MNSCUG June Meeting Notes
Fred's Notes from the Active Directory Best Practices from Robert Wakefield with NowMicro:
Backup of group policies via GPMC or script. Most GP admins do not backup group policy objects.
It's not a bad idea to backup directly from the GPMC
Use PowerShell to backup GPOs, this can be scheduled. Group policy backup via PS doesn't get links or security, etc. Only the object itself.
Use a central store to gather and distribute ADMX files.
Don't use loopback processing -
Create a single loopback processing policy (loopback policy) the only setting in that GPO is loopback processing.
What is loopback processing? An ability to apply user settings to a computer. Merge mode and replace mode.
Do: Group policy preferences. Replace login scripts, use for printers, and items level targeting.
Use GPO preferences to replace logon scripts.
Item Level targeting - you can build a filter to determine the target of the GPO. Useful when you have multiple filters. Security filter cannot do multiple filters. This was introduced in 2008.
If you do a forest migration the SIDs change, you have to be sensitive to this and update each preference with the new SID(s).
To clean up printers mapped via item targeting, make the first policy delete all printers. This prevents printer buildup.
For group policy trouble shooting, use the console and gpresult from there. It's more verbose than the gpresult command line.
Group policy management console has a group an event viewer.
Don't use WMI filters. Too many can impact performance of startup and logon. Using WMI filter in conjunction with group policy preference.
LDAP queries should be avoided, they are expensive. Use sparingly.
DO: Advanced group policy management. Medium sized or larger companies. At the very least us a change management model. AGPM has user change tracking. (change control and versioning)
Do Consolidate similar preferences. (i.e. on GPO for all mapped drives) printers, i.e. setting also.
Don't modify default domain policy.
Do use security filtering and filter out users and computer that this should not apply to. Don't apply each GPO to all authenticated users.
Do disable unneeded GPO section s. i.e. if there are no computer settings be sure to disable them.
Don't use block policy inheritance or enforce.
Fred's Notes for SQL Configuration for ConfigMgr by John Nelson:
Off boxing SQL is generally a bad idea. There is no need for it in most environments today.
Max Degree of Parallism:
- If hyperthreading is enabled, set MAXDOP equal to count of CPU/2
- If hyperthreading is disabled, set MAXDOP equal to count of CPUs up to 8 maximum (never set higher than 8).
Add multiple tempdb data file per processor core and limit the number of tempdb data files up to 8 if you have more than 8 CPU core.
TempDB is critical. Sort, joins and merges are all done in the tempDB. It's important to keep your temp DB performing well.
Turn off SQL/CM indexing. Use the maintenance solution from http://ola.hallengren.com/ This must be scheduled. Steve Thompson has a version that creates schedules for this tool. This is used by Microsoft internally.
- Created on .