Re: Two domains, One Forest....

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/27/05


Date: Thu, 27 Jan 2005 00:29:56 -0700

Yes, I believe that clears most things up.
You obviously have net traced what is happening, as you said
<quote>
From some network traffic sniffing we found that the basic
problem is that everything Microsoft insists on doing multiple network
transactions within the domain that the user account is registered.
</quote>
I believe we have just covered most of the things that could
whittle down the latency by nickels and dimes.
Placing DCs of (in your case) both domains in both locations
is certainly something that people do, as far as your initial
question. There is a certain amount of cross domain traffic
to be expected with accounts from one domain logging in on
and using resources of another domain. Remember that the
user is getting their Kerberos tickets with involvement of
the KDC of their domain.

However, I am skeptical whether that would actually gain
you all that much if the network link is as fast as you have
implied. Rather, I would hope to discover something from
the network traces which we have not yet hit on here. Also,
if you are using L2TP tunnel for the VPN, you might eke
some speed if you had encrypting ethernet cards on the
tunnel endpoint servers (whether this gains a nickel or
a quarter depends on what you see for CPU utilization on
those machines now when there is heavy VPN traffic).

Bottom line to me sounds like: if the link is fast and with
extra capacity, then its latency is not large, so removing
this latency by making site local DCs would not have a
large impact on the observed slowness.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
<WilliamBeau> wrote in message news:ucm$uT9AFHA.3016@tk2msftngp13.phx.gbl...
> Again thank you both for your replies.
>
> > I see you are using VPN because it is not a leased T1 or better but
> > rather to the internet, within which you tunnel.
>
> Correct - no leased lines T1 to internet VPN tunnel via internet.
>
> > Are your client machines all uplevel, not Win9x/NT4?
>
> All clients are Win2K or WinXP
>
> > What Steve mentions, GPOs with User section enabled,
> > login scripting, and roaming profiles, can all play a part
> > in some of the sluggishness, but this would be mostly only
> > initially at login.  You seem to say that things remain poor,
> > as with your mention of Office app usage, etc..
>
> I have looked into this as well.  Many of the options as you mention
> correctly can help with startup or logon slowness but do not play a role in
> continuing performance for instance with applications such as Office.  We
> have our templates on a file server but have copied them local for those
> travelling to this office to avoid the standard read/write operations to
> normal.dot when using Word.  We do not use roaming profiles.
>
> > Are you sure that your site definitions are correct, and
> > that the DC of the "other" domain selected in DNS as
> > the site-coverage domain for the site without presence
> > of DCs of that "other" domain are the best choices?
> > (these are the DCs listed in DNS under the _sites area)
>
> Not sure I understand this question but if I'm reading what I think you are
> asking then Yes all local DCs show themselves as reference points for other
> sites to avoid searching for the nearest replica set as the DC in that
> remote office with domain 2 is a GC.
>
> > Are you staging all DNS zones to both domains so that
> > there is no internal DNS query resolution that has to go
> > over the WAN link?  (Could remove some of the roundtrips).
>
> Yes all DCs carry information for both namespaces and reverse zones.
>
> > Is this a true statement:  You have members of both domains
> > located at each site, but you have at each site DCs of only
> > one domain?
>
> Correct.
>
> Hopefully this clears up any confusion for both of us :-)  I'll keep looking
> for ways to improve this.  Isn't there always some long forgotten or unseen
> or undocumented registry entry somewhere that magically fixes problems like
> these? :o)
>
>
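The question about which DCs of the "other" domain are listed under the `_sites` area of DNS is something that can be checked from any client rather than taken on faith. The script below is an added example for this thread, not code posted by either participant or shipped by Microsoft. It builds the site-specific SRV names a Windows client queries for a DC, a KDC and a GC, parses the answers from Windows `nslookup -type=SRV` (or Unix nslookup / `dig +short` output), and reports which advertised DCs are local to the site and which would be reached across the VPN. The site name `RemoteOffice`, the domains `domain1.example`/`domain2.example` and all host names are constructed for the example.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def site_srv_names(site: str, domain: str, forest_root: Optional[str] = None) -> Dict[str, str]:
    """SRV names a client queries to find a DC, a KDC and a GC covering `site`.
    The GC record lives under the forest root zone (same as `domain` for a single-tree forest)."""
    forest_root = forest_root or domain
    return {
        "ldap": f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        "kerberos": f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
        "gc": f"_gc._tcp.{site}._sites.{forest_root}",
    }


# Windows nslookup prints one "key = value" line per SRV field.
_WIN_FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$", re.I)
# Unix nslookup ("name  service = 0 100 389 host.") and dig +short ("0 100 389 host.")
# put all four fields on one line.
_ONE_LINE = re.compile(r"^(?:.*service\s*=\s*)?(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def _normalise(host: str) -> str:
    return host.rstrip(".").lower()


def parse_srv_output(text: str) -> List[SrvRecord]:
    """Extract SRV records from captured resolver output; server banners and
    the A records nslookup appends are ignored."""
    records: List[SrvRecord] = []
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ONE_LINE.match(line)
        if m:
            prio, weight, port, target = m.groups()
            records.append(SrvRecord(int(prio), int(weight), int(port), _normalise(target)))
            continue
        m = _WIN_FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "svr hostname":
            # Hostname is the last field of a Windows SRV block, so the record is complete here.
            records.append(SrvRecord(int(fields.get("priority", 0)), int(fields.get("weight", 0)),
                                     int(fields.get("port", 0)), _normalise(value)))
            fields = {}
        else:
            fields[key] = value
    return records


def coverage_report(records: Iterable[SrvRecord], local_dcs: Iterable[str]) -> Dict[str, List[str]]:
    """Split the DCs advertised for a site into those in `local_dcs` and those
    reached over the WAN, in client preference order (low priority, then high weight)."""
    local = {_normalise(d) for d in local_dcs}
    report: Dict[str, List[str]] = {"local": [], "remote": []}
    for rec in sorted(set(records), key=lambda r: (r.priority, -r.weight, r.target)):
        report["local" if rec.target in local else "remote"].append(rec.target)
    return report


def query_srv(name: str) -> List[SrvRecord]:
    """Live lookup with the system nslookup; parsed exactly like captured text."""
    proc = subprocess.run(["nslookup", "-type=SRV", name], capture_output=True, text=True, check=False)
    return parse_srv_output(proc.stdout)


# Constructed sample: Windows nslookup output for the LDAP record of a site that
# hosts DCs of domain2 only, so domain1's DCs at HQ are the ones covering it.
SAMPLE_NSLOOKUP = """\
Server:  dns1.domain2.example
Address:  10.20.0.10

_ldap._tcp.RemoteOffice._sites.dc._msdcs.domain1.example   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = hqdc1.domain1.example
_ldap._tcp.RemoteOffice._sites.dc._msdcs.domain1.example   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = hqdc2.domain1.example
hqdc1.domain1.example   internet address = 10.10.0.5
hqdc2.domain1.example   internet address = 10.10.0.6
"""

if __name__ == "__main__":
    for service, name in site_srv_names("RemoteOffice", "domain1.example").items():
        print(service, "->", name)
    recs = parse_srv_output(SAMPLE_NSLOOKUP)
    print(coverage_report(recs, local_dcs=["rodc1.domain2.example"]))
```

If every DC in the `remote` list is on the far side of the tunnel for a service the client uses at every logon (LDAP and Kerberos in particular), that is exactly the cross-domain round trip pattern the network trace in the thread describes; placing a DC of that domain at the site, or adjusting site coverage, changes what this report shows.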

