Domain Controller Question

  • Thread starter Thread starter Clayton Sutton
  • Start date Start date
C

Clayton Sutton

Hey everyone,

We are running a Windows 2003 domain. We had two DCs (DC01 and DC02). DC01
has all of the FSMO rolls.

Here's the issue that we are having:

We added a thired (older server) domain controller to our DR site (DC03) and
made it a GC server. Looking at "Performance Monitor" is looks like DC03 is
doing ALL of the work. This is NOT what we want. DC03 is an OLDER system
we put in the DR site just as a backup, and we don't want it to be doing all
of the work. We want our to NEW DCs (DC01 and DC02) to be doing most of the
work. Anyone know of a way to change that?

Even Outlook/Exchagne is pulling from DC03. Even my CITRIX users are
pulling from DC03.


TIA,


Clayton
 
Hi!

Do you have only one domain in your forest? If so, than you shold make ALL
domain controllers in your domain global catalogs. You can balance the load
of GC in _msdsc.domainname.com zone with priority on SRV resource records.

Toni
 
Hi,

What exactly do you mean by the new DC doing all the work? User
authentication?
The FSMO roles really are not at "work" all the time.
If you do not want Exchange to pull from this DC, do not make it a GC

Of all the operations master roles, the PDC emulator role has the
highest impact on the performance of the domain controller hosting that
role

PDC Emulator:
PDC Emulator is the root time server for synchronizing the clocks of
all Windows computers in your forest.
Another function of the PDC Emulator is that it is the domain
controller to which all changes to Group Policy are initially made
Finally, all password changes and account lockout issues are handled by
the PDC Emulator to ensure that password changes are replicated
properly and account lockout policy is effective.

RID Master:
The purpose of this role is to replenish the pool of unused relative
IDs (RIDs) for the domain and prevent this pool from becoming
exhausted. RIDs are used up whenever you create a new security
principle (user or computer account) because the SID for the new
security principle is constructed by combining the domain SID with a
unique RID taken from the pool.
So the only time the RID Master is "working" is when a DC runs out of
RIDS

Infrastructure Master:
Its purpose is to ensure that cross-domain object references are
correctly handled. For example, if you add a user from one domain to a
security group from a different domain, the Infrastructure Master makes
sure this is done properly. As you can guess however, if your Active
Directory deployment has only a single domain, then the Infrastructure
Master role does no work at all, and even in a multi-domain environment
it is rarely used except when complex user administration tasks are
performed, so the machine holding this role doesn't need to have much
horsepower at all.

Schema Master:
The purpose of this role is to replicate schema changes to all other
domain controllers in the forest. Since the schema of Active Directory
is rarely changed however, the Schema Master role will rarely do any
work. Typical scenarios where this role is used would be when you
deploy Exchange Server onto your network, or when you upgrade domain
controllers from Windows 2000 to Windows Server 2003, as these
situations both involve making changes to the Active Directory schema.

Domain Naming Master:
The Domain Naming Master role processes all changes to the namespace,
for example adding the child domain vancouver.mycompany.com to the
forest root domain mycompany.com requires that this role be available,
so you can't add a new child domain or new domain tree, check to make
sure this role is running properly.

What you can do is to adjust the priority or weight in the DNS
environment.
If you want to proportionately reduce the number of client
authentication requests received by a DC, adjust its weight. If you
want to ensure that the DC does not receive any client authentication
requests, adjust its priority.

306602 How to Optimize the Location of a Domain Controller or Global
Catalog
http://support.microsoft.com/?id=306602

Configure Operations Master Roles
http://technet2.microsoft.com/Windo...d551-44da-8412-9fd4e6d5c9111033.mspx?mfr=true

Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
 
Hi Clayton.

Looks like there are options in DNS (see other posts) - alternatively if the
"DR" domain controller can be put (or is already based) on a separate subnet
to your other DC's and PC's then you could also create a second site in AD
sites and services put the DR domain controller in there. As long as your
clients are on the main DC's subnet then they should only use those DC's for
authentication (unless they find them unreachable).

You need to make sure you have the subnets created in the AD sites and
services and that they're assigned to the appropriate site - Just a thought.

T.
 
By the way - it's also a good idea to have your FSMO's distributed across
your DC's - there's plenty of articles on the MS website about this.
 
Not really no.

Initially MSFT pushed this idea and then backed off of it considerably.
The only time this is really necessary is if the load of the FSMO roles
together over taxes a single DC. I can say that I never spread the roles
out, I pretty much always keep them on a single DC in each domain of the
forest and the forest roles sit with whatever DC in the root domain that
has all of those domain's roles. This has worked fine in forests I have
managed with hundreds of thousands of users.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
I am monitoring (from my XP workstation) the following "Performance objects"
in Windows Performance Monitor on my three DCs:

Memory - Pages/sec
Paging File - % Usage (_Total)
PhysicalDisk - % Disk Time (_Total)
PhysicalDisk - Avg. Disk Queue Length (_Total)
Processor - % Processor Time (_Total)

The graghs for DC01 and DC02 (my NEW Dell 2850 servers) are flat lined (they
don't show any activity going on). However, DC03 (which is an OLD Dell 2550
out in my DR site) looks to be doing everything. I have "some" activity on
ALL of the graghs for DC03. However, I just put this server online just to
be a backup DC. ALL of the FSMO roles are on DC01, so why is ALL of the
activity on DC03? DC03 is an old "slow" server, that's why we just made it
a backup DC. Now it looks like it's doing most of the work. (ALL DCs are
GCs in one site. We have two domains in the forest and I am working with
the root domain). Any ideas?

