AGPM does require a server-side
installation. This installs the AGPM Service on the selected
server; the service communicates with the production version of the GPOs.
Because AGPM provides offline editing of the GPOs, it must be able to
get a copy of the GPO from the production domain controllers and then
put the updated GPOs into production. The service provides this
functionality.

In addition to the service, installation of AGPM on the server creates the archive for the GPOs. The default location should meet the following criteria:

The archive does not require, nor does it support, any SQL or database. However, there must be enough room on your AGPM server to support the historical archive. The sizing of AGPM is rather easy to determine, as long as you know how many GPOs you have (available through the GPMC) and how often you modify GPOs. Because AGPM only duplicates the Group Policy template (GPT), you can find the size of each GPO’s GPT to calculate the overall size needed.

Table 1 offers a sample calculation for sizing the archive on the AGPM server. This example focuses on a domain environment running Windows Server 2008, which does not store the .adm templates in the GPT.

Table 1. Windows Server 2008 Domain AGPM Server Sizing Example

| Number of GPOs in Production | Average Size of GPOs | Average Number of Changes to GPOs in One Year | Size for Storing One Year of Changes | Size for Storing Five Years of Changes |
|---|---|---|---|---|
| 500 | 5 KB | 5 | 12.5 MB | 62.5 MB |

If you have a legacy Active Directory installation and are still using domain controllers running Windows 2000 or Windows Server 2003, you will still have your .adm files stored in the GPT. The calculation for the AGPM server in this case is quite different, because the size of the archive must include a copy of the .adm files for each archive point. Table 2 illustrates a sample calculation for this environment.

Table 2. Windows 2000 or Windows Server 2003 Domain AGPM Server Sizing Example

| Number of GPOs in Production | Average Size of GPOs | Average Number of Changes to GPOs in One Year | Size for Storing One Year of Changes | Size for Storing Five Years of Changes |
|---|---|---|---|---|
| 500 | 4 MB | 5 | 10 GB | 50 GB |

These calculations are for storing only the archived GPOs. The server must also have enough disk space for the operating system and anything else that will run on it.
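
The rule behind both tables (number of GPOs × average GPT size × changes per year) can be applied to measured GPT sizes rather than estimates. The PowerShell below is an added example, not part of the original text or of AGPM; it reads the GPT folders from SYSVOL and also reports how much of the total is .adm files. The `$Domain`, `$ChangesPerYear` and `$Years` defaults are assumptions to adjust.

```powershell
# Added example (not from the original text). Requires Windows PowerShell 3.0+.
# Assumed inputs: adjust the domain, change rate and retention to your environment.
param(
    [string]$Domain         = $env:USERDNSDOMAIN,
    [int]   $ChangesPerYear = 5,   # average changes per GPO per year, as in the tables
    [int]   $Years          = 5    # retention period to size for
)

$policies = "\\$Domain\SYSVOL\$Domain\Policies"
if (-not (Test-Path -LiteralPath $policies)) {
    throw "Cannot reach $policies from this machine."
}

# Each GPT is a folder under Policies named after the GPO's GUID.
$gpts = Get-ChildItem -LiteralPath $policies -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        # @() keeps an empty or unreadable folder from piping $null downstream.
        $files = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Force -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Gpo      = $_.Name
            Bytes    = [long]($files | Measure-Object Length -Sum).Sum
            AdmBytes = [long]($files | Where-Object Extension -eq '.adm' |
                              Measure-Object Length -Sum).Sum
        }
    }
if (-not $gpts) { throw "No GPT folders found under $policies." }

$count   = @($gpts).Count
$total   = ($gpts | Measure-Object Bytes -Sum).Sum      # one full copy of every GPT
$adm     = ($gpts | Measure-Object AdmBytes -Sum).Sum   # portion taken by .adm files
$perYear = $total * $ChangesPerYear                     # one archived copy per change

[pscustomobject]@{
    GpoCount       = $count
    AverageGptKB   = [math]::Round($total / $count / 1KB, 1)
    AdmFilesMB     = [math]::Round($adm / 1MB, 2)
    OneYearMB      = [math]::Round($perYear / 1MB, 1)
    RetentionMB    = [math]::Round($perYear * $Years / 1MB, 1)
    RetentionYears = $Years
}

# The largest GPTs dominate the estimate, so list them for review.
$gpts | Sort-Object Bytes -Descending | Select-Object -First 5 Gpo, Bytes, AdmBytes
```

A large `AdmFilesMB` value means the environment falls under the Table 2 case rather than Table 1.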

After sizing the server, you must consider the
installation of AGPM. This involves the simple installation of a single
.msi file called AGPMServer.msi. A member of the Domain Admins group must
complete the following steps and make the following choices to install
AGPM on a server:

1. Start the installation by double-clicking the AGPMServer.msi file.

2. The Welcome to the Setup Wizard for Microsoft Advanced Group Policy Management – Server page indicates that AGPM Server will be installed. This page clearly states that Domain Admins membership is required to install the product, as shown in Figure 2. Click Next.

   Note: If a previous version of GPOVault is found, it will be uninstalled before AGPM Server is installed. The GPOVault data will be migrated to the AGPM archive. This deletion and migration is not reversible!

3. Accept the license terms, and then click Next.

4. On the Application Path page, select the path to install AGPM Server. The default path is C:\Program Files\Microsoft\AGPM\Server, which should work in most cases. The Application Path page, shown in Figure 3, indicates that you can select your install path or keep the default.

5. On the Archive Path page, select the path to the AGPM Server archive. This is the location where the GPOs will be stored for offline editing and recovery from the archived GPOs. The default location for the archive is C:\Documents and Settings\All Users\Application Data\Microsoft\AGPM, as shown in Figure .

   Note: The archive folder is accessible only to the AGPM Server account, for security reasons. This can be changed after the installation, but it is not recommended because it will defeat the delegation benefits that AGPM provides for the management and tracking of GPO updates.

6. On the AGPM Service Account page, in the User Account box, select the AGPM service account that will be used to run the service. This user account should be a domain user account, not the Administrator account. It is always ideal to name the service account according to the service, as shown in Figure 5.

   Note: If you install AGPM Server on a domain controller, you can use the Local System account for the service account.

   Best Practices: AGPM Server should be installed on a domain member server, not a domain controller. This is for no other reason than to keep the management of offline GPOs using AGPM separate from a domain controller. It is always a best practice to install services on a domain member server, rather than a domain controller, when possible.

7. In the Archive Owner page, select the AGPM archive owner in the User Account box. This user account will be used to set up the AGPM delegation, and it will have full control over all functionality within AGPM. This should not be an existing user account; it should be a special account designed to control the setup of AGPM, as shown in Figure 6.

8. Approve your input, and then install AGPM Server.

After you have installed AGPM Server, the
foundation of AGPM is ready to go. You can verify that you have AGPM
installed correctly on your server (this is always a good idea) in a
couple of ways. First, ensure that the service is installed, is
running properly, and has the appropriate service account
configured. To do this, follow these steps:

1. On the AGPM Server, start Computer Management Console.

2. Expand the Services and Applications node.

3. Select the Services node.

4. In the details pane, view the AGPM Service account, as shown in Figure 7.

After
you confirm that the service is running and configured properly, ensure
that the archive location is established. Remember that the default
location of the archive is C:\Documents and Settings\All
Users\Application Data\Microsoft\AGPM, as shown in Figure 8.
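
Both verification steps, the service check and the archive check, can also be scripted. The PowerShell below is an added example, not part of the original text or of AGPM; it reports the service's state and logon account and lists any archive ACL entry other than the service account. The account name `CONTOSO\svc-agpm` is hypothetical, and finding the service by "AGPM" in its display name is an assumption to confirm on your server.

```powershell
# Added example (not from the original text). Requires Windows PowerShell 3.0+.
# Run on the AGPM server from an elevated prompt.
$ExpectedAccount = 'CONTOSO\svc-agpm'   # hypothetical service account name
# Default archive path from the installation steps; change it if you chose another.
$ArchivePath = 'C:\Documents and Settings\All Users\Application Data\Microsoft\AGPM'

# 1. Service: locating it by display name is an assumption; confirm the match.
$services = @(Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '%AGPM%'")
if ($services.Count -eq 0) { throw 'No service with "AGPM" in its display name was found.' }

$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$services | ForEach-Object {
    [pscustomobject]@{
        Service          = $_.DisplayName
        State            = $_.State        # expect Running
        StartMode        = $_.StartMode    # expect Auto
        RunsAs           = $_.StartName    # may appear as DOMAIN\user or user@domain
        IsExpected       = $_.StartName -ieq $ExpectedAccount
        IsBuiltInAccount = $builtIn -contains $_.StartName
    }
}

# 2. Archive: the folder should exist and grant access only to the service account.
if (-not (Test-Path -LiteralPath $ArchivePath -PathType Container)) {
    throw "Archive folder not found: $ArchivePath"
}
$acl = Get-Acl -LiteralPath $ArchivePath
$review = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ine $ExpectedAccount
})

"Archive owner: $($acl.Owner)"
if ($review.Count -eq 0) {
    'Archive ACL: only the expected service account is granted access.'
} else {
    'Archive ACL: entries to review against your delegation design:'
    $review | Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

`IsBuiltInAccount` being true is expected only in the domain controller case described in step 6, where Local System is used.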