Overview

This article describes a method to support the installation of multiple versions of SYNERGIX AD Client Extensions in an Active Directory domain environment. Working knowledge of Active Directory Domain Services, Group Policy Objects, Security Filtering, WMI Filtering, Delegation and use of GPMC console is required.

 

Purpose

SYNERGIX AD Client Extensions continues to evolve with additional features.   Current customers may be interested in first piloting the new release ( see announcements )  and then, deploying it in a phased manner in their production environment, where previous release of AD Client Extensions 2012 is already deployed.

All versions of SYNERGIX AD Client Extensions are fully managed using the Administrative Template. For the purpose of configuring a GPO, you must always use the matching Administrative Template file that is provided with the package.  This can present bit of a challenge when you wish to have multiple versions deployed in the same Active Directory domain environment and must manage two GPOs, one for current version and  another in preparation of deployment of new version.

This article outlines an approach using Group Policy Objects and implementing Security Filtering or WMI Filtering.  Customers may device alternate methods, as long as it is ensured that specific version of the software is operating with matching Administrative Template file.

  

Scenario

For the purpose of this implementation, we will make references to various objects in Active Directory.  

 

	Forest Root Domain		SYNERGIX.DS
	Child Domain ( 1 )		AMRS.SYNERGIX.DS
	Child Domain ( 2 )		EMEA.SYNERGIX.DS
	Current GPO name		SYNERGIX ADCE Managed Computers Policy
	Current GPO Security Filtering Option		SYNERGIX ADCE Managed Computers
	New GPO name		SYNERGIX ADCE 14 Managed Computers Policy
	New GPO Security Filtering Option		SYNERGIX ADCE 14 Managed Computers

 

Implementation

 

Create new Security Group

1. Login to a domain computer that has RSAT installed.  Your account must have permission to create and to edit a security group.
2. Launch DSA.MSC
3. Create a security group called "SYNERGIX ADCE 14 Managed Computers".  You may choose to leave the group type as default i.e. 'Domain Global Group"

Create new Group Policy Object

1. Launch GPMC.MSC
2. Select the domain container or an OU that contains computer objects that fall within scope of AD Client Extensions deployment
3. Create a linked GPO called "SYNERGIX ADCE 14 Managed Computers"

Optionally, you can start by selecting the "Group Policy Objects" container in GPMC and create an unlinked GPO.  The unlinked GPO can be linked later on to the domain container or OU(s)

1. Select the newly created GPO
2. Under the 'Security Filtering' section, click on Add button
3. Type the name of the new security group name created in previous step i.e. 'SYNERGIX ADCE 14 Managed Computers".  Click on 'Check Names' to validate the security group name entry. Click on OK.
4. Under the 'Security Filtering' section, select 'Authenticated Users' entry and then, click on Remove button.
5. Edit the Group Policy Object
6. Under Computer Configuration, expand the Administrative Templates branch and then, navigate down to SYNERGIX AD Client Extensions settings
7. Minimally, configure the Product Activation Key and any other setting that you wish to begin your deployment with.

The above changes will ensure that the new GPO settings will only apply to domain computers that are member of the 'SYNERGIX ADCE 14 Managed Computers' group. 

 

Configure GPO Link Order

Next, we have to ensure that the current GPO i.e. "SYNERGIX ADCE Managed Computers Policy" does not apply to domain computers that will have the AD Client Extensions software upgraded.  This can be managed by using the GPO Link Order.

1. Select the OU that has both the policy objects "SYNERGIX ADCE Managed Computers" and the new "SYNERGIX ADCE 14 Managed Computers" linked.
2. Select the "Linked Group Policy Objects" tab.  Notice the 'Link Order'.
3. Using the down arrow or the up arrow control image on the left, ensure the new GPO "SYNERGIX ADCE 14 Managed Computers Policy" is higher on the list i.e. lower GPO Link Order number on the list as compared to current GPO "SYNERGIX ADCE Managed Computers Policy"

Validation 

1. Login to a domain computer that has prior release of SYNERGIX AD Client Extensions installed
2. Run GPUPDATE /FORCE. This should bring down the policy settings.
3. Run RSOP.MSC or GPRESULT  /VERBOSE and verify that the new GPO "SYNERGIX ADCE 14 Managed Computers" has been filtered out

 

1. Login to a domain computer that will have SYNERGIX AD Client Extensions latest version installed
2. Run GPUPDATE /FORCE. This should bring down the policy settings.
3. Run RSOP.MSC or GPRESULT /VERBOSE and verify that the new GPO "SYNERGIX ADCE 14 Managed Computers" is applied.

Upon validating that only the selected computers are receiving new GPO settings, you may begin to upgrade AD Client Extensions software on them. When upgrading to next major version, it is highly recommended that you first remove prior version completely and then, install the latest version.

 

For additional support on this article, please open a support incident via our product support portal