to use

Migrating policies is really not complex when you know the tools and procedure that need to be used.

Till next Time

See ya

7 thoughts on “Migrate GPO’s Between Domains

  1. Great artical, just what i was looking for thankyou very much and for keeping it in simple terms

    Did you get round to doing those powershell scripts to automate it??

    Thanks

    Derrrick

  2. Hello Derrick,

    Yes, we have automated the migration of GPO between domains using powershell scripts and powershell cmdlets related to GPO.
    In a few words, we backup all the GPO from the source domain, we create a migration table using powershell script. In the target domain, we import the gpo using powershell script and the migration table is updated to reflect the domain change.

    In a near future, we will be posting some parts of the script

    Till then
    See ya around

  3. Thanks very much for you reply. can you email me when the script is available would be great with any instruction

    Thanks again

    Derrick

  4. If you could post examples of the import script, and inheritance\link order script, WELL, that would be greatly appreciated!!!

  5. Hello Ike,

    I’ll see what i can do…but will not be in the near future….I’m closing a bunch of projects and I have to meet a deadline (before end of this year)….. I’m overloaded…but I’ll be back

    Till next time
    see ya

  6. Has anybody an idea how to Migrate Values like Licenseserver Terminalserver or Registerkeys? I want to set a script with Powershell to Import an Default Script every time and set them automaticly (only Modify the Migtable)
    Anyone an Idea?

    See Ya

    Hauke

  7. Hello Hauke

    I do not underestand your question. Can you be a little bit more precise in what you wanna do ?
    You are talking about migration table. a migration table updates DACL, unc path,software installation policies,…. a migration table will not change entries for your registry key or values of gpo settings. The migration table will help you remove reference from old domain and replace with the new domain information….

    You can have a look at this http://c-nergy.be/blog/?p=3186 which provide a script to update a migration table. This is maybe what you are looking for…

    If you need to set values for licenseserver,terminalserver (these are registry keys) or generic registry key, you can use

    1. a GPO
    2. a powershell script to set these values
    3. a reg file to export/import the values you want to use

Leave a Reply