Gil,

Thanks for the direction:
I'm leaving for the weekend but Monday morning I hope everyone is around to continue 
this topic.

Each client is set up with their closest DC's DNS IP as primary and the furthest as 
their secondary.
I haven't verified the LOGONSERVER environment variable but I did verify through Outlook that 
each client is using their closest DC as their GC.

Each DC has a forward zone for the same domain - companyname.com - and a reverse zone for 
the same subnets.

i.e.: Forward Zone on PA-FILE-01 (Office A): companyname.com
i.e.: Forward Zone on PA-FILE-02 (Office B): companyname.com

The reverse zones are identical, containing the same information regarding their own 
and their distant subnets.
Both servers are primaries (not sure if I'm using the correct term); DNS is AD-integrated.

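Gil asked how the zones are set up (primary/secondary, AD-integrated, secure updates only). The script below is an added example, not code from the thread: it reads those settings from both DCs and flags any zone that is not configured identically on the two, which is worth checking when one DC is rejecting updates from the other. It assumes the DnsServer PowerShell module (which post-dates this 2003 thread) and RPC access to both servers; the server names are the ones from the thread.

```powershell
# Added example, not from the thread. Compare DNS zone settings across two DCs so the
# answers to "primary/secondary, AD-integrated, secure updates?" come from the servers.
# Assumes the DnsServer module is installed and both DCs are reachable over RPC.
$dcs = @('PA-FILE-01', 'PA-FILE-02')   # server names taken from the thread

# Collect, per server and per zone, the settings that govern who may update the zone.
$zones = foreach ($dc in $dcs) {
    Get-DnsServerZone -ComputerName $dc |
        Where-Object { -not $_.IsAutoCreated } |      # skip 0.in-addr.arpa, localhost, etc.
        ForEach-Object {
            [pscustomobject]@{
                Server        = $dc
                Zone          = $_.ZoneName
                ZoneType      = $_.ZoneType           # Primary / Secondary / Stub / Forwarder
                DsIntegrated  = $_.IsDsIntegrated     # True = stored in AD (multi-master)
                DynamicUpdate = $_.DynamicUpdate      # None / NonsecureAndSecure / Secure
                Scope         = $_.ReplicationScope   # Domain / Forest / Legacy (AD-integrated only)
            }
        }
}
$zones | Sort-Object Zone, Server | Format-Table -AutoSize

# Flag zones that are missing on one DC or whose settings differ between the DCs, e.g.
# file-backed Primary on one side and AD-integrated on the other, or Secure updates on
# one side and NonsecureAndSecure on the other.
$zones | Group-Object Zone | ForEach-Object {
    $distinct = $_.Group | Select-Object ZoneType, DsIntegrated, DynamicUpdate, Scope -Unique
    if ($distinct.Count -gt 1 -or $_.Count -lt $dcs.Count) {
        Write-Warning "Zone '$($_.Name)' is not configured identically on all DCs:"
        $_.Group | Format-Table Server, ZoneType, DsIntegrated, DynamicUpdate, Scope -AutoSize |
            Out-String | Write-Warning
    }
}
```
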
-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Friday, February 28, 2003 3:59 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Design Guidance


Well, the first thing to do would be to clean up DNS... Ain't nobody happy
until DNS is happy :)

Usually piggy authentication is due to clients authenticating with
inappropriate DCs, e.g. the ones on the other side of the link. There are
two things to verify: Are the clients communicating with the correct DNS
service, and when they locate a DC through DNS, are they selecting the
correct DC?

Make sure that subnets in the two sites are defined appropriately, such that
the DHCP service in each site is passing on addresses and
preferred/secondary DNS servers that correspond to the subnets defined for
the clients' respective sites. That should ensure that the clients are
communicating with the appropriate DNS service.

Make sure that the clients are selecting the appropriate DC for
authentication. The SRV records in DNS define which DC each client will
select, so they have to be right. You can check the "LOGONSERVER"
environment variable on some of the slow clients to see which DC they've
selected. DCDIAG /s:<DC host name> /test:connectivity /test:advertising /v
will check to make sure that each DC has published the correct SRV records.

The invalid DNS update thing is curious. Can you say more about how your DNS
is configured? How are the zones set up, e.g. primary/secondary, secure
updates only, AD-integrated, etc.

HTH

-gil

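The two checks Gil describes above (is the client talking to the right DNS service, and did it pick a DC in its own site) can be run from a single client. The script below is an added example, not code from the thread or from Gil: it lists the client's DNS servers, reads LOGONSERVER, asks the locator which site the client is in, and then resolves the site-specific SRV records to see whether the logon DC is one of the DCs advertised for that site. It assumes a domain-joined Windows client with the DnsClient cmdlets (Windows 8 / 2012 or later, so newer than the clients in the thread) and uses a placeholder domain name.

```powershell
# Added example, not from the thread. Run on one slow client to verify the two points
# Gil lists: (1) which DNS servers the client uses, (2) whether the DC it authenticated
# against is advertised for the client's own site. $domain is a placeholder.
$domain = 'companyname.com'   # placeholder: your AD DNS domain

# (1) DNS servers on the active adapters (whatever DHCP or static config handed out).
Write-Host "Client DNS servers:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { Write-Host "  $($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }

# (2a) The DC this logon session used, and the site the DC locator placed the client in.
#      LOGONSERVER looks like \\PA-FILE-01; nltest prints the site name on its first line.
$logonServer = $env:LOGONSERVER.TrimStart('\')
$site = (nltest /dsgetsite | Select-Object -First 1).Trim()
Write-Host "Logon server: $logonServer   Site: $site"

# (2b) DCs advertising LDAP for that site. These SRV records are what the locator reads;
#      a DC that is missing here will never be preferred by clients in the site.
$srvName = "_ldap._tcp.$site._sites.dc._msdcs.$domain"
$siteDCs = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |            # drop the A records in the additional section
    ForEach-Object { $_.NameTarget.TrimEnd('.') }
Write-Host "DCs advertised for site '$site':"
$siteDCs | ForEach-Object { Write-Host "  $_" }

# (2c) Verdict. SRV targets are FQDNs, LOGONSERVER is a host name, so compare the first label.
$siteHosts = $siteDCs | ForEach-Object { $_.Split('.')[0] }
if ($siteHosts -contains $logonServer) {
    Write-Host "OK: this client authenticated against a DC in its own site."
} else {
    Write-Warning ("Client authenticated against '$logonServer', which is not advertised for " +
        "site '$site'. Check the subnet-to-site mapping for this client's address and the " +
        "DC's SRV registration (dcdiag /s:<DC> /test:connectivity /test:advertising /v).")
}
```
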
-----Original Message-----
From: Friese, Casey [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 28, 2003 1:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Design Guidance


Marc,

1. Yes, both locations are set up as separate sites

2. The DNS Event log on the DC in Office B reports 5509 events often,
received an invalid DNS update from 10.64.3.2 (Master in Office A) - packet
rejected

3. No Directory Service Errors but there are numerous FRS errors showing
issues with replicating from Office A to Office B

The File Replication Service is having trouble enabling replication from
PA-FILE-01 (Office A) to PA-FILE-02 (Office B) for c:\winnt\sysvol\domain
using the DNS name PA-FILE-01.penncolor.com. FRS will keep retrying. 
 Following are some of the reasons you would see this warning. 
 
 [1] FRS can not correctly resolve the DNS name PA-FILE-01.penncolor.com
from this computer. 
 [2] FRS is not running on PA-FILE-01.penncolor.com. 
 [3] The topology information in the Active Directory for this replica has
not yet replicated to all the Domain Controllers.

This warning as well:
The File Replication Service has enabled replication from PA-FILE-01 to
PA-FILE-02 for c:\winnt\sysvol\domain after repeated retries. 

4. The DC's don't "act" bogged down while physically at them.  They're
noticeably bogged down from the client end with regards to accessing
resources.  

-----Original Message-----
From: Marc Zukerman [mailto:[EMAIL PROTECTED]
Sent: Friday, February 28, 2003 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Design Guidance


Another few questions Casey:

1. Are the different locations set up as separate sites?
2. How healthy is DNS? WINS? Are there any errors? What's the topology?
3. Are there any errors in the Directory Services logs on the domain
controller?
4. Are the DCs bogged down?

Marc Zukerman
Senior Network Engineer
Greenwich Technology Partners

----- Original Message -----
From: "Friese, Casey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 28, 2003 2:34 PM
Subject: RE: [ActiveDir] AD Design Guidance


Gil, thanks for the questions, here are the answers:

Number of clients in Office A is ~25
Number of clients in Office B is ~250

There is a mix of 9x, 2000 and XP clients; most are 2000.  The symptoms show
across all clients.

I'm not sure about the bandwidth

It's a native Win2k domain.

Hope this fills things out.

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Friday, February 28, 2003 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Design Guidance


A couple of questions to fill out the picture:

How many clients at each site?
What kinds of clients (ME/98, NT4, W2K, XP, etc)?
Do you have any idea of how much _available_ bandwidth there is on the link?
Where is the PDC emulator? I'm guessing it is in office A where the first DC
lives.

-gil

-----Original Message-----
From: Friese, Casey [mailto:[EMAIL PROTECTED]
Sent: Friday, February 28, 2003 12:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Design Guidance


I have uncovered what I believe is a problem with our Active Directory
design.  I'm looking for assurance that it is indeed a problem judging from
the symptoms that I am seeing and I'm also looking for recommendations on
how to correct it.

I've walked into the company just weeks after a consultant started
implementing the AD design.  Now, 8 months later and 10 servers later I
believe that the design is flawed.  Here are my symptoms:

Any administration activity done on the servers such as setting
permissions/re-writing permissions, opening property sheets within Exchange
System Manager, Viewing properties sheets of OU objects/group policies, etc.
All of these tasks take a long period of time to complete or display.

From the client end we see hanging connections - one moment a share is 
available, the next permission is denied or the connection can't be 
made.  Opening files from the network is sluggish and at times DHCP 
settings are lost.

We have 2 offices:
Our HQ is in office A
Our Datacenter is in office B

Office A has 1 Windows 2000 Server and was the first server built in the
Forest.  This server is doing File/Print, DHCP, WINS, DNS for its location
among doing its specialized tasks for the domain.

Office B has 9 Windows 2000 Servers - among those 9 is a DC, 1 is an E2K
server and 1 is an ISA server.  The DC provides file/print, DHCP, WINS, DNS
for its location.  The E2K server is the mail server for both locations and
the ISA server is the Firewall for both locations.

Office A is connected to Office B via 256kbps Split T1 used for both voice
and data.  Office B is connected to the internet via full T1 which is
responsible for handling all internet requests.

Both sites, office A and B, belong to the same parent domain - company.com
with each client's dns set as clientname.company.com

First questions: Are there any flaws with the above design?  The most
noticeable thing to me is that Office A and B communicate over a 256kbps
shared line.  I'm not an expert with AD, in fact, it's new to me but from
what I understand anything done in Office B has to go to the Head Server in
Office A.  This is where I believe my problems lie.

What I would like to do is break these two sites apart and have
officeA.company.com and officeB.company.com - I think this is the correct
approach but I'm not sure. My main concern is our Exchange 2000 Server and
our ISA server because they're both linked heavily into the AD so totally
redoing the design is a bit tough.  Alternatively, I have started
entertaining the idea of moving the server in Office A to the Office B
location making Office B the root domain and any new sites child domains.

I apologize for the length and if I've confused anyone - I'm confused
myself.  I just want to know if I'm blaming the symptoms on the right thing
and how I should proceed.

Thanks,
Casey
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/