Solved

Active Directory overhead

Posted on 2004-11-23
Last Modified: 2009-12-16
I was wondering if someone could tell me what type of overhead AD produces in a LAN and across a WAN. I know background policy refreshes occur in a LAN every so often. Does this cause any significant impact on bandwidth?

What about when DCs replicate? Does this take up much bandwidth?

Any best practices? (i.e. use only high-speed links between sites?)

Thanks
Question by:dissolved
17 Comments
LVL 11

Expert Comment

by:rafael_acc
ID: 12659256
Active Directory doesn't take too much bandwidth. It might take some during replication. The good thing here is that you can configure when you want replication to occur - this can be done if you have multiple sites, however. In a single site, replication schedules cannot be customized.

About overhead on the WAN ... well ... can you be more specific? What kind of AD WAN interaction are you talking about? What configuration are you talking about?

Best practices?
Try to use good links between sites! This is for the WAN.
In a LAN, try to follow the recommended practices on designing your LAN physical and logical infrastructure, considering:

 - Topology
 - Hardware devices (switches, routers, network cards)

Additionally, consider some best practices on configuring and designing the AD infrastructure:
  - How many DCs should you have
  - How to setup the master roles for each DC
  - How to setup your logical access - OUs, Sites, Domains
  - Keep it as simple as possible (for example, don't use two domains just because you have different sites - Use a single domain spanning both sites instead - This is just an example).

If you give some more detail on the configuration and services you want to deploy it might help in giving you some advice.

Cheers.
LVL 11

Expert Comment

by:rafael_acc
ID: 12659270
Active Directory design is also highly dependent on the business structure itself. So again, more detail on this could help a bit more.

Sorry for the double post.

Cheers.

Author Comment

by:dissolved
ID: 12659939
Well, we have a few sites across the country, connected via Frame Relay (point to point, not full mesh). We are thinking about having all of our users authenticate at headquarters (including DNS queries). I know of a few places that have setups like this:

Headquarters (Maryland)
   Main Router
       |         |
       |         |
       |         |
 Arizona    Chicago


Arizona and Chicago all authenticate at headquarters (including DNS requests). It works for them.

Thinking about deploying something similar and wanted to hear views. They will not really be running any applications across the WAN. Just doing authentication, GPO refreshes etc.

What do you think about a DNS server at the remote sites? Yay or nay? If I did this, it would have to be an Active Directory integrated DNS server, right? (Which means the box will also have to be a DC!) Would it be primary or secondary?
Thanks
LVL 11

Expert Comment

by:rafael_acc
ID: 12660175
My personal opinion is that some services should be installed locally. If you want to go for a remote location, you might also consider that you want to have some redundancy for the same service. Right? So ... you still have to configure a local DNS server, don't you?

Additionally, whenever you have AD in place, always go for an integrated DNS solution. This means that it would need a DC there. Don't forget to configure secure updates, especially if you are going for a remote solution. However, there's no primary or secondary DNS server ... it's like all of them were primary. There would be a primary and a secondary DNS server if you had a non Active Directory integrated DNS solution.

Now, about the WAN stuff ... well, the path you might choose also depends on what network design you have in place, you see. I'm not clear about what authentication you are talking about. Is this about login/logout or just services authentication?


Cheers.

Author Comment

by:dissolved
ID: 12660586
So you think I should throw a DC up at each site. Good idea about secure updates (DNS, that is).
Will there be any need to configure secondary zones? I'm assuming I'll only need to do this if I employ child domains or merge with another domain tree?
LVL 11

Accepted Solution

by:
rafael_acc earned 1600 total points
ID: 12660688
Yes. A DC per site is not bad! Carefully consider also the distribution of the Active Directory DC roles. There are 5 of them. Check this article (http://support.microsoft.com/kb/197132). Do not overlook the NOTE there, at the bottom of the page. There are two exceptions to that note:
1. If all DCs are global catalog servers (consider having a global catalog server per remote site - in your case)
2. If you are running a single domain

About secondary zones ... from what I remember now, there are no primary and secondary DNS zones when talking about AD integrated zones. If you have multiple domains (not recommended - keep it as simple as possible), you might need to delegate some zones (http://www.winnetmag.com/ActiveDirectory/Article/ArticleID/42687/ActiveDirectory_42687.html).

Cheers.

Author Comment

by:dissolved
ID: 12660835
That's a good idea to keep it simple.
By default, the first DC has all 5 roles right? Is it necessary to disperse the roles amongst the different DCs? Or can I leave all 5 roles on one of the DCs?
LVL 11

Expert Comment

by:rafael_acc
ID: 12661006
It's not required, but you should. However, there are some rules (recommendations). Take also a look at these articles, listed in order of preference (some more info):
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd04.mspx#EEAA
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/ActiveDirectory/Windows2000DomainControllerOperationsMasterRoles.html 

Actually, in the first article you have all you need.

Cheers

Author Comment

by:dissolved
ID: 12661182
Would it be wise to have a DHCP server at every site too? Or is it possible to pull it from headquarters (is DHCP a lot of traffic?)

From your recommendations, it looks as if I should do the following:

-Have one domain tree. This way, any child domains have transitive trust
-Have an additional DC at every site (will replicate from DC at headquarters)
-Have a DNS server at every site
-Every DNS should be AD integrated

If I employ a DNS server at every site, what type of configuration needs to be done to the DNS servers? Under their TCP/IP properties, do I make them point to themselves? Or do I make them point to headquarters' DNS? Or do I use the Forwarders tab to accomplish this?

Thanks!
LVL 11

Expert Comment

by:rafael_acc
ID: 12661270
Clients use broadcasts when communicating with a DHCP server. Before you enable this configuration you would have to configure an IP helper address (or use a DHCP relay agent - Microsoft terminology) in order to allow broadcasts to be propagated on the network. Of course you can put one DHCP server per subnetwork.

So as you can see, this also depends on your network design and on the physical device you are using. For instance, if you are using a Cisco router acting as a DHCP server, then you have to configure an IP helper address. If you are using a Windows DHCP server, then you would have to configure a DHCP relay agent. In either case, the idea is the same: allowing broadcasts!!!

To answer your question ... usually you would have at least two routers between the two remote connections, right?! Then the answer is: yes, it is possible to install a single DHCP server for both locations. But I wouldn't recommend that. The better way to go is to install a DHCP server for each remote location. Now for each location, if you have several subnets and you want all of them to use a DHCP server, you have 2 options:

1. Install an additional DHCP server for each subnetwork
2. Allow broadcasts
3. (That's a bit weird - that's why I said you have only 2 options) Eliminate the subnets :)


About the recommendations summary now. Your conclusions are PERFECTLY RIGHT! But incomplete:
1. Configure a site for each location - this is the only way you would be able to customize the AD replication schedule
2. Install the master roles at headquarters or wherever your IT administration team is located - consider ease of administration.

One more note on DNS: the nice thing about DNS integrated zones is that you can use secure zone updates!!! This is really a nice feature. Additionally, you don't have to worry about zone updates between servers, as the zones belong to AD and are part of the AD replication process ;)

I might have missed some information but these are the most important points...


Take care man,
Cheers.
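The design points above (one site per location with a controlled replication schedule, operations master roles placed where the admins sit, AD-integrated DNS with secure-only dynamic updates) can be audited from a domain-joined admin workstation. This is an added example, not from the thread or any product documentation; it assumes the RSAT ActiveDirectory and DnsServer PowerShell modules, and the DC name HQ-DC01 and the $DnsServer parameter are constructed placeholders.

```powershell
# Added audit script (not from the thread). Assumes the RSAT modules
# ActiveDirectory and DnsServer and a domain admin session.
# $DnsServer is a hypothetical parameter: the DC whose DNS zones are inspected.
param([string]$DnsServer = "HQ-DC01")   # constructed placeholder name

Import-Module ActiveDirectory
Import-Module DnsServer

# 1. Sites and site links: each location should be its own site, and the
#    site link's replication interval is what throttles traffic on the WAN.
$sites = Get-ADReplicationSite -Filter *
$links = Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, Cost
"Sites defined: " + ($sites.Name -join ", ")
foreach ($l in $links) {
    "Site link {0}: cost {1}, replicates every {2} min, sites: {3}" -f `
        $l.Name, $l.Cost, $l.ReplicationFrequencyInMinutes, ($l.SitesIncluded -join ", ")
}

# 2. Domain controllers per site and global catalog placement (the thread
#    suggests a GC at each remote site).
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

# 3. Operations master (FSMO) role holders: two forest-wide, three per domain.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 4. DNS zones: flag any primary zone that is not AD-integrated or that still
#    accepts non-secure dynamic updates (an unauthenticated host could then
#    register or overwrite records for other machines).
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq "Primary" } |
    ForEach-Object {
        $ok = $_.IsDsIntegrated -and ($_.DynamicUpdate -eq "Secure")
        "{0,-7} {1}: DsIntegrated={2} DynamicUpdate={3}" -f `
            $(if ($ok) { "OK" } else { "REVIEW" }), $_.ZoneName, $_.IsDsIntegrated, $_.DynamicUpdate
    }
```

Run it once per site against that site's DC so the DNS check covers every zone copy; a "REVIEW" line on a zone at a remote site is exactly the case the thread warns about.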
LVL 11

Expert Comment

by:rafael_acc
ID: 12661285
Sorry for the double post:

Configuring a site for each location is not the same as configuring a domain for each site!! You can have a domain spanning two sites or two domains on the same site, for example.

Design your AD infrastructure considering your business needs. What I mean is that in the future you might want to take full advantage of AD and use group policies to apply security policies in your environment, even remotely. Therefore it's important to carefully design your OUs, Sites, Domains and Groups.


That's it.

Author Comment

by:dissolved
ID: 12661667
Thanks.  So it is important to create my sites. Because creating "sites" dictates the way replication can occur?  This is the main purpose of defining sites?

Author Comment

by:dissolved
ID: 12661727
So the main reason to add sites in the Sites snap in, is so you can dictate when and how they replicate? Is that the main reason for it?
LVL 34

Assisted Solution

by:PsiCop
PsiCop earned 400 total points
ID: 12661929
The trouble with AD is that when it performs replication, it replicates the ENTIRE OBJECT. Got a Group with 1000 members? Add ONE user to that Group, and the ENTIRE object gets sent when the change gets replicated. Pretty much defines "inefficiency", huh?

So the overhead from AD will grow as your environment grows, and the RATE of growth in AD overhead will also grow.

Also, if you have site-based administration, don't forget that changes made to a Multi-Valued Attribute object (like a Group) made on one DC can potentially be OVERWRITTEN by changes made to the same object on another DC, if both changes are made between replications. So much for "multi-master replication" (not to mention reliability)....AD is really "master-slave" if you implement it like you need to in order to avoid that little problem.

Author Comment

by:dissolved
ID: 12665117
thanks guys
LVL 11

Expert Comment

by:rafael_acc
ID: 12665295
Actually, Windows 2003 doesn't do that anymore (on replication).
And yes! The main purpose of defining sites is to control replication over slow links (WAN links, better said).
Have fun.

Author Comment

by:dissolved
ID: 12667702
thanks guys. thanks again rafael