Ping Response over VPN for Active Directory and Exchange

Stephen Hopkins
I have a Server 2012 Domain Controller server and an Exchange 2013 server at one site. I have client stations at a remote site. A vendor has implemented a hardware VPN between the two sites using a Fortinet 60D. I am planning the domain join for all the clients at the remote site (about 5 computers). I am used to response times over a VPN being under 20ms with very few, if any, dropouts. This VPN channel provides a response time of 226ms to 2660ms with a dropout rate of 1 to 2 percent.

My understanding is the following for requests from clients to a domain controller:

When a client tries to locate a domain controller after it has received the IP address from DNS, it varies the time it waits for a response based on the number of domain controllers it has already pinged. For the first five domain controllers, it waits for 0.4 seconds, and for next five domain controllers, it waits for 0.2 seconds. After 10 domain controllers have been pinged, the client uses a 0.1 second wait for the remaining requests.

So at best the response time over the VPN is 0.2 seconds. It seems to me that under the load of 5 clients plus the Exchange Server 2013 / client traffic, this VPN channel will not suffice and will provide poor performance. I am also concerned that any "failed" handshakes, communication, etc. will impact the flow of data on the VPN channel, at both the primary office and the remote office. I am expecting that once I join a remote client to the domain, I will effectively bring the performance of both sites down considerably.

I searched the Microsoft TechNet and MSDN areas and could not find much in the way of definitive references to minimum response performance requirements for a VPN in an Active Directory environment. I am expecting that the answer is 1) the response time is too slow and 2) there should be a domain controller and DNS at each location regardless of the VPN response time.

I have found several notes online claiming that VPNs are insensitive to ping response tests. I can understand that with a VPN in isolation, but my tests are from client to server, which is a representation of how data would flow once the client is joined to the domain.

I did look at netdiag, but I am not sure how I can use it at the remote site since those machines are all clients.

I am looking to confirm:
1. Is the current response time way too slow?
2. Should the response time be less than 20ms?
3. Are there any specification references regarding VPN performance to support Active Directory?
4. Is it really just best practice to have a DC / DNS at both sites, or should that be treated as a requirement?
4.a. Given that the former (servers at both sites) is the requirement, should that be the same for Exchange Server?
Senior Solution Architect
Commented:
Any remote site that has more than 200ms back to the authenticating server will definitely have issues (especially if there are also dropped packets).

Anything over 200ms, you might want to consider putting an R/W DC at that site.

The response time does not need to be 20ms or less. If you had 100ms then that would be sufficient.

VPN to VPN is supported with Active Directory authentication.

A DC should only be placed at a remote site if the following are true...
- you have 50 users or more
- extremely slow WAN link back to the authenticating server
- application requires local authentication
- if you are looking to host Exchange in a remote site then you are required to have an R/W DC/GC and DNS server

Will.
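An added example, not code from either the question or the answers: it parses Windows ping output captured from a remote client toward the DC and scores it against the DC Locator wait windows quoted in the question (0.4 s / 0.2 s / 0.1 s) and the 200 ms rule of thumb from the answer above. The DC address 10.1.0.10 and the ping lines are constructed sample data.

```python
import re
import statistics

# Constructed sample of Windows "ping -n 5" output from a remote client to
# the DC across the VPN (made up for this example; the RTT spread mirrors
# the 226ms-2660ms reported in the question). DC address is assumed.
SAMPLE_PING = """\
Reply from 10.1.0.10: bytes=32 time=226ms TTL=126
Reply from 10.1.0.10: bytes=32 time=412ms TTL=126
Request timed out.
Reply from 10.1.0.10: bytes=32 time=2660ms TTL=126
Reply from 10.1.0.10: bytes=32 time=305ms TTL=126
"""

# DC Locator wait per attempt, as quoted in the question: 0.4 s for the
# first five DCs pinged, 0.2 s for the next five, 0.1 s after ten.
LOCATOR_WAIT_MS = {"first_5": 400, "next_5": 200, "after_10": 100}

REPLY_RE = re.compile(r"time[=<](\d+)ms")

def parse_ping(text):
    """Parse Windows ping output into (RTT list in ms, lost probe count)."""
    rtts, lost = [], 0
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            rtts.append(int(m.group(1)))
        elif "Request timed out" in line or "unreachable" in line:
            lost += 1
    return rtts, lost

def assess_link(rtts, lost, threshold_ms=200):
    """Summarise RTT and loss, then compare against the locator wait windows
    and the 200 ms rule of thumb from the first answer (threshold_ms)."""
    total = len(rtts) + lost
    result = {
        "probes": total,
        "loss_pct": round(100.0 * lost / total, 1) if total else 0.0,
        "median_ms": statistics.median(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
        "over_threshold": sum(r > threshold_ms for r in rtts),
    }
    # Replies slower than a window arrive after the client has stopped
    # waiting on that locator attempt; count them per window.
    for tier, wait in LOCATOR_WAIT_MS.items():
        result[f"slower_than_{tier}"] = sum(r > wait for r in rtts)
    # The first answer's threshold: median above it means "will have issues".
    result["over_200ms_rule"] = bool(rtts) and result["median_ms"] > threshold_ms
    return result
```

Feed `parse_ping` the output of a longer run (for example `ping -n 50 <dc>` from a remote client) to get a loss percentage that is meaningful at the 1 to 2 percent level the question reports.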
Commented:
1. Is the current response time way too slow?
     Faster is better, but DCs will be able to handle slow connections, as you can configure when they replicate to each other.

2. Should the response time be less than 20ms?
     Faster response times usually = more money to get the increased speed from your ISP.

3. Are there any specification references regarding VPN performance to support Active Directory?
     I have a similar setup to what you are proposing: one end of the VPN is on a 1.5/1.5 T1 and has 25 computers running Win 7 on it.
     Not really, as you can run it on a dial-up connection. It's not replicating huge amounts of data.

4. Is it really just best practice to have a DC / DNS at both sites, or should that be treated as a requirement?
     You should absolutely have a DC on each end. The subnet should also be different on each end so that all resolution requests are first handled locally by the DC and not sent out through your VPN. The local DC will handle all the logins for your users at that site, security, file sharing, network shares, etc. Treat this as an absolute requirement.

4.a. Given that the former (servers at both sites) is the requirement, should that be the same for Exchange Server?
     No, you only need 1 Exchange server; I would put it on the side that has the biggest bandwidth.
Stephen Hopkins, Lead Cybersecurity Engineer

Author

Commented:
Will be testing again on 10/20.  Will post results.
