5.10 Migrating GPOs

GPA allows you to migrate a GPO in the GP Repository from one domain to another. For example, you can migrate a GPO from a production domain in the GP Repository to a test domain in the GP Repository. You can then modify and evaluate the GPO in the test domain before you implement the GPO in your production Active Directory environment. You migrate GPOs between GP Repository domains with the GPO Migration wizard. You can also map the source domains from which you want to migrate GPOs before you start the GPO Migration wizard. For more information about mapping source domain information, see Section 5.10.2, Mapping Source Domain Information.

One of the key challenges when migrating GPOs from one domain to another is that some information in the GPO is specific to the domain to which the GPO is linked. When you transfer the GPO to a new domain, it may not be possible to use the same settings. Settings that are specific to a domain include references to Universal Naming Convention (UNC) paths, GPO links to a specific container, and security principals such as users, groups, and computers.

You can use a single GP Repository to manage GPOs from multiple domains. Most organizations with Active Directory implementations maintain separate test and production domains for their regular operations. They carry out changes to GPOs in their test environments and then move the tested GPOs into the production domains. For more information about test and production domains, see Section 1.2.2, Understanding Test and Production Environments.

5.10.1 Understanding Migration Tables

A migration table allows you to map references to GPO settings from the source GPO to new values in the destination GPO. A migration table consists of one or more mapping entries. Each mapping entry consists of a type, source reference, and destination reference.

Migration tables store the mapping information in XML format and have the file name extension .migtable. You can create migration tables using the Migration Table Editor (MTE) that is available with GPMC. The MTE is a convenient tool for viewing and editing migration tables if you are not familiar with XML.

5.10.2 Mapping Source Domain Information

You can map source domain information to the target domain using the information available in migration tables. The migration table allows you to map all default settings from the source domain to the target domain.

After you map the default settings, you do not need to map this information again when you migrate GPOs between domains. For more information about migrating GPOs between domains, see Section 5.10.3, Migrating a GPO Between GP Repository Domains.

To map source domain information:

  1. Log on to the GPA Console computer with an account that has GPA Security or GPO Editor permissions.

  2. Start the GPA Console in the Group Policy Administrator program folder.

  3. In the left pane, expand GP Repository to the domain you want to map, and then select the domain.

  4. On the Action menu, click Properties.

  5. If you want to add mapping information from another migration table, on the Map tab, click Load.

    1. Browse to and select the migration table you want to use.

    2. Click Open.

  6. If you want to save the changes to the migration table locally, on the Map tab, click Save.

    1. Browse to the folder where you want to save the migration table.

    2. Click Save.

  7. Click Apply, and then click OK.

5.10.3 Migrating a GPO Between GP Repository Domains

The GP Repository supports the following migration scenarios:

  • Migrating GPOs between trusted domains in the same or different forests

  • Migrating GPOs between untrusted domains in the same or different forests

GPA stores GPO mapping information in the GP Repository. You only need to define the mapping information the first time you migrate a GPO. During subsequent migrations, you only need to update the mapping information as required.

To migrate a GPO from one GP Repository domain to another with the GPO Migration wizard:

  1. Log on to the GPA Console computer with an account that has permissions to migrate GPOs.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. Expand GP Repository to the level of the GPO you want to migrate.

  4. Select the source GPO you want to migrate.

  5. On the Action menu, click Migrate GPO.

  6. Select whether you want to create a new GPO or update an existing GPO, and then click Next.

  7. Specify the target domain and category information. If you are updating an existing GPO, you must also specify the GPO to replace.

    NOTE: If you are migrating a GPO to an untrusted domain, you need to provide user credentials in the untrusted domain that have the permission to create GPOs.

  8. If you want to modify an existing domain map or add a new domain map, click Edit Domain Map, modify the map for each tab as appropriate, and then click OK:

    • To modify a mapping, double-click any entry you want to modify, and then follow the instructions on the window.

    • To delete a mapping, select the entry and click Clear.

    • To reset all mappings to the default, click Reset.

      NOTE: If you are modifying the AD links mapping, ensure both the source and target domains are the same.

  9. Click Next.

  10. Review the summary information to confirm you have not left any portions of the GPO unmapped.

    NOTE:

    • Be sure you have not left any security account unmapped. If a source GPO contains a security account you have not mapped to a corresponding target account, the migration process ignores that particular security account and proceeds with the rest of the migration. Important security information could be lost in the process, which could cause problems when exporting the GPO to Active Directory.

    • Any Active Directory object that does not have corresponding mapping information in the target domain is not linked in the target domain.

  11. Click Finish.

You can then export GPOs you have migrated to a production domain in the GP Repository directly to the corresponding Active Directory production domain.
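The following added example is not part of the GPA product or its documentation. It reads a migration table as described in Section 5.10.1 and reports the condition the note in step 10 warns about: security principals that have no mapping entry, no destination, or a destination still in the source domain. It assumes the GPMC migration table element names, NetBIOS-style account names, and a hypothetical list of the principals the source GPO references; how GPA itself treats each destination option is not stated on this page.

```python
import xml.etree.ElementTree as ET

# XML namespace of GPMC migration tables (.migtable files).
NS = {"mt": "http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable"}
PRINCIPAL_TYPES = {"User", "Computer", "LocalGroup", "GlobalGroup",
                   "UniversalGroup", "Unknown"}  # Unknown kept to be conservative
# Constructed sample table; TEST and PROD are hypothetical domains.
SAMPLE = r"""<?xml version="1.0"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping><Type>GlobalGroup</Type><Source>TEST\Helpdesk</Source>
    <Destination>PROD\Helpdesk</Destination></Mapping>
  <Mapping><Type>User</Type><Source>TEST\svc-deploy</Source>
    <DestinationSameAsSource /></Mapping>
  <Mapping><Type>GlobalGroup</Type><Source>TEST\Server Admins</Source>
    <DestinationNone /></Mapping>
  <Mapping><Type>UNCPath</Type><Source>\\test-fs01\scripts</Source>
    <Destination>\\prod-fs01\scripts</Destination></Mapping>
</MigrationTable>"""
# Constructed list of security principals the source GPO references (assumption).
GPO_PRINCIPALS = ["TEST\\Helpdesk", "TEST\\svc-deploy", "TEST\\Server Admins", "TEST\\Backup Operators"]

def parse_mappings(xml_text):
    """Return (type, source, destination kind, destination) per mapping entry."""
    rows = []
    for m in ET.fromstring(xml_text).findall("mt:Mapping", NS):
        mtype = m.findtext("mt:Type", default="", namespaces=NS).strip()
        source = m.findtext("mt:Source", default="", namespaces=NS).strip()
        dest = m.find("mt:Destination", NS)
        if dest is not None:
            kind, value = "explicit", (dest.text or "").strip()
        else:  # option element such as DestinationNone, or nothing at all
            opts = [c.tag.rsplit("}", 1)[-1] for c in m if "}Destination" in c.tag]
            kind, value = (opts[0] if opts else "missing"), None
        rows.append((mtype, source, kind, value))
    return rows

def audit(xml_text, source_domain, gpo_principals):
    """List principals with no entry, no destination, or an unchanged one."""
    rows = [r for r in parse_mappings(xml_text) if r[0] in PRINCIPAL_TYPES]
    mapped = {source.lower() for _, source, _, _ in rows}
    findings = [(p, "no mapping entry") for p in gpo_principals if p.lower() not in mapped]
    prefix = source_domain.lower() + "\\"
    for _, source, kind, value in rows:
        if kind in ("DestinationNone", "missing"):
            findings.append((source, "no destination set"))
        elif kind == "DestinationSameAsSource" or (value or "").lower().startswith(prefix):
            findings.append((source, "destination still in source domain"))
    return findings
if __name__ == "__main__":
    print(audit(SAMPLE, "TEST", GPO_PRINCIPALS))
```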