Policy-based Quality of Service (QoS)
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
As traffic increases on a network, it becomes increasingly important for IT departments to balance network performance with the cost of service. However, network traffic is not easily prioritized and managed. Mission critical and latency-sensitive applications must compete for bandwidth against lower priority traffic. At the same time, some users and computers with specific network performance requirements might require differentiated service levels.
Such challenges of providing cost-effective, predictable network performance levels often first appear over wide area network (WAN) connections or with latency-sensitive applications like voice over IP (VoIP) and video. However, the end-goal of providing predictable network service levels applies to any network environment (for example, an enterprise's local area network), and to more than VoIP applications, such as your company's custom line-of-business applications.
For computers running Windows Server® 2008 R2, Windows® 7, Windows Server® 2008, and Windows Vista®, you can use Policy-based Quality of Service (QoS) to manage traffic in order to offer better end-user experiences, control bandwidth costs, or more finely negotiate service levels with bandwidth providers or business departments. Policy-based QoS provides network control based on applications, users, and computers. Applications do not need to be written for specific application programming interfaces (APIs), allowing use with existing applications. Additionally, Policy-based QoS also takes advantage of your existing management infrastructure, because Policy-based QoS is built into Group Policy.
You can specify QoS policies that define priority through a Differentiated Services Code Point (DSCP) value. The DSCP applies a value (0 - 63) within the Type of Service (TOS) field in an IPv4 packet's header and within the Traffic Class field in IPv6. This DSCP value allows classification at the Internet Protocol (IP) level, which routers can use to decide queuing behavior. You can also limit an application's outbound network traffic by specifying a throttle rate.
For example, you can configure routers to place packets with specific DSCP values into one of three queues: high-priority, best effort, or lower than best effort. Therefore, mission-critical network traffic gets preference before other traffic. The QoS policy defining throttling limits the rate of outbound network traffic. For example, an IT department might implement a service level agreement that specifies a file server can never provide downloads beyond a specific rate, in order to manage WAN costs.
You can also use Policy-based QoS to apply DSCP values and throttle rates for outbound network traffic to the following:
Sending application and directory path
Source and destination IP addresses, including support for address prefixes
Source and destination ports and port ranges
Protocol (TCP and UDP)
Specific groups of users or computers (through deployment in Group Policy)
By using these controls, you can specify a QoS policy with a DSCP value of 46 for a VoIP application, allowing routers to place those packets in a low-latency queue, or you can use a QoS policy to throttle a set of servers' outbound traffic to 512 KBps when sending from TCP port 443. Or, as in the expanded example in the next section, QoS policy can be applied to a particular application that has special bandwidth requirements.
Policy-based QoS enables IT administrators to configure and enforce QoS policies that cannot be configured on routers and switches.
Level of detail: It is difficult to create user-level QoS policies on routers or switches, especially if the user’s computer is either configured by using dynamic IP address assignment, or the computer is not connected to fixed switch or router ports, as is frequently the case with portable computers. In contrast, Policy-based QoS enables you to easily configure a user-level QoS policy on a domain controller and propagate it to the user’s computer, regardless of where or how the computer connects to the network. For example, you can configure a user-level QoS policy that will apply to a computer no matter where the user logs on, for example, in either a main office or in a branch office. Similarly, the same user level QoS policy will apply no matter how the user connects to the network, for example, by either the wired Ethernet network or by Wi-Fi.
Security: If your IT department encrypts users’ traffic from end to end using IPSec, then you cannot classify the traffic on routers based on any information above the IP layer in the packet (for example, a TCP port). However, by using Policy-based QoS, you can classify packets at the end device to indicate the priority of the packets in the IP header before the IP payloads are encrypted and the packets sent out.
Performance: Some QoS functions, such as throttling, are better performed when they are closer to the source. Policy-based QoS moves such QoS functions to where they can be closest to the source.
Manageability: Policy-based QoS enhances the network manageability in two ways:
First, because it is based on Group Policy, Policy-based QoS allows you to configure and manage a set of user/computer QoS policies whenever necessary, and on one central domain-controller computer.
Second, Policy-based QoS facilitates user/computer configuration by allowing you to specify policies by URL, as opposed to specifying policies based on the IP addresses of each of the servers where QoS policies need to be applied.
For example, assume your network has a cluster of servers that share a common URL. By using Policy-based QoS, you need only to create one policy based on that common URL, as opposed to creating one policy for each server in the cluster, with each policy based on the IP address of each server.
In this scenario, an IT department adds QoS to provide better network performance for a key set of users and its mission critical applications but needs to minimize the WAN link costs. The IT department decides to prioritize specific applications by using DSCP values to classify network traffic and to configure its routers to provide preferential treatment for the higher priority traffic. Later, they might consider using this classification to negotiate service levels for the leased WAN links.
In addition to DSCP values, the QoS policies can specify a throttle rate. Throttling limits all outbound traffic that matched the QoS policy to a specific send rate.
The first mission critical application to use Policy-based QoS is a company-wide enterprise resource planning (ERP) application. The ERP application is hosted on several computers running Windows Server 2008 R2 or Windows Server® 2008 in the datacenter, which are part of an organization unit (OU) for computers. While many groups within the company access the ERP application, the finance group requires differentiated performance, because the finance group depends on this application when dealing with customers. The client-side component for the ERP application is installed on computers running Windows 7 and Windows Vista.
The following example illustrates the clients and servers in a prioritization scenario. The subsequent section titled "Configuring Policy-based QoS" walks through the wizard steps for creating QoS policies. In this example, the IT administrator selects the Group Policy object (GPO) on which the QoS policy will be deployed. Through the QoS policy wizard, the IT administrator creates a QoS Policy for the group of servers called "Server LOB policy" that specifies a high priority DSCP value of 44 for all applications, any IP address, TCP and UDP, and port number. The QoS policy is applied only to the LOB servers by linking the GPO to the OU containing only these servers, via the GPMC tool. This initial Server LOB policy applies the high priority DSCP value whenever the computer sends network traffic. This QoS policy can later be edited (in the Group Policy Object Editor tool) to include the ERP application's port numbers, which limits the policy to apply only when the specified port number is used.
To ensure the finance group can support their customers, a QoS policy needs to classify these users' traffic as higher priority. However, the policy should not apply when members of the finance group use applications other than the ERP application. Thus, the IT department defines a second QoS policy called "Client LOB policy" in the Group Policy Object Editor tool that applies a DSCP value of 60 when the finance user group runs the ERP application.
A separate backup application is running on all computers. To ensure the backup application's traffic does not use all available network resources, a backup data policy is created. This backup policy specifies a DSCP value of 1 based on the executable name for this backup application, backup.exe. A third Group Policy object is created and deployed for all client computers in the domain. Whenever the backup application sends data, the low priority DSCP value is applied, even if it originates from computers in the finance department.
Note that traffic without a QoS policy sends with a DSCP value of 0.
The following table summarizes the QoS policies for this scenario.
Policy name | DSCP value | Throttle rate | Applied to organization units | Description
[No policy] | 0 | None | [No deployment] | Best effort (default) treatment for unclassified traffic.
Backup data | 1 | None | All clients | Applies a low-priority DSCP value for this bulk data.
Server LOB | 44 | None | Computer OU for ERP servers | Applies high-priority DSCP for ERP server traffic
Client LOB | 60 | None | Finance User Group | Applies high-priority DSCP for ERP client traffic
Note
DSCP values are represented in decimal form.
With QoS policies defined and applied by using Group Policy, outbound network traffic receives the policy-specified DSCP value. Routers then provide differential treatment based on these DSCP values, by using queuing. For this IT department, the routers are configured with four queues: high priority, middle priority, best effort, and low priority.
When traffic arrives at the router with DSCP values from "Server LOB policy" and "Client LOB policy," the data is placed into high priority queues. Traffic with a DSCP value of 0 receives a best effort level of service, whereas packets with a DSCP value of 1 (from the backup application) receive lower priority treatment.
To complete this task, ensure that you meet the following requirements:
The computers involved are running Windows Vista or Windows Server 2008.
The computers involved are members of an Active Directory domain so that they can be controlled by using Group Policy.
TCP/IP networks are set up with routers configured for DSCP (RFC 2474).
Administrative credentials requirements are met.
To complete this task, you must be able to create and deploy Group Policy objects.
To set up the test environment, complete the following tasks:
Create an Active Directory domain controller with clients and users grouped into organization units.
Configure the routers to differentially queue based on DSCP values. For example, DSCP value 44 enters a 'Platinum' queue and all others are weighted-fair-queued.
Note
DSCP values can be viewed by using network capture tools such as NetMon and by observing the "Type of Service" (TOS) field.
To prioritize a line of business application, complete the following tasks:
Create and link a Group Policy object (GPO) with a QoS policy.
Configure the routers to differentially treat a line of business application (by using queuing) based on the selected DSCP values. The procedures of this task will vary depending upon the type of routers you have.
Many enterprise applications are developed for, and hosted on, IIS web servers. Typically, the application is accessed from browsers on client computers. For these deployments, it is beneficial for an IT department to be able to prioritize the network traffic associated with web-based applications. In Windows 7 and Windows Server 2008 R2, Policy-based QoS provides a new feature, known as URL-based Policies, which enables administrators to place HTTP responses -- to applications that are built on top of HTTP -- subject to QoS control.
In this scenario, assume you manage a set of IIS servers that host training videos for all your organization’s employees. Your objective is to ensure the traffic from these video servers won’t overwhelm your network, and ensure that video traffic is differentiated from voice and data traffic on the network. The task is similar to the task in Scenario 1. You will design and configure the traffic management settings such as the DSCP value for the video traffic and the throttling rate the same as you would for the line of business applications. The only difference is that when specifying the traffic, instead of providing the application name, you enter the URL to which your HTTP server application will respond; for example, https://hrweb/training.
Note
URL–based QoS policies apply only to computers running Windows 7, Windows Server 2008 R2, and possibly to subsequent releases of the Windows operating system. You cannot use URL-based QoS policies to prioritize network traffic for computers running Windows operating systems that were released prior to Windows 7 and Windows Server 2008 R2.
All the following URLs are valid and can be specified in Policy-based QoS and applied simultaneously to a computer or a user:
https://video
https://*/ebooks
But which one will receive precedence? The rules are simple. URL based policies are prioritized in a left-to-right reading order. So from the highest priority to the lowest priority, the URL fields are:
1. URL Scheme
2. URL Host
3. URL Port
4. URL Path
Details are as follows:
For the URL scheme, https:// has a higher priority than http://.
For the URL host, from the highest priority to the lowest, the host forms are:
Hostname
IPv6 address
IPv4 address
wildcard
In the case of Hostname, a hostname with more dotted elements (more depth) has a higher priority than a hostname with fewer dotted elements. For example, among the following hostnames:
video.internal.training.hr.mycompany.com (depth = 6)
selfguide.training.mycompany.com (depth = 4)
training (depth = 1)
library (depth = 1)
video.internal.training.hr.mycompany.com has the highest priority, and selfguide.training.mycompany.com has the next highest priority. The hostnames training and library share the same lowest priority.
For the URL port, a specific or an implicit port number has a higher priority than a wildcard port.
Like a hostname, a URL path may consist of multiple elements. A path with more elements always has a higher priority than one with fewer. For example, the following paths are listed by priority:
/ebooks/tech/windows/networking/qos
/ebooks/tech/windows/
/ebooks
/
If a user chooses to include all subdirectories and files following a URL path then this URL path will have a lower priority than it would have were the choice not made.
A user may also choose to specify a destination IP address in a URL based policy. The destination IP address has a lower priority than any of the four URL fields described above.
A Quintuple policy is specified by protocol ID, source IP address, source port, destination IP address, and destination port. A Quintuple policy always has a higher precedence than any URL based policy. If a Quintuple policy is already applied for a user, a new URL based policy will not cause conflicts on any of that user’s client computers.
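The left-to-right ordering above can be expressed as a sort key. The following is an added example, not Windows code: the matching logic, the treatment of "Include subdirectories and files" as a tie-breaker within equal path depth, and the sample policy names are assumptions made for illustration, and inputs are assumed to already satisfy the wizard's URL rules.

```python
import ipaddress
import re
from dataclasses import dataclass

# http[s]://<hostname>[:<port>][/<url-path>]; host and port may each be "*".
URL_RE = re.compile(r"^(https?)://(\[[^\]]+\]|[^/:]+)(?::(\*|\d+))?(/.*)?$", re.I)
DEFAULT_PORT = {"http": 80, "https": 443}


@dataclass(frozen=True)
class UrlPolicy:
    name: str                      # hypothetical policy name
    url: str
    include_subdirs: bool = False  # "Include subdirectories and files"


def split_url(url):
    """Return (scheme, host, port, path_segments); port is None when implicit."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError(f"not an http[s] URL: {url!r}")
    scheme, host, port, path = m.groups()
    return scheme.lower(), host.lower(), port, [s for s in (path or "/").split("/") if s]


def host_rank(host):
    """Hostname > IPv6 > IPv4 > wildcard; among hostnames, more labels rank higher."""
    if host == "*":
        return (0, 0)
    try:
        version = ipaddress.ip_address(host.strip("[]")).version
        return (2 if version == 6 else 1, 0)
    except ValueError:
        return (3, host.count(".") + 1)


def precedence(policy):
    """Sort key compared left to right: scheme, host, port, path (larger wins)."""
    scheme, host, port, segments = split_url(policy.url)
    return (
        1 if scheme == "https" else 0,
        host_rank(host),
        0 if port == "*" else 1,             # specific or implicit port beats wildcard
        len(segments),                       # more path elements rank higher
        0 if policy.include_subdirs else 1,  # assumption: tie-breaker only
    )


def _port(port, scheme):
    return int(port) if port else DEFAULT_PORT[scheme]


def matches(policy, request_url):
    """Simplified matching (assumption): fields must be equal, '*' matches anything."""
    p_scheme, p_host, p_port, p_path = split_url(policy.url)
    r_scheme, r_host, r_port, r_path = split_url(request_url)
    if p_scheme != r_scheme or p_host not in ("*", r_host):
        return False
    if p_port != "*" and _port(p_port, p_scheme) != _port(r_port, r_scheme):
        return False
    if policy.include_subdirs:
        return r_path[:len(p_path)] == p_path
    return r_path == p_path


def winning_policy(policies, request_url):
    """Return the matching policy with the highest precedence, or None."""
    candidates = [p for p in policies if matches(p, request_url)]
    return max(candidates, key=precedence, default=None)


# Constructed sample policies using hostnames and paths from the text above.
POLICIES = [
    UrlPolicy("any-host-ebooks", "https://*/ebooks", include_subdirs=True),
    UrlPolicy("library-ebooks", "https://library/ebooks", include_subdirs=True),
    UrlPolicy("library-any-port", "https://library:*/ebooks/tech/windows", include_subdirs=True),
    UrlPolicy("library-windows", "https://library/ebooks/tech/windows", include_subdirs=True),
]

if __name__ == "__main__":
    for url in ("https://library/ebooks/tech/windows/networking/qos",
                "https://library:8443/ebooks/tech/windows",
                "https://training/ebooks/tech"):
        print(url, "->", winning_policy(POLICIES, url).name)
```

Because the port field is compared before the path, "library-ebooks" outranks "library-any-port" even though the latter has the deeper path.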
Based on the line of business application example above, you can see that QoS for networks is an industry-wide set of standards and mechanisms for ensuring high-quality performance for mission critical applications. By using QoS mechanisms, network administrators can use existing resources efficiently and ensure the required level of service without reactively expanding or over-provisioning their networks.
In Windows, Policy-based QoS combines the functionality of standards-based QoS with the manageability of Group Policy. Configuration of this combination allows for easy application of QoS policies to Group Policy objects. Windows includes a Policy-based QoS Wizard to help you:
Create a QoS policy
View, edit, or delete a QoS policy
Before you create a QoS policy, it is important that you understand the two key QoS controls used to manage network traffic:
DSCP value
Throttle rate
As noted in the line of business application example above, you can define the priority of outbound network traffic by using Specify DSCP Value to configure a QoS policy with a specific Differentiated Services Code Point (DSCP) value. As described in RFC 2474, DSCP allows values from 0 to 63 to be specified within the Type of Service (TOS) field of an IPv4 packet and within the Traffic Class field in IPv6. Network routers use the DSCP value to classify network packets and to queue them appropriately.
Note
By default, Windows traffic has a DSCP value of 0.
The number of queues and their prioritization behavior needs to be designed as part of your organization's QoS strategy. For example, your organization may choose to have five queues: latency-sensitive traffic, control traffic, business critical traffic, best effort traffic, and bulk data transfer traffic.
Along with DSCP values, throttling is another key control for managing network bandwidth. As mentioned earlier, you can use the Specify Throttle Rate setting to configure a QoS policy with a specific throttle rate for outbound traffic. By using throttling, a QoS policy limits the outgoing network traffic to a specified throttle rate. Both DSCP marking and throttling can be used together to manage traffic effectively.
Note
By default, the Specify Throttle Rate check box is not selected.
To create a QoS policy, edit the settings of a Group Policy object (GPO) from within the Group Policy Management Console (GPMC) tool. GPMC then opens the Group Policy Object Editor.
QoS policy names must be unique. Behavior depends on where the QoS policy is stored in the Group Policy Object Editor:
A QoS policy in Computer Configuration\Windows Settings\Policy-based QoS applies to computers, regardless of the user that is currently logged on. You typically use computer-based QoS policies for server computers.
A QoS policy in User Configuration\Windows Settings\Policy-based QoS applies to users after they have logged on, regardless of which computer they have logged on to.
- In Group Policy Object Editor, right-click either of the Policy-based QoS nodes, and then click Create a new policy.
On the first page of the Policy-based QoS wizard, you can specify a policy name and configure how QoS will control outgoing network traffic.
In Policy name, type a name for the QoS policy. The name must uniquely identify the policy.
Optionally, use Specify DSCP Value to enable DSCP marking, and then configure a DSCP value between 0 and 63.
Optionally, use Specify Throttle Rate to enable traffic throttling and configure the throttle rate. The throttle rate value must be greater than 1 and you can specify units of kilobytes per second (KBps) or megabytes per second (MBps).
Click Next.
The second page of the Policy-based QoS wizard allows you to apply the policy to all applications, to a specific application as identified by its executable name, to a path and application name, or to the HTTP server applications that handle requests for a specific URL. All applications specifies that the traffic management settings on the first page of the Policy-based QoS wizard apply to all applications. Only applications with this executable name specifies that the traffic management settings on the first page of the Policy-based QoS wizard are for a specific application. The executable file name must end with the .exe file name extension. Only HTTP server applications responding to requests for this URL specifies that the traffic management settings on the first page of the Policy-based QoS wizard apply to certain HTTP server applications only.
Optionally, you can enter the application path. To specify an application path, include the path with the application name. The path can include environment variables. For example, %ProgramFiles%\My Application Path\MyApp.exe, or c:\program files\my application path\myapp.exe.
Note
The application path cannot include a path that resolves to a symbolic link.
The URL must conform to RFC 1738, i.e. in the form of “http[s]://<hostname>:<port>/<url-path>”. You can use a wildcard, ‘*’, for <hostname> and/or <port>, e.g. https://training.*/, https://*.*, but the wildcard cannot denote a substring of <hostname> or <port>. In other words, neither https://my*site/ nor https://*training*/ is valid. Optionally, you can check Include subdirectories and files to perform matching on all subdirectories and files following a URL. For example, if this option is checked and the URL is “https://training” then Policy-based QoS will consider requests for “https://training/video” a good match.
In This QoS policy applies to, select either All applications or Only applications with this executable name.
If you select Only applications with this executable name, specify an executable name ending with the .exe file name extension.
Click Next.
The third page of the Policy-based QoS wizard allows you to specify IP address conditions for the QoS policy, including the following:
All source IPv4 or IPv6 addresses or specific source IPv4 or IPv6 addresses
All destination IPv4 or IPv6 addresses or specific destination IPv4 or IPv6 addresses.
If you select Only for the following source IP address or Only for the following destination IP address, you must type one of the following:
An IPv4 address, such as 192.168.1.1
An IPv4 address prefix using network prefix length notation, such as 192.168.1.0/24
An IPv6 address, such as 3ffe:ffff::1
An IPv6 address prefix, such as 3ffe:ffff::/48
If you select both Only for the following source IP address and Only for the following destination IP address, both addresses or address prefixes must be either IPv4 or IPv6-based.
If you specified the URL for HTTP server applications in the previous wizard page you’ll notice that the source IP address for the QoS policy on this wizard page is grayed out. That’s because the source IP address is the HTTP server address and it is not configurable here. On the other hand, you can still customize the policy by specifying the destination IP address. This enables you to create different policies for different clients using the same HTTP server applications.
In This QoS policy applies to (source), select Any source IP address or Only for the following IP source address.
If you selected Only the following IP source address, specify an IPv4 or IPv6 address or prefix.
In This QoS policy applies to (destination), select Any destination address or Only for the following IP destination address.
If you selected Only for the following IP destination address, specify an IPv4 or IPv6 address or prefix that corresponds to the type of address or prefix specified for the source address.
Click Next.
On the fourth page of the Policy-based QoS wizard you can specify the types of traffic and the ports that are controlled by the settings on the first page of the wizard. You can specify:
TCP traffic, UDP traffic, or both
All source ports, a range of source ports, or a specific source port
All destination ports, a range of destination ports, or a specific destination port
In Select the protocol this QoS policy applies to, select TCP, UDP, or TCP and UDP.
In Specify the source port number, select From any source port or From this source port number.
If you selected From this source port number, type a port number between 1 and 65535.
Optionally, you can specify a port range, in the format of "Low:High," where Low and High represent the lower bounds and upper bounds of the port range, inclusively. Low and High each must be a number between 1 and 65535. No space is allowed between the colon (:) character and the numbers.
In Specify the destination port number, select To any destination port or To this destination port number.
If you selected To this destination port number in the previous step, type a port number between 1 and 65535.
To complete the creation of the new QoS policy, click Finish on the Protocols and Ports page of the Policy-based QoS wizard. When completed, the new QoS policy is listed in the details pane of the Group Policy Object Editor.
To apply the QoS policy settings to users or computers, link the GPO in which the QoS policies are located to an Active Directory container, such as a domain, a site, or an organizational unit (OU).
The pages of the Policy-based QoS wizard described above correspond to the properties pages that are displayed when you view or edit the properties of a policy.
Right-click the policy name in the details pane of the Group Policy Object Editor, and then click Properties.
The Group Policy Object Editor displays the properties page with the following tabs:
Policy Profile
Application Name
IP Addresses
Protocols and Ports
Right-click the policy name in the details pane of the Group Policy Object Editor, and then click Edit existing policy.
The Group Policy Object Editor displays the Edit an existing QoS policy dialog box.
- Right-click the policy name in the details pane of the Group Policy Object Editor, and then click Delete policy.
After you have applied a number of QoS policies across your organization, it may be useful or necessary to periodically review how the policies are applied. A summary of the QoS policies for a specific user or computer can be viewed by using GPMC reporting.
- In GPMC, right-click the Group Policy Results node, and then select the menu option for Group Policy Results Wizard.
After Group Policy results are generated, click the Settings tab. On the Settings tab, the QoS policies can be found under the "Computer Configuration\Windows Settings\Policy-based QoS" and "User Configuration\Windows Settings\Policy-based QoS" nodes.
On the Settings tab, the QoS policies are listed by their QoS policy names with their DSCP value, throttle rate, policy conditions, and winning GPO listed in the same row. The QoS policy's DSCP value, throttle rate, and policy conditions are also visible in GPOE. The Group Policy results view uniquely identifies the winning GPO. When multiple GPOs have QoS policies with the same QoS policy name, the GPO with the highest GPO precedence gets applied. Conflicting QoS Policies (identified by policy name) that are attached to a lower priority GPO will not get applied. Note the GPO priorities define which QoS policies get deployed in the site, domain, or OU as appropriate. After deployment, at a user or computer level, the QoS Policy Precedence Rules determine which traffic is allowed and blocked.
With Policy-based QoS, the goal is to manage traffic on an enterprise's network. In mobile scenarios, users might be sending traffic on or off the enterprise network. Because QoS policies are not relevant while away from the enterprise's network, QoS policies are enabled only on network interfaces connected to the enterprise for Windows Vista.
For example, a user might connect her portable computer to her enterprise's network via VPN from a coffee shop. For VPN, the physical network interface (such as wireless) will not have QoS policies applied. However, the VPN interface will have QoS policies applied because it connects to the enterprise. If the user later enters another enterprise's network that does not have an Active Directory trust relationship, QoS policies will not be enabled.
Note these mobile scenarios do not apply to server workloads. For example, a server with multiple network adapters might sit on the edge of an enterprise's network. The IT department might choose to have QoS policies throttle traffic that egresses the enterprise; however, this network adapter that sends this egress traffic does not necessarily connect back to the enterprise network. For this reason, QoS policies are always enabled on all network interfaces of a computer running Windows Server 2008.
Note
Selective enablement only applies to QoS policies and not to the Advanced QoS settings discussed next in this document.
Advanced QoS settings provide additional controls for IT administrators to manage computer network consumption and DSCP markings. Advanced QoS settings apply only at the computer level, whereas QoS policies can be applied at both the computer and user levels.
Click Computer Configuration, and then click Windows Settings in Group Policy.
Right-click Policy-based QoS, and then click Advanced QoS Settings.
The figure below shows the two advanced QoS settings tabs: Inbound TCP Traffic and DSCP Marking Override.
Note
Advanced QoS Settings are computer level Group Policy settings.
Inbound TCP Traffic controls the TCP bandwidth consumption on the receiver's side, whereas QoS policies affect the outbound TCP and UDP traffic. By setting a lower throughput level on the Inbound TCP Traffic tab, TCP will limit the size of its advertised TCP receive window. The effect of this setting will be increased throughput rates and link utilization for TCP connections with higher bandwidths or latencies (bandwidth delay product). By default, computers running Windows Vista and Windows Server 2008 are set to the maximum throughput level.
The TCP receive window has changed in Windows Vista and Windows Server 2008 from previous versions of Windows. Previous versions of Windows limited the TCP receive-side window to a maximum of 64 kilobytes (KB), whereas Windows Vista and Windows Server 2008 dynamically size the receive-side window up to 16 megabytes (MB). In the Inbound TCP Traffic control, you can control the inbound throughput level by setting the maximum value to which the TCP receive-window can grow. The levels correspond to the following maximum values.
Inbound throughput level | Maximum
0 | 64 KB
1 | 256 KB
2 | 1 MB
3 | 16 MB
The actual window size may be a value equal to or smaller than the maximum, depending on network conditions.
In Group Policy Object Editor, click Local Computer Policy, click Windows Settings, right-click Policy-based QoS, and then click Advanced QoS Settings.
In TCP Receiving Throughput, select Configure TCP Receiving Throughput, and then select the level of throughput that you want.
Link the GPO to the OU.
DSCP Marking Override restricts the ability of applications to specify -- or "mark" -- DSCP values other than those specified in QoS policies. By specifying that applications are allowed to set DSCP values, applications can set non-zero DSCP values. By specifying Ignore, applications that use QoS APIs will have their DSCP values set to zero, and only QoS policies can set DSCP values. By default, computers running Windows Vista and Windows Server 2008 allow applications to specify DSCP values; applications and devices that do not use the QoS APIs are not overridden.
The Wi-Fi Alliance has established a certification for Wireless Multimedia (WMM) which defines four access categories (WMM_AC) for prioritizing network traffic transmitted on a Wi-Fi wireless network. The access categories include (in order of highest-to-lowest priority): voice, video, best effort, and background; respectively abbreviated as VO, VI, BE, and BK. The WMM specification defines which DSCP values correspond with each of the four access categories:
DSCP Value | WMM Access Category
48-63 | Voice (VO)
32-47 | Video (VI)
24-31, 0-7 | Best effort (BE)
8-23 | Background (BK)
In Windows Vista and Windows Server 2008, QoS policies can be created that use these DSCP values to ensure that portable computers with Wi-Fi Certified® for WMM wireless adapters receive prioritized handling when associated with Wi-Fi Certified® for WMM access points.
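To confirm that deployed policies are actually marking traffic, the DSCP can be read out of captured IP headers, as the earlier note on viewing DSCP values in network captures suggests, and then mapped to a WMM access category using the table above. The following is an added example, not part of the original documentation: the function names, flow labels, addresses and packet bytes are constructed for illustration. A capture tool shows the raw TOS byte, so a decimal DSCP of 44 appears as 0xB0.

```python
import ipaddress
import struct

# DSCP range -> WMM access category, from the table above.
WMM_RANGES = ((48, 63, "VO"), (32, 47, "VI"), (24, 31, "BE"), (8, 23, "BK"), (0, 7, "BE"))


def decode_dscp(packet: bytes):
    """Return (ip_version, dscp, ecn) read from the start of a raw IP packet."""
    if len(packet) < 2:
        raise ValueError("need at least two header bytes")
    version = packet[0] >> 4
    if version == 4:
        tos = packet[1]                      # IPv4: TOS is the second header byte
    elif version == 6:
        # IPv6: Traffic Class follows the version nibble and straddles bytes 0 and 1
        tos = ((packet[0] & 0x0F) << 4) | (packet[1] >> 4)
    else:
        raise ValueError(f"not an IP packet (version nibble {version})")
    return version, tos >> 2, tos & 0x03     # DSCP = upper 6 bits, ECN = lower 2


def tos_byte(dscp: int) -> int:
    """Raw TOS / Traffic Class byte that corresponds to a decimal DSCP (ECN = 0)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    return dscp << 2


def wmm_access_category(dscp: int) -> str:
    """Map a decimal DSCP to the WMM access category abbreviation."""
    for low, high, category in WMM_RANGES:
        if low <= dscp <= high:
            return category
    raise ValueError("DSCP must be 0-63")


def audit_markings(captured, expected):
    """Compare captured packets with the DSCP each flow's QoS policy should apply.

    captured: iterable of (flow_name, raw_packet)
    expected: dict of flow_name -> decimal DSCP; flows without a policy expect 0
    Returns a list of (flow_name, expected_dscp, observed_dscp) mismatches.
    """
    mismatches = []
    for flow, raw in captured:
        _, observed, _ = decode_dscp(raw)
        wanted = expected.get(flow, 0)
        if observed != wanted:
            mismatches.append((flow, wanted, observed))
    return mismatches


def ipv4_header(dscp, src="192.0.2.10", dst="198.51.100.20"):
    """Constructed 20-byte IPv4 header (protocol TCP, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos_byte(dscp), 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def ipv6_header(dscp, src="2001:db8::10", dst="2001:db8::20"):
    """Constructed 40-byte IPv6 header (next header TCP, flow label 0)."""
    first_word = (6 << 28) | (tos_byte(dscp) << 20)
    return struct.pack("!IHBB16s16s", first_word, 0, 6, 64,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


# DSCP values from the scenario's policy table (decimal).
EXPECTED = {"Backup data": 1, "Server LOB": 44, "Client LOB": 60}

# Constructed capture: the backup flow left the host without its marking.
CAPTURE = [
    ("Server LOB", ipv4_header(44)),
    ("Client LOB", ipv6_header(60)),
    ("Backup data", ipv4_header(0)),
    ("web browsing", ipv4_header(0)),
]

if __name__ == "__main__":
    for flow, raw in CAPTURE:
        version, dscp, _ = decode_dscp(raw)
        print(f"{flow}: IPv{version} TOS=0x{tos_byte(dscp):02X} DSCP={dscp} "
              f"WMM={wmm_access_category(dscp)}")
    print("mismatches:", audit_markings(CAPTURE, EXPECTED))
```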
Similar to GPO priorities, QoS policies have precedence rules to resolve conflicts when multiple QoS policies apply to a specific set of traffic. For outbound TCP or UDP traffic, only one QoS policy can be applied at a time; QoS policies do not have a cumulative effect (for example, throttle rates are not summed).
In general, the QoS policy with the most matching conditions wins. When multiple QoS policies apply, the rules fall into three categories: user-level versus computer-level; application versus the network quintuple; and among the network quintuple.
By network quintuple, we mean the source IP address, destination IP address, source port, destination port, and protocol (TCP/UDP).
User-level QoS policy takes precedence over computer-level QoS policy
This rule greatly simplifies the network administrator's management of QoS GPOs, particularly for user group–based policies. For example, if the network administrator wants to define a QoS policy for a user group, they can just create and distribute a GPO to that group. They don't have to worry about which computers those users are logged on to and whether those computers will have conflicting QoS policies defined, because if a conflict exists, the user-level policy always takes precedence.
Note
A user-level QoS policy is only applicable to traffic generated by that user. Other users of a specific computer, and the computer itself, will not be subject to any QoS policies defined for that user.
Application specificity and taking precedence over network quintuple
When multiple QoS policies match the specific traffic, the more specific policy is applied. Among policies that identify applications, a policy that includes the sending application's file path is considered more specific than another policy that only identifies the application name (no path). If multiple policies with applications still apply, the precedence rules use the network quintuple to find the best match.
Alternatively, multiple QoS policies might apply to the same traffic by specifying non-overlapping conditions. Between the conditions of applications and the network quintuple, the policy that specifies the application is considered more specific and is applied. For example, policy_A only specifies an application name (app.exe), and policy_B specifies the destination IP address 192.168.1.0/24. When these QoS policies conflict (app.exe sends traffic to an IP address within the range of 192.168.4.0/24), policy_A gets applied.
More specificity takes precedence within the network quintuple
For policy conflicts within the network quintuple, the policy with the most matching conditions takes precedence. For example, assume policy_C specifies source IP address "any", destination IP address 10.0.0.1, source port "any", destination port "any", and protocol "TCP". Next, assume policy_D specifies source IP address "any", destination IP address 10.0.0.1, source port "any", destination port 80, and protocol "TCP". Then policy_C and policy_D both match connections to destination 10.0.0.1:80. Because Policy-based QoS applies the policy with the most specific matching conditions, policy_D takes precedence in this example.
However, QoS policies might have an equal number of conditions. For example, several policies may each specify only one (but not the same) piece of the network quintuple. Among the network quintuple, the following order is from higher to lower precedence:
Source IP address
Destination IP address
Source port
Destination port
Protocol (TCP or UDP)
Within a specific condition such as IP address, a more specific IP address is treated with higher precedence; for example, an IP address 192.168.4.1 is more specific than 192.168.4.0/24.
Note
Generally your QoS policies should be designed as specifically as possible to simplify your organization's understanding of which policies are in effect.
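The following added example (not Microsoft's implementation) models the three precedence categories described above and returns the single policy that would apply to a flow, which is useful for checking a planned policy set before deploying it. It assumes the categories are evaluated in the order this page lists them, that prefix length breaks ties within an IP condition, and that every policy passed in is already scoped to the flow's user and computer; the `Policy`, `Flow`, `matches`, `rank` and `effective_policy` names and all sample values are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Policy:                        # hypothetical model, not a Windows API
    name: str
    level: str = "computer"          # "user" or "computer"
    app: Optional[str] = None        # file name ("app.exe") or full path
    src_ip: Optional[str] = None     # host or CIDR; None means "any"
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None      # "TCP" or "UDP"

Flow = namedtuple("Flow", "app_path src_ip dst_ip src_port dst_port proto")

def matches(p: Policy, f: Flow) -> bool:
    if p.app is not None:
        have = f.app_path.lower()
        # A name-only policy matches the file name; a path policy the whole path.
        if "\\" not in p.app:
            have = have.rsplit("\\", 1)[-1]
        if p.app.lower() != have:
            return False
    for net, addr in ((p.src_ip, f.src_ip), (p.dst_ip, f.dst_ip)):
        if net is not None and ip_address(addr) not in ip_network(net, strict=False):
            return False
    return all(want is None or want == have for want, have in (
        (p.src_port, f.src_port), (p.dst_port, f.dst_port), (p.proto, f.proto)))

def rank(p: Policy) -> tuple:
    # Assumed evaluation order: user over computer, then application
    # (path over name), then number of quintuple conditions, then the
    # page's tie-break order: src IP, dst IP, src port, dst port, protocol.
    app = 0 if p.app is None else (2 if "\\" in p.app else 1)
    def ip(n):  # 0 = "any"; otherwise a longer prefix scores higher
        return 0 if n is None else ip_network(n, strict=False).prefixlen + 1
    fields = (ip(p.src_ip), ip(p.dst_ip), int(p.src_port is not None),
              int(p.dst_port is not None), int(p.proto is not None))
    return (p.level == "user", app, sum(1 for x in fields if x), fields)

def effective_policy(policies, flow):
    # Only one policy applies to a flow; matching policies are never combined.
    hits = [p for p in policies if matches(p, flow)]
    return max(hits, key=rank) if hits else None

# Constructed sample: policy_C and policy_D as described above.
FLOW = Flow(r"C:\Apps\app.exe", "192.168.4.12", "10.0.0.1", 50000, 80, "TCP")
POLICY_C = Policy("policy_C", dst_ip="10.0.0.1", proto="TCP")
POLICY_D = Policy("policy_D", dst_ip="10.0.0.1", dst_port=80, proto="TCP")
print(effective_policy([POLICY_C, POLICY_D], FLOW).name)
```

Running candidate policies through such a model before linking a GPO shows which policy would win for a given application and destination, which is the situation the conflict warnings 16608 and 16609 report.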
Following are the error and event messages associated with Policy-based QoS:

| MessageId | Severity | SymbolicName | Language | Message |
| --- | --- | --- | --- | --- |
| 16500 | Informational | EVENT_EQOS_INFO_MACHINE_POLICY_REFRESH_NO_CHANGE | English | Computer QoS policies successfully refreshed. No changes detected. |
| 16501 | Informational | EVENT_EQOS_INFO_MACHINE_POLICY_REFRESH_WITH_CHANGE | English | Computer QoS policies successfully refreshed. Policy changes detected. |
| 16502 | Informational | EVENT_EQOS_INFO_USER_POLICY_REFRESH_NO_CHANGE | English | User QoS policies successfully refreshed. No changes detected. |
| 16503 | Informational | EVENT_EQOS_INFO_USER_POLICY_REFRESH_WITH_CHANGE | English | User QoS policies successfully refreshed. Policy changes detected. |
| 16504 | Informational | EVENT_EQOS_INFO_TCP_AUTOTUNING_NOT_CONFIGURED | English | The Advanced QoS Setting for inbound TCP throughput level successfully refreshed. Setting value is not specified by any QoS policy. Local computer default will be applied. |
| 16505 | Informational | EVENT_EQOS_INFO_TCP_AUTOTUNING_OFF | English | The Advanced QoS Setting for inbound TCP throughput level successfully refreshed. Setting value is Level 0 (minimum throughput). |
| 16506 | Informational | EVENT_EQOS_INFO_TCP_AUTOTUNING_HIGHLY_RESTRICTED | English | The Advanced QoS Setting for inbound TCP throughput level successfully refreshed. Setting value is Level 1. |
| 16507 | Informational | EVENT_EQOS_INFO_TCP_AUTOTUNING_RESTRICTED | English | The Advanced QoS Setting for inbound TCP throughput level successfully refreshed. Setting value is Level 2. |
| 16508 | Informational | EVENT_EQOS_INFO_TCP_AUTOTUNING_NORMAL | English | The Advanced QoS Setting for inbound TCP throughput level successfully refreshed. Setting value is Level 3 (maximum throughput). |
| 16509 | Informational | EVENT_EQOS_INFO_APP_MARKING_NOT_CONFIGURED | English | The Advanced QoS Setting for DSCP marking overrides successfully refreshed. Setting value is not specified. Applications can set DSCP values independently of QoS policies. |
| 16510 | Informational | EVENT_EQOS_INFO_APP_MARKING_IGNORED | English | The Advanced QoS Setting for DSCP marking overrides successfully refreshed. Application DSCP marking requests will be ignored. Only QoS policies can set DSCP values. |
| 16511 | Informational | EVENT_EQOS_INFO_APP_MARKING_ALLOWED | English | The Advanced QoS Setting for DSCP marking overrides successfully refreshed. Applications can set DSCP values independently of QoS policies. |
| 16512 | Informational | EVENT_EQOS_INFO_LOCAL_SETTING_DONT_USE_NLA | English | Selective application of QoS policies based on domain network category has been disabled. QoS policies will be applied to all network interfaces. |
| 16600 | Warning | EVENT_EQOS_WARNING_TEST_1 | English | EQOS: ***Testing***[, with one string] "%2". |
| 16601 | Warning | EVENT_EQOS_WARNING_TEST_2 | English | EQOS: ***Testing***[, with two strings, string1 is] "%2"[, string2 is] "%3". |
| 16602 | Warning | EVENT_EQOS_WARNING_MACHINE_POLICY_VERSION | English | The computer QoS policy "%2" has an invalid version number. This policy will not be applied. |
| 16603 | Warning | EVENT_EQOS_WARNING_USER_POLICY_VERSION | English | The user QoS policy "%2" has an invalid version number. This policy will not be applied. |
| 16604 | Warning | EVENT_EQOS_WARNING_MACHINE_POLICY_PROFILE_NOT_SPECIFIED | English | The computer QoS policy "%2" does not specify a DSCP value or throttle rate. This policy will not be applied. |
| 16605 | Warning | EVENT_EQOS_WARNING_USER_POLICY_PROFILE_NOT_SPECIFIED | English | The user QoS policy "%2" does not specify a DSCP value or throttle rate. This policy will not be applied. |
| 16606 | Warning | EVENT_EQOS_WARNING_MACHINE_POLICY_QUOTA_EXCEEDED | English | Exceeded the maximum number of computer QoS policies. The QoS policy "%2" and subsequent computer QoS policies will not be applied. |
| 16607 | Warning | EVENT_EQOS_WARNING_USER_POLICY_QUOTA_EXCEEDED | English | Exceeded the maximum number of user QoS policies. The QoS policy "%2" and subsequent user QoS policies will not be applied. |
| 16608 | Warning | EVENT_EQOS_WARNING_MACHINE_POLICY_CONFLICT | English | The computer QoS policy "%2" potentially conflicts with other QoS policies. See documentation for rules about which policy will be applied. |
| 16609 | Warning | EVENT_EQOS_WARNING_USER_POLICY_CONFLICT | English | The user QoS policy "%2" potentially conflicts with other QoS policies. See documentation for rules about which policy will be applied. |
| 16610 | Warning | EVENT_EQOS_WARNING_MACHINE_POLICY_NO_FULLPATH_APPNAME | English | The computer QoS policy "%2" was ignored because the application path cannot be processed. The application path may be invalid, contain an invalid drive letter, or contain a network mapped drive. |
| 16611 | Warning | EVENT_EQOS_WARNING_USER_POLICY_NO_FULLPATH_APPNAME | English | The user QoS policy "%2" was ignored because the application path cannot be processed. The application path may be invalid, contain an invalid drive letter, or contain a network mapped drive. |
| 16700 | Error | EVENT_EQOS_ERROR_MACHINE_POLICY_REFERESH | English | Computer QoS policies failed to refresh. Error code: "%2". |
| 16701 | Error | EVENT_EQOS_ERROR_USER_POLICY_REFERESH | English | User QoS policies failed to refresh. Error code: "%2". |
| 16702 | Error | EVENT_EQOS_ERROR_OPENING_MACHINE_POLICY_ROOT_KEY | English | QoS failed to open the machine-level root key for QoS policies. Error code: "%2". |
| 16703 | Error | EVENT_EQOS_ERROR_OPENING_USER_POLICY_ROOT_KEY | English | QoS failed to open the user-level root key for QoS policies. Error code: "%2". |
| 16704 | Error | EVENT_EQOS_ERROR_MACHINE_POLICY_KEYNAME_TOO_LONG | English | A computer QoS policy exceeds the maximum allowed name length. The offending policy is listed under the machine-level QoS policy root key, with index "%2". |
| 16705 | Error | EVENT_EQOS_ERROR_USER_POLICY_KEYNAME_TOO_LONG | English | A user QoS policy exceeds the maximum allowed name length. The offending policy is listed under the user-level QoS policy root key, with index "%2". |
| 16706 | Error | EVENT_EQOS_ERROR_MACHINE_POLICY_KEYNAME_SIZE_ZERO | English | A computer QoS policy has a zero length name. The offending policy is listed under the machine-level QoS policy root key, with index "%2". |
| 16707 | Error | EVENT_EQOS_ERROR_USER_POLICY_KEYNAME_SIZE_ZERO | English | A user QoS policy has a zero length name. The offending policy is listed under the user-level QoS policy root key, with index "%2". |
| 16708 | Error | EVENT_EQOS_ERROR_OPENING_MACHINE_POLICY_SUBKEY | English | QoS failed to open the registry subkey for a computer QoS policy. The policy is listed under the machine-level QoS policy root key, with index "%2". |
| 16709 | Error | EVENT_EQOS_ERROR_OPENING_USER_POLICY_SUBKEY | English | QoS failed to open the registry subkey for a user QoS policy. The policy is listed under the user-level QoS policy root key, with index "%2". |
| 16710 | Error | EVENT_EQOS_ERROR_PROCESSING_MACHINE_POLICY_FIELD | English | QoS failed to read or validate the "%2" field for the computer QoS policy "%3". |
| 16711 | Error | EVENT_EQOS_ERROR_PROCESSING_USER_POLICY_FIELD | English | QoS failed to read or validate the "%2" field for the user QoS policy "%3". |
| 16712 | Error | EVENT_EQOS_ERROR_SETTING_TCP_AUTOTUNING | English | QoS failed to read or set inbound TCP throughput level, error code: "%2". |
| 16713 | Error | EVENT_EQOS_ERROR_SETTING_APP_MARKING | English | QoS failed to read or set the DSCP marking override setting, error code: "%2". |
For more information about Group Policy, see the Microsoft Windows Server TechCenter on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkID=17530.
For background on the Group Policy Management Console, see Enterprise Management with the Group Policy Management Console on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkID=8630.
For more information about QoS, see the Microsoft Windows Server TechCenter Web site at https://go.microsoft.com/fwlink/?LinkId=65245.
For more about Policy-based QoS, see the Cable Guy article on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=65246.
Your domain controller can be running Windows 2000 Server, Windows Server 2003, or Windows Server 2008.
Note
GPMC must be the version available in Windows Vista and Windows Server 2008.
No, Windows Server 2008 is not required. However, QoS policies only apply to users or computers running Windows Vista and Windows Server 2008.
QoS policies must be applied on the sending computer to affect its outbound traffic. In order to affect the bidirectional traffic of two computers, QoS policies need to be deployed to both computers.
If multiple policies apply, the more specific QoS policy takes precedence. For example, a policy that states a host address (192.168.4.12) gets applied instead of a network address (192.168.0.0/16). If a computer-level and user-level policy have the same specificity, the user-level QoS policy is applied instead of the computer-level QoS policy.