Remote Office GPOs rules not applying?
Hi, we currently have a Windows 2008 R2 AD / DNS server at our HQ office. We have a couple of small divisions (2-3 users) connected via VPN... Workstations seem to be able to authenticate properly, although every once in a while I get a "Domain is not available" at login. I can repair the NIC and it works after this. Anyway, it seems like GPOs are not being applied to the workstations in the divisions. All the workstations at the HQ office update fairly quickly. I have deployed some firewall rules and I don't think the divisions are getting them. One of these rules is to open the firewall for computer management from AD. I can "manage" all computers at the HQ by right-clicking the name and selecting "manage", but I get an error message when I try to do this for the remote PCs. Also, I have tried gpupdate /force and it didn't seem to apply the GPO on the remote PCs. Any suggestions? Maybe I'm missing something since they are not in the local subnet?
March 7th, 2011 10:05am

Please use Dcdiag.exe to check that you don't have AD replication problems. You can also have a look at Event Viewer to check whether there are any logged errors. This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Microsoft Student Partner, Microsoft Certified Professional, Microsoft Certified Systems Administrator: Security, Microsoft Certified Systems Engineer: Security, Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration, Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
March 7th, 2011 10:16am

There is a group policy, or two actually, that controls how high the bandwidth must be before group policies are processed. There is one for user and one for computer. It is placed under System/Group Policy and is called "Group Policy slow link detection". Check to see if this limit might be the cause of your problems.
March 7th, 2011 10:18am

Hi, I ran dcdiag.exe and the tests passed successfully. Also, I checked Event Viewer and I don't see any errors that jump out at me... I found the "Group Policy slow link detection" policies... they are not configured. Suggestions?
March 7th, 2011 11:02am

Configure it and check if it solves your problem. For more information refer to this Microsoft article. Remark: by default, when processing over a slow link, not all components of Group Policy are processed.
March 7th, 2011 11:09am

What value would you recommend for it?
March 7th, 2011 11:21am

Ok, I got a couple more questions:

- It seems to me that if I configure the Group Policy with a value of 0 it should make it think that it is always on a fast connection. However, I don't think the GPO will be applied, because the computer thinks it is on a slow link and therefore I'm basically having the same problem... is this correct? I found this: "If you are trying to disable slow link detection when Group Policy is not applying (and therefore, you cannot configure the policy setting), you can manually create the registry value "GroupPolicyMinTransferRate" (DWORD) under the following keys and set each of them to 0."
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  - HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Another question: I was reading something about how a slow link is detected... with the pings... and about fragmented packets. I might have this issue:
  - ping -l 0 --> 12ms
  - ping -l 2 --> 13ms
  - ping -l 1024 --> 25ms
  - ping -l 2048 --> no response

  Is this an indication of fragmentation?
March 7th, 2011 12:53pm

Update: I manually configured the registry on one remote workstation as described above and now it appears that the GPOs are applying correctly. I can also bring up Computer Management for this computer within AD. So, is this the only way to apply my GPOs on remote computers? By manually editing the registry? I didn't think my link was that slow. We have two T1s... I also wanted to mention that I had configured the "wait for network connection" setting (or something like that)... does this have anything to do with the GPOs not deploying to remote offices? Please advise.
March 7th, 2011 8:44pm

The registry edit is needed because of the catch 22 applied here, at least on existing PCs. You need to remove the limit to apply the GPO that removes/changes the limit. On new PCs the policy will be applied during deployment if you deploy PCs at a location with a DC or you can set the registry key at some point in whatever deployment solution you are using.
March 8th, 2011 6:37am
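As an added example (not from the thread, and not Microsoft's own tooling), here is a PowerShell script that does what the earlier post describes and the reply above suggests deploying: it writes GroupPolicyMinTransferRate under the Winlogon keys quoted in the thread, verifies the write, and optionally re-runs gpupdate. The function name and its parameters are this example's own; the registry paths and value name are the ones from the post.

```powershell
# Added example: sets GroupPolicyMinTransferRate (DWORD) under the Winlogon keys quoted
# in the thread. 0 disables slow-link detection; a non-zero value is the Kbps threshold
# below which a link is treated as slow. Function name/parameters are this example's own.
# Run elevated for the HKLM key. The HKCU key belongs to the logged-on user's profile,
# so write it from the user's context (e.g. a logon script), not from a SYSTEM task.

function Set-GpoMinTransferRate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, [int]::MaxValue)]
        [int]$Kbps = 0,
        [switch]$IncludeCurrentUser,
        [switch]$RefreshPolicy
    )

    $valueName = 'GroupPolicyMinTransferRate'
    $paths = @('HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon')
    if ($IncludeCurrentUser) {
        $paths += 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    }

    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

        $current = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if ($current -eq $Kbps) {
            Write-Verbose "$path already has $valueName = $Kbps; nothing to do"
            continue
        }

        if ($PSCmdlet.ShouldProcess($path, "Set $valueName to $Kbps (was: $current)")) {
            New-ItemProperty -Path $path -Name $valueName -PropertyType DWord -Value $Kbps -Force | Out-Null
            # Read it back so a permissions problem (e.g. not elevated) fails here, not at next logon.
            $check = (Get-ItemProperty -Path $path -Name $valueName).$valueName
            if ($check -ne $Kbps) { throw "Failed to set $valueName under $path" }
            Write-Verbose "$path : $valueName set to $Kbps"
        }
    }

    if ($RefreshPolicy) {
        # Re-run policy processing now that the VPN link is no longer classed as slow.
        & gpupdate.exe /force
    }
}

# Usage (elevated, as the interactive user): both hives, then refresh policy immediately.
Set-GpoMinTransferRate -Kbps 0 -IncludeCurrentUser -RefreshPolicy -Verbose
```

Setting 0 means the components that are normally skipped over a slow link (see the remark in the earlier reply) will now process across the VPN, so if that traffic is a concern, a non-zero Kbps threshold below the VPN's measured rate is the alternative.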

Thanks for your reply. I figured that's what needed to be done... luckily we can deploy a script with one of our other programs to add the registry entry. Now, I think I read somewhere that setting it to "0" could bring issues... thoughts? I really appreciate your help!
March 8th, 2011 9:29am
