Two domains, One Forest....

Thread starter: Guest
The WAN connection between the 2 domains is rather slow, and when we have
users from one domain visiting the office of the other domain the
authentication takes too long. One idea was to install a DC from 1 domain
in the location of the other domain - therefore allowing visitors to
authenticate locally.

Has anyone ever tried this? Any pros and cons you might be able to pass
along? I'll be happy to post my findings if I get the chance to try it.

Thanks,
Will
 
This is not really a security group question, more an active_directory
group question.
In general, if simple login is slow and the link between the two sites
has sufficient capacity for the login, then something is not configured
correctly or at least not optimally. If this is due to a link capacity
issue, then what you are proposing will only make things worse.
If your link has the capacity for the AD replication from placing
DCs into the other sites, then you would see some improvement,
but it is very possible you may see almost as much improvement
by finding what is sub-optimal (and this same issue may need to be
resolved anyway in order to get the replication happening efficiently).
 
In addition to Roger's advice, the slowness may also be due to Group Policy
applied to the user logging on, including scripts, offline files synching at
logon, and/or maybe roaming profiles being loaded. All of that can be
modified using Group Policy to modify what is applied to a user logging on
over a "slow link", or you can use it to change what is defined as a slow
link in the case that your connection is just above the threshold considered
a slow link. The link below explains more. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;227260
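An added example (not part of the thread, and not Microsoft's detection code) that puts Steve's point into a check an admin can run on an affected client: read the configured Group Policy slow-link threshold, take a rough link estimate against the logon DC, and report whether that client would currently be treated as being on a slow link. It assumes Windows PowerShell 5.1 on a domain-joined machine, where Test-Connection returns objects with a ResponseTime property, and that the registry value GroupPolicyMinTransferRate under the policies key is the one the slow-link policy writes; the 2 KB-ping estimate is a simplification of the KB article's approach, not a reproduction of it.

```powershell
# Added example, not from the thread: audit the Group Policy slow-link
# threshold on a client and estimate whether the link to the logon DC
# would be classed as slow.
# Assumptions: Windows PowerShell 5.1 on a domain-joined client; the
# "Group Policy slow link detection" policy stores its threshold as the
# DWORD GroupPolicyMinTransferRate (kbit/s) under the key below.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$DefaultKbps = 500   # built-in default when the policy is not configured

function Get-GpSlowLinkThresholdKbps {
    # Returns the effective threshold; 0 means detection is disabled and
    # every link is treated as fast.
    $v = Get-ItemProperty -Path $PolicyKey -Name GroupPolicyMinTransferRate `
                          -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $DefaultKbps }
    return [int]$v.GroupPolicyMinTransferRate
}

function Measure-LinkKbps {
    param([string]$Target, [int]$Samples = 3)
    # Rough estimate only: time a 2 KB ICMP echo and express the payload over
    # that round trip as kbit/s (bits per ms == kbit/s, so 2048*8 / ms).
    # On a high-latency, high-bandwidth VPN this understates real bandwidth,
    # which is exactly why such links can trip the slow-link threshold.
    $pings = Test-Connection -ComputerName $Target -Count $Samples `
                             -BufferSize 2048 -ErrorAction Stop
    $avgMs = ($pings | Measure-Object -Property ResponseTime -Average).Average
    if ($avgMs -le 0) { $avgMs = 1 }   # sub-millisecond LAN reply: treat as 1 ms
    return [math]::Round((2048 * 8) / $avgMs)
}

function Test-GpSlowLink {
    param([int]$MeasuredKbps, [int]$ThresholdKbps)
    if ($ThresholdKbps -eq 0) { return $false }   # detection disabled
    return $MeasuredKbps -lt $ThresholdKbps
}

# LOGONSERVER is set by Winlogon as \\DCNAME; strip the leading backslashes.
$dc        = $env:LOGONSERVER.TrimStart('\')
$threshold = Get-GpSlowLinkThresholdKbps
$rate      = Measure-LinkKbps -Target $dc

[pscustomobject]@{
    LogonDC       = $dc
    ThresholdKbps = $threshold
    EstimatedKbps = $rate
    TreatedAsSlow = Test-GpSlowLink -MeasuredKbps $rate -ThresholdKbps $threshold
}
```

Run it as the user whose logon is slow, on the visiting machine, so the logon DC and the path it measures are the ones that user actually hits. If TreatedAsSlow comes back false while logon is still slow, the slow-link machinery is not what is skipping or running the expensive pieces (scripts, folder redirection, offline files), and the delay has to be looked for elsewhere.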
 
Roger - didn't have any luck with a previous post to that group :-(

Thanks for your reply. I have configured the forest according to MS
documentation and have seen this configuration work in other locations (at
another company). The link is an internet VPN; both offices are connected
via T1 or greater. I've spent a good deal of time investigating the issue,
and replication for most AD objects (except Exchange) happens relatively
fast. However, the delays are specifically related to MS products. Other
applications rarely exhibit the same delays.
One example of the delays is using ADUC while logged into a DC from the
second domain with an account from the first. ADUC enumerates the structure
of the parent domain as well as the local domain - this takes time. Users
notice delays when they use applications (like MS Office) and have default
printers assigned in domain 1. They also see delays in wireless
authentication, as the user accounts and groups IAS references are also in
domain 1. From some network traffic sniffing we found that the basic
problem is that everything Microsoft insists on doing multiple network
transactions within the domain in which the user account is registered.

I'm open to any solutions at this point. I've been working with Microsoft
products for a good deal of time and in particular AD structures.

Thanks!
 
Do you have GCs in both locations?

Are you sure that your site definitions are correct, and
that the DC of the "other" domain selected in DNS as
the site-coverage domain for the site without presence
of DCs of that "other" domain are the best choices?
(these are the DCs listed in DNS under the _sites area)

It sounds like you have been diligent on your homework,
so I assume you have reason for use of VPN even though
it sounds like you have a leased T1 (or better). But, if you do
have a private link, the VPN is added overhead if you have
no explicit requirement for it.

Are you staging all DNS zones to both domains so that
there is no internal DNS query resolution that has to go
over the WAN link? (Could remove some of the roundtrips).

Is this a true statement: You have members of both domains
located at each site, but you have at each site DCs of only
one domain?
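An added example (not part of the thread) that answers Roger's site-coverage and GC questions from DNS rather than from memory: for each site and each domain it resolves the site-specific SRV records that clients use to find a covering DC and a global catalog, lists which DCs are advertised, and times a TCP connect to each so a DC that is reachable only across the WAN stands out. It assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later) and reachability of the DCs on the ports the records name; the site and domain names in the defaults are constructed placeholders, not values from the thread.

```powershell
# Added example, not from the thread. Per site and per domain, show which
# DCs the site-specific SRV records point clients at for LDAP and for the
# global catalog, and how long a TCP connect to each takes from here.
# Assumptions: Resolve-DnsName is available; site/domain names below are
# placeholders to be replaced with the real ones.
param(
    [string[]]$Sites      = @('Site-A', 'Site-B'),
    [string[]]$Domains    = @('domain1.example', 'domain2.example'),
    [string]  $ForestRoot = 'domain1.example'
)

function Get-SiteSrv {
    param([string]$Name)
    # Returns the SRV targets for a record, or an empty list when the record
    # does not exist (no DC is registering coverage for that site/service).
    $r = Resolve-DnsName -Name $Name -Type SRV -DnsOnly -ErrorAction SilentlyContinue
    if (-not $r) { return @() }
    return @($r | Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{n='Target'; e={ $_.NameTarget }}, Port, Priority, Weight)
}

function Measure-TcpConnectMs {
    param([string]$Target, [int]$Port)
    # Time a plain TCP handshake; $null means the connect failed.
    $client = New-Object System.Net.Sockets.TcpClient
    $ms = (Measure-Command {
        try { $client.Connect($Target, $Port) } catch { }
    }).TotalMilliseconds
    $ok = $client.Connected
    $client.Close()
    if ($ok) { return [math]::Round($ms) } else { return $null }
}

function Show-Records {
    param([string]$Site, [string]$Scope, [string]$Service, [object[]]$Records)
    foreach ($rec in $Records) {
        [pscustomobject]@{
            Site      = $Site
            Scope     = $Scope
            Service   = $Service
            DC        = $rec.Target
            Priority  = $rec.Priority
            Weight    = $rec.Weight
            ConnectMs = Measure-TcpConnectMs -Target $rec.Target -Port $rec.Port
        }
    }
}

foreach ($site in $Sites) {
    foreach ($domain in $Domains) {
        # Site-specific LDAP record: the DCs covering this site for this domain.
        $ldap = Get-SiteSrv "_ldap._tcp.$site._sites.dc._msdcs.$domain"
        if ($ldap.Count -eq 0) {
            Write-Warning ("{0}/{1}: no site-specific LDAP SRV record; clients fall " +
                           "back to the domain-wide record (any DC, possibly over the WAN)") `
                           -f $site, $domain
            continue
        }
        Show-Records -Site $site -Scope $domain -Service 'LDAP' -Records $ldap
    }
    # GC records are registered under the forest root zone, not each domain.
    $gc = Get-SiteSrv "_gc._tcp.$site._sites.$ForestRoot"
    if ($gc.Count -eq 0) {
        Write-Warning "$site: no site-specific GC SRV record; GC lookups will leave the site"
    } else {
        Show-Records -Site $site -Scope $ForestRoot -Service 'GC' -Records $gc
    }
}
```

Save it as a script and run it from a client in each office. For a site with DCs of only one domain, the other domain's LDAP entry should list the nearest DC of that domain by cost (automatic site coverage), and its ConnectMs is the floor on every cross-domain round trip from that office; if the GC line for a site is missing or points across the WAN, universal-group and cross-domain object lookups will cross the link on every logon.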
 
I reread your reply, I believe I have answered some of my questions.
Since you mentioned AD replication between the two being fine,
I will assume that you do have a GC in each (i.e. you were not just
talking about the relatively static schema and configuration partitions).

I see you are using VPN because it is not a leased T1 or better but
rather to the internet, within which you tunnel.

Are your client machines all uplevel, not Win9x/NT4?

What Steve mentions, GPOs with User section enabled,
login scripting, and roaming profiles, can all play a part
in some of the sluggishness, but this would be mostly only
initially at login. You seem to say that things remain poor,
as with your mention of Office app usage, etc..
 
Again thank you both for your replies.

I see you are using VPN because it is not a leased T1 or better but
rather to the internet, within which you tunnel.

Correct - no leased lines; T1 to internet, VPN tunnel via internet.

Are your client machines all uplevel, not Win9x/NT4?

All clients are Win2K or WinXP.

What Steve mentions, GPOs with User section enabled,
login scripting, and roaming profiles, can all play a part
in some of the sluggishness, but this would be mostly only
initially at login. You seem to say that things remain poor,
as with your mention of Office app usage, etc..

I have looked into this as well. Many of the options, as you mention
correctly, can help with startup or logon slowness but do not play a role in
continuing performance, for instance with applications such as Office. We
have our templates on a file server but have copied them locally for those
travelling to this office to avoid the standard read/write operations to
normal.dot when using Word. We do not use roaming profiles.

Are you sure that your site definitions are correct, and
that the DC of the "other" domain selected in DNS as
the site-coverage domain for the site without presence
of DCs of that "other" domain are the best choices?
(these are the DCs listed in DNS under the _sites area)

Not sure I understand this question, but if I'm reading what I think you are
asking then yes, all local DCs show themselves as reference points for other
sites to avoid searching for the nearest replica set, as the DC in that
remote office with domain 2 is a GC.

Are you staging all DNS zones to both domains so that
there is no internal DNS query resolution that has to go
over the WAN link? (Could remove some of the roundtrips).

Yes, all DCs carry information for both namespaces and reverse zones.

Is this a true statement: You have members of both domains
located at each site, but you have at each site DCs of only
one domain?

Correct.

Hopefully this clears up any confusion for both of us :-) I'll keep looking
for ways to improve this. Isn't there always some long forgotten or unseen
or undocumented registry entry somewhere that magically fixes problems like
these? :o)
 
Yes, I believe that clears most things up.
You obviously have net traced what is happening, as you said
<quote>
From some network traffic sniffing we found that the basic
problem is that everything Microsoft insists on doing multiple network
transactions within the domain that the user account is registered.
</quote>
I believe we have just covered most of the things that could
whittle down the latency by nickels and dimes.
Placing DCs of (in your case) both domains in both locations
is certainly something that people do, as far as your initial
question. There is a certain amount of cross domain traffic
to be expected with accounts from one domain logging in on
and using resources of another domain. Remember that the
user is getting their Kerberos tickets with involvement of
the KDC of their domain.

However, I am skeptical whether that would actually gain
you all that much if the network link is as fast as you have
implied. Rather, I would hope to discover something from
the network traces which we have not yet hit on here. Also,
if you are using an L2TP tunnel for the VPN, you might eke
out some speed if you had encrypting ethernet cards on the
tunnel endpoint servers (whether this gains a nickel or
a quarter depends on what you see for CPU utilization on
those machines now when there is heavy VPN traffic).

Bottom line to me sounds like: if the link is fast and with
extra capacity, then its latency is not large, so removing
this latency by making site-local DCs would not have a
large impact on the observed slowness.
 