Extend your Server 2003 Active Directory Schema for Windows Vista and Server 2008
Windows Vista and Windows Server 2008 include additional group policy settings that give the administrator more granular management of their user's workstations. To leverage these new configuration items, the schema of a Server 2003 Active Directory forest must be upgraded to a Server 2008 schema. You can upgrade your schema without installing Server 2008. We just need to tell the Server 2003 Schema that it needs to be aware of additional objects that Windows Vista can leverage. All of your Server 2003 DCs must be running at least SP1. There are a few ways to upgrade the Server 2003 schema, one is pretty lengthy, the other way is a lot easier and more straight forward. First I'll give you a brief run down on some of the new stuff in store in Windows Vista and Server 2008:
Windows Vista and Windows Server 2008 introduce a new format for group policies. ADMX files are the new file formats and they are stored in xml format. These new policy settings can only be managed from Windows Vista or Windows Server 2008 based administrative machines running Group Policy Object Editor or Group Policy Management Console. These new policy settings are defined only in ADMX files and as such, are not exposed on the Windows Server 2003, Microsoft Windows® XP, or Windows 2000 versions of these tools. Here's where it gets a bit dicey. I'd like you to upgrade Windows Vista to SP1, the upgrade is well worth it, but doing so removes the ability for Windows Vista to manage domain policies. To add this functionality back to Vista, you need to install the Remote Server Administration Tools to get the management functionality restored. This is actually a good thing. The reality is that 99% of your user community should not be modifying domain policies, so it's best to take the bullets out of their gun :). Here are a few of the highlights:
- The Windows Vista or Windows Server 2008 versions of Group Policy Object Editor and Group Policy Management Console can be used to manage all operating systems that support Group Policy (Windows Vista and Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000).
- The Windows Vista or Windows Server 2008 versions of Group Policy Object Editor and Group Policy Management Console support interoperability with versions of these tools on early operating systems. For example, custom ADM files stored in GPOs will be consumed by the new tools.
- In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
Now, back to the question of how do I upgrade my Server 2003 Schema to support Server 2008 and / or Vista?
First, do not use the schema extensions shipped on the RTM version of Windows Vista. The version included on your Vista RTM DVD contains the beta version of the Server 2008 schema extensions. Check out:
https://support.microsoft.com/kb/933585
The article below discusses the details of adding a Server 2008 server to your SBS network. There are just a few things you need to be aware of, and it also discusses how to prepare the forest for Server 2008. This will get you ready to manage Group Policies for Windows Vista within your SBS or Server 2003 Forest.
Adding a Server Running Windows Server 2008 to a Windows Small Business Server 2003 Network
I'm going to reiterate this again, to manage all of the new toys in Windows Vista, you need to install the Remote Server Administration Tools for Vista SP1. Here is a brief run down:
Installing the Remote Server Administration Tools for Vista SP1
Once you install the update, you have to enable the new features you added. This is similar to the way the R2 functionality in Server 2003 was added. The install just gives you the ability to enable the Admin tools. Go into the Program and Features applet in Control Panel and add the components.
If you are running SBS 2003, you can stop here. If you want to drill into more of the planning for Server 2008, I've included additional information below.
I encourage you to follow this document so that you can fully plan your move to Server 2008. We both know you'll get there, so let's do it right from the beginning.
Information and resources to use when you plan to upgrade Windows Server 2003 to Windows Server 2008
Please review this article, I'm encouraging you to plan this upgrade before you do it.
https://support.microsoft.com/default.aspx/kb/948070
The process to upgrade your schema to Server 2008 AD DS is located here. This is the actual process to do the upgrade, but I'd really like you to review the information I have provided first. I'm not saying you need to be afraid of the schema upgrade, but please plan it before you just do it. One last thing, backup, backup and then backup again. Please make sure you have a good backup before you do a schema upgrade. I've never heard of a schema upgrade failing, but if it does, it could force you to rebuild your whole forest. Please remember that when you have the power to make positive change, you also have the power to mess things up, so make sure you have a good plan.
adprep /forestprep is the command that you will enter at the command prompt, but please read the full instructions. You need to run this command from your Schema Master FSMO role holder, and you must be a member of the Schema Admins role.
Please start here for the low down on all of the steps you should follow:
Performing the Upgrade of Active Directory Domains to Windows Server 2008 AD DS Domains
If you have a copy of Server 2008, it includes adprep and will allow you extend the schema right from the Server 2008 media. If you do not have the Server media, you can download the evaluation version of Server 2008 here, it will let you use ADPrep to prepare your Server 2003 Schema to a Server 2008 Schema. The eval version of Server 2008 contains the same ADPrep, so you can use the ADPrep to upgrade your forest even if you do not install Server 2008. Right now, all we need are the schema extensions, not Server 2008 itself.
We have a whole section on Windows Server Group Policy, so please check out the new power you have at your finger tips. Please remember that with power, comes risk. You have the power to deploy a group policy that can render your domain useless. Let me say that one more time. If you are not paying attention, and you do not test your changes in a test lab first, you could render your domain useless. A useless domain will require you to rebuild from the ground up. My intent isn't to scare you, but I want to make sure you properly plan and test every single change before you deploy your changes into production. Here is a good run down of the Vista SP1 updates, the Group Policy Preferences and the Planning and Deployment guide.
https://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx
ADMX Migrator is a snap-in for the Microsoft Management Console (MMC) that simplifies the process of converting your existing Group Policy ADM templates to the new ADMX format and provides a graphical user interface for creating and editing administrative templates https://go.microsoft.com/fwlink/?LinkId=77409.
How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain https://support.microsoft.com/kb/921469
New and updated features in Group Policy https://www.microsoft.com/technet/windowsvista/library/gpol/a8366c42-6373-48cd-9d11-2510580e4817.mspx?mfr=true
Managing Group Policy ADMX Files Step-by-Step Guide https://go.microsoft.com/fwlink/?LinkId=60363
Step-by-Step Guide to Controlling Device Installation and Usage with Group Policy https://go.microsoft.com/fwlink/?LinkId=72206
How's that for a little bit of information.
Until next time!
Rob
del.icio.us Tags: extend Schema,Windows Server 2008
Technorati Tags: extend Schema,Windows Server 2008