• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2252

WAN Traffic Between Domain Controllers and Client PCs across Sites

We have a Windows 2003, single-forest, single-domain Active Directory architecture. We have approximately 60 Domain Controllers spread across India. We have more than one Domain Controller in some sites, while on others we have a single Domain Controller. Domain Controllers within sites are connected through a switch, while Domain Controllers across sites are connected through WAN links of 2 Mbps. For a few months we have been noticing that huge traffic gets generated over these WAN links randomly. We do not have any application integrated with Active Directory in our environment. We used Wireshark to capture the packets, but those are not clear. So can anyone enlighten us as to what traffic usually should be there, and why PCs of various sites need to communicate randomly with Domain Controllers of various sites? What can be the cause of this traffic? How do we go about rectifying the same?
Asked by Neo_78
Miguel Angel Perez Muñoz commented:
This may be caused by a poor AD site design. You need to define domain controllers per site; that way traffic between PCs and DCs is local. This may help you: http://technet.microsoft.com/en-us/library/bb727051.aspx
 
Neo_78 (Author) commented:
Our site and Domain Controller placement is as per Microsoft recommendations. Sites are attached to the proper subnets and Domain Controllers are placed accordingly. If there was a problem with poor AD site design, then I would have expected this issue to come up a few years back, but this has started recently.
 
Miguel Angel Perez Muñoz commented:
What traffic appears during sniffing?
 
FemSteenkamp commented:
What is the size of your SYSVOL and NETLOGON shares on a DC?
How often are group policies or files in either of these two locations changed, or new ones added?

What is the replication schedule between sites? The default 15 min, or was this changed to only replicate at certain times?

Does the replmon tool show that normal replication is working without problems?

 
Neo_78 (Author) commented:
The information is listed below. This WAN traffic congestion is random.
SYSVOL size: approx. 1 GB
Repadmin shows no issue
Replication schedule within site: 15 mins
Replication with external site: 30 mins
Group Policy refresh interval: 30 mins

What else can be checked?
 
Neo_78 (Author) commented:
We found TCP and UDP traffic on the wire. We checked the traffic with Ethereal and found mostly TCP and UDP traffic. Any suggestions on how to minimize the same?
 
Mike Thomas (Consultant) commented:
This may have been configured OK to start with, but maybe something has changed? Clients will not go to another site unless they need to, and this is based on the availability of local DCs and the costing between other sites if local DCs cannot be found. This is all configured in Sites and Services.

Do you have IP connectors configured for your Inter-Site Transports with correct costing etc.? Were site links configured with a correct replication schedule? Has someone since modified the default NTDS settings, which will now override this? It might not be bad design, but changes made since that design was put in place may have made the original design redundant.

Check Sites and Services and really look at what is happening as per the current configuration, not what the design documents say.

 
pwindell commented:
SYSVOL Size Approx - 1 GB;

That seems excessive to me.

We found TCP and UDP traffic on the wire. We checked the traffic with etherial and found TCP and UDP traffic mostly. Any suggestion how to minimize the same.

Those are just the Layer 4 protocols. Everything is either TCP or UDP, so knowing that is not helpful. You need to go deeper into the upper layers of the protocol stack to see what it is. For example HTTP, SQL, FTP, LDAP, IMAP, SMTP, NNTP, SMB and RPC are all higher-layer protocols that run over TCP or UDP.
 
pwindell commented:
SYSVOL Size Approx - 1 GB;

That seems excessive to me. By comparison, my root SYSVOL is 72.3 MB (that's meg, not gig).
 
FemSteenkamp commented:
You need to go look at what is in your SYSVOL share to make it so big.

The default change log in 2003 is quite small, so if the replication can't keep up and the log wraps, it will download the whole SYSVOL again, adding more traffic. So a genuine network interruption could have prevented/interrupted SYSVOL replication for long enough for the log to wrap, or somebody dumped a large enough file into SYSVOL for the wrap to happen.

I would download the SYSVOL replication tool and see if it is SYSVOL replication generating the traffic (which my guess is, with a SYSVOL that size):
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=61acb9b9-c354-4f98-a823-24cc0da73b50

This explains the journal wrap in 2000 (http://support.microsoft.com/kb/292438), but the underlying workings in 2003 are pretty much the same, with some enhancements.

In any case, use the MS utility to see if the SYSVOL replication is the hassle, but you REALLY need to find out why the SYSVOL is so big.
 
FemSteenkamp commented:
Another idea just came up.

Are you running AD-integrated DNS with dynamic updates from clients? (How many clients do you have? How many sites? Average users per site?) If, for instance, you are scavenging old DNS records on a weekly basis and you have lots of clients, the large number of replication changes caused by this can cause the traffic.
 
FemSteenkamp commented:
Do you have a lot of SYSVOL folders that have morphed files or folders, i.e. ones that have the _NTFRS_<guidname> suffix?

e.g.
FolderName_NTFRS_<guidname>
 
FemSteenkamp commented:
Has the anti-virus been updated/changed lately?

Make sure that the AD database and logs are excluded from being scanned, as some anti-virus products can interfere with replication while scanning, causing replication to fail and have to be retried. McAfee was one of the known culprits.
 
FemSteenkamp commented:
And lastly:

Use Performance Monitor to indicate how much of the traffic from/to a server is AD related.

This article is for 2000, but the same counters are used for 2003:
http://technet.microsoft.com/en-us/library/bb742457.aspx
 
Neo_78 (Author) commented:
We have observed a few more things. As we have already mentioned, we have approx. 55 Domain Controllers spread across various sites in the country. Each site is associated with the proper subnet. Each site has 1 or 2 domain controllers to service clients (all domain controllers are GCs). However, we have noticed that clients from one site authenticate with a DC of a different site randomly, given the fact that the DNS settings on those clients are configured so that those clients are serviced by the local DC. This across-WAN authentication increases traffic largely. This is a single-forest, single-domain architecture. How can we restrict the clients to be serviced by their local DC?
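As an added example (not code from this thread or any of its posters), a small Python script that follows pwindell's advice to look past "TCP and UDP" at the service ports, and Neo_78's concern about clients from one site talking to DCs in another: it maps each endpoint to its site from a subnet table, classifies each flow by well-known AD port, and totals the bytes that cross site boundaries per service. The site names, subnets and flow lines are constructed stand-ins for the Sites and Services subnet objects and for a capture tool's conversation statistics.

```python
import ipaddress
from collections import defaultdict

# Constructed site/subnet table (stand-in for the Sites and Services subnet objects).
SITE_SUBNETS = {
    "SiteA": ipaddress.ip_network("10.1.0.0/16"),
    "SiteB": ipaddress.ip_network("10.2.0.0/16"),
}

# Well-known AD service ports; anything not listed is reported as "other".
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 123: "NTP", 135: "RPC-EPM", 139: "NetBIOS",
    389: "LDAP", 445: "SMB", 464: "kpasswd", 636: "LDAPS", 3268: "GC", 3269: "GC-SSL",
}

def site_of(ip):
    """Return the site whose subnet contains ip, or 'unknown' if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for site, net in SITE_SUBNETS.items():
        if addr in net:
            return site
    return "unknown"

def classify(port):
    """Name the AD service behind a destination port."""
    if port in AD_PORTS:
        return AD_PORTS[port]
    if 1024 <= port <= 5000:  # Windows 2003 default dynamic RPC range (FRS/DRS replication)
        return "RPC-dynamic"
    return "other"

def parse_flows(text):
    """Parse lines of: src_ip dst_ip proto dst_port bytes (comments start with #)."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, port, nbytes = line.split()
        flows.append((src, dst, proto.upper(), int(port), int(nbytes)))
    return flows

def cross_site_summary(flows):
    """Bytes per (source site, destination site, service) for flows that leave their site."""
    summary = defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        s_site, d_site = site_of(src), site_of(dst)
        if s_site != d_site:
            summary[(s_site, d_site, classify(port))] += nbytes
    return dict(summary)

SAMPLE = """\
# src        dst        proto port bytes   (constructed conversation summary)
10.1.5.20  10.1.0.10  tcp   88   4200
10.1.5.21  10.2.0.10  tcp   88   5100
10.1.5.21  10.2.0.10  tcp   389  22000
10.1.5.22  10.2.0.10  tcp   445  980000
10.1.0.10  10.2.0.10  tcp   1029 5400000
"""

if __name__ == "__main__":
    for key, b in sorted(cross_site_summary(parse_flows(SAMPLE)).items(), key=lambda kv: -kv[1]):
        print(f"{key[0]} -> {key[1]}  {key[2]:12s} {b:>10d} bytes")
```

In the sample, the SiteA client hitting Kerberos and LDAP on a SiteB DC is the cross-WAN logon path the author describes, while the DC-to-DC dynamic RPC flow is replication; separating the two tells you which of the suggestions in this thread to chase first.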
 
FemSteenkamp commented:
What operating system are the clients that are authenticating to a remote site using?
 
pwindell commented:
@ Neo_78:

Maybe you are just misinterpreting what you are seeing,...confusing other AD traffic as if it was "logon" traffic.
 
Neo_78 (Author) commented:
I just want to point one thing out here: we have checked with the network team about the architecture of the network between different sites, and we have found that some of the sites are connected using VPN connections of 4 Mbps. There is no P2P connection between those sites. We have configured site link objects with cost 100 and a replication interval of 20 mins. Please let us know if there is any special consideration we would have to take for replication over VPN connections, and if the cost and schedule are fine.

Secondly, I have found out about enabling Redundant mode for some slow-link sites; will that help in our scenario?

 
pwindell commented:
VPN connections of 4 mbps. There is no P2P connection between those sites

A VPN IS a P2P (Point-to-Point) connection. So yes, you have P2P (Point-to-Point) connections.

If the lines are asynchronous then the VPN will lock in and run at the slower "upload speed" of the lines. It will not use the faster download speed.
 
Neo_78 (Author) commented:
The solution is not accurate.