Two domains, One Forest....

Archived from groups: microsoft.public.win2000.security

The WAN connection between the 2 domains is rather slow, and when we have
users from one domain visiting the office of the other domain the
authentication takes too long. One idea was to install a DC from 1 domain
in the location of the other domain - therefore allowing visitors to
authenticate locally.

Has anyone ever tried this? Any pros and cons you might be able to pass
along? I'll be happy to post my findings if I get the chance to try it.

Thanks,
Will
  1.

    This is not really a security group question, more an active_directory
    group question.
    In general, if simple login is slow, if the link between the two sites
    has sufficient capacity for the login, then something is not configured
    correctly or at least not optimally. If this is due to a link capacity
    issue then what you are proposing will only make things worse.
    If your link has the capacity for the AD replication from placing
    DCs into the other sites, then you would see some improvement,
    but it is very possible you may see almost as much improvement
    by finding what is sub-optimal (and the same may need to be
    resolved anyway in order to get the replication happening efficiently).
    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    <WilliamBeau> wrote in message news:uE$zFYkAFHA.2316@TK2MSFTNGP15.phx.gbl...
  2.

    Roger - didn't have any luck with a previous post to that group :-(

    Thanks for your reply. I have configured the forest according to MS
    documentation and have seen this configuration work in other locations (at
    another company). The link is an internet VPN; both offices are connected
    via T1 or greater. I've spent a good deal of time investigating the issue
    and replication for most AD objects (except Exchange) happens relatively
    fast. However, the delays are specifically related to MS products. Other
    applications rarely exhibit the same delays.
    One example of the delays is using ADUC while logged into a DC from the
    second domain with an account from the first. ADUC enumerates the structure
    of the parent domain as well as the local domain - this takes time. Users
    notice delays when they use applications (like MSOffice) and have default
    printers assigned in domain 1. They also see delays in wireless
    authentication as the user accounts and groups IAS references are also in
    domain 1. From some network traffic sniffing we found that the basic
    problem is that everything Microsoft insists on doing multiple network
    transactions within the domain in which the user account is registered.

    I'm open to any solutions at this point. I've been working with Microsoft
    products for a good deal of time and in particular AD structures.

    Thanks!

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:uQIaJzkAFHA.1452@TK2MSFTNGP11.phx.gbl...
  3.

    In addition to Roger's advice, the slowness may also be due to Group Policy
    applied to the user logging on, including scripts, offline files synching at
    logon, and/or maybe roaming profiles being loaded. All of that can be
    modified using Group Policy to modify what is applied to a user logging on
    over a "slow link", or you can use it to change what is defined as a slow
    link in the case that your connection is just above the threshold considered
    a slow link. The link below explains more. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;227260

    <WilliamBeau> wrote in message news:uE$zFYkAFHA.2316@TK2MSFTNGP15.phx.gbl...
  4.

    Do you have GCs in both locations?

    Are you sure that your site definitions are correct, and
    that the DC of the "other" domain selected in DNS as
    the site-coverage domain for the site without presence
    of DCs of that "other" domain are the best choices?
    (these are the DCs listed in DNS under the _sites area)

    It sounds like you have been diligent on your homework,
    so I assume you have reason for use of VPN even though
    it sounds you have leased T1 (or better). But, if you do
    have private link the VPN is added overhead if you have
    no explicit requirement for it.

    Are you staging all DNS zones to both domains so that
    there is no internal DNS query resolution that has to go
    over the WAN link? (Could remove some of the roundtrips).

    Is this a true statement: You have members of both domains
    located at each site, but you have at each site DCs of only
    one domain?

    --
    Roger Abell

    <WilliamBeau> wrote in message news:e9sbKqlAFHA.2932@TK2MSFTNGP10.phx.gbl...
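The checks Roger asks about (which DC of the "other" domain DNS hands out for a site that has no DC of that domain, and whether a GC is advertised for each site) can be read straight from the locator SRV records. The script below is an added example, not code from the thread; it assumes placeholder names (forest root corp.example, child domain sub.corp.example, sites SiteA and SiteB) and a domain member with the DnsClient module.

```powershell
# Added example, not from the thread: enumerate the DC locator SRV records
# for each AD site and domain, so the "site coverage" DC that DNS hands to
# a site with no DC of that domain is visible, along with any GC for the site.
# Assumptions (placeholders, not from the thread): forest root corp.example,
# child domain sub.corp.example, sites named SiteA and SiteB. Needs the
# DnsClient module (Windows 8 / Server 2012 and later) on a domain member.

$ForestRoot = 'corp.example'
$Domains    = @('corp.example', 'sub.corp.example')
$Sites      = @('SiteA', 'SiteB')

function Get-SrvTargets {
    # Returns "host:port (prio P, weight W)" strings for one SRV name,
    # or an empty array when nothing is registered under that name.
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object {
                '{0}:{1} (prio {2}, weight {3})' -f $_.NameTarget, $_.Port, $_.Priority, $_.Weight
            }
    } catch {
        @()
    }
}

# Site this client has been placed in by the DC locator (first output line of nltest).
$clientSite = (nltest /dsgetsite 2>$null | Select-Object -First 1)
Write-Host "This client's site: $clientSite"

foreach ($site in $Sites) {
    Write-Host "=== Site $site ==="
    foreach ($domain in $Domains) {
        # Site-specific DC records. A DC whose server object sits in the
        # other site is doing automatic site coverage for this domain here.
        $dcs = @(Get-SrvTargets "_ldap._tcp.$site._sites.dc._msdcs.$domain")
        if ($dcs.Count -eq 0) {
            Write-Host "  $domain : no DC advertised for this site (clients fall back to the domain-wide record)"
        } else {
            Write-Host "  $domain : $($dcs -join ', ')"
        }
    }
    # GC records are forest-wide and are registered under the forest root zone.
    $gcs = @(Get-SrvTargets "_gc._tcp.$site._sites.$ForestRoot")
    if ($gcs.Count -eq 0) {
        Write-Host "  GC : none advertised for this site"
    } else {
        Write-Host "  GC : $($gcs -join ', ')"
    }
}
```

A DC listed under a site it does not belong to is the automatic site coverage choice, picked from the site with the lowest site-link cost, so a wrong subnet-to-site mapping or site-link cost shows up here before it shows up as slow logons.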
  5.

    I reread your reply, I believe I have answered some of my questions.
    Since you mentioned AD replication between the two being fine,
    I will assume that you do have a GC in each (i.e. you were not just
    talking about the relatively static schema and configuration partitions).

    I see you are using VPN because it is not a leased T1 or better but
    rather to the internet, within which you tunnel.

    Are your client machines all uplevel, not Win9x/NT4?

    What Steve mentions, GPOs with User section enabled,
    login scripting, and roaming profiles, can all play a part
    in some of the sluggishness, but this would be mostly only
    initially at login. You seem to say that things remain poor,
    as with your mention of Office app usage, etc.

    --
    Roger
    <WilliamBeau> wrote in message news:e9sbKqlAFHA.2932@TK2MSFTNGP10.phx.gbl...
  6.

    Again thank you both for your replies.

    > I see you are using VPN because it is not a leased T1 or better but
    > rather to the internet, within which you tunnel.

    Correct - no leased lines; T1 to the internet, VPN tunnel via the internet.

    > Are your client machines all uplevel, not Win9x/NT4?

    All clients are Win2K or WinXP

    > What Steve mentions, GPOs with User section enabled,
    > login scripting, and roaming profiles, can all play a part
    > in some of the sluggishness, but this would be mostly only
    > initially at login. You seem to say that things remain poor,
    > as with your mention of Office app usage, etc..

    I have looked into this as well. Many of the options as you mention
    correctly can help with startup or logon slowness but do not play a role in
    continuing performance for instance with applications such as Office. We
    have our templates on a file server but have copied them local for those
    travelling to this office to avoid the standard read/write operations to
    normal.dot when using Word. We do not use roaming profiles.

    > Are you sure that your site definitions are correct, and
    > that the DC of the "other" domain selected in DNS as
    > the site-coverage domain for the site without presence
    > of DCs of that "other" domain are the best choices?
    > (these are the DCs listed in DNS under the _sites area)

    Not sure I understand this question but if I'm reading what I think you are
    asking then Yes all local DCs show themselves as reference points for other
    sites to avoid searching for the nearest replica set as the DC in that
    remote office with domain 2 is a GC.

    > Are you staging all DNS zones to both domains so that
    > there is no internal DNS query resolution that has to go
    > over the WAN link? (Could remove some of the roundtrips).

    Yes, all DCs carry information for both namespaces and reverse zones.

    > Is this a true statement: You have members of both domains
    > located at each site, but you have at each site DCs of only
    > one domain?

    Correct.

    Hopefully this clears up any confusion for both of us :-) I'll keep looking
    for ways to improve this. Isn't there always some long forgotten or unseen
    or undocumented registry entry somewhere that magically fixes problems like
    these? :o)
  7.

    Yes, I believe that clears most things up.
    You obviously have net traced what is happening, as you said
    <quote>
    From some network traffic sniffing we found that the basic
    problem is that everything Microsoft insists on doing multiple network
    transactions within the domain that the user account is registered.
    </quote>
    I believe we have just covered most of the things that could
    whittle down the latency by nickels and dimes.
    Placing DCs of (in your case) both domains in both locations
    is certainly something that people do, as far as your initial
    question goes. There is a certain amount of cross domain traffic
    to be expected with accounts from one domain logging in on
    and using resource of another domain. Remember that the
    user is getting their Kerberos tickets with involvement of
    the KDC of their domain.

    However, I am skeptical whether that would actually gain
    you all that much if the network link is as fast as you have
    implied. Rather, I would hope to discover something from
    the network traces which we have not yet hit on here. Also,
    if you are using L2TP tunnel for the VPN, you might eke out
    some speed if you had encrypting ethernet cards on the
    tunnel endpoint servers (whether this gains a nickel or
    a quarter depends on what you see for CPU utilization on
    those machines now when there is heavy VPN traffic).

    Bottom line to me sounds like: if the link is fast and with
    extra capacity, then its latency is not large, so removing
    this latency by making site local DCs would not have a
    large impact on the observed slowness.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    <WilliamBeau> wrote in message news:ucm$uT9AFHA.3016@tk2msftngp13.phx.gbl...