As a follow-on to my last blog post, here’s another interesting Group Policy Backup scenario to keep in mind. A user emailed that they were having problems importing a GPO backup that was created on a test Server 2008-R2 AD domain, into a Server 2003 AD domain. Theoretically this should work OK, but the user was getting nondescript errors about directory attributes not being found when they tried the import. I scratched my head for a bit on this one and then it hit me! I asked the following question, “Are you using Wired or Wireless Policy within that GPO on the 2008-R2 domain?” His answer was a resounding “YES”, and then I knew where the problem was.
Microsoft makes decisions about where to store GP settings for each policy area (e.g. registry, security, folder redirection, etc.) based on the amount and type of data they need to store. In some cases, like registry policy, the settings are stored in files in the SYSVOL part of the GPO, called the Group Policy Template, or GPT. In other cases, like the new Wired and Wireless policies that were first introduced in Server 2008, those settings are stored in the AD part of the GPO, called the Group Policy Container, or GPC. In order to store these settings in AD, Microsoft often introduces new schema classes and attributes to AD to accommodate the setting types. In fact, that is exactly what was happening here.
The user was creating the GPO settings in a version of AD that contained these newer schema extensions, and then tried importing those backed-up GPOs into a version of AD that did not. The result was the failure they saw. All it took to resolve was to update the Server 2003 AD schema to at least the Server 2008 version, and the import worked. There was no need to upgrade their DCs to accommodate the newer settings–all that was needed was the proper schema extensions and all was well (of course, they still need clients that can process those newer settings–in this case Vista and later).
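
A pre-import check for the situation described above, as an added example that is not part of the original post: it reads the target domain's schema version and looks for the wired and wireless Group Policy classes before you attempt the import. The DC name is a hypothetical placeholder; the class names are the wireless and wired Group Policy classes from the Windows Server 2008 schema.

```powershell
# Added example: run against the TARGET domain before importing the GPO backup.
# Uses ADSI over plain LDAP, so no AD PowerShell module is needed on the target side.
param(
    [string]$Server = 'dc01.target.example'   # hypothetical DC in the target domain
)

# objectVersion on the schema naming context:
# 30 = Server 2003, 31 = 2003 R2, 44 = Server 2008, 47 = Server 2008 R2.
$MinSchemaVersion = 44

# Schema classes that hold wireless and wired policy settings in the GPC.
$RequiredClasses = @(
    'ms-net-ieee-80211-GroupPolicy',
    'ms-net-ieee-8023-GroupPolicy'
)

function Test-GpcSchemaReadiness {
    param([string]$Server, [int]$MinVersion, [string[]]$ClassNames)

    # Locate the schema partition through RootDSE, then read its version.
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value
    $schema   = [ADSI]"LDAP://$Server/$schemaNc"
    $version  = [int]$schema.Properties['objectVersion'].Value

    # Class definitions are direct children of the schema container.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel

    $missing = @()
    foreach ($name in $ClassNames) {
        $searcher.Filter = "(&(objectClass=classSchema)(cn=$name))"
        if (-not $searcher.FindOne()) { $missing += $name }
    }

    [pscustomobject]@{
        Server         = $Server
        SchemaVersion  = $version
        VersionOk      = ($version -ge $MinVersion)
        MissingClasses = $missing
        ReadyForImport = ($version -ge $MinVersion) -and ($missing.Count -eq 0)
    }
}

$result = Test-GpcSchemaReadiness -Server $Server -MinVersion $MinSchemaVersion -ClassNames $RequiredClasses
$result | Format-List
if (-not $result.ReadyForImport) {
    Write-Warning "Schema on $Server is missing extensions needed by GPC-stored settings; update the schema before importing."
}
```

Running the same script against the source domain gives a baseline to compare with, which turns the vague "attribute not found" import error into a concrete schema difference.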