Thursday, December 5, 2013

GPOs and Slow Link Detection

Several months ago, one of my customers came to me with a concern.  It seems that certain of his users were receiving their Group Policies correctly while another group was only receiving a subset of the policies.  He wasn't sure why this would be.  The event gave me the opportunity to talk with him about Slow Link Detection as it relates to Group Policies.  Because it was helpful to share with him about this feature of Group Policies, I thought I'd briefly talk about it here as well.
What is a "Slow Link" and How Does It Affect My GPO?
Within a Group Policy there are many potential categories of settings that can be configured for your client.  Some of these settings are important enough that they will always apply no matter the conditions of your network.  Other settings are not applied if your available network bandwidth is below a preset threshold.  Out of the box, this threshold is 500 kb.  When your client is applying its Group Policies and it detects that the available bandwidth between it and the Domain Controller is less than 500 kb, it will only download and apply those settings within the GPO that are considered mandatory.
The settings that are not downloaded when a slow link is detected include the following:
  • Disk Quota
  • Scripts
  • Folder Redirection
  • Software Installation
  • Wireless Network (IEEE 802.11) Policies
  • Wired Network (IEEE 802.3) Policies
  • Internet Explorer Maintenance Extension
The good news is that if you have previously applied these settings, they won't go away just because your network bandwidth is below the Slow Link threshold when your policies are refreshing.  But it does mean that any updates to these won't be processed so long as you are at the end of a slow link.
Examples of when this is most likely to happen include businessmen logging into their corporate environment through a VPN from a hotel's wireless network.  These networks are routinely quite slow, and it's not uncommon to find that these settings don't update in this case.
Detecting a Slow Link
Early on, the way that clients detected whether a link was slow or not was by pinging the Domain Controller using the ICMP protocol.  The problem with this is that many network administrators block ICMP traffic which prevents this feature of your Group Policies from working.  To overcome this difficulty, Microsoft came out with a new tool to detect slow links, starting with Windows Vista.  This new mechanism is known as Network Location Awareness (NLA).
NLA is not something you need to configure.  It does its job out of the box, and it is a big improvement over ICMP Ping.  Some of the reasons that this is the case include the following:
  • It notifies your client machine if network cards are unavailable, thus eliminating the traditional wait period for your client to detect this through other means (typically through a timeout).  This reduces the amount of time it takes your client to start, thus getting you logged on faster.
  • If you are offline, NLA will check for a Domain Controller's availability whenever you are back online, thus reducing potential delay before policy updates will be applied.
  • Using NLA instead of ICMP Ping allows your network administrators to block ICMP traffic and improve security to your environment, if needed.
One additional nice thing about NLA is that if it detects a Domain Controller after your client has been offline (perhaps on a short plane flight), this does not necessarily mean that a background refresh of your policies will be initiated.  Instead, if NLA is able to reach a DC your client will still check to see if it has missed its last refresh cycle (if the 90-120 minute interval has passed that would signal it to do a background refresh on its policies).  If the background refresh interval has passed, the policies are processed.  If the interval has not passed, nothing will need to be processed.  This saves on bandwidth and prevents your client from unnecessarily processing its policies just because it was offline for a time.
How Can I Change My "Slow Link" Settings?
If you need to do so, you can modify the definition of what a slow link is within your environment.  This is not typically recommended unless you have a good reason to do so, but if you need to change the definition of a slow link, you can do so through a GPO that is pushed out to your clients.  To make this change, you have several options.  First, you can decide where your new policy will be linked.  For example, you may want to change this setting only for a small group of users and leave the default for everyone else.  By linking a policy specifically to the OU where those users are located, you modify this setting only for them.
Additionally, you can configure the new slow link threshold so that it only applies to Machine-side settings or User-side settings.  If you want this new threshold to apply to both machine and user settings, you'll need to make the change on both sides of your policy.
The process for making this change is as follows:
  1. Create a new GPO (or select an existing one to modify) within the Group Policy Management Console (GPMC)
  2. Edit your chosen GPO by right-clicking it and choosing Edit
  3. To modify the threshold for machine-side settings, expand the Computer Configuration node and choose Policies\Administrative Templates\System\Group Policy
  4. Within the Group Policy node, right-click Group Policy slow link detection and choose Edit
  5. Look in the Options pane and set the Connection speed (Kbps) to whatever speed you have chosen
 To make a change to the User-side settings, do the exact same thing under the User Configuration node of your GPO.
NOTE: If you want to turn off slow link detection, you can set the Connection speed to 0.  This will cause all of the settings in your policy to be processed without the advantage of testing for a slow link.  While it may sound like a good idea, the downside is that you may have clients complaining about slow processing of policies due to network conditions.
Below is a screenshot of what you'll see when configuring the Machine-side version of this policy:
Client-Side Extensions (CSEs) and Slow Links
One last thing to mention here is how Client-Side Extensions decide whether a particular category of policies should be processed over a slow link or not.  As I mentioned above, whether a policy is applied over a slow link will depend on what category it belongs to (for instance, security settings are always processed while Folder Redirection settings aren't).  The way to determine whether a particular category of your Group Policies will process over a slow link is to look at the Client-Side Extensions themselves.
In some of the CSEs represented in your client's registry, there will be a value called NoSlowLink.  If this value is present and set to 1, the category it belongs to will not be processed when a slow link is detected.
To check on which of your CSEs have this configured, you'll need to open your client's registry as follows:
NOTE: Making any change in the registry could potentially harm your computer, requiring a rebuild and potential significant data loss.  Do not make any changes in your registry without thoroughly understanding what you're doing and testing any changes in a non-production environment.
  1. Open the Registry Editor by going to Start/Run and typing regedit
  2. Within the Registry editor, navigate to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\GPExtensions
  3. Within the GPExtensions key, you will see a list of GUIDs, each representing one of the Client-Side Extensions present on your client machine
By selecting the different Client-Side Extensions, you will be able to tell whether each is configured to process when a slow link is detected.  Some of the CSEs do not have the NoSlowLink value listed.  If this is the case, the CSE will always process even if a slow link is present.
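The registry check above, together with the threshold configured in the previous section, can be read with a short read-only PowerShell script.  This is an added example, not part of the original post; it assumes the slow link policy is stored as the GroupPolicyMinTransferRate value under Software\Policies\Microsoft\Windows\System, and the function names are illustrative.

```powershell
# Added example (read-only): reports the configured slow link threshold and
# which Client-Side Extensions (CSEs) are skipped when a slow link is detected.
$GpExtensions = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
# Assumed storage location of the "Group Policy slow link detection" setting.
$PolicySubKey = 'Software\Policies\Microsoft\Windows\System'

function Get-SlowLinkThreshold {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $item = Get-ItemProperty -Path "$hive\$PolicySubKey" -ErrorAction SilentlyContinue
        $rate = if ($item) { $item.GroupPolicyMinTransferRate } else { $null }

        # No value: the default threshold applies. 0: detection is turned off.
        if ($null -eq $rate)  { $state = 'Not configured (default threshold)' }
        elseif ($rate -eq 0)  { $state = 'Slow link detection disabled' }
        else                  { $state = "Custom threshold: $rate Kbps" }

        [pscustomobject]@{
            Side  = if ($hive -eq 'HKLM:') { 'Computer' } else { 'User' }
            State = $state
        }
    }
}

function Get-CseSlowLinkBehavior {
    Get-ChildItem -Path $GpExtensions | ForEach-Object {
        # The default value of each GUID key usually holds the CSE's name.
        $name = $_.GetValue('')
        if (-not $name) { $name = '(unnamed)' }

        # A missing NoSlowLink value means the CSE always processes.
        $noSlow = $_.GetValue('NoSlowLink', $null)

        [pscustomobject]@{
            Guid       = $_.PSChildName
            Name       = $name
            NoSlowLink = if ($null -eq $noSlow) { '(not set)' } else { $noSlow }
            OnSlowLink = if ($noSlow -eq 1) { 'Skipped' } else { 'Processed' }
        }
    }
}

Get-SlowLinkThreshold | Format-Table -AutoSize
Get-CseSlowLinkBehavior | Sort-Object OnSlowLink, Name | Format-Table -AutoSize
```

The User row reflects the account running the script, so run it in the session of the user whose policy you are checking.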
Below is an example of the NoSlowLink value as it appears within the Folder Redirection CSE.  As you can tell, it is set to a value of 1, which means it will not process if a Slow Link is detected.
In this post, I've explained what Slow Link Detection is and I've shown you how to configure a slow link threshold that is different from the default.  In the future, if you find that certain policies are not processing while others are, Slow Link Detection should always be considered as a possible explanation.