Two domains, One Forest....

January 24, 2005 2:53:34 PM

Archived from groups: microsoft.public.win2000.security (More info?)

The WAN connection between the 2 domains is rather slow, and when we have
users from one domain visiting the office of the other domain the
authentication takes too long. One idea was to install a DC from 1 domain
in the location of the other domain - therefore allowing visitors to
authenticate locally.

Has anyone ever tried this? Any pros and cons you might be able to pass
along? I'll be happy to post my findings if I get the chance to try it.

Thanks,
Will


Anonymous
January 24, 2005 3:45:02 PM

This is not really a security group question, more an active_directory
group question.
In general, if simple login is slow, if the link between the two sites
has sufficient capacity for the login, then something is not configured
correctly or at least not optimally. If this is due to a link capacity
issue then what you are proposing will only make things worse.
If your link has the capacity for the AD replication from placing
DCs into the other sites, then you would see some improvement,
but it is very possible you may see almost as much improvement
by finding what is sub-optimal (and this same may need to be
resolved anyway in order to get the replication happening efficiently).
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
January 24, 2005 5:20:27 PM

Roger - didn't have any luck with a previous post to that group :-(

Thanks for your reply. I have configured the forest according to MS
documentation and have seen this configuration work in other locations (at
another company). The link is an internet VPN; both offices are connected
via T1 or greater. I've spent a good deal of time investigating the issue,
and replication for most AD objects (except Exchange) happens relatively
fast. However, the delays are specifically related to MS products. Other
applications rarely exhibit the same delays.
One example of the delays is using ADUC while logged into a DC from the
second domain with an account from the first. ADUC enumerates the structure
of the parent domain as well as the local domain - this takes time. Users
notice delays when they use applications (like MS Office) and have default
printers assigned in domain 1. They also see delays in wireless
authentication, as the user accounts and groups IAS references are also in
domain 1. From some network traffic sniffing we found that the basic
problem is that everything Microsoft insists on doing multiple network
transactions within the domain that the user account is registered in.

I'm open to any solutions at this point. I've been working with Microsoft
products for a good deal of time and in particular AD structures.

Thanks!

Anonymous
January 24, 2005 6:13:32 PM

In addition to Roger's advice, the slowness may also be due to Group Policy
applied to the user logging on, including scripts, offline files synching at
logon, and/or maybe roaming profiles being loaded. All of that can be
modified using Group Policy to change what is applied to a user logging on
over a "slow link", or you can use it to change what is defined as a slow
link in the case that your connection is just above the threshold considered
a slow link. The link below explains more. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;227260

Anonymous
January 24, 2005 7:53:42 PM

Do you have GCs in both locations?

Are you sure that your site definitions are correct, and
that the DC of the "other" domain selected in DNS as
the site-coverage domain for the site without presence
of DCs of that "other" domain are the best choices?
(these are the DCs listed in DNS under the _sites area)

It sounds like you have been diligent on your homework,
so I assume you have reason for use of VPN even though
it sounds like you have a leased T1 (or better). But, if you do
have a private link, the VPN is added overhead if you have
no explicit requirement for it.

Are you staging all DNS zones to both domains so that
there is no internal DNS query resolution that has to go
over the WAN link? (Could remove some of the roundtrips).

Is this a true statement: You have members of both domains
located at each site, but you have at each site DCs of only
one domain?

--
Roger Abell

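One way to answer Roger's site-coverage question above, as an added example (not code from the thread): it builds the `_sites` SRV names under which DCs and GCs advertise per site, then classifies each site/domain pair as covered locally, covered only by a DC in another site (a WAN round trip for a visiting user), or not covered at all. The domain, site and host names, and the SRV answers, are constructed sample data that mirror the two-site, one-domain-per-site layout described in the thread.

```python
from typing import Dict, List


def dc_srv_name(site: str, domain: str) -> str:
    """DNS SRV name listing the DCs of `domain` that cover `site`."""
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}".lower()


def gc_srv_name(site: str, forest_root: str) -> str:
    """DNS SRV name listing the global catalog servers that cover `site`."""
    return f"_gc._tcp.{site}._sites.{forest_root}".lower()


def coverage_report(srv_answers: Dict[str, List[str]], host_sites: Dict[str, str],
                    sites: List[str], domains: List[str],
                    forest_root: str) -> Dict[str, Dict[str, str]]:
    """For each site, classify coverage of every domain (and the GC) as
    'local' (an advertised server physically sits in that site), 'remote'
    (only servers from other sites are advertised, i.e. auto site coverage
    across the WAN) or 'none' (no SRV record at all).
    `srv_answers` maps an SRV name to the hosts it resolves to, as
    `nslookup -type=SRV <name>` would show; `host_sites` maps each DC host
    to the site it is placed in under AD Sites and Services."""
    report: Dict[str, Dict[str, str]] = {}
    for site in sites:
        checks = {d: dc_srv_name(site, d) for d in domains}
        checks["GC"] = gc_srv_name(site, forest_root)
        row = {}
        for label, name in checks.items():
            hosts = srv_answers.get(name, [])
            if not hosts:
                row[label] = "none"
            elif any(host_sites.get(h.lower()) == site for h in hosts):
                row[label] = "local"
            else:
                row[label] = "remote"
        report[site] = row
    return report


def wan_crossings(report: Dict[str, Dict[str, str]]):
    """(site, domain) pairs whose lookups cost a WAN round trip."""
    return [(s, d) for s, row in report.items() for d, v in row.items() if v != "local"]


# Constructed sample: domain 1 is the forest root with DCs only at "hq";
# domain 2 is a child with a single DC (also a GC) only at "branch".
FOREST_ROOT = "corp.example"
DOMAINS = ["corp.example", "branch.corp.example"]
SITES = ["hq", "branch"]
HOST_SITES = {"dc1.corp.example": "hq", "dc2.corp.example": "hq",
              "bdc1.branch.corp.example": "branch"}
SRV_ANSWERS = {
    dc_srv_name("hq", "corp.example"): ["dc1.corp.example", "dc2.corp.example"],
    dc_srv_name("branch", "corp.example"): ["dc1.corp.example"],  # covered from hq
    dc_srv_name("hq", "branch.corp.example"): ["bdc1.branch.corp.example"],
    dc_srv_name("branch", "branch.corp.example"): ["bdc1.branch.corp.example"],
    gc_srv_name("hq", FOREST_ROOT): ["dc1.corp.example"],
    gc_srv_name("branch", FOREST_ROOT): ["bdc1.branch.corp.example"],
}

if __name__ == "__main__":
    rep = coverage_report(SRV_ANSWERS, HOST_SITES, SITES, DOMAINS, FOREST_ROOT)
    for site, row in rep.items():
        print(site, row)
    print("WAN round trips:", wan_crossings(rep))
```

Feeding it real answers from `nslookup -type=SRV` against the internal DNS shows which domain's lookups a visiting user must send across the tunnel before any DC is added.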
Anonymous
January 24, 2005 8:08:09 PM

I reread your reply; I believe I have answered some of my questions.
Since you mentioned AD replication between the two being fine,
I will assume that you do have a GC in each (i.e. you were not just
talking about the relatively static schema and configuration partitions).

I see you are using VPN because it is not a leased T1 or better but
rather to the internet, within which you tunnel.

Are your client machines all uplevel, not Win9x/NT4?

What Steve mentions, GPOs with User section enabled,
login scripting, and roaming profiles, can all play a part
in some of the sluggishness, but this would be mostly only
initially at login. You seem to say that things remain poor,
as with your mention of Office app usage, etc.

--
Roger
January 26, 2005 2:29:04 PM

Again thank you both for your replies.

> I see you are using VPN because it is not a leased T1 or better but
> rather to the internet, within which you tunnel.

Correct - no leased lines; T1 to internet, VPN tunnel via internet.

> Are your client machines all uplevel, not Win9x/NT4?

All clients are Win2K or WinXP.

> What Steve mentions, GPOs with User section enabled,
> login scripting, and roaming profiles, can all play a part
> in some of the sluggishness, but this would be mostly only
> initially at login. You seem to say that things remain poor,
> as with your mention of Office app usage, etc..

I have looked into this as well. Many of the options you mention
can indeed help with startup or logon slowness but do not play a role in
continuing performance, for instance with applications such as Office. We
have our templates on a file server but have copied them locally for those
travelling to this office to avoid the standard read/write operations to
normal.dot when using Word. We do not use roaming profiles.

> Are you sure that your site definitions are correct, and
> that the DC of the "other" domain selected in DNS as
> the site-coverage domain for the site without presence
> of DCs of that "other" domain are the best choices?
> (these are the DCs listed in DNS under the _sites area)

Not sure I understand this question, but if I'm reading what I think you are
asking, then yes, all local DCs show themselves as reference points for other
sites to avoid searching for the nearest replica set, as the DC in that
remote office with domain 2 is a GC.

> Are you staging all DNS zones to both domains so that
> there is no internal DNS query resolution that has to go
> over the WAN link? (Could remove some of the roundtrips).

Yes, all DCs carry information for both namespaces and reverse zones.

> Is this a true statement: You have members of both domains
> located at each site, but you have at each site DCs of only
> one domain?

Correct.

Hopefully this clears up any confusion for both of us :-) I'll keep looking
for ways to improve this. Isn't there always some long forgotten or unseen
or undocumented registry entry somewhere that magically fixes problems like
these? :o )
Anonymous
January 27, 2005 3:29:56 AM

Yes, I believe that clears most things up.
You obviously have net traced what is happening, as you said
<quote>
From some network traffic sniffing we found that the basic
problem is that everything Microsoft insists on doing multiple network
transactions within the domain that the user account is registered.
</quote>
I believe we have just covered most of the things that could
whittle down the latency by nickels and dimes.
Placing DCs of (in your case) both domains in both locations
is certainly something that people do, as far as your initial
question. There is a certain amount of cross domain traffic
to be expected with accounts from one domain logging in on
and using resources of another domain. Remember that the
user is getting their Kerberos tickets with involvement of
the KDC of their domain.

However, I am skeptical whether that would actually gain
you all that much if the network link is as fast as you have
implied. Rather, I would hope to discover something from
the network traces which we have not yet hit on here. Also,
if you are using an L2TP tunnel for the VPN, you might eke out
some speed if you had encrypting ethernet cards on the
tunnel endpoint servers (whether this gains a nickel or
a quarter depends on what you see for CPU utilization on
those machines now when there is heavy VPN traffic).

Bottom line to me sounds like: if the link is fast and with
extra capacity, then its latency is not large, so removing
this latency by making site local DCs would not have a
large impact on the observed slowness.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA