DNS setup in Remote Office that's an OU

Medium Priority
Last Modified: 2010-03-18
Ok so I started a new networking job and the network is as follows: there is a domain named labs.com which has dc1.labs.com as the PDC emulator as well as all other FSMO roles, and then SLC.labs.com and Houston.labs.com (both remote offices). There is a site for each one of the remote offices since they are in different subnets. The problem that I'm having is the fact that traveling from one office to the other through our leased T1 is not as fast as it should be, and I think it is due to misconfiguration of DNS and AD replication maybe?
DNS is installed in each office as well as DHCP, but the funny thing is that when I check each one of the DNS servers they all have the same info (A records, NS, etc.); they are all primary AD-integrated. Now if I am wrong please correct me, but I think this is generating a lot of the traffic I have in my network (I used Wireshark and see a lot of ARP traffic).

I have a vague idea as to how to fix it but I'm not quite sure if it's a good one. I thought about setting up a primary zone in each remote DC pointing to itself and then creating a secondary zone that will point to the server that holds all the FSMO roles. Once these are set up and I'm able to transfer from master, just go ahead and delete the primary zone that was set up in the remote server, which is actually an identical copy of the PDC. Then of course create a secondary zone in my PDC that will point to the primary zone of each zone in the remote offices.

Please advise and let me know if there is any more info you need.

Bradley Fox, LAN/WAN Systems Administrator

If they are all in the same AD domain then they will hold all of the same records.  A DNS zone is for each domain and should be replicated to all DNS servers.  This replication traffic should be very minimal.  If you had say 100,000 records (this would be a huge network) you would be looking at less than 5MB of replicated traffic.

I would not change your zones or your clients will experience a very long delay when trying to do intersite DNS queries as they will have to query the AD at another site.  This will also create much more traffic on your T1 than replication.

Now with that said this doesn't mean that AD isn't replicating a huge directory partition from one DC to the other and clogging up your T1.  Take a look at how your security groups are setup.  You want to make sure you put users in Global Groups then place the Global Groups in Domain Local Groups.  The Domain Local group is the group you want to add to directory security on a File Share server.

In AD Sites and Services you can set the replication intervals as well as the times AD is allowed to replicate.  Try changing these times to only allow replication during off hours.  See if this alleviates your T1 traffic.  If it doesn't then it's not AD causing your issues; if it does then you can look into it further, but I can almost guarantee it's not DNS.

A couple other things you might want to look at:
1. Do phone systems link up over these T1s?  My phone system is setup so that when I dial 8+"remote site ext" I am actually making a call across my T1. (free call but takes bandwidth)

2. Are any sites sharing your internet?  Users may be browsing the internet across the T1.  You can check this easily by tracert google.com and see if it hops any of your T1 routers.

3. Are there database servers at the main site that are being accessed from remote sites?  Terminal Services applications?

4. Are all the clients receiving the Local DC as their Primary DNS?  If they are using a remote DC as their primary DNS then all DNS queries are going across the T1.
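The two checks in this answer that can be scripted are item 4 (is each client's primary DNS server a domain controller in its own AD site?) and the inter-site replication interval set in AD Sites and Services. The PowerShell below is an added example, not code from the thread or from either participant. It assumes a domain-joined Windows host running Windows PowerShell with the .NET System.DirectoryServices classes available (no AD module needed), and it reads the site membership, the adapter DNS settings and the siteLink objects directly; the site name, adapter names and addresses it prints come from whatever environment it runs in.

```powershell
# Added example (not from the original thread): on a domain-joined Windows host,
# confirm the client's primary DNS servers are DCs in the host's own AD site, and
# list the inter-site replication intervals configured on the IP transport.
# Assumes Windows PowerShell (Get-WmiObject) and System.DirectoryServices.

Add-Type -AssemblyName System.DirectoryServices

function Get-LocalSiteDnsCheck {
    # The site is derived from this computer's IP address and the AD subnet objects,
    # exactly as the DC locator does it.
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

    # Domain controllers that belong to that site, keyed by IP address.
    $localDcIps = @{}
    foreach ($dc in $site.Servers) {
        $localDcIps[$dc.IPAddress] = $dc.Name
    }

    # DNS servers configured on every IP-enabled adapter, in search order.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
    $results = @()
    foreach ($adapter in $adapters) {
        $order = 0
        foreach ($dns in @($adapter.DNSServerSearchOrder)) {
            $order++
            $results += New-Object PSObject -Property @{
                Adapter     = $adapter.Description
                Order       = $order                       # 1 = primary DNS server
                DnsServer   = $dns
                LocalSiteDc = $localDcIps.ContainsKey($dns)
                DcName      = $localDcIps[$dns]
            }
        }
    }

    Write-Host ("Computer site: {0}" -f $site.Name)
    $results | Sort-Object Adapter, Order |
        Format-Table Adapter, Order, DnsServer, LocalSiteDc, DcName -AutoSize

    # A primary DNS server that is not a DC in this site means every name lookup
    # crosses the WAN link before a local DC is ever consulted.
    $offsite = $results | Where-Object { $_.Order -eq 1 -and -not $_.LocalSiteDc }
    foreach ($r in $offsite) {
        Write-Warning ("Primary DNS {0} on '{1}' is not a DC in site {2}" -f `
            $r.DnsServer, $r.Adapter, $site.Name)
    }
    return $results
}

function Get-SiteLinkIntervals {
    # siteLink objects live under the IP transport in the configuration partition.
    # replInterval is the replication frequency in minutes; cost drives link choice.
    $rootDse     = [ADSI]"LDAP://RootDSE"
    $configNc    = [string]$rootDse.configurationNamingContext
    $ipTransport = [ADSI]("LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites," + $configNc)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($ipTransport)
    $searcher.Filter = "(objectClass=siteLink)"
    $searcher.PropertiesToLoad.AddRange(@("name", "replInterval", "cost", "siteList")) | Out-Null

    foreach ($entry in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SiteLink        = [string]$entry.Properties["name"][0]
            IntervalMinutes = [int]$entry.Properties["replinterval"][0]
            Cost            = [int]$entry.Properties["cost"][0]
            Sites           = (@($entry.Properties["sitelist"]) -join "; ")
        }
    }
}

Get-LocalSiteDnsCheck | Out-Null
Get-SiteLinkIntervals | Format-Table SiteLink, IntervalMinutes, Cost, Sites -AutoSize
```

Run it from a workstation at each remote office: the warning line is the item-4 symptom (queries leaving the site), and the siteLink table shows the interval that AD Sites and Services exposes as "Replicate every", so a change made in the GUI can be confirmed without opening the console on every DC.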


Very helpful information!

To answer your questions:
1) yes we do have voip and yes it is going through the same pipe, but isn't it true that you can actually set a bandwidth size for that given traffic? How and with what device?

2) I did a tracert to google.com on each remote site, and it looks like after tweaking DNS so that they point to themselves, the tracert results show that they first go to the local gateway and then through our ISP, which has about 7 hops before they actually reach the site.

3) Yes, there is a database that gets accessed through telnet for proprietary software.

4) This is one of the first things I fixed when I started assessing DNS about 1 week ago, so yes they are pointing to their local DNS.

Replication intervals were set at 60 minutes, so I changed that to 90 (default); once I get comfortable I will want to do it at night.

Any ideas of how I can address the items described above?
Bradley Fox, LAN/WAN Systems Administrator

1) Well, there are a couple of ways voice over a T1 can be set up.  It can be set up with dedicated channels or as VoIP.  Either way you can throttle the bandwidth.  Chances are though the VoIP traffic has priority over data.  This is because voice is very sensitive to latency and even a little causes dropped calls.  You have 2 best-practice options for throttling this bandwidth (only 1 if you are using dedicated channels):

1a) If using dedicated channels or VoIP you can limit the number of simultaneous calls that travel over this T1.  This would be done either at your phone switch (PBX) or at the router level.  This would have to be set up on both ends as calls probably go both ways.
1b) If using VoIP you can add compression to the packets.  With 2:1 compression you will not lose much quality but it reduces the packet size from 64k to 32k.  The more compression you add the more echo and scratchiness you are going to get.  You would have to test by adding compression and making a call to see if its quality is good enough.

3) Telnet across a T1 shouldn't cause too much traffic and there isn't much you can do about it anyway.

4) I have replication set to 120 minutes across VPN and 90 across T1 (some of my WAN links are VPN).

5) My guess is they are probably accessing email through this T1 as well.  You might be able to alleviate some of this traffic by having users use a web-based version like OWA (if Exchange) or GroupWise WebAccess (if GroupWise).

6) Also, if you have the ability to set up VPN (all of my T1-connected sites have VPN as a backup; a couple of static route changes at the router and they are using VPN in the event of an outage) you can send some traffic over VPN.  For example, if your T1 router is, your Internet gateway is, your App Server is and clients use as their default gateway, you can add a static route to the IP of the server that's hosting this app to send that traffic over VPN.  The following route would be added at the T1 router (Cisco format):
"IP Route"

Very well, thanks for all the info.