Solved: DNS setup in Remote Office that's an OU

Posted on 2006-10-26 (171 views, last modified 2010-03-18)
Ok, so I started a new networking job and the network is as follows: there is a domain named labs.com which has dc1.labs.com as the PDC emulator as well as holding all other FSMO roles, and then SLC.labs.com and Houston.labs.com (both remote offices). There is a site for each one of the remote offices since they are in different subnets. The problem that I'm having is the fact that traveling from one office to the other through our leased T1 is not as fast as it should be, and I think it is due to misconfiguration of DNS and AD replication, maybe?
DNS is installed in each office as well as DHCP, but the funny thing is that when I check each one of the DNS servers they all have the same info (A records, NS, etc.); they are all primary AD-integrated. Now, if I am wrong please correct me, but I think this is generating a lot of the traffic I have in my network (I used Wireshark and see a lot of ARP traffic).

I have a vague idea as to how to fix it but I'm not quite sure if it's a good one. I thought about setting up a primary zone in each remote DC pointing to itself and then creating a secondary zone that will point to the server that holds all the FSMO roles. Once these are set up and I'm able to transfer from master, just go ahead and delete the primary zone that was set up in the remote server, which is actually an identical copy of the PDC. Then of course create a secondary zone in my PDC that will point to the primary zone of each zone in the remote offices.

Please advise and let me know if there is any more info you need.
Question by: AugustMack

Expert Comment by: mcsween (LVL 21)
If they are all in the same AD domain then they will hold all of the same records.  A DNS zone is for each domain and should be replicated to all DNS servers.  This replication traffic should be very minimal.  If you had, say, 100,000 records (this would be a huge network) you would be looking at less than 5MB of replicated traffic.

I would not change your zones or your clients will experience a very long delay when trying to do intersite DNS queries, as they will have to query the AD at another site.  This will also create much more traffic on your T1 than replication.

Now with that said, this doesn't mean that AD isn't replicating a huge directory partition from one DC to the other and clogging up your T1.  Take a look at how your security groups are set up.  You want to make sure you put users in Global Groups, then place the Global Groups in Domain Local Groups.  The Domain Local group is the group you want to add to directory security on a file share server.

In AD Sites and Services you can set the replication intervals as well as the times AD is allowed to replicate.  Try changing these times to only allow replication during off hours.  See if this alleviates your T1 traffic.  If it doesn't then it's not AD causing your issues; if it does then you can look into it further, but I can almost guarantee it's not DNS.

A couple other things you might want to look at:
1. Do phone systems link up over these T1s?  My phone system is set up so that when I dial 8+"remote site ext" I am actually making a call across my T1. (free call but takes bandwidth)

2. Are any sites sharing your internet?  Users may be browsing the internet across the T1.  You can check this easily with tracert google.com and see if it hops any of your T1 routers.

3. Are there database servers at the main site that are being accessed from remote sites?  Terminal Services applications?

4. Are all the clients receiving the local DC as their primary DNS?  If they are using a remote DC as their primary DNS then all DNS queries are going across the T1.
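Items 2 and 4 above are both checks a practitioner would want to run across every site rather than by hand. The script below is an added illustration, not part of this thread or any of its participants' posts: it flags clients whose primary DNS server is not one of their own site's DNS servers (item 4), and it parses Windows tracert output to report any hop that lands on a known T1 router (item 2). The site layout, subnets, DNS addresses, T1 router address and the sample tracert text are all constructed for the example and are not the network from the question.

```python
"""Added example: site-local DNS check and tracert T1-hop check.
All addresses, subnets and sample output are constructed (hypothetical)."""
import ipaddress
import re

# Constructed AD site layout: site name -> subnet and that site's DNS servers.
SITES = {
    "Main":    {"subnet": "10.1.0.0/16", "dns": ["10.1.0.10"]},
    "SLC":     {"subnet": "10.2.0.0/16", "dns": ["10.2.0.10"]},
    "Houston": {"subnet": "10.3.0.0/16", "dns": ["10.3.0.10"]},
}


def site_of(ip, sites=SITES):
    """Return the name of the site whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cfg in sites.items():
        if addr in ipaddress.ip_network(cfg["subnet"]):
            return name
    return None


def check_client_dns(clients, sites=SITES):
    """clients: iterable of (client_ip, [dns_servers in configured order]).
    Returns (client_ip, client_site, primary_dns, dns_site) for every client whose
    primary DNS server is not one of its own site's servers (or that has none)."""
    problems = []
    for client_ip, dns_servers in clients:
        client_site = site_of(client_ip, sites)
        if client_site is None or not dns_servers:
            problems.append((client_ip, client_site, None, None))
            continue
        primary = dns_servers[0]
        if primary not in sites[client_site]["dns"]:
            problems.append((client_ip, client_site, primary, site_of(primary, sites)))
    return problems


# One Windows tracert hop line: hop number first, IPv4 address last (optionally in []).
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")


def t1_hops(tracert_output, t1_routers):
    """Return [(hop_number, ip)] for hops that are one of the T1 router addresses,
    i.e. evidence that the path to the destination crosses the leased line."""
    found = []
    for line in tracert_output.splitlines():
        m = HOP_RE.match(line)
        if m and m.group(2) in t1_routers:
            found.append((int(m.group(1)), m.group(2)))
    return found


# Constructed sample data, as if gathered from "ipconfig /all" and "tracert".
SAMPLE_CLIENTS = [
    ("10.2.0.55", ["10.2.0.10", "10.1.0.10"]),  # SLC client, local DNS first: fine
    ("10.2.0.56", ["10.1.0.10", "10.2.0.10"]),  # SLC client asking Main first: crosses T1
    ("10.3.0.20", ["10.3.0.10"]),               # Houston client, fine
    ("10.3.0.21", []),                          # no DNS servers at all
]
T1_ROUTERS = {"10.255.0.1"}  # hypothetical T1 serial-interface address
SAMPLE_TRACERT = """
Tracing route to google.com [placeholder]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.2.0.1
  2    12 ms    11 ms    12 ms  10.255.0.1
  3    13 ms    13 ms    14 ms  edge.example [10.1.0.1]
  4    20 ms    19 ms    21 ms  203.0.113.1
"""

if __name__ == "__main__":
    for row in check_client_dns(SAMPLE_CLIENTS):
        print("DNS problem:", row)
    for hop in t1_hops(SAMPLE_TRACERT, T1_ROUTERS):
        print("path crosses T1 at hop", hop)
```

Run on real data, feed check_client_dns the DHCP scope option 006 values (or per-client ipconfig output) for each site, and feed t1_hops the tracert output captured at each remote site with the actual T1 router addresses; any hit in the second list means internet traffic from that site is riding the leased line, which is exactly what item 2 asks about.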
Author Comment by: AugustMack
Very helpful information!

To answer your questions:
1) Yes, we do have VoIP and yes it is going through the same pipe, but isn't it true that you can actually set a bandwidth size for that given traffic? How and with what device?

2) I did a tracert to google.com on each remote site, and it looks like after tweaking DNS so that they point to themselves the tracert results show that they are first coming to the local gateway and then they go through our ISP, which has about 7 hops before they actually get to the site.

3) Yes, there is a database that gets accessed through telnet for proprietary software.

4) This is one of the first things I fixed when I started assessing DNS about 1 week ago, so yes, they are pointing to their local DNS.

Replication intervals were set at 60 minutes so I changed that to 90 (default); once I get comfortable I will want to do it at night.

Any ideas of how I can address the items described above?
Accepted Solution by: mcsween (LVL 21, earned 500 total points)
1) Well, there are a couple of ways voice over a T1 can be set up.  It can be set up with dedicated channels or as VoIP.  Either way you can throttle the bandwidth.  Chances are, though, the VoIP traffic has priority over data.  This is because voice is very sensitive to latency and even a little causes dropped calls.  You have 2 best-practice options for throttling this bandwidth (only 1 if you are using dedicated channels):

1a) If using dedicated channels or VoIP you can limit the number of simultaneous calls that travel over this T1.  This would be done either at your phone switch (PBX) or at the router level.  This would have to be set up on both ends, as calls probably go both ways.
1b) If using VoIP you can add compression to the packets.  With 2:1 compression you will not lose much quality but it reduces the packet size from 64k to 32k.  The more compression you add, the more echo and scratchiness you are going to get.  You would have to test by adding compression and making a call to see if its quality is good enough.

3) Telnet across a T1 shouldn't cause too much traffic and there isn't much you can do about it anyway.

4) I have replication set to 120 minutes across VPN and 90 across T1 (some of my WAN links are VPN).

5) My guess is they are probably accessing email through this T1 as well.  You might be able to alleviate some of this traffic by having users use a web-based version like OWA (if Exchange) or GroupWise WebAccess (if GroupWise).

6) Also, if you have the ability to set up VPN (all of my T1-connected sites have VPN as a backup; a couple of static route changes at the router and they are using VPN in the event of an outage) you can send some traffic over VPN.  For example, if your T1 router is 192.168.1.2, your Internet gateway is 192.168.1.1, your App Server is 192.168.2.5 and clients use 192.168.1.2 as their default gateway, you can add a static route to the IP of the server that's hosting this app to send that traffic over VPN.  The following route would be added at the T1 router (Cisco format):
ip route 192.168.2.5 255.255.255.255 192.168.1.1
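Why the single host route in item 6 diverts only the application traffic comes down to longest-prefix matching: a /32 for 192.168.2.5 beats the /24 that sends the rest of 192.168.2.0 over the T1. The model below is an added illustration, not mcsween's code or configuration: it builds a minimal forwarding table for the T1 router using the addresses from the comment, then looks up destinations with and without the host route. The next-hop label "T1-serial" for the remote subnet is a placeholder, as is the documentation address used for an internet destination.

```python
"""Added example: longest-prefix-match model of the static-route trick in item 6.
Addresses 192.168.1.1 / 192.168.1.2 / 192.168.2.5 are from the comment; the
"T1-serial" next-hop label and 203.0.113.10 are hypothetical placeholders."""
import ipaddress


class RouteTable:
    """Minimal forwarding table: the most specific matching prefix wins."""

    def __init__(self):
        self.routes = []  # list of (ip_network, next_hop)

    def add(self, prefix, next_hop):
        """prefix in CIDR form ('192.168.2.0/24') or Cisco form
        ('192.168.2.0 255.255.255.0'); ip_network accepts both."""
        net = ipaddress.ip_network(prefix.replace(" ", "/"), strict=False)
        self.routes.append((net, next_hop))

    def lookup(self, dst):
        """Return the next hop for dst, chosen by longest prefix, or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None


def t1_router_table(with_host_route):
    """Forwarding table of the T1 router (192.168.1.2) from the comment's example."""
    rt = RouteTable()
    rt.add("192.168.1.0 255.255.255.0", "connected")     # local LAN
    rt.add("192.168.2.0 255.255.255.0", "T1-serial")     # remote office over the T1
    rt.add("0.0.0.0 0.0.0.0", "192.168.1.1")             # default via the Internet gateway
    if with_host_route:
        # the route from item 6: only the app server goes via the gateway (VPN)
        rt.add("192.168.2.5 255.255.255.255", "192.168.1.1")
    return rt


def next_hops(with_host_route):
    """Where traffic to the app server, another remote host and the Internet goes."""
    rt = t1_router_table(with_host_route)
    return {
        "app_server": rt.lookup("192.168.2.5"),
        "other_remote_host": rt.lookup("192.168.2.6"),
        "internet": rt.lookup("203.0.113.10"),
    }


if __name__ == "__main__":
    print("before:", next_hops(False))
    print("after: ", next_hops(True))
```

One caveat the comment does not spell out: this only changes the outbound direction at the main site. Unless the remote-site router has a matching route for the clients' subnet pointing at its VPN, the server's replies still come back over the T1, and the resulting asymmetric path can confuse stateful firewalls in between. Check both routers' tables before relying on the split.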
Author Comment by: AugustMack
Very well, thanks for all the info.