Moving to correct forum.
If you are going to be using Macs then it is also worth bearing in mind that .local domains cause a few issues too.
With our rebuild we did the following, which we found helped us.
1) We tried to create individual policies for different settings. Only the Student and Staff Default policies have multiple settings.
2) Label each GP clearly. All computer policies begin with (C) computer, (U) user or (L) for loopback, then the general area and then the description of the GP, e.g.
"(C) - SW INSTALL - Install Flash player"
If they call a script, add (Script) on the end.
3) Not sure if this helps with performance, but disable the USER section on all COMPUTER policies and vice versa.
While looking for an answer to my own question I found the successor to the information I read when first doing this...
and the granddaddy of AD design documents:
Best Practice Active Directory Design for Managing Windows Networks
karlr (6th February 2014)
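The naming convention and "disable the unused side" advice in the post above can be checked mechanically. The following is an added example, not code from the thread: it audits every GPO name against the "(C)/(U)/(L) - AREA - Description [(Script)]" pattern, reads each GPO's XML report to see whether its Computer or User side actually carries settings, and (when run with -Apply) disables the empty side so clients stop processing it. The regex, the assumption that an empty ExtensionData element means "no settings on that side", and the use of a report object are mine; it needs the GroupPolicy RSAT module and rights to read and modify GPOs.

```powershell
# Added example (not from the thread). Audit GPO names and disable the
# empty side of each GPO. Run without -Apply first to get a report only.
param([switch]$Apply)

Import-Module GroupPolicy

# Assumed naming convention from the post:
#   "(C) - SW INSTALL - Install Flash player"   (optional " (Script)" suffix)
$namePattern = '^\((C|U|L)\) - [A-Z0-9 ]+ - .+?( \(Script\))?$'

$report = foreach ($gpo in Get-GPO -All) {
    $nameOk = $gpo.DisplayName -match $namePattern
    $prefix = if ($gpo.DisplayName -match '^\(([CUL])\)') { $Matches[1] } else { '?' }

    # The XML report lists an <ExtensionData> element under <Computer> / <User>
    # only when that side holds settings (assumption used as the emptiness test).
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $computerEmpty = ($null -eq $xml.GPO.Computer.ExtensionData)
    $userEmpty     = ($null -eq $xml.GPO.User.ExtensionData)

    # GpoStatus values: AllSettingsEnabled, UserSettingsDisabled,
    # ComputerSettingsDisabled, AllSettingsDisabled.
    $desired = $gpo.GpoStatus
    switch ($prefix) {
        'C' { if ($userEmpty)     { $desired = 'UserSettingsDisabled' } }
        'U' { if ($computerEmpty) { $desired = 'ComputerSettingsDisabled' } }
        # Loopback GPOs legitimately carry both sides; leave them alone.
    }

    # Flag GPOs whose prefix contradicts their contents (a "(C)" GPO that
    # only has user settings, or vice versa) so the name can be fixed.
    $mismatch = ($prefix -eq 'C' -and $computerEmpty -and -not $userEmpty) -or
                ($prefix -eq 'U' -and $userEmpty -and -not $computerEmpty)

    if ($Apply -and $desired -ne $gpo.GpoStatus) {
        # Assigning GpoStatus on the Gpo object writes the change to AD.
        $gpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]$desired
    }

    [pscustomobject]@{
        Name           = $gpo.DisplayName
        NameFollowsCon = $nameOk
        Prefix         = $prefix
        ComputerEmpty  = $computerEmpty
        UserEmpty      = $userEmpty
        CurrentStatus  = $gpo.GpoStatus
        DesiredStatus  = $desired
        PrefixMismatch = $mismatch
    }
}

$report | Sort-Object NameFollowsCon, Name | Format-Table -AutoSize
```

Run it read-only first and review the PrefixMismatch and NameFollowsCon columns; only then re-run with -Apply. Disabling a side is reversible (set GpoStatus back to AllSettingsEnabled), but do it in a test OU before touching the Student and Staff default policies that hold settings on both sides.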
I've got a document I will share from the new build of one I did last year if I can find an electronic copy of it.
That being said, the Mac user has had such a miserable time with the Mac and lack of our support I think we scared everyone back into windows.
(Old captive portal used old Java which Apple blocked... He had no internet access for months... Fortunately for him we were in the middle of replacing the whole system anyway and now it does SSO if a domain user)
1. Inability to bind to AD domain or losing the AD domain bind. This seems to occur periodically with various releases on both the Mac and Windows server side.
2. VERY, VERY, VERY slow network account logins, sometimes exceeding 5 minutes on the LAN, and taking over 20 minutes for logging onto mobile (network) accounts off the LAN due to the number of timeouts that occur.
3. VERY slow mounting of network drives, slow copying to said drives.
4. VERY slow printing to network printers
5. Major Bonjour issues, including for AirPrint and AirPlay on iOS devices.
Some links with discussions about these sorts of issues commonly faced in .local domains. As I said, .local domains were a cruel joke played on the world by being in Microsoft's "Best Practice" documentation that was then espoused by MS technicians the world over.
OS X 10.7, Lion, and ".local" domains | Thursby Software
Dmitry Dulepov: OS X Lion and local DNS issues
active directory - Painfully slow login to AD bound Mac OS X Leopard machine when off home network - Server Fault
MordyT (6th February 2014)
Why do you feel .local for a domain is not acceptable? I see mention of .internal and I don't understand what the difference would be. Anyone care to explain?
@Out_of_Sync see .local - Wikipedia, the free encyclopedia
@burgemaster Our current GPOs are set up similar to this. Each individual software package has its own GPO object, and even individual settings like "always wait for network" seem to have their own dedicated GPO. I can certainly see some of the appeal to doing this, but I believe it goes against Microsoft best practice. IIRC you should avoid having more than 9 GPOs active on a single scope. In a previous school I created GPOs containing all of our general settings, and then assigned them to the root of the Computers/Users OU. Then each layer down would contain a GPO containing the more specialized settings (e.g. "Student Computer Policy"), and so on.
Software installation can be done from a single or maybe a few high level GPOs, and then computers added into security groups to enable that software for them (another big thing we want to do is have all file server permissions controlled by groups, e.g. "Student Share RW" or "Student Share RO" rather than granting permissions to groups like "Students" or even directly to users).
@psydii hm, that doc does seem to suggest that two DCs are the recommendation for a single domain/site.
thanks for the info.
Another big concern is user profiles; we currently use roaming profiles for staff, and this leads to an awful lot of problems. No doubt Win 7+ will handle this better, with increased support for redirection etc., but it's still a worry. I'm also not able to find any proper, clear guidance from Microsoft on this.
Edit: Actually I did bookmark and plan to read through http://www.grouppolicy.biz/2010/08/b...irtualization/ - but what are you guys doing in terms of profiles?
Last edited by karlr; 6th February 2014 at 05:02 PM.
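The layered layout karlr describes (general settings at the OU root, specialised GPOs further down, software installs driven by computer security groups, share permissions granted to role groups rather than to "Students" or individual users) can be built with the GroupPolicy and ActiveDirectory modules. What follows is an added example and not code from the thread; the OU paths, GPO names, group names and share path are assumptions, as is the choice of Modify for the RW group and ReadAndExecute for the RO group.

```powershell
# Added example (not from the thread). Assumed OU layout:
#   OU=School / OU=Computers / OU=Students, and OU=School / OU=Groups.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName
$ou = @{
    Computers = "OU=Computers,OU=School,$domainDN"
    Students  = "OU=Students,OU=Computers,OU=School,$domainDN"
    Groups    = "OU=Groups,OU=School,$domainDN"
}

function Ensure-Gpo([string]$Name) {
    $g = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $g) { $g = New-GPO -Name $Name }
    return $g
}
function Ensure-Group([string]$Name) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $ou.Groups
    }
}

# 1) General settings at the root of the Computers OU, specialised policy one layer down.
$baseline = Ensure-Gpo '(C) - BASELINE - General computer settings'
$student  = Ensure-Gpo '(C) - STUDENT - Student computer policy'
New-GPLink -Guid $baseline.Id -Target $ou.Computers -LinkEnabled Yes -ErrorAction SilentlyContinue
New-GPLink -Guid $student.Id  -Target $ou.Students  -LinkEnabled Yes -ErrorAction SilentlyContinue

# 2) One high-level software GPO, applied only to computers in a security group.
$swGroup = 'SW - Flash Player'
Ensure-Group $swGroup
$sw = Ensure-Gpo '(C) - SW INSTALL - Install Flash player'
New-GPLink -Guid $sw.Id -Target $ou.Computers -LinkEnabled Yes -ErrorAction SilentlyContinue
# Drop Authenticated Users to Read only (they must keep Read so clients can
# still retrieve the GPO), then give the software group the Apply right.
Set-GPPermission -Guid $sw.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Guid $sw.Id -TargetName $swGroup -TargetType Group -PermissionLevel GpoApply
# Computers are then opted in by group membership, e.g.:
# Add-ADGroupMember -Identity $swGroup -Members (Get-ADComputer 'LAB01-PC01')

# 3) File share rights granted to RW/RO role groups, never to "Students" or users directly.
$sharePath = 'D:\Shares\Students'     # assumed path
foreach ($g in 'Student Share RW', 'Student Share RO') { Ensure-Group $g }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
foreach ($acePair in @(
        @{ Id = "$netbios\Student Share RW"; Rights = 'Modify' },
        @{ Id = "$netbios\Student Share RO"; Rights = 'ReadAndExecute' },
        @{ Id = 'BUILTIN\Administrators';    Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';       Rights = 'FullControl' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $acePair.Id, $acePair.Rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $sharePath -AclObject $acl

# The broad "Students" group becomes a member of the role group; access is
# changed later by editing role-group membership, not the ACL.
Add-ADGroupMember -Identity 'Student Share RO' -Members 'Students'
```

Because the ACL on the folder only ever names the two role groups plus the built-ins, the permission model can be audited by reading group membership in AD instead of walking every NTFS ACE, and revoking a user is a group removal rather than an ACL edit on a live share.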