Devilsbane wrote: » Just test them out a bunch. I am certainly not a GPO expert, but just poke around and see what is there. Since you already have the 2000 GPOs, you can use them to work off of.
NinjaBoy wrote: » If you're happy with the existing GPOs, but just need GPOs to work with Vista/Win7, just create the GPOs for Vista/Windows 7, then use WMI filters (on both the old and new GPOs) so that the correct GPOs will apply to the correct OS. We've had a couple of problems trying to create only one set of GPOs for all operating systems. -ken
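The per-OS WMI filters the post above describes, as an added example that is not part of the thread: these are the WQL queries you paste into a GPMC WMI filter, with a small script that evaluates each one on the local machine so you can see which filter a box would match before you link anything. The filter names are placeholders. Two caveats worth knowing before relying on this: a WMI filter is ignored by Windows 2000 clients, which apply the filtered GPO regardless, so filtering only protects XP and later; and a `Version LIKE "6.%"` pattern matches Vista, 7, 8 and 8.1 alike, which is the usual way a "Windows 7 only" GPO ends up on the wrong OS.

```powershell
# Added example, not from the thread. Version prefixes: 5.0 = Windows 2000,
# 5.1 = XP, 6.0 = Vista/2008, 6.1 = Windows 7/2008 R2, 6.2/6.3 = 8/8.1,
# 10.0 = Windows 10/11. ProductType: 1 = workstation, 2 = DC, 3 = member server.
# The hashtable keys are placeholder filter names; the values are the WQL.
$wmiFilters = @{
    'Windows 2000 workstations'  = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.0%" AND ProductType = "1"'
    'Windows XP workstations'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = "1"'
    'Vista workstations'         = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = "1"'
    'Windows 7 workstations'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'
    # Pitfall: this matches Vista, 7, 8 and 8.1, so a "7-only" GPO with this filter lands everywhere
    'Any 6.x client (too broad)' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.%" AND ProductType = "1"'
}

function Test-WmiFilter {
    param([Parameter(Mandatory)][string]$Query)
    # Group Policy treats a filter as passing when the query returns at least one
    # instance; an empty result means the GPO is skipped on this machine.
    $result = Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop
    return [bool]($result | Measure-Object).Count
}

$os = Get-CimInstance Win32_OperatingSystem
'Local OS: {0} (Version {1}, ProductType {2})' -f $os.Caption, $os.Version, $os.ProductType
foreach ($name in ($wmiFilters.Keys | Sort-Object)) {
    [pscustomobject]@{
        Filter  = $name
        Applies = Test-WmiFilter -Query $wmiFilters[$name]
    }
}
```

Run it on one machine of each OS in the lab; exactly one of the per-OS rows should show `Applies = True` on each, and the too-broad row shows why a prefix match on the major version alone is not a Windows 7 filter.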
Paul Boz wrote: » I've relied on general security experience as well as the CIS benchmarks. The MSCM tool is also exceedingly helpful with regards to documentation. If you click on a specific GPO you can actually visit a "description" tab and it will give you a writeup of what the GPO does, what the risks are, and why they recommend the settings. You should also reference the GPO in the CIS guide for their recommendations and justifications. As Devilsbane said, you should definitely test the **** out of these GPOs before you put them into production. If you don't already, I'd recommend setting up a mirrored domain environment in a lab (either physical or virtual) and pushing your GPOs to test Windows 7 machines. You should definitely install all of your business apps on the Windows 7 machines prior to testing to ensure that your users don't get broken. The last thing you want to do is roll out Windows 7 and cause a huge impact to the business.
Paul Boz wrote: » What DC are you using? 2k3 or 2k8? If you're using 2k3, are you planning on upgrading your DC to 2k8? If so, I'd recommend doing that before tackling Windows 7. Either way, I'd take your existing DC and literally image it to your lab so that your lab environment mirrors production as closely as possible. I would definitely avoid allowing the test environment to interact with the prod network though.
dynamik wrote: » You can do P2V while it's running. How complex is your domain/OU structure? How many GPOs are you dealing with? The first step is going to be documenting everything you currently have. Good advice on the WMI filtering.
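One way to do the "document everything you currently have" step from the post above, as an added example that is not part of the thread: export a settings report for every GPO plus a CSV summary of where each one is linked, whether it has a WMI filter, and whether it is unlinked. It assumes the GroupPolicy module (RSAT on Windows 7, or Server 2008 R2 and later) and a user who can read all GPOs; `$OutDir` is a placeholder path.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module; $OutDir is a placeholder.
Import-Module GroupPolicy
$OutDir = 'C:\GPO-Inventory'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$inventory = foreach ($gpo in Get-GPO -All) {
    # Full settings report: HTML for reading, XML for scripting
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $OutDir "$safeName.html")
    $xml = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)

    # Where is it linked? An unlinked GPO is dead weight; one linked at the domain
    # root with no WMI filter will hit the new Windows 7 machines as well.
    $links = @($xml.GPO.LinksTo | ForEach-Object {
        $suffix = if ($_.Enabled -eq 'false') { ' (link disabled)' } else { '' }
        '{0}{1}' -f $_.SOMPath, $suffix
    })

    [pscustomobject]@{
        Name        = $gpo.DisplayName
        Guid        = $gpo.Id
        Status      = $gpo.GpoStatus      # AllSettingsEnabled, ComputerSettingsDisabled, ...
        WmiFilter   = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
        Created     = $gpo.CreationTime
        Modified    = $gpo.ModificationTime
        LinkCount   = $links.Count
        Links       = $links -join '; '
        HasComputer = [bool]$xml.GPO.Computer.ExtensionData   # any computer-side settings present?
        HasUser     = [bool]$xml.GPO.User.ExtensionData       # any user-side settings present?
    }
}

$inventory | Export-Csv -Path (Join-Path $OutDir 'gpo-inventory.csv') -NoTypeInformation
# GPOs that are linked nowhere are the first candidates to drop before the migration
$inventory | Where-Object { $_.LinkCount -eq 0 } | Select-Object Name, Guid
```

The CSV is the thing to hand to whoever ends up owning the Windows 7 GPOs: with a few hundred GPOs, the `Links` and `WmiFilter` columns are what tell you which ones will actually reach the new OS and which are historical leftovers.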
Bl8ckr0uter wrote: » But I can't P2V it while it is running without anyone noticing lol.
Bl8ckr0uter wrote: » Apparently a few hundred or so.
dynamik wrote: » I'm not following you. Are you trying to do this without other admins noticing, or are you worried about performance issues?
dynamik wrote: » I don't envy you at all. How many users and systems do you have?
t3ch_guru wrote: » I normally use disk2vhd for virtualizing a production server. If you don't want him to find out, why not run it after hours or something and redirect it to your box? Is your shop 24/7 or something?
Bl8ckr0uter wrote: » Wouldn't I need to SID-scramble and all sorts of stuff? That seems to be much more difficult than building a new box and starting fresh.
dynamik wrote: » Your test network should be completely isolated from your production network, so that should never be an issue. You might want to review your licensing agreements though.
Bl8ckr0uter wrote: » Basically I don't want the other admin to know I started working on this because this is supposed to be his domain, but the boss came to me and told me to start working on this. I know if I mention this he is going to railroad me and start telling me how he has been doing GPOs for years and he is going to take care of it. Sigh...
Paul Boz wrote: » Dude screw your co worker. If he gives you **** tell him to take it up the chain.
Bl8ckr0uter wrote: » Here is a dumb question: When the server is cloned, does it copy the network configuration as well? So would it copy my ipconfig settings and MAC address, or does it strip that out since the MACs should change (to the virtual MAC of the virtual NIC)?
Devilsbane wrote: » If you had a static address, it will stay with the clone (so make sure your first boot is without network access so you can change that without having a duplicate IP on the network). The MAC will change (unless you are MAC spoofing, and then it might stay, not sure). If you have DHCP enabled, then the DHCP server will see the new MAC and assign a new IP.
Bl8ckr0uter wrote: » Lol hell yea. It may have to come to that. I am reading the STIGs now for Win7 (thanks rwmidl). I will document what our GPOs are now and what they are doing later today.
Bl8ckr0uter wrote: » That's what I thought. So when it P2Vs it does clone the network configuration. Interesting.
rwmidl wrote: » One suggestion, if you aren't doing it now: break out your GPOs into different "sections", i.e. account policies, file permissions, system services, system policies, etc. You end up with "more" GPOs, but when you are implementing them you can manage them a bit better. If something breaks you can then turn off that one GPO while you troubleshoot which portion of it could be causing the problem. Also check out the FDCC guidelines from NIST. I believe NIST has VHDs of FDCC-compliant systems available - you could download one, throw it in a VM and then load any company-specific applications and see if they still work or not.
RobertKaucher wrote: » Actually it does, but since the card is no longer installed you don't see it. I have had this issue before where I take a server with a static IP, do a P2V using some tool, and then add a new network card and attempt to give it the old IP address, and the system complains that that address has been assigned to another card and could cause a conflict in the future. I clean it up and continue on. But it is not that the network configuration is not cloned; it's that you have essentially installed a new NIC as far as the DHCP server is concerned. Imagine if it did clone the MAC into the new NIC. It would cause hell on the LAN.
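The ghost-NIC situation the two posts above describe, as an added example that is not part of the thread: after a P2V the old physical NIC is gone, but its static address still sits in the registry under that NIC's interface GUID, which is why `ipconfig /all` shows nothing and yet Windows complains when you give the new virtual NIC the same IP. This script lists every interface that has a static address and flags the ones whose adapter is no longer present, with a helper that clears the stale addressing. Run it on the clone with the virtual NIC disconnected, as the first-boot advice above says, before the VM touches any network. The function names are hypothetical and the registry path is the standard TCP/IP interface key.

```powershell
# Added example, not from the thread. Hypothetical helper names; the registry path is
# the standard location Windows keeps per-interface TCP/IP settings.
$ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-StaticIpInterfaces {
    # SettingID on Win32_NetworkAdapterConfiguration is the same GUID used as the
    # registry subkey name. A subkey with a static IP and no matching present
    # adapter is the ghost NIC left behind by the P2V.
    $present = @{}
    Get-WmiObject Win32_NetworkAdapterConfiguration | ForEach-Object {
        $present[$_.SettingID.ToLower()] = $_.Description
    }
    Get-ChildItem $ifaceKey | ForEach-Object {
        $guid = $_.PSChildName.ToLower()
        $p    = Get-ItemProperty $_.PSPath
        $dhcp = ($p.EnableDHCP -eq 1)
        # DHCP interfaces usually carry 0.0.0.0 here; ignore that
        $ips  = @($p.IPAddress | Where-Object { $_ -and $_ -ne '0.0.0.0' })
        if (-not $dhcp -and $ips.Count -gt 0) {
            [pscustomobject]@{
                InterfaceGuid = $guid
                Adapter       = if ($present.ContainsKey($guid)) { $present[$guid] } else { '<not present: ghost NIC>' }
                IsGhost       = -not $present.ContainsKey($guid)
                IPAddress     = $ips -join ','
                Gateway       = @($p.DefaultGateway) -join ','
            }
        }
    }
}

function Clear-GhostStaticIp {
    param([Parameter(Mandatory)][string]$InterfaceGuid)
    # Remove only the addressing values so the stale IP cannot resurface; the
    # subkey itself is harmless once it holds no static address.
    $path = Join-Path $ifaceKey $InterfaceGuid
    foreach ($v in 'IPAddress', 'SubnetMask', 'DefaultGateway', 'NameServer') {
        Remove-ItemProperty -Path $path -Name $v -ErrorAction SilentlyContinue
    }
    Set-ItemProperty -Path $path -Name EnableDHCP -Value 1 -Type DWord
}

Get-StaticIpInterfaces | Format-Table -AutoSize
# Review the output, then clear only the rows flagged as ghosts:
# Get-StaticIpInterfaces | Where-Object { $_.IsGhost } | ForEach-Object { Clear-GhostStaticIp $_.InterfaceGuid }
```

The same check is useful on the production side of the story: if the clone ever did boot with the old static address on a connected NIC, the duplicate-IP warning on the real DC is the symptom, and this is the quickest way to prove which GUID the address came from.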
Bl8ckr0uter wrote: » My main concern is that when I put the VM in my own ESXi server it will somehow interfere with the production network. The network isn't that stable as it is so I really don't want to screw with it. We have some DNS issues which the other guy is working on (I think).