Active Directory overhead

I was wondering if someone could tell me what type of overhead AD produces in a LAN and across a WAN.  I know background Policy Refreshes occur in a LAN every so often.  Does this cause any significant impact on bandwidth?

What about when DCs replicate? Does this take up much bandwidth?

Any best practices? (ie: Use only high speed links in between sites)?

Thanks
dissolvedAsked:

rafael_accCommented:
Active Directory doesn't take too much bandwidth. It might take during replication. The good thing here is that you can configure when you want replication to occur - this can be done if you have multiple sites, however. In a single site, replication schedules cannot be customized.

About overhead on the WAN ... Well ...  can you be more specific? What kind of AD WAN interaction are you talking about? What is the configuration are you talking about?

Best practices ??
Try to use good links between sites! This is for WAN.
In a LAN try to follow the recommended practices on designing your LAN physical and logical infrastructure considering:

 - Topology
 - Hardware devices (switches, routers, network cards)

Additionally consider some best practices on configuring and designing AD infrastructure
  - How many DCs should you have
  - How to setup the master roles for each DC
  - How to setup your logical access - OUs, Sites, Domains
  - Keep it as simple as possible (for example, don't use two domains just because you have different sites - Use a single domain spanning both sites instead - This is just an example).

If you give some more detail on the configuration and services you want to deploy it might help in giving you some advice.

Cheers.
0
rafael_accCommented:
Active Directory design, is also highly dependent on the business structure itself. So again, more detail on this could help a bit more.

Sorry for the dbl post.

Cheers.
0
dissolvedAuthor Commented:
Well, we have a few sites across the country, connected via Frame Relay (point to point, not full mesh). We are thinking about having all of our users authenticate at headquarters (including DNS queries). I know of a few places that have setups like this:

Headquarters (Maryland)
   Main Router
       |         |
       |         |
       |         |
 Arizona    Chicago


Arizona and Chicago all authenticate at Headquarters (including DNS requests). It works for them.

Thinking about deploying something similar and wanted to hear views.  They will not be really running any applications across the WAN. Just doing authentication, GPO refreshes etc..

What do you think about a DNS server at the remote sites. Yay or nay ?  If I did this, it would have to be active directory integrated DNS server right? (which means the box will also have to be a DC!). Would it be primary or secondary?
thanks
0

rafael_accCommented:
My personal opinion is that some services should be installed locally. If you want to go for a remote location, you might consider also that you want to have some redundancy for the same service. Right? So ... you still have to configure a local DNS server, isn't it?

Additionally, whenever you have AD in place, always go for an integrated DNS solution. This means that it would need a DC there. Don't forget to configure secure updates, especially if you are going for a remote solution. However, there's no primary or secondary DNS server ... It's like all of them were primary. There is a primary and a secondary DNS server if you had a non Active Directory integrated DNS solution.

Now, about the WAN stuff ... well, the path you might choose also depends on what network design you have in place, you see. I'm not clear about what authentication you are talking about. Is this about login/logout or just services authentication?


Cheers.
0
dissolvedAuthor Commented:
So you think I should throw a DC up at each site. Good idea about secure updates (DNS, that is).
Will there be any need to configure secondary zones? I'm assuming I'll only need to do this if I employ child domains or merge with another domain tree?
0
rafael_accCommented:
Yes. A DC per site is not bad! Carefully consider also the distribution of the Active Directory DC roles. There are 5 of them. Check this article (http://support.microsoft.com/kb/197132). Do not ignore the NOTE there, at the bottom of the page. There are two exceptions to that note:
1. If all DCs are global catalog servers (consider having a global catalog server per remote site - in your case)
2. If you are running a single domain

About secondary zones ... From what I remember now, there are no Primary and Secondary DNS zones when talking about AD integrated zones. If you have multiple domains (not recommended - keep it as simple as possible), you might need to delegate some zones (http://www.winnetmag.com/ActiveDirectory/Article/ArticleID/42687/ActiveDirectory_42687.html).

Cheers.
0
dissolvedAuthor Commented:
That's a good idea to keep it simple.
By default, the first DC has all 5 roles right? Is it necessary to disperse the roles amongst the different DCs? Or can I leave all 5 roles on one of the DCs?
0
rafael_accCommented:
It's not required but you should. However there are some rules (recommendations). Take also a look at these articles, listed in order of preference (some more info):
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd04.mspx#EEAA
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/ActiveDirectory/Windows2000DomainControllerOperationsMasterRoles.html 

Actually, in the first article you have all you need.

Cheers
0
dissolvedAuthor Commented:
Would it be wise to have a DHCP server at every site too? Or is it possible to pull it from headquarters (is DHCP a lot of traffic?)

From your recommendations, it looks as if I should do the following:

-Have one domain tree. This way, any child domains have transitive trust
-Have an additional DC at every site (will replicate from DC at headquarters)
-Have a DNS server at every site
-Every DNS should be AD integrated

If I employ a DNS server at every site, what type of configuration needs to be done to the DNS servers? Under their TCP/IP properties, do I make them point to themselves, or do I make them point to Headquarters' DNS? Or do I use the Forwarders tab to accomplish this?

Thanks!
0
rafael_accCommented:
Clients use broadcasts when communicating to a DHCP server. Before you enable this configuration you would have to configure an IP helper address (or use a DHCP relay agent - Microsoft terminology) in order to allow broadcasts to be propagated on the network. Of course you can put one DHCP server per subnetwork.

So as you can see, this also depends on your network design and on the physical device you are using. For instance, if you are using a Cisco router acting like a DHCP server then you have to configure an IP helper address. If you are using a Windows DHCP server, then you would have to configure a DHCP relay agent. For either case, the idea is the same: allowing broadcasts!!!

To answer your question ... usually you would have at least two routers between the two remote connections, right?! Then the answer is: Yes, it is possible to install a single DHCP server for both locations. But I wouldn't recommend that. The better way to go is to install a DHCP server for each remote location. Now for each location, if you have several subnets and you want all of them to use a DHCP server, you have 2 options:

1. Install an additional DHCP server for each subnetwork
2. Allow broadcasts
3. (That's a bit weird - that's why I said you have only 2 options) Eliminate the subnets :)


About the recommendations summary now. Your conclusions are PERFECTLY RIGHT! But incomplete:
1. Configure a site for each location - This is the only way you would be able to customize AD replication schedule
2. Install the master roles at the headquarters or wherever is your IT administration team located - consider administration ease.

One more note on DNS: The nice thing about AD integrated zones is that you can use secure zone updates!!! This is really a nice feature. Additionally, you don't have to worry about zone updates from each other as they belong to AD and are part of the AD replication process ;)

I might have missed some information but these are the most important ones...


Take care man,
Cheers.
0
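As an added illustration (not code from the thread or from anyone in it) of the recommendations above: one site and subnet per location with a replication schedule on the WAN link, a check of where the 5 master roles and the global catalogs sit, and enforcement of secure dynamic updates on AD integrated zones. It assumes the ActiveDirectory and DnsServer PowerShell modules on a Windows Server DC; site names and subnets are placeholders.

```powershell
# Added example, not from the thread. Run on a DC with the RSAT modules.
Import-Module ActiveDirectory
Import-Module DnsServer

# Placeholder locations/subnets matching the poster's diagram.
$Sites = @{
    'Headquarters' = '10.1.0.0/16'
    'Arizona'      = '10.2.0.0/16'
    'Chicago'      = '10.3.0.0/16'
}

# 1. One AD site per location, each with its subnet, so clients pick a
#    local DC and inter-site replication becomes schedulable.
foreach ($name in $Sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($Sites[$name])'")) {
        New-ADReplicationSubnet -Name $Sites[$name] -Site $name
    }
}

# 2. Site links for the point-to-point Frame Relay circuits: replicate
#    every 3 hours and only during an off-hours window (20:00-23:45).
$win = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$win.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
foreach ($remote in 'Arizona', 'Chicago') {
    $link = "HQ-$remote"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded 'Headquarters', $remote `
            -Cost 100 -ReplicationFrequencyInMinutes 180 `
            -ReplicationSchedule $win -InterSiteTransportProtocol IP
    }
}

# 3. Show which DC holds each of the 5 master roles and which DCs are
#    global catalogs per site (a GC per remote site is the stated advice).
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog

# 4. AD integrated zones should accept only secure dynamic updates.
Get-DnsServerZone | Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure' } |
    ForEach-Object { Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure }
```

The schedule object, cost and frequency values are arbitrary choices for the example; the thread only states that sites are what make a custom replication schedule possible.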
rafael_accCommented:
Sorry for the double post:

Configure a site for each location is not the same as configuring a domain for each site!! You can have a domain spanning two sites or two domains on the same site, for example.

Design your AD infrastructure considering your business needs. What I mean is that in the future you might want to take full advantage of AD and use group policies to apply security policies in your environment, even remotely. Therefore it's important to carefully design your OUs, Sites, Domains, Groups.


That's it.
0
dissolvedAuthor Commented:
Thanks. So it is important to create my sites, because creating "sites" dictates the way replication can occur? This is the main purpose of defining sites?
0
dissolvedAuthor Commented:
So the main reason to add sites in the Sites snap-in is so you can dictate when and how they replicate? Is that the main reason for it?
0
PsiCopCommented:
The trouble with AD is that when it performs replication, it replicates the ENTIRE OBJECT. Got a Group with 1000 members? Add ONE user to that Group, and the ENTIRE object gets sent when the change gets replicated. Pretty much defines "inefficiency", huh?

So the overhead from AD will grow as your environment grows, and the RATE of growth in AD overhead will also grow.

Also, if you have site-based administration, don't forget that changes made to a Multi-Valued Attribute object (like a Group) made on one DC can potentially be OVERWRITTEN by changes made to the same object on another DC, if both changes are made between replications. So much for "multi-master replication" (not to mention reliability)....AD is really "master-slave" if you implement it like you need to in order to avoid that little problem.
0
dissolvedAuthor Commented:
thanks guys
0
rafael_accCommented:
Actually, Windows 2003 doesn't do that anymore (on replication).
And yes! The main purpose of defining sites is to control replication through slow links (WAN links, better said).
Have fun.
0
dissolvedAuthor Commented:
thanks guys. thanks again rafael
0