When you formulate a backup and recovery strategy for your Windows systems, you need to make sure to include Group Policy Objects (GPOs) in that strategy. Microsoft provides a means to back up and restore GPOs in the form of Group Policy Management Console (GPMC), a Microsoft Management Console (MMC) snap-in that you can use to manage GPOs on Windows Server 2003 and Windows 2000 Server systems. In June, Microsoft released GPMC with Service Pack 1 (SP1)—an updated version of GPMC—that lets you back up, restore, and copy or migrate GPOs on Windows 2003, Windows XP, and Win2K Server systems without requiring you to have Windows 2003 installed. (Previously, you needed a Windows 2003 license to use GPMC.) This change means that you can use GPMC to back up, restore, and copy GPOs in domains with any combination of Windows 2003, XP, and Win2K Server systems. You can download the free GPMC with SP1 at http://tinyurl.com/ysx4u.
A Little History
In the early days of Active Directory (AD) and Group Policy, the only way to back up and recover GPOs was to use the NTBackup utility, then perform an AD authoritative restore—a procedure not for the faint of heart. One irritating characteristic of NTBackup is that it backs up the entire system state as well as the GPOs themselves and thus requires a hefty chunk of free disk space to house each instance of the system state.
Performing an authoritative restoration a GPO that had been accidentally deleted, changed, or corrupted was even more complicated. First, you had to take offline the domain controller (DC) on which you ran NTBackup and reboot the DC in Directory Services Restore Mode. Then, you had to restore the backup to prepare the server with the data you wanted to restore. Finally, you performed an authoritative restore, which required you to know the complete distinguished name (DN) of the deleted or modified GPO. Don't confuse the DN with the GPO's more familiar friendly name—for example, "Security Settings for the Sales OU." The DN is a complicated string that includes the GPO path in DN format along with the GPO's globally unique identifier (GUID)—for example, cn=\{01710048-5F93-4F48-9DD2-A71C7486C431\}, cn=policies,cn=system,DC=corp,DC=com, where the GUID is the component preceding the first comma. If you didn't know the GPO's GUID before the disaster, you had little hope of recovering it (and thus, little hope of restoring the GPO). At this point in the GPO restoration process, people often just gave up. (For more information about restoring AD, see "Repairing and Recovering AD," September 2002, InstantDoc ID 25957.) Third-party products, such as FullArmor's FAZAM 2000, which included a GPO backup-and-restore feature, and Quest Software's Aelita Recovery Manager for Active Directory, made the GPO backup-and-restore process bearable. Indeed, third-party tools are available today that include a GPO backup-and-restore feature.
Using GPMC to Back Up GPOs
IT pros were more than ready for a better Windows tool to back up and recover GPOs. Soon after Microsoft released Windows 2003, the company fulfilled customers' wishes when it delivered GPMC and, more recently, GPMC with SP1.
To start using GPMC, your first task is to install GPMC by loading it on a Windows 2003 or an XP machine. After you've installed GPMC, start the program, then navigate to Forest, Domains, domain name, Group Policy Objects. You'll see a list of all GPOs in the domain. At this point, you can perform one of two actions: Back up all GPOs, or back up individual GPOs. To back up all GPOs, right-click the Group Policy Objects node and select Back Up All from the context menu, as Figure 1 shows. (Alternatively, you can right-click a single GPO and select Backup.)
Next, you're prompted to enter the directory in which to store the backups and the name of the backup set. Although you can store the backup files anywhere, I recommend that you store them in a secure location. The GPMC then backs up each GPO in the domain and stores the backed-up GPOs as files in subdirectories of the directory you specified. At this point, you're ready to burn the resulting directories and files to a CD-ROM, copy them to tape or to another secure server, or otherwise ensure that they remain safe.
If you examine the automatically generated subdirectories that the system creates during backup, you'll notice that the names of these directories resemble the GUIDs that I described earlier. However, what isn't immediately obvious is that these directory and GUID combinations don't correspond to the GUID of the underlying GPO and, in fact, are unique and unrelated to the GPO's GUID. This distinction lets you back up a GPO without fearing collision with an existing subdirectory. You can store all the backups in the same subdirectory or in different ones.
Restore GPOs
If a GPO is deleted, corrupted, or becomes otherwise invalid and you want to restore the backed-up GPO, you can do so at any time by right-clicking the Group Policy Objects node and selecting Manage Backups. In the Manage Backups dialog box, which Figure 2, page 55, shows, you choose which GPOs you want to restore.
