5.9 Synchronizing GPOs

GPA enables you to match multiple copies of a GPO to a single GPO known as a master GPO. A master GPO is one you select to use as a controlling source for other GPOs. The GPOs you select to match the master GPO are controlled GPOs. The process of matching controlled GPOs to a master GPO is called GPO synchronization.

5.9.1 Understanding GPO Synchronization

You can use GPO synchronization to ensure the consistency of GPOs across your Active Directory environment. Depending upon how you choose to implement Group Policy, you may need to deploy copies of a particular GPO to multiple computers, sites, domains, and OUs. Over time, these GPO copies may be modified and become inconsistent with the original GPO. By defining the original GPO as a master GPO and then making each copy a controlled GPO, you can use GPO synchronization to ensure every controlled GPO remains consistent with the master GPO.

GPA provides two other tools you can use in conjunction with GPO synchronization to help you manage GPOs:

  • Enterprise Consistency Check

  • Scheduled GPO Export wizard

The Enterprise Consistency Check identifies any difference between master and controlled GPOs so you can establish which GPOs need to be synchronized. Once you have identified and synchronized GPOs, you can use the Scheduled GPO Export wizard to export the GPOs to Active Directory automatically at a specific time.

A typical workflow for synchronizing GPOs includes the following steps:

  1. Perform an Enterprise Consistency Check to identify controlled GPOs that are no longer synchronized to their master GPOs.

  2. Perform a GPO synchronization to synchronize the controlled and master GPOs.

  3. Run the Scheduled GPO Export wizard to export the synchronized GPOs to your production Active Directory environment.

For more information about the Enterprise Consistency Check report, see Section 7.5, Analyzing Multi-Domain GPOs against a Master GPO. For more information about the Scheduled GPO Export wizard, see Section 5.8.6, Scheduling GPOs for Export.

5.9.2 Performing a GPO Synchronization

The following procedure describes how to specify master and controlled GPOs and perform a GPO synchronization to match the controlled GPOs to the master GPO. This process synchronizes controlled GPOs to master GPOs in the GP Repository only. To ensure your Active Directory environment remains synchronized, you must export the GPOs you synchronized in the GP Repository to Active Directory. For more information about exporting GPOs, see Section 5.8, Exporting GPOs.

To synchronize GPOs:

  1. Log on to the GPA Console computer with an account that has GPO synchronization permissions.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Repository.

  4. Expand the appropriate domain hierarchy to the GPO you want to identify as a master GPO, and then select the GPO.

  5. On the Action menu, click Properties.

  6. Click the GPO Sync Options tab.

  7. Select the Make this GPO a master GPO check box, and then click OK.

  8. Click the Synchronization tab in the GPO result view.

  9. To select controlled GPOs for this master GPO, click Add.

  10. If you want to select GPOs from the GP Repository, accept the default selection, and then click OK.

  11. If you want to select GPOs from an Enterprise Consistency Check report XML file, select ECC Wizard XML file, and then browse to the location of the file.

  12. If you want to determine whether the controlled GPOs are in sync with the master GPO, select the controlled GPOs you want to check, and then click Run Sync Report. GPA generates an Enterprise Consistency Check report on the master GPO and the selected controlled GPOs in the GP Repository. For more information about the Enterprise Consistency Check report, see Section 7.5, Analyzing Multi-Domain GPOs against a Master GPO.

    NOTE: The GPA console disables the Run Sync Report button on the Synchronization tab for GPOs in untrusted domains in the GP Repository. However, you can generate these reports from a GPA console installed on a computer in the untrusted domain.

  13. If you want to update the domain map for a controlled GPO and ensure the Active Directory links for these controlled GPOs are synchronized with the master GPO, select the GPO and click Update Domain Map. You do not need to perform this step for a controlled GPO if the Mapped column indicates Yes. For more information about updating domain maps, see Step 8 of Section 5.10.3, Migrating a GPO Between GP Repository Domains.

  14. If you want to synchronize a controlled GPO with the master GPO, select the controlled GPO and click Synchronize. You do not need to perform this step if the In Sync column indicates Yes.

    NOTE:

    • If any controlled GPOs are in untrusted domains, you must provide credentials with domain administrator permissions for each untrusted domain.

    • If you want to synchronize the forest root default domain policy with the default domain controller policies, including the default domain policies in the child domains, you need to first create a custom policy in each domain and then synchronize these policies because these GPOs have the same GUID.
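Because synchronization changes only the GP Repository, it is worth confirming after export that the production copies in Active Directory actually match. The following is an added example, not part of GPA or its documentation: it uses Microsoft's GroupPolicy PowerShell module to hash the configured settings of each live GPO and compare them with the master. The GPO names and domains are placeholders.

```powershell
# Added example: uses Microsoft's GroupPolicy module (RSAT), not GPA.
Import-Module GroupPolicy

function Get-GpoSettingsHash {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Domain
    )
    # Without -Path, Get-GPOReport returns the report XML as a string.
    [xml]$report = Get-GPOReport -Name $Name -Domain $Domain -ReportType Xml

    # Keep only the ExtensionData nodes (the configured settings). GUID,
    # version numbers, timestamps and links differ between copies by design.
    $parts = foreach ($node in $report.SelectNodes("//*[local-name()='ExtensionData']")) {
        # Prefix with the parent (Computer or User) so the two sides stay distinct.
        '{0}:{1}' -f $node.ParentNode.LocalName, $node.OuterXml
    }
    # Sort so the hash does not depend on the order extensions are reported in.
    $text = (@($parts) | Sort-Object) -join "`n"

    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($text))
        return ([System.BitConverter]::ToString($bytes) -replace '-', '')
    } finally {
        $sha.Dispose()
    }
}

# Placeholder names: replace with your master GPO and its controlled copies.
$master     = @{ Name = 'Workstation Baseline'; Domain = 'corp.example.com' }
$controlled = @(
    @{ Name = 'Workstation Baseline'; Domain = 'emea.corp.example.com' },
    @{ Name = 'Workstation Baseline'; Domain = 'apac.corp.example.com' }
)

$masterHash = Get-GpoSettingsHash @master
foreach ($gpo in $controlled) {
    [pscustomobject]@{
        Domain        = $gpo.Domain
        GPO           = $gpo.Name
        MatchesMaster = ((Get-GpoSettingsHash @gpo) -eq $masterHash)
    }
}
```

Settings that reference domain-specific objects, such as group names or SIDs, hash differently even when the copies are intentionally equivalent, so treat a `False` result as a prompt to run the Enterprise Consistency Check report rather than as proof of drift.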

5.9.3 Synchronizing GPO Link Order Using the Offline Mirror Wizard

Use the Offline Mirror wizard to synchronize the GPO link order of repository GPOs with either the relative GPO link order in AD or the GP Repository.

NOTE: The Synchronize GPO Link Order tool, NqGPASyncLinkOrder.exe, also synchronizes link order from the command line. GPA installs this tool in the \Tools folder under the product installation path. For more information, see Section A.10.24, Synchronize GPO Link Order.

To synchronize the GPO link order between Active Directory and the GP Repository using the wizard:

  1. Run the Offline Mirror wizard on the domain where you have GPOs for which you want to synchronize the link order. For more information on using the Offline Mirror wizard, see Section 5.4.2, Importing All GPOs Linked to Any AD Container in an AD Domain (Creating an Offline Mirror).

  2. Select the scope, including the domain and OUs. Select the option to import GPOs if you plan to update the repository with GPOs from the specified domain.

  3. On the Link Order Options window of the Offline Mirror wizard, select Sync Link Order and specify whether you want the wizard to synchronize GPO link orders based on the GP Repository or AD.

  4. Complete the rest of the wizard windows, then view the status of the sync link order process from the Status window.