Stephen Hopkins

Ping Response over VPN for Active Directory and Exchange

I have a Server 2012 Domain Controller server and an Exchange 2013 server at one site. I have client stations at a remote site. A vendor has implemented a hardware VPN between the two sites using a Fortinet 60D. I am planning the join to domain for all the clients at the remote site (about 5 computers). I am used to response times over a VPN being under 20ms with very few if any dropouts. This VPN channel provides a response time of 226ms to 2660ms with a dropout rate of 1 to 2 percent.

My understanding is the following for requests from clients to a domain controller:

When a client tries to locate a domain controller after it has received the IP address from DNS, it varies the time it waits for a response based on the number of domain controllers it has already pinged. For the first five domain controllers, it waits for 0.4 seconds, and for next five domain controllers, it waits for 0.2 seconds. After 10 domain controllers have been pinged, the client uses a 0.1 second wait for the remaining requests.

So at best the response time over the VPN is .2 seconds. It seems to me that under the load of 5 clients and the load of the Exchange Server 2013 / client traffic this VPN channel will not suffice and will provide poor performance. I am also concerned that any "failed" handshakes, communication, etc. will impact the flow of data on the VPN channel, at the primary office and the remote office. I am expecting that once I join a remote client to the domain, I will effectively bring the performance of both sites down considerably.

I searched the Microsoft TechNet and MSDN areas and could not find much in the way of definitive references to minimum response performance requirements for a VPN in an Active Directory environment. I am expecting that the answer is 1) the response time is too slow and 2) there should be a domain controller and DNS at each location regardless of the VPN response time.

I have found several notes online of claims that VPNs are insensitive to ping response tests.  I can understand that with a VPN in isolation, but my tests are from client to server which is a representation of how data would flow once the client is joined to the domain.

I did look at netdiag, but I am not sure how I can use it at the remote site since those machines are all clients.

I am looking to confirm:
1. Is the current response time way too slow?
2. Should the response time be less than 20ms?
3. Are there any specification references regarding VPN performance to support Active Directory?
4. Is it really just best practice to have a DC / DNS at both sites or should that be treated as a requirement?
4.a.  Given that the former (servers at both sites) is the requirement, should that be the same for Exchange Server?
Tags: Active Directory, Exchange, Windows Server 2012, Windows Networking, VPN
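The wait schedule quoted in the question can be checked against ping output captured on a remote client. The following is an added example, not part of the original post or any answer: it parses Windows `ping` output and reports what share of probes would miss each wait window. The function names and the sample output (documentation address 192.0.2.10) are constructed, and ICMP round-trip time is assumed here as a stand-in for the locator's own LDAP ping.

```python
import re

def locator_wait(dc_index):
    """Wait in seconds as quoted in the question; dc_index is 0-based
    (DCs 1-5 -> 0.4 s, DCs 6-10 -> 0.2 s, later DCs -> 0.1 s)."""
    if dc_index < 5:
        return 0.4
    if dc_index < 10:
        return 0.2
    return 0.1

REPLY = re.compile(r"time[=<](\d+)ms")

def parse_ping(text):
    """Return RTTs in seconds from Windows ping output; None marks a lost probe."""
    rtts = []
    for line in text.splitlines():
        m = REPLY.search(line)
        if m:
            rtts.append(int(m.group(1)) / 1000.0)
        elif "timed out" in line.lower():
            rtts.append(None)
    return rtts

def miss_rate(rtts, wait):
    """Fraction of probes whose reply is lost or arrives after the wait."""
    if not rtts:
        raise ValueError("no probes parsed")
    return sum(1 for r in rtts if r is None or r > wait) / len(rtts)

def report(rtts, dc_count):
    """(DC position, wait, miss rate) for a site with dc_count controllers."""
    return [(i + 1, locator_wait(i), miss_rate(rtts, locator_wait(i)))
            for i in range(dc_count)]

# Constructed sample within the range the question reports (226 ms to 2660 ms).
SAMPLE = """\
Reply from 192.0.2.10: bytes=32 time=226ms TTL=127
Reply from 192.0.2.10: bytes=32 time=340ms TTL=127
Reply from 192.0.2.10: bytes=32 time=910ms TTL=127
Request timed out.
Reply from 192.0.2.10: bytes=32 time=2660ms TTL=127
Reply from 192.0.2.10: bytes=32 time=398ms TTL=127
Reply from 192.0.2.10: bytes=32 time=405ms TTL=127
Reply from 192.0.2.10: bytes=32 time=251ms TTL=127
"""

if __name__ == "__main__":
    for pos, wait, rate in report(parse_ping(SAMPLE), 1):
        print(f"DC #{pos}: wait {wait:.1f}s, {rate:.0%} of probes miss the window")
```

Replace `SAMPLE` with the output of a longer `ping -n` run from a remote client to the domain controller to get a rate based on real measurements.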

Last Comment
Stephen Hopkins

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Will Szymkowski

SOLUTION
Vince Glisson

Stephen Hopkins

ASKER
Will be testing again on 10/20.  Will post results.
Stephen Hopkins

ASKER