We help IT Professionals succeed at work.
Get Started

Ping Response over VPN for Active Directory and Exchange

Last Modified: 2015-10-17
I have a Server 2012 Domain Controller server and a Exchange 2013 server at one site.   I have client stations at a remote site.   A vendor has implemented a hardware VPN between the two sites using a Fortinet 60D.   I am planning the join to domain for all the clients at the remote site (about 5 computers).   I am used to response times over a VPN to be under 20ms with very few if any dropouts.   This VPN Channel provides a response time 226ms to 2660ms with a dropout rate of 1 to 2 percent.  

My understanding is the following for requests from clients to a domain controller:

When a client tries to locate a domain controller after it has received the IP address from DNS, it varies the time it waits for a response based on the number of domain controllers it has already pinged. For the first five domain controllers, it waits for 0.4 seconds, and for next five domain controllers, it waits for 0.2 seconds. After 10 domain controllers have been pinged, the client uses a 0.1 second wait for the remaining requests.

So at best the response time over the VPN is .2 seconds.  It seems to me that under load of 5 clients and the load of the Exchange Server 2013 / client traffic this VPN channel will not suffice and provide poor performance.   I am also concerned that any "failed" handshakes, communication, etc. will impact the flow of data on the VPN channel, at the primary office and the remote office.   I am expecting that once I join a remote client to the domain, I will effectively bring the performance of both sites down considerably.

I searched the Microsoft TechNet and MSDN areas and could not find much in the way of definitive references to minimum response performance requirements for a VPN in a Active Directory environment.   I am expecting that the answer is 1) the response time is too slow and 2) there should be a domain controller and DNS at each location regardless of the VPN response time.

I have found several notes online of claims that VPNs are insensitive to ping response tests.  I can understand that with a VPN in isolation, but my tests are from client to server which is a representation of how data would flow once the client is joined to the domain.

I did look at netdiag, but not sure how I can use at the remote site since those machines are all clients.

I am looking to confirm:
1.  Is the current response time is way too slow?
2.  Should the response time be less than 20ms?
3.  Are there any specification references regarding VPN performance to support Active Directory?
4,  Is it really just best practice to have a DC / DNS at both sites or Should that be treated as a requirement?
4.a.  Given that the former (servers at both sites) is the requirement, should that be the same for Exchange Server?
Watch Question
This problem has been solved!
Unlock 2 Answers and 4 Comments.
See Answers
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE