-----Original Message-----
That would be intrasite I believe, and if so , then it
looks like I have a problem. Here's the scenario....I add
a user to a group in a child domain. In order for the user
to obtain the group membership (and the file privileges it
provides), it takes about 25 to 30 minutes. This is tested
every 5 minutes after a log out then back in. It appears
to me that the replication of the changes takes that long.
I'm just guessing here that that is the problem, but is
there something else wrong? By the KB articles, it should
take 5 minutes if all goes well.
I my particular child domain, there are over 35000 users,
a few hundred groups, nine domain controllers. Below the
parent there are two other child domains with a lot less
AD items. I haven't tried this in the other childs yet.
Tony
rv
.
Tony,
Let's crack this nut and solve it! What I would like to
do is have you "draw" me - and everyone else in this NG -
a picture of how your network looks.
Let's start at the top. I am going to call it
YOURDOMAIN.COM. How many DCs are in the YOURDOMAIN.COM
Domain Tree? How many users ( this is less important )?
This is an important domain tree as it is the first in
the Forest! If this Domain goes bye-bye then your entire
structure is hosed!
I am going to call your two child domains
CHILD01.YOURDOMAIN.com and CHILD02.YOURDOMAIN.COM. How
many DCs are in each of these two domains? How many
users in each ( again, not so terribly important! )?
I am sorry, but I am a bit confused in your description
about 35,000 users and nine DCs. Not sure that I follow
which Domain that is.
Secondly, I would like to know about the physical layout
of your environment. Are all of your users located in
one physcial building? If yes, that would indicate that
all three domains ( read: Domain Controllers ) are in
that same building ( probably! ). So, that means that we
are talking about one Site. Please understand that when
I use the term "Site" I am talking about Active Directory
Sites. I do not mean another word for 'physical
location'.
If you have users scattered all over the place ( which I
pretty much suspect to be the case - but not necessarily
100% ) then we are obviously talking about multiple
physical locations ( hey! and my wife says that I can not
grasp the obvious ). This does not, however, have to
mean that we have multiple AD Sites. It would *probably*
be the case, but does not have to be 100%! Should this
be true, have you set up all the Sites in the Active
Directory Sites and Services MMC, created all of the
Subnets and then associated each and every Subnet with
the appropriate Site? Are all the DCs properly located
in the appropriate Site? Please bear in mind that
*NORMALLY* a DC is located in one and only one Site.
However, it is very possible to have one DC located in
multiple Sites. It is not all that common, though.
I would also like to ask you to install the Support Tools
on each and every Server ( Exchange Server, File Server,
Domain Controller, etc. ). It will take only a moment to
do so hopefully it will not present too much of a problem
for you. There are some very useful utilities that are a
part of the Support Tools. BTW - the Support Tools are
located in two places: on the WIN2000 Server CD in the
Support | Tools folder or on the WIN2000 Service Pack CD
in the Support | Tools folder. I would opt for the
Service Pack CD if possible.
Once installed I would like to ask you to go to a command
prompt and run 'netdiag /fix' and then 'dcdiag /v'. If
you so desire, you can direct the output to a text file.
that might not be such a bad idea!
Also, please let us know what DCs are Global Catalog
Servers and how your DNS is set up!
This should give us a good start and better understanding
of what exactly is going on.
I will then briefely explain how AD Replication takes
place ( big picture, then maybe some more detailed
info ). The fact that you have nine DCs in one domain is
interesting.
Tony, do not worry. We will get to the bottom of this!
Cary