Select the location of the GPO backup you want to restore from the Backup location drop-down list, or click Browse. If you've created multiple backups of one or more GPOs in the same directory, simply select the Show only the latest version of each GPO check box to view the most recent set that you backed up. Otherwise, all GPOs you wrote to this directory will be displayed along with the time they were backed up. If you need a reminder about what settings were preserved within a GPO, simply click the GPO, then click View Settings. Finally, when you're ready, select the GPO and click Restore. If you want to remove a GPOs from a particular backup set, you can do so by clicking Delete.
Copy or Migrate GPOs
Depending on how your organization is constructed, you might choose to first create your GPOs somewhere other than the eventual target location. For instance, you might generate all your GPOs in a test domain—perhaps in a domain that's online and trusts the production network or in a lab, completely offline and isolated. Then, after the GPOs have been fully tested and are ready, you can migrate them to your production domain. GPMC can help you transition your GPOs from test to production in both situations.
You can use GPMC to copy a GPO within a domain or from one domain to another. You'll need to tell GPMC to change the view to display the available domains; to do so, right-click the Domains node and select Show Domains. Next, to copy a GPO, right-click that GPO and select Copy. Then, simply right-click the domain's Group Policy Objects container, and select Paste to create a copy.
Migrating GPOs to your production domain from an offline lab is a bit more difficult. To do this, you use GPMC's Import function. The migration steps that you perform when using the Import function are related to the backup-and-restore procedure. To migrate a GPO between domains that are in different forests, perform these steps:
1.Make a backup copy of the source domain's GPOs.
2.Create a new GPO in the target domain (or choose to overwrite an existing GPO).
3.Right-click the target GPO and select Import Settings. Doing so starts the Import Settings Wizard that Figure 3 shows. The wizard lets you select a backup set and choose a GPO from which to import.
The Import Settings Wizard lets you back up the target GPO before you import the source GPO to it. You need to back up the target GPO only when it isn't newly created.
The steps I just walked through make up the basic procedure for copying or migrating a GPO by using the Import command. However, if the GPO from which you want to import settings contains Universal Naming Convention (UNC) paths or security groups, you'll probably need to use the GPMC migration table feature. For instance, the Group Policy Software Installation and Folder Redirection settings functions use UNC pathnames. To appropriately specify software to distribute, the GPO typically launches a Windows Installer (.msi) file that's located in the UNC path—for example, \\Server1\share. However, a server named Server1 might not exist in the target domain. Or, worse, Server1 does exist, but you don't want your users to use that server. To ensure that you import the correct GPO with the correct UNC and security group references, you need to process your migration Copy and Import function with a migration table.
The migration table lets you convert any UNC references from the source domain into valid references in the target domain. The Import Settings Wizard automatically alerts you of UNC paths in the source domain and gives you two options for handling UNC pathnames, as Figure 4 shows. The first option, Copying them identically from the source, typically isn't a wise choice because, as I mentioned earlier, the UNC or security group references in the source domain might not exist in the target domain; thus, the GPO probably won't work after you copy it to the target domain. Therefore, the better choice is to select the other option, Using this migration table to map them in the destination GPO. To create your first migration table, at the Migrating References window that Figure 4 shows, click New. You'll see the Migration Table Editor, the spreadsheet-like dialog box that Figure 5 shows. You can start by filling in the table with the information you know. Because you're importing from a backup, select Tools, Populate from Backup. Next, select the GPO that you'll be migrating. Doing so automatically populates the Source Name column with all the UNC references in the GPO you've specified. Then, simply type a new UNC path (or security group reference) in the Destination Name field for each UNC path (or security group) you need to migrate. In Figure 5, you can see that the selected GPO includes the UNC pathname \\OLDServer\Software. However, in the target domain, this server doesn't exist. Therefore, you need to enter the appropriate pathname for the GPO, such as \\NEWServer\OurStuff, to ensure that the GPO has the correct references in the target domain.
After you've entered the new destination names, select Tools, Validate in the Migration Table Editor to ensure that all the destination names are valid. After you've verified their validity, select File, Save as to save the migration table you just created, then close it. The Migrating References window is again displayed. Again, select the Using this migration table to map them in the destination GPO option, and from the drop-down list select the migration table that you want to use. Typically, you'll select the migration table you just created, although you can select a previously created migration table instead. Using an existing migration table comes in handy when you're repeating the same actions—for instance, when you want to transfer the same GPO from one domain to several other domains. I also recommend that you select the Use migration table exclusively... check box, to ensure that you always migrate GPOs with valid destination references.
The Sooner, the Better
Domain administrators can use GPMC to back up, recover, and transfer GPOs safely. Use this article as a guide for using Microsoft's useful GPMC with SP1 to perform GPO backup, recovery, and copy and migration operations. Don't wait to back up those GPOs—do it today! The domain you save might be your own.
