Installing the GPMC on another server

At first glance, this heading might not make any sense. If all of my Group Policy data is stored on the DCs, and the GPMC gets installed by default on my DCs, why would I need to worry about installing the GPMC somewhere else? Won't I just log into a DC and launch the GPMC? Easy peasy, right?

DCs are critically important servers, arguably the most important servers in any network. They contain information that would be considered "keys to the kingdom," and security teams are devoting more and more time and effort to making sure that their directory servers (DCs) are locked down and accessed only on an as-needed basis. In the past, pretty much anyone who worked in IT had a domain admin account that allowed them to log into anything, and do anything on those systems. While I still see many organizations operating under this mentality (please stop!), everyone really should consider this to be a terrible security practice, and put much more effort into making sure that user accounts are locked out of the things that they don't need to access. This includes IT user accounts.

All that to say—you may not have access to log into a DC server, even if you are an Active Directory administrator within a company. If that turns out to be the case now or in the near future, you'll still need a way to perform your daily duties within Active Directory and Group Policy, and this is where we start discussing the launching of the GPMC on a device other than a DC server.

Fortunately, tapping into Group Policy from a non-domain controller is super easy. Do you remember back when we prepped the test lab? When we were specifying that we wanted to install the Active Directory Domain Services role, we double-checked on the next screen (the Features screen) that there was an automatic checkmark placed next to Group Policy Management. That feature is all that is required to install and use the Group Policy Management Console on any domain-joined Windows server within your network.

I just spun up a new server in my test lab. This one is called WEB1, because perhaps someday I will use it as a web server. For now, I am simply going to use it as a management box to tap into Group Policy settings. After installing the operating system on WEB1, I gave it an IP address (making sure to specify DC1's IP as the Preferred DNS server, just as I did on my LAPTOP1), and then I joined it to the mydomain.local domain.

Now inside Add Roles and Features, I proceed on to the Select features screen, and check the box next to Group Policy Management. This is the only piece needed to manage Group Policy settings from this WEB1 server:

Figure 2.10

Once the feature finishes installing, the Group Policy Management Console is fully functional on WEB1 and I can launch it in any of the standard ways: via the Start menu, Server Manager, snapping it into the MMC, or even running GPMC.MSC. Since I joined WEB1 to the domain, when we launch the GPMC, it automatically communicates with the domain, and knows that it needs to pull information from DC1:

Figure 2.11

An alternative to running through the Add Roles and Features wizard would be opening up a PowerShell prompt on this server and issuing the following command in order to quickly install the GPMC:

Add-WindowsFeature GPMC

In an environment where you are running multiple DCs, it is sometimes necessary to connect the GPMC to a particular DC, or at least to a particular site, to check the information that exists in that site. Active Directory (and therefore Group Policy) information gets automatically replicated between DCs, including across geographical sites, but sometimes this replication process takes a number of minutes or even hours, depending on the site construction of your network. There may be cases where you want to launch the GPMC and connect it directly to a particular DC, for example, if you are inputting some settings for a branch office and you want computers in that office to start receiving those settings immediately. New settings entered on a DC in your primary site will eventually make their way over to the branch office, but if there is a DC in the branch office, you can connect directly to that DC and make the changes, and they will replicate out from there instead. This puts those changes "closer to home" right off the bat, so the client computers in the branch office can start receiving those settings sooner.

To force the GPMC to connect to a particular DC, open it up and then expand out the tree until you can see the Domains folder, with the name of your domain listed underneath. Simply right-click on the name of your domain, and choose the option for Change Domain Controller...:

Inside the Change Domain Controller screen, you have a number of options for connecting to other DCs within your domain network. The easiest way to select a particular server is seen at the bottom of the following screenshot, under the This domain controller section. As you can see, I still only have one DC in my test lab, but if there were any additional DCs in my environment, they would be listed here automatically:
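The same idea of pointing Group Policy tooling at one specific DC can be scripted from the management server. The following is an added example, not part of the original text: it asks every DC in the domain for its own copy of each GPO and reports the GPOs whose version counters have not yet converged, which shows whether a change has replicated to a branch-office DC. It assumes an elevated PowerShell session on a domain-joined Windows server such as WEB1 and an account that is allowed to read GPOs.

```powershell
# Added example. Assumes a domain-joined Windows server and read access to GPOs.

# Install the GPMC feature only if it is missing; it also supplies the GroupPolicy module.
if (-not (Get-WindowsFeature -Name GPMC).Installed) {
    Add-WindowsFeature GPMC | Out-Null
}
Import-Module GroupPolicy

# List every DC in the current domain with its AD site. The .NET class is used
# so that no additional RSAT module has to be installed on the management box.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | Select-Object Name, SiteName

# Query each DC directly (-Server) and record the AD and SYSVOL version counters.
$rows = foreach ($dc in $dcs) {
    Get-GPO -All -Domain $domain.Name -Server $dc.Name | ForEach-Object {
        [pscustomobject]@{
            Id         = $_.Id
            GPO        = $_.DisplayName
            DC         = $dc.Name
            Site       = $dc.SiteName
            Modified   = $_.ModificationTime
            ComputerAD = $_.Computer.DSVersion
            ComputerSV = $_.Computer.SysvolVersion
            UserAD     = $_.User.DSVersion
            UserSV     = $_.User.SysvolVersion
        }
    }
}

# A GPO is fully replicated when every DC reports identical counters and, on each
# DC, the AD counter matches the SYSVOL counter. Keep only the GPOs that are not.
$drift = $rows | Group-Object Id | Where-Object {
    $keys = $_.Group | ForEach-Object {
        '{0}/{1}/{2}/{3}' -f $_.ComputerAD, $_.ComputerSV, $_.UserAD, $_.UserSV
    }
    $split = $_.Group | Where-Object {
        $_.ComputerAD -ne $_.ComputerSV -or $_.UserAD -ne $_.UserSV
    }
    @($keys | Sort-Object -Unique).Count -gt 1 -or [bool]$split
}

$drift.Group | Sort-Object GPO, DC |
    Format-Table GPO, DC, Site, Modified, ComputerAD, ComputerSV, UserAD, UserSV -AutoSize
```

In a single-DC lab like the one described here the table is empty; with several DCs, any row that appears identifies a DC that is still serving an older copy of that GPO.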