Stephen Hopkins asked:

Ping Response over VPN for Active Directory and Exchange

I have a Server 2012 Domain Controller server and an Exchange 2013 server at one site. I have client stations at a remote site. A vendor has implemented a hardware VPN between the two sites using a Fortinet 60D. I am planning the join to domain for all the clients at the remote site (about 5 computers). I am used to response times over a VPN to be under 20ms with very few if any dropouts. This VPN channel provides a response time of 226ms to 2660ms with a dropout rate of 1 to 2 percent.

My understanding is the following for requests from clients to a domain controller:

When a client tries to locate a domain controller after it has received the IP address from DNS, it varies the time it waits for a response based on the number of domain controllers it has already pinged. For the first five domain controllers, it waits for 0.4 seconds, and for the next five domain controllers, it waits for 0.2 seconds. After 10 domain controllers have been pinged, the client uses a 0.1 second wait for the remaining requests.

So at best the response time over the VPN is .2 seconds. It seems to me that under load of 5 clients and the load of the Exchange Server 2013 / client traffic this VPN channel will not suffice and will provide poor performance. I am also concerned that any "failed" handshakes, communication, etc. will impact the flow of data on the VPN channel, at the primary office and the remote office. I am expecting that once I join a remote client to the domain, I will effectively bring the performance of both sites down considerably.

I searched the Microsoft TechNet and MSDN areas and could not find much in the way of definitive references to minimum response performance requirements for a VPN in an Active Directory environment. I am expecting that the answer is 1) the response time is too slow and 2) there should be a domain controller and DNS at each location regardless of the VPN response time.

I have found several notes online of claims that VPNs are insensitive to ping response tests. I can understand that with a VPN in isolation, but my tests are from client to server, which is a representation of how data would flow once the client is joined to the domain.

I did look at netdiag, but I am not sure how I can use it at the remote site since those machines are all clients.

I am looking to confirm:
1. Is the current response time way too slow?
2. Should the response time be less than 20ms?
3. Are there any specification references regarding VPN performance to support Active Directory?
4. Is it really just best practice to have a DC / DNS at both sites or should that be treated as a requirement?
4.a. Given that the former (servers at both sites) is the requirement, should that be the same for Exchange Server?
Active Directory, Exchange, Windows Server 2012, Windows Networking, VPN
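
An added example, not part of the original question: a small parser that scores Windows `ping` output from a remote-site client against the domain controller wait schedule as the question states it. The sample output, the 192.0.2.10 placeholder address and the function names are constructed for illustration, and ICMP round-trip time is used as a stand-in for the locator's own probe.

```python
import re

# Wait schedule exactly as the question states it, converted to milliseconds.
def locator_wait_ms(dcs_already_pinged):
    if dcs_already_pinged < 5:
        return 400
    if dcs_already_pinged < 10:
        return 200
    return 100

# Matches "time=226ms" and "time<1ms" in Windows ping reply lines.
REPLY = re.compile(r"time[=<](\d+)\s*ms", re.IGNORECASE)

def parse_ping(text):
    """Return (list of RTTs in ms, number of lost probes) from ping output."""
    rtts, lost = [], 0
    for line in text.splitlines():
        match = REPLY.search(line)
        if match:
            rtts.append(int(match.group(1)))
        elif "timed out" in line.lower() or "unreachable" in line.lower():
            lost += 1
    return rtts, lost

def answered_in_time(rtts, lost, dcs_already_pinged=0):
    """Fraction of all probes answered inside the wait window."""
    total = len(rtts) + lost
    if total == 0:
        raise ValueError("no probes found in input")
    wait = locator_wait_ms(dcs_already_pinged)
    return sum(1 for rtt in rtts if rtt <= wait) / total

# Constructed sample: times chosen to fall in the range the question reports.
SAMPLE = """\
Reply from 192.0.2.10: bytes=32 time=226ms TTL=127
Reply from 192.0.2.10: bytes=32 time=310ms TTL=127
Request timed out.
Reply from 192.0.2.10: bytes=32 time=2660ms TTL=127
Reply from 192.0.2.10: bytes=32 time=395ms TTL=127
Reply from 192.0.2.10: bytes=32 time=780ms TTL=127
Reply from 192.0.2.10: bytes=32 time=240ms TTL=127
Reply from 192.0.2.10: bytes=32 time=1200ms TTL=127
"""

if __name__ == "__main__":
    rtts, lost = parse_ping(SAMPLE)
    for pinged in (0, 5, 10):
        share = answered_in_time(rtts, lost, pinged)
        print(f"wait {locator_wait_ms(pinged)} ms: {share:.0%} answered in time")
```

Feeding it a longer capture taken at different times of day shows how often a reply would miss each wait window, which is more informative than the minimum and maximum alone.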

Stephen Hopkins
Will be testing again on 10/20.  Will post results.
