Ping Response over VPN for Active Directory and Exchange

I have a Server 2012 Domain Controller and an Exchange 2013 server at one site. I have client stations at a remote site. A vendor has implemented a hardware VPN between the two sites using a Fortinet 60D. I am planning the join to domain for all the clients at the remote site (about 5 computers). I am used to response times over a VPN being under 20ms with very few if any dropouts. This VPN channel provides a response time of 226ms to 2660ms with a dropout rate of 1 to 2 percent.

My understanding is the following for requests from clients to a domain controller:

When a client tries to locate a domain controller after it has received the IP address from DNS, it varies the time it waits for a response based on the number of domain controllers it has already pinged. For the first five domain controllers, it waits for 0.4 seconds, and for the next five domain controllers, it waits for 0.2 seconds. After 10 domain controllers have been pinged, the client uses a 0.1 second wait for the remaining requests.

So at best the response time over the VPN is .2 seconds. It seems to me that under load of 5 clients and the load of the Exchange Server 2013 / client traffic this VPN channel will not suffice and will provide poor performance. I am also concerned that any "failed" handshakes, communication, etc. will impact the flow of data on the VPN channel, at the primary office and the remote office. I am expecting that once I join a remote client to the domain, I will effectively bring the performance of both sites down considerably.

I searched the Microsoft TechNet and MSDN areas and could not find much in the way of definitive references to minimum response performance requirements for a VPN in an Active Directory environment. I am expecting that the answer is 1) the response time is too slow and 2) there should be a domain controller and DNS at each location regardless of the VPN response time.

I have found several notes online of claims that VPNs are insensitive to ping response tests.  I can understand that with a VPN in isolation, but my tests are from client to server which is a representation of how data would flow once the client is joined to the domain.

I did look at netdiag, but I am not sure how I can use it at the remote site since those machines are all clients.

I am looking to confirm:
1.  Is the current response time way too slow?
2.  Should the response time be less than 20ms?
3.  Are there any specification references regarding VPN performance to support Active Directory?
4.  Is it really just best practice to have a DC / DNS at both sites, or should that be treated as a requirement?
4.a.  Given that the former (servers at both sites) is the requirement, should that be the same for Exchange Server?
Stephen Hopkins (Lead Cybersecurity Engineer) asked:
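As an added example (not part of the original question), the following Windows PowerShell 5.1 script does from a remote-site client what the question asks about: it finds the domain controllers the DC locator would try via the `_ldap._tcp.dc._msdcs` SRV record, measures ICMP round-trip time and loss to each one over the VPN, and flags results against the 0.4 second locator wait quoted above and the 200ms figure discussed in the thread. It assumes the client can resolve the domain's DNS and that ICMP echo is allowed through the Fortinet tunnel; the domain name and sample count are parameters.

```powershell
# Added example: measure RTT and loss from a remote client to every DC the
# locator would try, then compare with the locator wait (0.4 s for the first
# five DCs) and the 200 ms rule of thumb. Assumes Windows PowerShell 5.1
# (Test-Connection returns Win32_PingStatus with a ResponseTime property)
# and that ICMP is permitted across the VPN.
param(
    [string]$Domain  = $env:USERDNSDOMAIN,   # assumed: client already resolves the AD domain
    [int]   $Samples = 50
)

# Same SRV record the DC locator queries before it pings candidate DCs.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

$results = foreach ($dc in $dcs) {
    # Failed echoes are written as errors, not objects, so the count of
    # returned objects is the number of replies actually received.
    $replies  = @(Test-Connection -ComputerName $dc -Count $Samples -ErrorAction SilentlyContinue)
    $received = $replies.Count
    $lossPct  = [math]::Round(100 * ($Samples - $received) / $Samples, 1)

    $avg = $p95 = $max = $null
    if ($received -gt 0) {
        $rtts = @($replies | Select-Object -ExpandProperty ResponseTime | Sort-Object)
        $avg  = [math]::Round(($rtts | Measure-Object -Average).Average, 0)
        $p95  = $rtts[[math]::Floor(0.95 * ($rtts.Count - 1))]
        $max  = $rtts[-1]
    }

    [pscustomobject]@{
        DC              = $dc
        Replies         = "$received/$Samples"
        LossPct         = $lossPct
        AvgMs           = $avg
        P95Ms           = $p95
        MaxMs           = $max
        Over200ms       = ($p95 -gt 200)          # threshold given in the thread
        OverLocatorWait = ($max -gt 400)          # 0.4 s wait for the first five DCs
    }
}

$results | Format-Table -AutoSize

# Show which DC and site the locator on this client actually settles on,
# bypassing the cached result so the tunnel is exercised.
nltest /dsgetdc:$Domain /force
nltest /dsgetsite
```

Run it from one of the remote-site clients after they can resolve the domain (before or after the join). A p95 above 200ms or a maximum above the locator wait on every DC is the condition the answers below describe; the `nltest` output confirms whether the locator is even choosing the DC you expect.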
Will Szymkowski (Senior Solution Architect) commented:
Any remote site that has more than 200ms back to the Authenticating server will definitely have issues (especially if there is also dropped packets).

Anything over 200ms you might want to consider putting a R/W DC at that site.

The response time does not need to be 20ms or less. If you had 100ms then that would be sufficient.

VPN to VPN is supported with active directory authentication.

A DC should only be placed at a remote site if the following are true...
- you have 50 users or more
- extremely slow WAN link back to the authenticating server
- application requires local authentication
- If you are looking to host exchange in a remote site then you are required to have a R/W DC/GC and DNS server

Will.

Vince Glisson (Owner) commented:
1.  Is the current response time way too slow?
     Faster is better, but DC's will be able to handle slow connections as you can configure when they replicate to each other.

2.  Should the response time be less than 20ms?
     Faster response times usually = more money to get the increased speed from your ISP.
 
3.  Are there any specification references regarding VPN performance to support Active Directory?
     I have a similar setup as to what you are proposing, one end of the VPN is on a 1.5/1.5 T1 and has 25 computers running Win 7 on it.
     Not really, as you can run it on a dial up connection. It's not replicating huge amounts of data.

4.  Is it really just best practice to have a DC / DNS at both sites, or should that be treated as a requirement?
     You should absolutely have a DC on each end; the subnet should be different on each end also, so all requests to resolve are first handed locally to the DC and not sent out through your VPN. The local DC will handle all the logins for your users at that site, security, file sharing, network shares, etc. Treat this as an absolute requirement.

4.a.  Given that the former (servers at both sites) is the requirement, should that be the same for Exchange Server?
     No, you only need one Exchange server; I would put it on the side that has the biggest bandwidth.
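Added example, not part of either answer: the separate-subnet-per-site point and the "you can configure when they replicate" point above are implemented in Active Directory with sites, subnets and site links. The script below, run on the existing Server 2012 DC with the ActiveDirectory module, defines a site for the remote office, maps each office's subnet to its site so the DC locator returns the local DC to clients there, and creates a site link whose cost and interval reflect the slow VPN. The site names, subnets, cost and interval are assumed placeholders.

```powershell
# Added example (not from the thread): AD site, subnet and site-link setup for
# a remote office behind a slow VPN. Run as a Domain Admin on a DC or a host
# with RSAT. Site names, subnets and schedule below are assumptions.
Import-Module ActiveDirectory

$hqSite       = 'Default-First-Site-Name'   # existing site holding the current DC
$remoteSite   = 'RemoteOffice'              # assumed name for the new site
$hqSubnet     = '10.10.0.0/24'              # assumed head-office subnet
$remoteSubnet = '10.20.0.0/24'              # assumed remote-office subnet

# 1. Site for the remote office (idempotent).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$remoteSite'")) {
    New-ADReplicationSite -Name $remoteSite -Description 'Remote office over Fortinet VPN'
}

# 2. Subnet-to-site mapping. The locator uses the client's IP to pick the site,
#    so a client in 10.20.0.0/24 gets the DC in RemoteOffice, not the HQ DC.
$mappings = @(
    @{ Subnet = $hqSubnet;     Site = $hqSite     },
    @{ Subnet = $remoteSubnet; Site = $remoteSite }
)
foreach ($m in $mappings) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($m.Subnet)'")) {
        New-ADReplicationSubnet -Name $m.Subnet -Site $m.Site
    }
}

# 3. Site link over the VPN: high cost and a 3-hour interval so inter-site
#    replication is batched rather than continuous over the slow tunnel.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'HQ-RemoteOffice'")) {
    New-ADReplicationSiteLink -Name 'HQ-RemoteOffice' `
        -SitesIncluded $hqSite, $remoteSite `
        -Cost 200 -ReplicationFrequencyInMinutes 180 `
        -InterSiteTransportProtocol IP
}

# Review the result.
Get-ADReplicationSubnet  -Filter * | Format-Table Name, Site -AutoSize
Get-ADReplicationSiteLink -Filter * | Format-Table Name, Cost, ReplicationFrequencyInMinutes -AutoSize
```

After promoting a DC into the RemoteOffice site, `nltest /dsgetsite` on a remote client should print `RemoteOffice` and `nltest /dsgetdc:<domain>` should return that DC. If the remote DC also holds DNS, point the remote clients' DHCP scope at it first and at the HQ DC second, so name resolution and logons stay local when the tunnel drops.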
Stephen Hopkins (Lead Cybersecurity Engineer, author) commented:
Will be testing again on 10/20.  Will post results.