TIA,

Clayton
 
I am monitoring (from my XP workstation) the following "Performance objects"
in Windows Performance Monitor on my three DCs:

Memory - Pages/sec
Paging File - % Usage (_Total)
PhysicalDisk - % Disk Time (_Total)
PhysicalDisk - Avg. Disk Queue Length (_Total)
Processor - % Processor Time (_Total)

The graghs for DC01 and DC02 (my NEW Dell 2850 servers) are flat lined (they
don't show any activity going on). However, DC03 (which is an OLD Dell 2550
out in my DR site) looks to be doing everything. I have "some" activity on
ALL of the graghs for DC03. However, I just put this server online just to
be a backup DC. ALL of the FSMO roles are on DC01, so why is ALL of the
activity on DC03? DC03 is an old "slow" server, that's why we just made it
a backup DC. Now it looks like it's doing most of the work. (ALL DCs are
GCs in one site. We have two domains in the forest and I am working with
the root domain). Any ideas?

TIA,

Clayton
 
Ok it doesn't sound like you know if it is doing all of the work. You
are looking at counters that aren't busy on one DC but are on another
lesser DC, the load balancing could be equal amongst all of them and
DC03 would still show the busiest as it has the least horsepower.

I believe someone else mentioned using priority and weighting on DC DNS
records, that is what you want to look at. Alternately, put the DC in
another logical site so it is only used in a failover.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Hi!

It's hard to say which counters are appropriate in your case. If you
suspect, that one of your domain controllers is doing all the work related
to Active Directory services, check this two articles:

Active Directory monitoring in general:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=5454

Active Directory and Exchange monitoring:
http://www.microsoft.com/technet/pr...381-bdab-44bc-9df4-35e9d6192b86.mspx?mfr=true

I would check at least the following counters:
LDAP Client Sessions
LDAP Bind Time
Kerberos Authentications/sec
NTLM Authentications/sec
LDAP Successful Binds/sec
LDAP Searches/sec

It was mentioned before, that your DC3 might be the busiest server just
because it is the weakest one.

Toni
 
great info , Thanks
Harj said:
Hi,

What exactly do you mean by the new DC doing all the work? User
authentication?
The FSMO roles really are not at "work" all the time.
If you do not want Exchange to pull from this DC, do not make it a GC

Of all the operations master roles, the PDC emulator role has the
highest impact on the performance of the domain controller hosting that
role

PDC Emulator:
PDC Emulator is the root time server for synchronizing the clocks of
all Windows computers in your forest.
Another function of the PDC Emulator is that it is the domain
controller to which all changes to Group Policy are initially made
Finally, all password changes and account lockout issues are handled by
the PDC Emulator to ensure that password changes are replicated
properly and account lockout policy is effective.

RID Master:
The purpose of this role is to replenish the pool of unused relative
IDs (RIDs) for the domain and prevent this pool from becoming
exhausted. RIDs are used up whenever you create a new security
principle (user or computer account) because the SID for the new
security principle is constructed by combining the domain SID with a
unique RID taken from the pool.
So the only time the RID Master is "working" is when a DC runs out of
RIDS

Infrastructure Master:
Its purpose is to ensure that cross-domain object references are
correctly handled. For example, if you add a user from one domain to a
security group from a different domain, the Infrastructure Master makes
sure this is done properly. As you can guess however, if your Active
Directory deployment has only a single domain, then the Infrastructure
Master role does no work at all, and even in a multi-domain environment
it is rarely used except when complex user administration tasks are
performed, so the machine holding this role doesn't need to have much
horsepower at all.

Schema Master:
The purpose of this role is to replicate schema changes to all other
domain controllers in the forest. Since the schema of Active Directory
is rarely changed however, the Schema Master role will rarely do any
work. Typical scenarios where this role is used would be when you
deploy Exchange Server onto your network, or when you upgrade domain
controllers from Windows 2000 to Windows Server 2003, as these
situations both involve making changes to the Active Directory schema.

Domain Naming Master:
The Domain Naming Master role processes all changes to the namespace,
for example adding the child domain vancouver.mycompany.com to the
forest root domain mycompany.com requires that this role be available,
so you can't add a new child domain or new domain tree, check to make
sure this role is running properly.

What you can do is to adjust the priority or weight in the DNS
environment.
If you want to proportionately reduce the number of client
authentication requests received by a DC, adjust its weight. If you
want to ensure that the DC does not receive any client authentication
requests, adjust its priority.

306602 How to Optimize the Location of a Domain Controller or Global
Catalog
http://support.microsoft.com/?id=306602

Configure Operations Master Roles
http://technet2.microsoft.com/Windo...d551-44da-8412-9fd4e6d5c9111033.mspx?mfr=true

Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
Click to expand...
 
Great info.. thanks
T. Uranjek said:
Hi!

It's hard to say which counters are appropriate in your case. If you
suspect, that one of your domain controllers is doing all the work related
to Active Directory services, check this two articles:

Active Directory monitoring in general:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=5454

Active Directory and Exchange monitoring:
http://www.microsoft.com/technet/pr...381-bdab-44bc-9df4-35e9d6192b86.mspx?mfr=true

I would check at least the following counters:
LDAP Client Sessions
LDAP Bind Time
Kerberos Authentications/sec
NTLM Authentications/sec
LDAP Successful Binds/sec
LDAP Searches/sec

It was mentioned before, that your DC3 might be the busiest server just
because it is the weakest one.

Toni
Click to expand...
 
Back
Top