Windows Server 2008 Inside Out - P27 (PDF document)


a computer. The results of the analysis will highlight areas in which the current settings don’t match those in the template. This is useful to determine whether security settings have changed over time.

You can access the security snap-ins by completing the following steps:

1. Click Start, type mmc into the Search box, and then press Enter.
2. In the Microsoft Management Console, choose File and then choose Add/Remove Snap-In.
3. In the Add Or Remove Snap-Ins dialog box, select Security Templates and then click Add.
4. Select Security Configuration And Analysis and then click Add. Click OK.
5. By default, the Security Templates snap-in looks for security templates in the %SystemDrive%\Users\%UserName%\Documents\Security\Templates folder. To add other search paths, select New Template Search Path on the Action menu.
6. Select the template location to add from the Browse For Folder dialog box, such as %SystemRoot%\Security\Templates. Click OK.

You can create a new template by following these steps:

1. In the Security Templates snap-in, right-click the search path where the template should be created and then select New Template.
2. Type a name and description for the template in the text boxes provided.
3. Click OK to create the template. The template will have no settings configured, so you will need to modify the settings carefully before the template is ready for use.

Applying Security Templates

You use the Security Templates snap-in to view existing templates or to create new templates. After you’ve created a template or determined that you want to use an existing template, you can then configure and analyze the template by completing the following steps:

1. Access the Security Configuration And Analysis snap-in. Right-click the Security Configuration And Analysis node, and then select Open Database. This displays the Open Database dialog box.
2. Type a new database name in the File Name field, and then click Open. The Import Template dialog box is displayed next. Select the security template that you want to use, and then click Open.
3. Right-click the Security Configuration And Analysis node, and then choose Analyze Computer Now. When prompted to set the error log path, type a new path or click OK to use the default path.
4. Wait for the snap-in to complete the analysis of the template. Afterward, review the findings and update the template as necessary. You can view the error log by right-clicking the Security Configuration And Analysis node and choosing View Log File.
5. When you’re ready to apply the template, right-click the Security Configuration And Analysis node, and choose Configure Computer Now. When prompted to set the error log path, click OK. The default path should be fine.
6. View the configuration error log by right-clicking the Security Configuration And Analysis node and choosing View Log File. Note any problems and take action as necessary.

Maintaining and Troubleshooting Group Policy

Most Group Policy maintenance and troubleshooting tasks have to do with determining when policy is refreshed and applied and then changing the refresh options as appropriate to ensure that policy is applied as expected. Thus, maintaining and troubleshooting Group Policy requires a keen understanding of how Group Policy refresh works and how it can be changed to meet your needs. You also need tools for modeling and viewing the GPOs that would be or have been applied to users and computers. The Group Policy Management Console provides these tools through the Group Policy Modeling and Group Policy Results Wizards, which can be used instead of running the Resultant Set Of Policy (RSoP) Wizard in logging mode or planning mode.
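The analyze and configure steps under Applying Security Templates above can also be run from the command line. The following Windows PowerShell script is an added example, not code from the book: it exports the computer's current settings with secedit, lists every setting that differs from the template, and applies the template only when -Apply is given. The template file name and the working folder are assumed placeholders.

```powershell
# Added example, not from the book. Run from an elevated Windows PowerShell prompt.
# The template file name and working folder are hypothetical placeholders.
param(
    [string]$Template = "$env:SystemRoot\Security\Templates\baseline.inf",
    [string]$WorkDir  = (Join-Path $env:TEMP 'sectemplate-check'),
    [switch]$Apply    # without -Apply the script only reports differences
)

function Read-SecurityInf([string]$Path) {
    # Flatten a security template (.inf) into a "Section\Key" -> value table.
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $name, $value = $line -split '=', 2
        if ($null -ne $value) { $settings["$section\$($name.Trim())"] = $value.Trim() }
    }
    return $settings
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$currentInf = Join-Path $WorkDir 'current.inf'

# Export the computer's current security settings to an .inf file for comparison.
& secedit.exe /export /cfg $currentInf /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

$wanted  = Read-SecurityInf $Template
$current = Read-SecurityInf $currentInf

# Report only settings the template defines. List-valued entries such as
# [Privilege Rights] are compared as raw strings, so ordering differences show up too.
$drift = foreach ($key in ($wanted.Keys | Sort-Object)) {
    if ($key -like 'Unicode\*' -or $key -like 'Version\*') { continue }
    if ($current[$key] -ne $wanted[$key]) {
        New-Object PSObject -Property @{
            Setting = $key; Template = $wanted[$key]; Current = $current[$key]
        }
    }
}

if ($drift) {
    $drift | Format-Table Setting, Template, Current -AutoSize
} else {
    'No drift: every setting defined in the template matches the computer.'
}

if ($Apply) {
    # Counterpart of Configure Computer Now; review the log afterward as the steps describe.
    $db  = Join-Path $WorkDir 'apply.sdb'
    $log = Join-Path $WorkDir 'apply.log'
    & secedit.exe /configure /db $db /cfg $Template /overwrite /log $log /quiet
    "secedit /configure finished with exit code $LASTEXITCODE; log file: $log"
}
```

Running the report on a schedule and keeping the output gives a record of when a setting moved away from the template.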
Group Policy Refresh

Computer policies are applied when a computer starts, and user policies are applied when a user logs on. After they are applied, Group Policy settings are automatically refreshed to ensure that they are current. The default refresh interval for domain controllers is every 5 minutes. For all other computers, the default refresh interval is every 90 minutes with up to a 30-minute variation to avoid overloading the domain controller with numerous client requests at the same time.

Change the Refresh Interval Through Group Policy

You can change the Group Policy refresh interval if desired. The related policies are stored in the Computer Configuration\Administrative Templates\System\Group Policy folder. To set the refresh interval for domain controllers, configure the Group Policy Refresh Interval For Domain Controllers policy. Select Enabled, set the refresh interval, and then click OK. To set the refresh interval for all other computers, configure the Group Policy Refresh Interval For Computers policy. Select Enabled, set the refresh interval and random offset, and then click OK.

During Group Policy refresh, the client contacts an available domain controller in its local site. If one or more of the GPOs defined in the domain have changed, the domain controller provides a list of all the GPOs that apply to the computer and to the user that is currently logged on, as appropriate. The domain controller does so regardless of whether the version numbers on all the listed GPOs have changed.

By default, the computer processes the GPOs only if the version number of at least one of the GPOs has changed. If any one of the related policies has changed, all of the policies have to be processed again. This is required because of inheritance and the interdependencies within policies.

Security Settings are a noted exception to the processing rule. By default, Security Settings are refreshed every 16 hours (960 minutes) regardless of whether GPOs contain changes. Additionally, if the client computer detects that it is connecting over a slow network connection, it tells the domain controller this and only the Security Settings and Administrative Templates are transferred over the network, which means only the Security Settings and Administrative Templates are applied.

Modifying Group Policy Refresh

Group Policy refresh can be changed in several ways. First, client computers determine that they are using a slow network connection by pinging the domain controller to which they are connected with a zero-byte packet. If the response time from the domain controller is more than 10 milliseconds, the computer then pings the domain controller three times with a 2-kilobyte (KB) message packet to determine if it is on a slow network. The computer uses the average response time to determine the network speed.

By default, if the connection speed is determined to be less than 500 kilobits per second (Kbps), the computer interprets that as having a slow network connection, in which case it notifies the domain controller of this. As a result, only the Security Settings and Administrative Templates in the applicable GPOs are sent by the domain controller.
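To check which of the refresh settings described above are in effect on a given computer, the following Windows PowerShell script (an added example, not from the book) reads the registry values that these policies write and falls back to the defaults stated in the text when a value is absent. The registry value names and the Security Settings extension key do not appear in the text; they are the standard locations for these settings.

```powershell
# Added example, not from the book. Read-only: reports refresh and slow-link settings.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
# Security Settings client-side extension (holds the periodic reapply interval).
$secCseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

function Get-EffectiveValue([string]$Key, [string]$Name, [int]$Default, [string]$Unit) {
    # Return the configured value, or the documented default when none is set.
    $item       = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    $configured = $null -ne $item
    $value      = $Default
    if ($configured) { $value = $item.$Name }
    New-Object PSObject -Property @{
        Setting = $Name
        Value   = $value
        Unit    = $Unit
        Source  = $(if ($configured) { 'registry' } else { 'default' })
    }
}

# DomainRole 4 and 5 identify domain controllers, which use their own interval.
$isDC = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4

$report = @(
    if ($isDC) {
        Get-EffectiveValue $policyKey 'GroupPolicyRefreshTimeDC' 5 'minutes'
    } else {
        Get-EffectiveValue $policyKey 'GroupPolicyRefreshTime' 90 'minutes'
        Get-EffectiveValue $policyKey 'GroupPolicyRefreshTimeOffset' 30 'minutes'
    }
    Get-EffectiveValue $policyKey 'GroupPolicyMinTransferRate' 500 'Kbps'
    Get-EffectiveValue $secCseKey 'MaxNoGPOListChangesInterval' 960 'minutes'
)
$report | Format-Table Setting, Value, Unit, Source -AutoSize

# Longest background wait before a changed GPO is noticed: interval plus random offset.
$wait = ($report | Where-Object { $_.Setting -like 'GroupPolicyRefreshTime*' } |
         Measure-Object Value -Sum).Sum
"A changed GPO is picked up in the background within about $wait minutes."

$slow = ($report | Where-Object { $_.Setting -eq 'GroupPolicyMinTransferRate' }).Value
if ($slow -eq 0) {
    'Slow link detection is disabled: every connection is treated as fast.'
} else {
    "Connections measured below $slow Kbps receive only Security Settings and Administrative Templates."
}
```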
You can configure slow link detection using the Group Policy Slow Link Detection policy, which is stored in the Computer Configuration\Administrative Templates\System\Group Policy folder. To configure this policy, follow these steps:

1. Start the Group Policy Object Editor. In the Group Policy Management Console, right-click the Group Policy object you want to modify, and then select Edit.
2. Double-click the Group Policy Slow Link Detection policy in the Computer Configuration\Administrative Templates\System\Group Policy folder.
3. Define the policy by selecting Enabled, as shown in Figure 36-15, and then use the Connection Speed combo box to specify the speed that should be used to determine whether a computer is on a slow link. For example, if you want connections less than 128 Kbps to be deemed “slow connections,” you’d type 128. If you want to disable slow link detection, you’d type 0 in the Connection Speed box.

Figure 36-15 Configure slow link detection as necessary.

4. Click OK.

This policy is supported by all computers running Windows 2000 or later.

If there is any area of Group Policy for which you want to configure refresh, you can do this in the Group Policy Object Editor. The related policies are stored in the Computer Configuration\Administrative Templates\System\Group Policy folder and include Applications Policy Processing, Data Sources Policy Processing, Devices Policy Processing, Disk Quota Policy Processing, Drive Maps Policy Processing, EFS Recovery Policy Processing, Environment Policy Processing, and several dozen other specific areas of policy processing.

Note
You use Registry Policy Processing to control the processing of all other Registry-based extensions.

To configure the refresh of an extension, follow these steps:

1. Start the Group Policy Object Editor. In the Group Policy Management Console, right-click the Group Policy object you want to modify, and then select Edit.
2. Double-click the policy in the Computer Configuration\Administrative Templates\System\Group Policy folder.
3. Define the policy by selecting Enabled, as shown in Figure 36-16. The options you have differ slightly depending on the policy selected and include the following:
   • Allow Processing Across A Slow Network Connection—Select this option to ensure that the extension settings are processed even on a slow network.
   • Do Not Apply During Periodic Background Processing—Select this option to override refresh when extension settings change after startup or logon.
   • Process Even If The Group Policy Objects Have Not Changed—Select this option to force the client computer to process the extension settings during refresh even if the settings haven’t changed.
   • Background Priority—Determines when background processing occurs. If you select Idle, background processing of related policy occurs only when the computer is idle. Other processing options are for lowest activity levels, below normal activity levels, or normal activity levels.

Figure 36-16 Change the way refresh works as necessary.

4. Click OK.

Viewing Applicable GPOs and Last Refresh

In the Group Policy Management Console, you can view all of the GPOs that apply to a computer as well as the user logged on to that computer. You can also view the last time the applicable GPOs were processed (refreshed). To do this, you run the Group Policy Results Wizard.
To start the Group Policy Results Wizard and view applicable GPOs and the last refresh, follow these steps:

1. Start the Group Policy Management Console. Right-click Group Policy Results, and then select Group Policy Results Wizard.
2. When the Group Policy Results Wizard starts, click Next. On the Computer Selection page shown in Figure 36-17, select This Computer to view information for the local computer. If you want to view information for a remote computer, select Another Computer and then click Browse. In the Select Computer dialog box, type the name of the computer, and then click Check Names. After the correct computer account is selected, click OK.

Figure 36-17 Select the computer to work with.

3. In the Group Policy Results Wizard, click Next. On the User Selection page, shown in Figure 36-18, select the user whose policy information you want to view. You can view policy information for any user who has logged on to the computer.

Figure 36-18 Select the user whose policy information you want to view.

4. Click Next twice, and then after the wizard gathers the policy information, click Finish. The wizard then generates a report, the results of which are displayed in the details pane as shown in Figure 36-19.

Figure 36-19 Use the report to view policy information.

5. On the report, click Show All to display all of the policy information that was gathered.

Computer and user policy information is listed separately. Computer policy information is listed under Computer Configuration Summary, as follows:

• To view the last time the computer policy was refreshed, look under Computer Configuration Summary, General for the Last Time Group Policy Was Processed entry.
• To view all applicable GPOs, look under Computer Configuration Summary, Group Policy Objects.

User policy information is listed under User Configuration Summary, as follows:

• To view the last time the user policy was refreshed, look under User Configuration Summary, General for the Last Time Group Policy Was Processed entry.
• To view all applicable GPOs, look under User Configuration Summary, Group Policy Objects.

The Applied GPOs entry shows all GPOs that have been applied. The Denied GPOs entry shows all GPOs that should have been applied but weren’t processed for some reason, such as because they were empty or did not contain any computer policy settings. The GPO also might not have been processed because inheritance was blocked. If so, the Reason Denied is Blocked Scope of Management (SOM).

Modeling GPOs for Planning

In the Group Policy Management Console, you can test different scenarios for modifying Computer Configuration and User Configuration settings. For example, you can model the effect of a slow link or the use of loopback processing. You can also model the effect of moving a user or computer to another container in Active Directory or adding the user or computer to an additional security group. To do this, you run the Group Policy Modeling Wizard.

To start the Group Policy Modeling Wizard and test various scenarios, follow these steps:

1. Start the Group Policy Management Console. Right-click Group Policy Modeling, and then select Group Policy Modeling Wizard.
2. When the Group Policy Modeling Wizard starts, click Next. On the Domain Controller Selection page, as shown in Figure 36-20, under Show Domain Controllers In This Domain, select the domain for which you want to model results. Next, select either Any Available Domain Controller or This Domain Controller, and then choose a specific domain controller. Click Next.

Figure 36-20 Select the domain controller to work with.

3. On the User And Computer Selection page, shown in Figure 36-21, select the modeling options for users and computers.

Figure 36-21 Select the modeling options for users and computers.

   Typically, you’ll want to model policy for a specific container using user and computer information. In this case, the following would apply:
   • Under User Information, select Container, and then click Browse to display the Choose User Container dialog box, which you can use to choose any of the available user containers in the selected domain.
   • Under Computer Information, select Container, and then click Browse to display the Choose Computer Container dialog box, which you can use to choose any of the available computer containers in the selected domain.

4. Click Next. On the Advanced Simulation Options page, as shown in Figure 36-22, select any advanced options for slow network connections, loopback processing, and sites as necessary, and then click Next.

Figure 36-22 Select advanced options as necessary.

5. On the User Security Groups page, shown in Figure 36-23, you can simulate changes to security group membership to model the results on Group Policy. Any changes you make to group membership affect the previously selected user container. For example, if you want to see what would happen if a user in the designated user container is a member of the Domain Admins group, you could add this group to the Security Groups list. Click Next to continue.

[...]
following:
• Remove the server as a preferred bridgehead server and then specify a different preferred bridgehead server.
• Remove the server as a preferred bridgehead server and then allow the ISTG to select the bridgehead servers that should be used.
Because you can designate multiple preferred bridgehead servers, you can prevent this situation simply by specifying more than one preferred bridgehead server. When...

there are multiple preferred bridgehead servers, the ISTG will choose one of the servers you’ve designated as the preferred bridgehead server. If this server fails, it would then choose another server from the list of preferred bridgehead servers. An additional consideration to make when designating preferred bridgehead servers is that you must configure a bridgehead server for each partition that needs...

bridgehead servers. First, after you designate a preferred bridgehead server, the ISTG will use only the preferred bridgehead server for intersite replication. This means if the domain controller acting as the bridgehead server goes offline or is unable to replicate for any reason, intersite replication will stop until the server is again available for replication or you change the preferred bridgehead server...

this would be to examine the Servers nodes for each site in Active Directory Sites And Services. You can also do this by typing the following command at a command prompt:

    dsquery server -s DomainControllerName | dsget server -site

where DomainControllerName is the fully qualified domain name of the domain controller, such as:

    dsquery server -s corpserver92.cpandl.com | dsget server -site

The output of...

2. Domain controllers associated with a site are listed in the site’s Servers node. To locate the domain controller that you want to move, expand the site node, and then expand the related Servers node.
3. Right-click the domain controller, and then select Move. This displays the Move Server dialog box.
4. In the Move Server dialog...

If you later want the server to stop being a preferred bridgehead, select the transport in the This Server Is A Preferred Bridgehead Server For The Following Transports list, and then click Remove.

Figure 37-9 Designating a preferred bridgehead server

5. Click OK.

Configuring...

Replication traffic between sites is always sent from a bridgehead server in one site to a bridgehead server in another site. Although it is the job of the ISTG to generate the intersite replication topology and designate bridgehead servers, you can manually designate bridgehead servers as well. After you’ve established site links and designated bridgehead servers as necessary, you might want to change the way replication...

returned

In situations in which you have domain controllers that are already overloaded or not equipped to possibly handle the additional load of being a bridgehead server, you might want to control which domain controllers operate as bridgehead servers. You do this by designating preferred bridgehead servers in a site. There...

why the Group Policy Management Console is more useful than the older Group Policy tools that come with Windows Server 2008. It is also important to add that you can back up and restore GPOs only when you have installed the Group Policy Management Console.

You can either back...

PartialName* is a partial server name that includes a wildcard to match the remainder of the server name. Site:SiteName includes only domain controllers in the named site. Gc: includes all global catalog servers in the enterprise. Knowing this, there are many tasks you can perform using the Replication Administrator. These tasks are summarized in Table 37-2.

Date posted: 24/12/2013, 03:16
