Active Directory Suggestions Help Appreciated

Thread starter: rickiez
Greetings,

I have a client who has 8 sites, but 1 domain. It seems that whenever
you try to access anything having to do with AD administration in any of
the remote locations it takes forever and the network card light is
flashing like crazy. This only happens when you are physically onsite
at a remote location. If I am at the main office where the GC is and I
work in a portion of AD that pertains to a remote site or an OU that
contains users from that site it works fine. The issue seems to only
happen when the remote DC is trying to contact something. I can only
assume it's trying to reach the global catalog server. My understanding
was such that the global catalog only really needed to be contacted for
resources outside the domain, because each DC should have its own full
copy of AD for the domain it's in... any suggestions?

Thanks!
 
Since your client's network is only one domain, make each domain controller
a GC. With only one domain, there are no Infrastructure Master issues and
all data in the directory is on all the DCs in the forest. Therefore, GCs
everywhere won't cause a problem.

-ds
 
That's what I was considering; what didn't make sense to me was why it
was always trying to query it when it should already have all the domain
information... ya know?
 
rickiez said:
That's what I was considering; what didn't make sense to me was why it
was always trying to query it when it should already have all the domain
information... ya know?


There are some things, especially Universal group membership
in Native mode, that require the GC specifically.

Rule: A GC must be accessible in every site which generally
means putting a GC physically in each site (or 2+ GCs for
fault tolerance or performance in large domains/forests.)

 
I'd guess you are in Native mode or beyond. That requires users to contact
a GC.

-ds
 
I just inherited it so I haven't checked the mode. I'll be there today
and I'll look into it. What I was weighing was GC replication traffic
vs. the traffic it's doing now by contacting all the time... if
making them each a GC will stop that it's worth a try... can you
think of any other reason for a DC to keep contacting another DC
every time you are working in AD?
 
Here's the odd thing... they are all already Global Catalog
servers... what could they be doing every time I try and access
AD information such as editing a GPO?
 
Yes, if it's pointing to that DC for name resolution ;-)

Seriously mind, this is a common misconfiguration; DCs only configured to
point to one DNS server. You should point to yourself AND at least one
other (in any order you like).

Also, GC replication traffic will only become an issue with multiple domains
in multiple sites; especially, if there are some sites without specific
domain DCs in them.

You should also check, and then check again, that *all* subnets are
associated with the correct sites (and that there are no subnets missing).

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
______________________________________
rickiez said:
I just inherited it so I haven't checked the mode. I'll be there today
and I'll look into it. What I was weighing was GC replication traffic
vs. the traffic it's doing now by contacting all the time... if
making them each a GC will stop that it's worth a try... can you
think of any other reason for a DC to keep contacting another DC
every time you are working in AD?
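Paul's three checks above (a GC reachable in every site, each DC pointing its DNS client at itself and at least one other DC, and no subnets left unassociated with a site) can be scripted. The following is an added example written for this thread, not something posted by Paul or shipped with Windows. It assumes the RSAT ActiveDirectory module on a management host that can query every DC, that the DCs accept PowerShell remoting for the DNS client check, and a Windows Server 2012 or later forest (for Get-ADReplicationSubnet):

```powershell
# Added example: site/GC, DNS client and subnet sanity checks for a single-domain forest.
# Assumptions: ActiveDirectory module (RSAT), PowerShell remoting to each DC.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# 1. Every site should contain at least one GC, otherwise clients in that site
#    cross the WAN for universal group membership and other GC-only lookups.
$sitesWithoutGC = $dcs | Group-Object Site |
    Where-Object { -not ($_.Group | Where-Object IsGlobalCatalog) } |
    Select-Object -ExpandProperty Name
if ($sitesWithoutGC) { "Sites without a GC: $($sitesWithoutGC -join ', ')" }
else                 { "Every site has at least one GC." }

# 2. Each DC's DNS client list should contain itself (or loopback) AND another DC.
foreach ($dc in $dcs) {
    $dnsServers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses
    }
    $selfListed  = ($dnsServers -contains $dc.IPv4Address) -or ($dnsServers -contains '127.0.0.1')
    $others      = $dnsServers | Where-Object { $_ -ne $dc.IPv4Address -and $_ -ne '127.0.0.1' }
    if (-not $selfListed -or -not $others) {
        "{0}: DNS servers = {1}  <-- should list itself AND another DC" -f $dc.HostName, ($dnsServers -join ', ')
    }
}

# 3. Subnets with no site association: clients in them fall back to any DC, anywhere.
$orphanSubnets = Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site }
if ($orphanSubnets) { "Subnets not associated with a site: $($orphanSubnets.Name -join ', ')" }
else                { "All defined subnets are associated with a site." }

# For reference, the DC that GPO edits will go to by default (see later in the thread).
"PDC Emulator: $($domain.PDCEmulator)"
```

Run it from a workstation with RSAT installed and domain admin (or equivalent read) rights; the output lists only the DCs and subnets that fail a check, so an empty report means the three things Paul asked about are in order. Note that the subnet check only finds subnets that are defined but unassociated; a subnet that was never defined at all still has to be spotted by comparing against the real IP plan.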
 
Heh heh.

By default (I believe), when you edit a GPO it will try and edit it in a
single-master fashion (it will go to the PDCe). This behaviour can be
changed however...


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
______________________________________
rickiez said:
Here's the odd thing... they are all already Global Catalog
servers... what could they be doing every time I try and access
AD information such as editing a GPO?
 
ptwilliams said:
Heh heh.

By default (I believe), when you edit a GPO it will try and edit it in a
single-master fashion (it will go to the PDCe). This behaviour can be
changed however...

That is correct -- it tries to do it in a very loose single
master fashion by defaulting to the PDC Emulator for the
editable copy but allowing one to edit any copy that is
accessible if it is chosen explicitly.
 
Paul,

As Herb has already confirmed, any time you do anything to a GPO (create a
new one, edit an existing one, etc.) AD is going to try to first write the
'changes' to the Domain Controller that holds the FSMO Role of PDC Emulator.
Naturally if this is in another Site this could cause a bit of network
activity. As both of you have correctly stated, this is the default
behavior and can be changed. There is a 'pop-up' that would appear should
the PDC Emulator not be available that gives you the three choices (on the
DC that holds the PDCe role, on this Domain Controller, on any available
Domain Controller). You can also change this yourself.

HTH,

Cary
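To see why the remote-site edits were slow, it helps to confirm where the PDC Emulator actually sits relative to the site you are working in, and then to direct the edit at a local DC instead. This is an added example, not code from Cary, Herb or Paul; it assumes the RSAT ActiveDirectory and GroupPolicy modules and that the management host itself is in the remote site in question:

```powershell
# Added example: find the PDCe, compare its site with mine, and target a local DC for GPO work.
# Assumptions: ActiveDirectory + GroupPolicy modules (RSAT); run from the remote site.
Import-Module ActiveDirectory, GroupPolicy

$pdce     = (Get-ADDomain).PDCEmulator
$pdceSite = (Get-ADDomainController -Identity $pdce).Site
$mySite   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

"PDC Emulator : $pdce (site $pdceSite)"
"My site      : $mySite"
if ($mySite -ne $pdceSite) {
    "Default GPO edits from here will cross the WAN to $pdce."
}

# Locate a DC in my own site and point the GroupPolicy cmdlets at it with -Server.
# This is the scripted equivalent of GPMC's "Change Domain Controller..." choice.
$localDc = [string](Get-ADDomainController -Discover -SiteName $mySite).HostName
"Using local DC : $localDc"

# Read against the local DC; the same -Server parameter applies to New-GPO,
# Set-GPRegistryValue and the other write cmdlets, so the edit lands locally
# and replicates out instead of being written on the PDCe first.
Get-GPO -All -Server $localDc |
    Select-Object DisplayName, ModificationTime, GpoStatus |
    Sort-Object ModificationTime -Descending
```

Editing on a local DC is the trade-off Herb and Cary describe: it is faster from the remote site, but two admins editing the same GPO on different DCs before replication completes will have the last writer win, which is exactly why the default favours the single PDCe copy. Use the local DC for routine work in the remote site and keep to the PDCe when several people are touching the same policy.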
 