gpo backup - computer configuration & delegation - query

after configuring the 'wmi filter & rsop' on windows 2003, i also ran a backup of gpo as per this 'url':

http://www.petri.co.il/backing-up-group-policy-objects.htm

- i created a folder on a spare partitioned drive on my domain controller and shared specifically for 'administrator account'.

- i then opened selected to 'view' my specific gpo settings, which allows me to narrow down and troubleshoot a specific issue with maybe one of my gpo settings. - ok

i am curious to understand in more detail the following:

'gp slow link detection':

"also see the 'do not detect slow network connections' and related policies in computer configuration\administrative templates\system user profile.  note if the profile server has ip connectivity, the connection speed setting is used.  if the profile server does not have ip connectivity, the smb timing is used"!!!!

my comment:

question 1.  i'm assuming if after configuring my gpo's on my domain controller which also linked to remote/geographical locations to other child domain controllers for example.

meaning the child domain controller which would be set with a static ip address but connected via my isp/internet connection back to my 'master dc', then i'm assuming if i had a 't1' line for example the value would be: 1544 ?

there are 3 types of t1: (i have gone too far in depth i do realise)!!!

- data t1 line
- voice t1 line
- primary Rate Interface T1 Line - usually referred to as PRI T1 - probably the most preferable to use if a company relies on phonecalls as well and is more popular.  it is also particularly well suited to Small to Medium Sized Business that have geographically separate offices by using a service called Hosted VoIP

after reading this link then unless i require 100% upload/download then a t1 line is not needed: http://www.whichvoip.com/whichvoip-what-is-t1.htm -

delegation of same gpo as above:

question 2.  if i also click on the 'delegation' tab it shows a list of default settings which i understand that all the 'admin/enterprise need access ie:

- cogs\domain admins - ok understood
- cogs\enterprise admins - presumably linking via an isp to another geographic office
- nt authority\authenticated users - not sure as 'everyone' does same !!!!!???
- nt authority\enterprise domain controllers - i assume it means additional dc's
- nt authority\system - not sure

if i only have 1 master dc in with all the network linked locally would or should i remove any of the above ?
mikey250 Asked:

markdmac Commented:
Slow link detection is used to prevent a GPO from taking forever to apply when connectivity is insufficient over a WAN.  Having a T1 should be good, however you don't say what kind of traffic you normally have going over your network.  Even a fast connection can appear as slow if say you had an IP based camera system that was transmitting video over your data lines and eating up 99% of your bandwidth.

In general you need to do a little experimentation.  If you have policies not applying, then you want to ignore slow link detection to try and get your policies to apply.  If that does not resolve your issue then you will want to consider putting a DC locally on the other side of the WAN connection so local machines can authenticate and get policies locally.
0

mikey250 (Author) Commented:
ok yes i understand!! but if i was to use a 't1', would the value be '1544' for eg as not sure what the highest value allows in terms of the max shown as an example ?

and as you say another domain controller so if the network was part of the same domain then  i could add a 'child dc' or an 'additional dc'. :)
0
markdmac Commented:
Yes, you would use 1544 unless you were using a fractional T1 in which case you would need to subtract for the loss of channels.

All DCs are peers since Windows 2000.  There are no child or backup domain Controllers anymore.  Some DCs can also be FSMO role holders, or you can also have Read Only Domain Controllers.
0
mikey250 (Author) Commented:
i'm on windows 2003 which can do child dc/additional dc but no i'm not using anyway as was just curiosity when going through the gpo stuff!!

when i do a migration sometime then i will look further into the fsmo roles as i have seen them but never passed one of those roles to another machine or even know why i would!!

yes i understand if using a fractional 't1 line' ie 2 x channels at 64kbps = 128kbps!!!

i've read that if i had a complete full 't1 line' it could provide internet service for around 50 employees.  so what i did was use calculator and do: 1544mbps / 50 = 30.88mbps but this value does not make sense to me after taking into consideration the below values, unless it was averaged or something that users don't continuously always use the same amount of bandwidth at the same time, hence coming up with 50 employees, so would this be a correct assumption ?

just trying to get my head around:

1 kilobyte (KB)  1,024 bytes - ok
1 megabyte (MB)  1,048,576 bytes - 1024 x 1024 - ok
1 gigabyte (GB)  1,073,741,824 bytes - 1048,576 x 1024 - ok
1 terabyte (TB)  1,099,511,627,776 bytes  - 1,099,511,627 x 1024 - ok
1 petabyte (PB)  1,125,899,906,842,624 bytes  - 1,125,899,906,842,624 x 1024 - ok

when i look at say the top 10 broadband providers in the (uk) and the comparison sites showing 10mb or 20 mb for example rather than what i expect to see ie 10gb or 20 gb for eg which confuses me as i always thought i actually had 10 gb not mb!!!!!!!!

so going back to my previous comments above about the 't1' line then i assume 30.88 mbps is quite sufficient ?
0
markdmac Commented:
You are confusing baud with bytes. Take a look at this article for a better explanation than I can give.  http://searchnetworking.techtarget.com/definition/Mbps

It is just semantics but a pet peeve of mine regarding the DC.  As I said before, since the era of Windows 2000 all DCs are peers.  You can have a DC be a member of a child domain, but all the DCs in that domain are also peers.  

You can read about FSMO placement and why you would want to separate the roles here: http://support.microsoft.com/kb/223346
0
mikey250 (Author) Commented:
i assume you mean 'bits with bytes' not 'baud with bytes'..!! yes i've read:

Mbps stands for millions of bits per second or megabits per second and is a measure of bandwidth - means same thing.

all dc's are peers - yes i agree

you can have a dc be a member of a child domain - or "i assume you mean a 'child dc to be a member of a dc" but yes the child dc's are still peers of the dc. - yes understood makes sense!

what about the 't1' line being able to take around 50 users and how much connection would an employee get roughly ?
0
markdmac Commented:
I've had offices with 75 people working off of a T1, all depends on what they do as to how well it will work.

You need more data, how much traffic for file shares, web browsing and email is needed for each person based on current work loads?
0
mikey250 (Author) Commented:
ok nice to know i was reading this site:  http://www.whichvoip.com/whichvoip-what-is-t1.htm

yes i realise depending on what a company is doing may allow less than 50 or more than to use the internet at any one time although you have had 75.  ok!!!!

so 1544 /50 = 30.88mbps - for each user
so 1544 /75 = 20.59mbps - for each user

my internet connection at home is only 10mbps it appears so this is enough for me.  so assuming i'm on the right path of thought the above is still considerable.

am i understanding as just trying to get my practical head around it ?
0
markdmac Commented:
I think you are thinking along the right track, this thread might be of interest to you:
http://www.dslreports.com/forum/remark,6391632

Regarding my experience, we had the 75 users on T1, as a legal office they didn't do a lot of Internet traffic except to connect to the court systems and they would typically have 4-6 people working remotely into the office with RDP connections.
0
mikey250 (Author) Commented:
yes thanks for that a bit clearer!!:))
0
mikey250 (Author) Commented:
what about my 2nd question in my main thread as shown again below:

question 2.  if i also click on the 'delegation' tab it shows a list of default settings which i understand that all the 'admin/enterprise need access ie:

- cogs\domain admins - ok understood
- cogs\enterprise admins - presumably linking via an isp to another geographic office
- nt authority\authenticated users - not sure as 'everyone' does same !!!!!???
- nt authority\enterprise domain controllers - i assume it means additional dc's
- nt authority\system - not sure

if i only have 1 master dc in with all the network linked locally would or should i remove any of the above ?
0
markdmac Commented:
Regarding the security for the GPO, I always prefer to look at it the "old school" way.  From within the GPO, right click the name of the GPO in the tree on the left.  Choose Properties then click the security tab.  Here you have a more granular view.

The most important setting is the Apply GPO and Deny GPO which you have to scroll down to just below the default viewable range.

Whenever I create a GPO that has any form of restrictions to it, I make sure I explicitly set the Deny checkbox to make sure that my domain admin accounts don't get accidentally locked out of features.

I leave any system settings in place but depending on the GPO I will remove Domain Users or Authenticated Users if that is what is needed for security or targeting.  For example if I am applying a GPO that will be used to host a startup script, then I remove any security that applies the GPO to a user and I add in Domain Computers since a startup script is a machine based and not a user based script.
0
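The Apply/Deny filtering described in the comment above can be checked from a GPO's security descriptor. This is an added example, not code from the thread: it reads a descriptor in SDDL form and reports whether a principal with given group memberships ends up with Apply Group Policy. The three SDDL strings are constructed samples, and the parser assumes rights are written as two-letter codes.

```python
import re

# Control-access right GUID for "Apply Group Policy" in Active Directory.
APPLY_GPO = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"

# SDDL abbreviations for the trustees that appear on the Delegation tab.
ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins",
           "AU": "Authenticated Users", "SY": "SYSTEM",
           "ED": "Enterprise Domain Controllers", "DC": "Domain Computers"}


def apply_aces(sddl):
    """Return [(kind, trustee)] for ACEs that allow or deny Apply Group Policy."""
    found = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        # Object ACE layout: type;flags;rights;object-guid;inherit-guid;trustee
        if len(fields) != 6 or fields[0] not in ("OA", "OD"):
            continue
        rights = re.findall("..", fields[2])  # two-letter codes, CR = control access
        if "CR" in rights and fields[3].lower() == APPLY_GPO:
            kind = "deny" if fields[0] == "OD" else "allow"
            found.append((kind, ALIASES.get(fields[5], fields[5])))
    return found


def gpo_applies(sddl, groups):
    """True if a principal in `groups` is allowed Apply and not denied it.

    Only the Apply right is evaluated; the principal also needs Read on the GPO.
    """
    hits = {kind for kind, who in apply_aces(sddl) if who in groups}
    return "allow" in hits and "deny" not in hits


def _ace(kind, sid):
    return f"({kind};CI;CR;{APPLY_GPO};;{sid})"


# Constructed sample descriptors, not exported from a real domain.
BASE = "O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;LCRPLORC;;;AU)"
DEFAULT = BASE + _ace("OA", "AU")        # Authenticated Users: Apply
RESTRICTED = DEFAULT + _ace("OD", "DA")  # explicit Deny for Domain Admins
STARTUP = BASE + _ace("OA", "DC")        # Apply moved to Domain Computers

if __name__ == "__main__":
    admin = {"Domain Admins", "Authenticated Users"}
    for name, sd in (("default", DEFAULT), ("restricted", RESTRICTED)):
        print(name, "applies to a domain admin:", gpo_applies(sd, admin))
```

A domain admin is also a member of Authenticated Users, so the default descriptor applies to that account until the explicit Deny entry is added.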
mikey250 (Author) Commented:
ok thanks!
0