Group Policy Processing over Slow Links
Applying and updating Group Policy to the client from Domain controller will check the network bandwidth, depends on the bandwidth Group Policy will be processed and the default value defines a rate slower than 500 Kbps as a slow link.
If the client from the site without DC and the site bandwidth below 500 Kbps then this will be considered as a slow link, below Group Policy extensions are processed over a slow link
Default Settings for Group Policy Processing over Slow Links
Security Settings ON (cannot be turned off)
IP Security ON
Software Restriction Policies ON
Administrative Templates ON (cannot be turned off)
Software Installation OFF
Folder Redirection OFF
IE maintenance ON
How system will determine whether a link is fast or slow how it’s calculating the network bandwidth?
How Group Policy Processing measures link speed?
1. Ping the server with 0 bytes of data and time the number of milliseconds. This value is time#1. If it is less than 10 ms, exit (assume a fast link).
2. Ping the server with 2 kilobytes (KB) of uncompressible data, and time the number of milliseconds. This value is time#2. The algorithm uses a compressed .jpg file to ping the server.
3. DELTA = time#2 – time#1. This removes the overhead of session setup, with the result being equal to the time to move 2 KB of data.
4. Calculate Delta three times, adding to TOTAL each DELTA value. Use the following calculations:
5. TOTAL/3 = Average of DELTA in milliseconds.
6. 2 * (2 KB) * (1000 ms/sec) / DELTA Average ms = X
7. X = (4000 KB/sec) / DELTA Average
8. Z Kbps = ((4000 KB) / DELTA Average) *(8 bits/byte)
9. Z Kbps = 32000 kbps/Delta Average.
Two KB of data have moved in each direction (this is represented by the leading factor two on the left side in step six) through each modem, Ethernet card, or other device in the loop once. The resulting Z value is evaluated against the policy setting. A default of less than 500 Kbps is considered a slow link; faster than 500 Kbps is a fast link.
If Z is less than 500 Kbps the connection is considered slow, otherwise it is considered fast.
You can set the default value of 500 Kbps in the Group Policy console under < Group Policy object name >/Computer Configuration/Administrative Templates/System/Group Policy/Group Policy slow link detection.
To specify policy settings for Group Policy slow link detection for computers, you use the Computer ConfigurationAdministrative TemplatesSystemGroup Policy node. To set this policy for users, you use the User ConfigurationAdministrative TemplatesSystemGroup Policy node.
For User Profiles, the Slow network connection time-out for user profiles policy is located in the Computer ConfigurationAdministrative TemplatesSystemLogon node. The user profile code first tries to contact (or ping) the server. If the server does not have IP support, it falls back to measuring the file system’s performance. You specify a threshold connection speed in kilobits per seconds, and a threshold transit time in milliseconds, when configuring this policy setting.
Note: Let say if the client from VPN site and ICMP protocol blocked or In VPN sites Router denies
oversized ICMP traffic (MTU size less then 2k)
Workstations at remote site should ping the server with 2048k* Send buffer size in order to update the Group policy, if it’s failed to ping then GPO will not update and you will be getting Event ID: 1000 and 1054 on the workstations, how to resolve this issue and GPO update issue with VPN site will be covering in Part2 article series