Solved

gpo backup - computer configuration & delegation - query

Posted on 2012-03-12
Last Modified: 2012-06-27
After configuring the 'WMI filter & RSoP' on Windows 2003, I also ran a backup of the GPO as per this 'URL':

http://www.petri.co.il/backing-up-group-policy-objects.htm

- I created a folder on a spare partitioned drive on my domain controller and shared it specifically for the 'administrator account'.

- I then opened and selected to 'view' my specific GPO settings, which allows me to narrow down and troubleshoot a specific issue with maybe one of my GPO settings. - OK

I am curious to understand in more detail the following:

'GP slow link detection':

"Also see the 'do not detect slow network connections' and related policies in computer configuration\administrative templates\system user profile.  Note if the profile server has IP connectivity, the connection speed setting is used.  If the profile server does not have IP connectivity, the SMB timing is used"!!!!

My comment:

question 1.  I'm assuming, after configuring my GPOs on my domain controller, which is also linked to remote/geographical locations with other child domain controllers for example,

meaning the child domain controller, which would be set with a static IP address but connected via my ISP/internet connection back to my 'master DC', then I'm assuming if I had a 'T1' line for example the value would be: 1544 ?

There are 3 types of T1: (I have gone too far in depth, I do realise)!!!

- Data T1 line
- Voice T1 line
- Primary Rate Interface T1 line - usually referred to as PRI T1 - probably the most preferable to use if a company relies on phone calls as well, and is more popular.  It is also particularly well suited to small to medium sized businesses that have geographically separate offices by using a service called Hosted VoIP

After reading this link, then unless I require 100% upload/download, a T1 line is not needed: http://www.whichvoip.com/whichvoip-what-is-t1.htm -

Delegation of same GPO as above:

question 2.  If I also click on the 'delegation' tab it shows a list of default settings, which I understand as all the 'admin/enterprise' need access, ie:

- cogs\domain admins - OK understood
- cogs\enterprise admins - presumably linking via an ISP to another geographic office
- nt authority\authenticated users - not sure as 'everyone' does the same !!!!!???
- nt authority\enterprise domain controllers - I assume it means additional DCs
- nt authority\system - not sure

If I only have 1 master DC with all the network linked locally, would or should I remove any of the above ?
Question by:mikey250
 
Accepted Solution by: markdmac (earned 500 total points)
ID: 37715200
Slow link detection is used to prevent a GPO from taking forever to apply when connectivity is insufficient over a WAN.  Having a T1 should be good, however you don't say what kind of traffic you normally have going over your network.  Even a fast connection can appear as slow if, say, you had an IP based camera system that was transmitting video over your data lines and eating up 99% of your bandwidth.

In general you need to do a little experimentation.  If you have policies not applying, then you want to ignore slow link detection to try and get your policies to apply.  If that does not resolve your issue then you will want to consider putting a DC locally on the other side of the WAN connection so local machines can authenticate and get policies locally.
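To make the answer above concrete, here is an added PowerShell example (not code from the thread, from markdmac, or from Microsoft) that reads the "Configure Group Policy slow link detection" threshold from the registry location the policy writes to on a domain member and judges a measured link speed against it. The registry path, value name (GroupPolicyMinTransferRate, in Kbps) and the built-in 500 Kbps default are the real ones; the link speeds fed in (a full T1, a two-channel fractional T1, and a T1 starved by other traffic) are constructed values taken from the numbers discussed in this thread.

```powershell
# Added example, not from the thread. Shows where "Configure Group Policy slow link
# detection" (Computer Configuration\Administrative Templates\System\Group Policy)
# stores its threshold and how a measured link speed is judged against it.
# Assumes it runs on a domain member; when the policy is Not Configured the
# built-in default of 500 Kbps applies.

$PolicyKey            = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ValueName            = 'GroupPolicyMinTransferRate'   # REG_DWORD, units are Kbps
$DefaultThresholdKbps = 500

function Get-GpSlowLinkThreshold {
    # Returns the effective threshold and whether it came from policy or the default.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Source = 'Default (policy Not Configured)'; ThresholdKbps = $DefaultThresholdKbps }
    }
    [pscustomobject]@{ Source = 'Policy'; ThresholdKbps = [int]$item.$ValueName }
}

function Test-GpSlowLink {
    param(
        [Parameter(Mandatory)][int]$EstimatedKbps,   # speed the client measured to its DC
        [int]$ThresholdKbps = (Get-GpSlowLinkThreshold).ThresholdKbps
    )
    if ($ThresholdKbps -eq 0) {
        # A threshold of 0 turns slow link detection off: every link is treated as fast.
        return [pscustomobject]@{ EstimatedKbps = $EstimatedKbps; ThresholdKbps = 0; SlowLink = $false; Note = 'detection disabled' }
    }
    $slow = $EstimatedKbps -lt $ThresholdKbps
    if ($slow) { $note = 'slow: extensions such as software installation and folder redirection are skipped by default' }
    else       { $note = 'fast: all client-side extensions are processed' }
    [pscustomobject]@{ EstimatedKbps = $EstimatedKbps; ThresholdKbps = $ThresholdKbps; SlowLink = $slow; Note = $note }
}

# What this computer currently uses.
Get-GpSlowLinkThreshold

# Constructed link speeds from the thread: a full T1 (1544 Kbps), a two-channel
# fractional T1 (2 x 64 = 128 Kbps) and a T1 left with ~1% of its capacity (15 Kbps).
$links = 1544, 128, 15

# Judged against the default threshold ...
$links | ForEach-Object { Test-GpSlowLink -EstimatedKbps $_ -ThresholdKbps 500 } | Format-Table -AutoSize

# ... and against a threshold raised to the T1 rate, as discussed in the thread:
# a link has to measure at or above the threshold to count as fast.
$links | ForEach-Object { Test-GpSlowLink -EstimatedKbps $_ -ThresholdKbps 1544 } | Format-Table -AutoSize
```

The point of the two comparison tables is that the value you enter is a threshold, not the speed of your line: a client whose measured speed to the DC falls below it goes into slow-link processing, which is why markdmac's starved-T1 scenario can leave policies unapplied even on a nominally fast circuit. Setting the threshold to 0 is the "ignore slow link detection" experiment from the answer.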
Author Comment by: mikey250
ID: 37715314
OK yes I understand!! But if I was to use a 'T1', would the value be '1544' for eg, as I'm not sure what the highest value allows in terms of the max shown as an example ?

And as you say, another domain controller, so if the network was part of the same domain then I could add a 'child DC' or an 'additional DC'. :)
Assisted Solution by: markdmac
ID: 37715604
Yes, you would use 1544 unless you were using a fractional T1 in which case you would need to subtract for the loss of channels.

All DCs are peers since Windows 2000.  There are no child or backup domain controllers anymore.  Some DCs can also be FSMO role holders, or you can also have Read Only Domain Controllers.
Author Comment by: mikey250
ID: 37715695
I'm on Windows 2003, which can do child DC/additional DC, but no I'm not using it anyway, as it was just curiosity when going through the GPO stuff!!

When I do a migration sometime then I will look further into the FSMO roles, as I have seen them but never passed one of those roles to another machine or even know why I would!!

Yes I understand if using a fractional 'T1 line' ie 2 x channels at 64kbps = 128kbps!!!

I've read that if I had a complete full 'T1 line' it could provide internet service for around 50 employees.  So what I did was use the calculator and do: 1544mbps / 50 = 30.88mbps, but this value does not make sense to me after taking into consideration the below values, unless it was averaged or something, that users don't continuously always use the same amount of bandwidth at the same time, hence coming up with 50 employees, so would this be a correct assumption ?

Just trying to get my head around:

1 kilobyte (KB)  1,024 bytes - ok
1 megabyte (MB)  1,048,576 bytes - 1024 x 1024 - ok
1 gigabyte (GB)  1,073,741,824 bytes - 1,048,576 x 1024 - ok
1 terabyte (TB)  1,099,511,627,776 bytes  - 1,099,511,627 x 1024 - ok
1 petabyte (PB)  1,125,899,906,842,624 bytes  - 1,125,899,906,842,624 x 1024 - ok

When I look at say the top 10 broadband providers in the UK and the comparison sites showing 10mb or 20mb for example, rather than what I expect to see ie 10gb or 20gb for eg, which confuses me as I always thought I actually had 10gb not mb!!!!!!!!

So going back to my previous comments above about the 'T1' line, then I assume 30.88mbps is quite sufficient ?
Assisted Solution by: markdmac
ID: 37716211
You are confusing baud with bytes. Take a look at this article for a better explanation than I can give.  http://searchnetworking.techtarget.com/definition/Mbps

It is just semantics but a pet peeve of mine regarding the DC.  As I said before, since the era of Windows 2000 all DCs are peers.  You can have a DC be a member of a child domain, but all the DCs in that domain are also peers.

You can read about FSMO placement and why you would want to separate the roles here: http://support.microsoft.com/kb/223346
Author Comment by: mikey250
ID: 37716332
I assume you mean 'bits with bytes' not 'baud with bytes'..!! Yes I've read:

Mbps stands for millions of bits per second or megabits per second and is a measure of bandwidth - means the same thing.

All DCs are peers - yes I agree

You can have a DC be a member of a child domain - or "I assume you mean a child DC to be a member of a DC", but yes the child DCs are still peers of the DC. - yes understood, makes sense!

What about the 'T1' line being able to take around 50 users, and how much connection would an employee get roughly ?
Assisted Solution by: markdmac
ID: 37716387
I've had offices with 75 people working off of a T1; it all depends on what they do as to how well it will work.

You need more data: how much traffic for file shares, web browsing and email is needed for each person based on current workloads?
Author Comment by: mikey250
ID: 37716472
OK nice to know, I was reading this site:  http://www.whichvoip.com/whichvoip-what-is-t1.htm

Yes I realise depending on what a company is doing may allow less than 50 or more than that to use the internet at any one time, although you have had 75.  OK!!!!

so 1544 / 50 = 30.88mbps - for each user
so 1544 / 75 = 20.59mbps - for each user

My internet connection at home is only 10mbps it appears, so this is enough for me.  So assuming I'm on the right path of thought, the above is still considerable.

Am I understanding, as I'm just trying to get my practical head around it ?
Assisted Solution by: markdmac
ID: 37716707
I think you are thinking along the right track; this thread might be of interest to you:
http://www.dslreports.com/forum/remark,6391632

Regarding my experience, we had the 75 users on a T1; as a legal office they didn't do a lot of Internet traffic except to connect to the court systems, and they would typically have 4-6 people working remotely into the office with RDP connections.
Author Comment by: mikey250
ID: 37716780
Yes thanks for that, a bit clearer!!:))
Author Comment by: mikey250
ID: 37716792
What about my 2nd question in my main thread, as shown again below:

question 2.  If I also click on the 'delegation' tab it shows a list of default settings, which I understand as all the 'admin/enterprise' need access, ie:

- cogs\domain admins - OK understood
- cogs\enterprise admins - presumably linking via an ISP to another geographic office
- nt authority\authenticated users - not sure as 'everyone' does the same !!!!!???
- nt authority\enterprise domain controllers - I assume it means additional DCs
- nt authority\system - not sure

If I only have 1 master DC with all the network linked locally, would or should I remove any of the above ?
Assisted Solution by: markdmac
ID: 37716947
Regarding the security for the GPO, I always prefer to look at it the "old school" way.  From within the GPO, right click the name of the GPO in the tree on the left.  Choose Properties then click the Security tab.  Here you have a more granular view.

The most important settings are the Apply GPO and Deny GPO, which you have to scroll down to, just below the default viewable range.

Whenever I create a GPO that has any form of restrictions to it, I make sure I explicitly set the Deny checkbox to make sure that my domain admin accounts don't get accidentally locked out of features.

I leave any system settings in place, but depending on the GPO I will remove Domain Users or Authenticated Users if that is what is needed for security or targeting.  For example, if I am applying a GPO that will be used to host a startup script, then I remove any security that applies the GPO to a user and I add in Domain Computers, since a startup script is machine based and not a user based script.
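The startup-script case markdmac describes, done as an added PowerShell example rather than through the Security tab (this is not code from the thread or from Microsoft). It uses the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 / RSAT and later, so it does not run against the Windows 2003 GPMC in the question; the GPO name is a placeholder and the group names are the built-in ones the answer mentions.

```powershell
# Added example, not from the thread. Audits a GPO's security filtering and then
# re-targets it at computers only, the way the answer describes for a startup script.
# Assumes the GroupPolicy module (GPMC on Server 2008 R2 / RSAT or later) and a
# domain account allowed to modify the GPO's security.
Import-Module GroupPolicy

$GpoName = 'Workstation Startup Script'   # placeholder name, not a GPO from the thread

function Show-GpoFiltering {
    param([Parameter(Mandatory)][string]$GpoName)
    # Same information as the Security tab, one row per trustee, including Deny entries.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited
}

function Set-ComputerTargetedGpoFiltering {
    param([Parameter(Mandatory)][string]$GpoName)

    # 1. A startup script runs as the machine, so the computer accounts need
    #    Read *and* Apply (GpoApply grants both).
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null

    # 2. Authenticated Users loses Apply but keeps Read. -Replace swaps the level
    #    instead of adding to it. Keeping Read (rather than PermissionLevel None)
    #    matters: since MS16-072 (June 2016) the computer account reads GPOs on the
    #    user's behalf, and a GPO it cannot read silently fails to apply.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null

    Show-GpoFiltering -GpoName $GpoName
}

# Audit first, then change, then audit again.
Show-GpoFiltering -GpoName $GpoName | Format-Table -AutoSize
Set-ComputerTargetedGpoFiltering -GpoName $GpoName | Format-Table -AutoSize
```

Two practical notes. Set-GPPermission only writes Allow levels (None, GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity), so the explicit Deny that markdmac puts on his admin accounts is still set on the Security tab, or by editing the ACL of the GPO's Active Directory object directly; the `Denied` column in the audit output is where you confirm it took effect. And run the audit on every GPO you have changed the default delegation on, because a missing Read for Authenticated Users is the classic cause of "the policy applies from gpresult but nothing happens" tickets.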

Author Comment by: mikey250
ID: 37725412
OK thanks!