Re: Two domains, One Forest....

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/25/05

    Date: Mon, 24 Jan 2005 17:08:09 -0700
    
    

    I reread your reply, I believe I have answered some of my questions.
    Since you mentioned AD replication between the two being fine,
    I will assume that you do have a GC in each (i.e. you were not just
    talking about the relatively static schema and configuration partitions).

    I see you are using VPN because it is not a leased T1 or better but
    rather to the internet, within which you tunnel.

    Are your client machines all uplevel, not Win9x/NT4?

    What Steve mentions, GPOs with User section enabled,
    login scripting, and roaming profiles, can all play a part
    in some of the sluggishness, but this would be mostly only
    initially at login. You seem to say that things remain poor,
    as with your mention of Office app usage, etc.

    -- 
    Roger
    <WilliamBeau> wrote in message news:e9sbKqlAFHA.2932@TK2MSFTNGP10.phx.gbl...
    > Roger - didn't have any luck with a previous post to that group :-(
    >
    > Thanks for your reply.  I have configured the forest according to MS
    > documentation and have seen this configuration work in other locations (at
    > another company).  The link is an internet VPN; both offices are connected
    > via T1 or greater.  I've spent a good deal of time investigating the issue
    > and replication for most AD objects (except Exchange) happens relatively
    > fast.  However the delays are specifically related to MS products.  Other
    > applications rarely exhibit the same delays.
    > One example of the delays is using ADUC while logged into a DC from the
    > second domain with an account from the first.  ADUC enumerates the structure
    > of the parent domain as well as the local domain - this takes time.  Users
    > notice delays when they use applications (like MSOffice) and have default
    > printers assigned in domain 1.  They also see delays in wireless
    > authentication as the user accounts and groups IAS references are also in
    > domain 1.  From some network traffic sniffing we found that the basic
    > problem is that everything Microsoft insists on doing multiple network
    > transactions within the domain that the user account is registered.
    >
    > I'm open to any solutions at this point.  I've been working with Microsoft
    > products for a good deal of time and in particular AD structures.
    >
    > Thanks!
    >
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:uQIaJzkAFHA.1452@TK2MSFTNGP11.phx.gbl...
    > > This is not really a security group question, more an active_directory
    > > group question.
    > > In general, if simple login is slow, if the link between the two sites
    > > has sufficient capacity for the login, then something is not configured
    > > correctly or at least not optimally.  If this is due to a link capacity
    > > issue then what you are proposing will only make things worse.
    > > If your link has the capacity for the AD replication from placing
    > > DCs into the other sites, then you would see some improvement,
    > > but it is very possible you may see almost as much improvement
    > > by finding what is sub-optimal (and this same may need to be
    > > resolved anyway in order to get the replication happening efficiently).
    > > -- 
    > > Roger Abell
    > > Microsoft MVP (Windows  Security)
    > > MCSE (W2k3,W2k,Nt4)  MCDBA
    > > <WilliamBeau> wrote in message
    > > news:uE$zFYkAFHA.2316@TK2MSFTNGP15.phx.gbl...
    > > > The WAN connection between the 2 domains is rather slow, and when we have
    > > > users from one domain visiting the office of the other domain the
    > > > authentication takes too long.  One idea was to install a DC from 1 domain
    > > > in the location of the other domain - therefore allowing visitors to
    > > > authenticate locally.
    > > >
    > > > Has anyone ever tried this?  Any pros and cons you might be able to pass
    > > > along?  I'll be happy to post my findings if I get the chance to try it.
    > > >
    > > > Thanks,
    > > > Will
    > > >
    > > >
    > >
    > >
    >
    >
    
