Re: Local Group Policy versus OU (Time Service)

From: Darren Mar-Elia (dmanonymous_at_discussions.microsoft.com)
Date: 08/27/04

    Date: Fri, 27 Aug 2004 11:48:44 -0700
    
    

    Jerry-
    One way I'd skin this is, if those servers are all over your domain (i.e.
    spread across multiple OUs) is to simply create and link a GPO at the domain
    level and set up a "Server Time Services" computer group and use that to
    filter the effects of the GPO. You can put all those non-PDC servers into
    that group and then only they will process that GPO. That way you don't have
    to move servers around but you can get the coverage you need without
    impacting the PDC's configuration.

    I very rarely come across a lot of differences in policy btw the PDC role
    holder and other DCs. Member servers are another story, and can more often
    need different policy, esp. for security related settings.

    -- 
    Darren Mar-Elia
    MS-MVP-Windows Management
    http://www.gpoguy.com
    "Jerry" <jerry.giacinto@ketteng.com.nospam.com> wrote in message 
    news:u8hswMGjEHA.536@TK2MSFTNGP11.phx.gbl...
    > Darren,
    >
    >  Thanks for the response.  I was thinking the same thing with regards to
    > over complicating the setup.  However, that leads me to another dilemma.
    > It would be nice to configure the Windows Time Service in Group Policy for
    > the rest of the servers, because they'll all have identical settings.  To do
    > that requires one of two approaches:
    > 1)  Set up an OU that does not include the PDC
    > 2)  For the settings that are different between the other servers and the
    > PDC, configure those in the registry, and leave the GPO setting as "Not
    > Configured"
    > Maybe the first approach is a good idea anyway.  Do you find that you set
    > a lot of Group Policy settings differently on your DCs and member servers
    > than you do on your PDC?
    > The second approach presents a potential problem because with the Time
    > Service, the settings I would want to be different for the PDC are the
    > NtpServer and Type under the NTP Client properties.  But there are 5 other
    > settings under the NTP Client.  So, to specify any of those other settings,
    > means I have to configure the NtpServer and Type as well.  Then I can't use
    > the same GPO for all servers.
    >
    > What do you think?
    >
    > Thanks again,
    >  Jerry
    >
    >
    > "Darren Mar-Elia" <dmanonymous@discussions.microsoft.com> wrote in message
    > news:eIMFnfFjEHA.3016@tk2msftngp13.phx.gbl...
    >> Jerry-
    >> In your case, where you have a set of registry settings that only apply to
    >> one machine, I don't really think Group Policy is required. It just adds
    >> complexity where none is needed. I would just make the settings changes you
    >> need to make via a reg file and have that file on hand if you ever need to
    >> promote a different DC to be the PDC role holder.
    >>
    >> --
    >> Darren Mar-Elia
    >> MS-MVP-Windows Management
    >> http://www.gpoguy.com
    >>
    >>
    >>
    >> "Jerry" <jerry.giacinto@ketteng.com.nospam.com> wrote in message
    >> news:eAO3p5EjEHA.2696@TK2MSFTNGP11.phx.gbl...
    >> > Hi,
    >> >
    >> >  I am in the process of designing a time synchronization plan for a
    >> > Windows 2003 domain.  I need to configure the PDC operations master to
    >> > synchronize with a reliable external source.  Then, the rest of the
    >> > servers and workstations will follow the default domain hierarchy.  I can
    >> > configure Windows Time Service settings in Group Policy, and therefore,
    >> > can make specific settings changes for the PDC.  My lack of experience has
    >> > caught up with me real quick when it comes to proper methods for applying
    >> > group policy or local settings in the domain.  What I'd like to know is
    >> > for specific settings on the PDC (or any single computer), is it better
    >> > (or more acceptable) to create an OU that contains just the PDC and apply
    >> > Group Policy to that OU, or define the settings in Local Group Policy, or
    >> > simply change the settings in the registry.  It seems that it would be
    >> > easier to manage by creating a specific OU for the PDC because I could use
    >> > the Group Policy Management Console to administer settings for the whole
    >> > domain, including special cases like this.  Does anyone know a good
    >> > resource for designing Active Directory and Group Policy in a small to
    >> > mid-size environment?
    >> >
    >> > Thanks for your help,
    >> >  Jerry
    >> >
    >> >
    >>
    >>
    >
    > 
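
The scoping described in the reply above (a GPO linked at the domain level and filtered by a "Server Time Services" computer group), as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules, which postdate this post; the GPO name is hypothetical, and only domain controllers are added to the group here.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$groupName = 'Server Time Services'          # group name used in the post
$gpoName   = 'Server Time Services Policy'   # hypothetical GPO name
$domain    = Get-ADDomain
$pdc       = $domain.PDCEmulator             # FQDN of the current PDC role holder

# Create the filter group once.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path $domain.UsersContainer
}

# Add every DC except the PDC role holder; member servers can be added the same way.
$existing = Get-ADGroupMember -Identity $groupName |
    ForEach-Object { $_.DistinguishedName }
$toAdd = Get-ADDomainController -Filter * |
    Where-Object { $_.HostName -ne $pdc } |
    ForEach-Object { $_.ComputerObjectDN } |
    Where-Object { $existing -notcontains $_ }
if ($toAdd) { Add-ADGroupMember -Identity $groupName -Members $toAdd }

# Create the GPO and link it at the domain root (skip the link if it already exists).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $domain.DistinguishedName -LinkEnabled Yes | Out-Null
}

# Security filtering: Authenticated Users drop from Apply to Read-only,
# and only the filter group is allowed to apply the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify the resulting ACL and confirm the PDC role holder is not in the group.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
$pdcDn = (Get-ADDomainController -Identity $pdc).ComputerObjectDN
'PDC in filter group: {0}' -f ((Get-ADGroupMember -Identity $groupName |
    ForEach-Object { $_.DistinguishedName }) -contains $pdcDn)
```

A computer picks up new group membership only after it restarts, so the filter takes effect on each server at its next reboot. If the PDC role is moved to another DC, that DC has to be removed from the group and the previous role holder added.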
    
