Question regarding DC utilisation

Posted on 2009-04-30
Medium Priority
Last Modified: 2013-12-24
Hi All

We are running Windows XP clients in a number of sites, along with Windows 2003 DCs. We have a large HQ which has multiple DCs, and some other medium-sized sites around Europe.

Some sites don't have their own dedicated DC, especially ones close to HQ, so their subnet is defined as part of the HQ site in Sites and Services.

We have just run a tool that shows the number of authentications on DCs per minute. For some reason, one of the DCs in HQ (one DC out of 6) has a lot more authentications. These aren't peaks either; it's generally uniform across the day.

Is there any way to check why this is?

Many thanks in advance!
Question by:Joe_Budden
LVL 13

Expert Comment

ID: 24272625

It might be because of DNS.
When the client tries to authenticate to a domain, it will ask the DNS server for service records which point to LDAP, DC and GC servers. It might happen that the DNS server taking part in this authentication scenario preferably sends records pointing to this particular DC.
If you want to change it, you can edit the resource records in your DNS zone so that the "overloaded" server gets a lower priority.

LVL 13

Expert Comment

ID: 24272637
One more idea... maybe it would be worth checking whether the server in question is the only Global Catalog (or one of only a few).
LVL 58

Assisted Solution

tigermatt earned 400 total points
ID: 24272648

What is your Global Catalog configuration in the HQ site? If that particular server is the only GC, I would expect the utilisation to be higher than the others. Also, where are the FSMO roles located? Some actions are performed directly on or replicated immediately to the PDC Emulator for backwards compatibility, which could also be an explanation.

Just so you are aware, your current configuration, whereby sites without a DC have their subnet associated with their nearest site, is the recommended configuration: http://technet.microsoft.com/en-us/library/cc736820.aspx.



Author Comment

ID: 24272929
Hi All,

Sorry, I should have mentioned that ALL DCs in the HQ site are GCs.

The DNS priority theory sounds interesting - how would I be able to check the priority of that resource record? And what would the resource record be called? I wasn't aware that the DC resource record had a priority setting?
LVL 13

Accepted Solution

martin_babarik earned 1200 total points
ID: 24273375
Well, when you open the DNS console, you will see 2 zones:
- domain.com
- _msdcs.domain.com

The second one contains the service resource records. There is quite a rich structure of these records and they don't seem to be very intuitive or easy to read, but you should check the columns named "Priority" and "Weight".
I think that by default priority and weight are all the same, and in this case verify whether the records of the DC in question are in first place. To be honest I don't know the low-level mechanism of "how the client will choose one of the offered records when all of them have the same priority and weight". My guess would be "alphabetical order".
You can either modify the priority in the properties of this record or you can change the weight.

On the screenshot attached you can see an example of such a resource record. See the "Data" column. The first number is priority, the second one is weight. In this example I've got only one DC, but you will see 6 of them.
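The selection rule the answer above is unsure about is defined by RFC 2782 (SRV records): a client tries the lowest Priority first, and within one priority it draws at random, with each record's chance proportional to its Weight. Netlogon registers every DC's records with priority 0 and weight 100 unless the LdapSrvPriority / LdapSrvWeight values are set under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters on that DC; since Netlogon re-registers its records periodically, a Weight or Priority edited by hand in the DNS console is eventually overwritten, so the registry values are the durable place to change them. The simulation below is an added example and not part of the original thread or of any Microsoft tool; the six DC names and the record values are constructed, and `first_choice_shares` simply counts which DC comes out first over many lookups so the effect of a lower weight versus a higher priority can be compared.

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV record as found under _ldap._tcp.dc._msdcs.<domain>."""
    priority: int
    weight: int
    port: int
    target: str


def order_srv(records, rng=random):
    """Order SRV records the way an RFC 2782 client does: ascending priority,
    and within one priority a weighted random draw without replacement."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: weight-0 records go first so they keep a very small chance.
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)          # inclusive of both ends
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    break
            ordered.append(rec)
            group.remove(rec)
    return ordered


def first_choice_shares(records, trials=6000, seed=1):
    """Fraction of lookups in which each target is the first DC tried."""
    rng = random.Random(seed)
    hits = Counter(order_srv(records, rng)[0].target for _ in range(trials))
    return {target: hits[target] / trials for target in hits}


# Constructed example: six HQ DCs as Netlogon registers them by default
# (priority 0, weight 100). The host names are made up for this example.
HQ = [SrvRecord(0, 100, 389, f"dc{i}.hq.example.com") for i in range(1, 7)]
BUSY = "dc1.hq.example.com"


def with_weight(records, target, weight):
    """Copy of the record set with one DC's weight changed (LdapSrvWeight)."""
    return [SrvRecord(r.priority, weight, r.port, r.target)
            if r.target == target else r for r in records]


def with_priority(records, target, priority):
    """Copy of the record set with one DC's priority changed (LdapSrvPriority)."""
    return [SrvRecord(priority, r.weight, r.port, r.target)
            if r.target == target else r for r in records]


if __name__ == "__main__":
    scenarios = {
        "defaults (0/100 everywhere)": HQ,
        "busy DC weight 50":            with_weight(HQ, BUSY, 50),
        "busy DC priority 10":          with_priority(HQ, BUSY, 10),
    }
    for label, recs in scenarios.items():
        shares = first_choice_shares(recs)
        print(label)
        for rec in sorted(recs, key=lambda r: r.target):
            print(f"  {rec.target:22s} prio={rec.priority:<3d} weight={rec.weight:<4d} "
                  f"first choice {100 * shares.get(rec.target, 0.0):5.1f}%")
```

Lowering the weight only reduces the busy DC's share (roughly in proportion to its weight against the group total); raising its priority removes it from normal selection altogether, so it is only used when every priority-0 DC has failed. Note that the records only decide which DC a client contacts first; once a client has located a DC it caches that choice, so a change in the records shifts load gradually as clients re-locate.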

Author Comment

ID: 24273654
Thanks, great explanation.

Just one final question: we also have a bunch of apps that carry out LDAP queries, need Kerberos authentication, etc. They all need an LDAP server/Kerberos server entered, which is one of the other DCs.

Is there any way to set this up so that they try all the DCs listed in the AD DNS SRV records?

Also, would LDAP queries be classed as "authentications" to a DC, and therefore affect our chart? I am wondering if someone has set up a bunch of apps to use the affected DC as the LDAP server.

LVL 13

Expert Comment

ID: 24273760
If the application needs the exact name of the LDAP and Kerberos server configured, I don't think it's possible.

LDAP queries are not classed as authentication themselves, but to perform an LDAP query you need to be authenticated, so actually yes, it might affect the chart.
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 400 total points
ID: 24277421

> They all need a LDAP server/Kerberos server entered, which is one of the other DC's

For those performing LDAP queries you could create a pool of servers for them to use, to spread the load out.

For instance, if you create a Host (A) record called "ldap.yourdomain.com" for each of the servers in the pool, the system performing the query will rotate through the list rather than relying on a single server.


ldap.yourdomain.com.  A   ; DC1
ldap.yourdomain.com.  A   ; DC2
ldap.yourdomain.com.  A   ; DC6

You won't be able to account for servers going down, DNS won't help you there, but it would spread the load out a bit.

For a process to use the Service Records it must be taught how. Windows Logon knows, as do many of the processes associated with AD, but there's no simple way to make an application use those service records.
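Round-robin A records give an application a rotating list of addresses, but, as the answer above says, DNS cannot tell it that one of those addresses is down; the application has to try the next address itself. The following is an added example (not code from the thread) of the client-side half of that arrangement: it resolves the pool name, starts at a rotating position so successive connections spread over the pool, and falls back to the remaining addresses on failure. The pool name, the addresses and the set of "down" servers are constructed, and `resolve` / `connect` are injected so the example runs offline; a real client would pass `socket.getaddrinfo`-based resolution and an LDAP bind (for example with the ldap3 library) in their place.

```python
class DcPool:
    """Client-side use of a DNS round-robin pool such as ldap.yourdomain.com.

    resolve(name) must return every A record for the pool name;
    connect(addr) must return a connection or raise OSError on failure.
    The pool rotates its starting point on each call and tries the rest
    of the list in order, because DNS alone never skips a dead server."""

    def __init__(self, resolve, connect):
        self._resolve = resolve
        self._connect = connect
        self._cursor = 0          # rotation position, advanced on every call

    def connect(self, name):
        addrs = self._resolve(name)
        if not addrs:
            raise OSError(f"no addresses for {name}")
        start = self._cursor % len(addrs)
        self._cursor += 1
        failures = []
        # Walk the list starting at the cursor, wrapping round to the front.
        for addr in addrs[start:] + addrs[:start]:
            try:
                return addr, self._connect(addr), failures
            except OSError as exc:
                failures.append((addr, str(exc)))
        raise OSError(f"all {len(addrs)} addresses for {name} failed: {failures}")


# Constructed pool: three A records for one name, standing in for DC1, DC2, DC6.
POOL = {"ldap.yourdomain.com": ["10.0.0.1", "10.0.0.2", "10.0.0.6"]}


def make_connect(down):
    """Fake connector: addresses in `down` refuse, everything else 'connects'."""
    def connect(addr):
        if addr in down:
            raise ConnectionRefusedError(f"{addr}: connection refused")
        return f"ldap-session-to-{addr}"
    return connect


def simulate(down, rounds=3):
    """Addresses actually used for `rounds` successive connections."""
    pool = DcPool(lambda name: list(POOL[name]), make_connect(down))
    return [pool.connect("ldap.yourdomain.com")[0] for _ in range(rounds)]


if __name__ == "__main__":
    print("all up:     ", simulate(set()))
    print("10.0.0.2 down:", simulate({"10.0.0.2"}))
```

With every server up the three connections land on 10.0.0.1, 10.0.0.2 and 10.0.0.6 in turn; with 10.0.0.2 down, the second connection skips it and lands on 10.0.0.6, and the failure list returned alongside the connection tells the caller which address was refused. Kerberos is a separate matter: the KDC is located through its own SRV records (`_kerberos._tcp`), and a fixed KDC name in an application's Kerberos configuration is not helped by an A-record pool.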

