Basic Bandwidth requirements for DC/GC replication

redbandana

I've been digging but haven't found the reference yet. Does MS have a
minimum bandwidth requirements statement for Win2k and Win2k3 domain
controller and global catalog server replication? Thanks.
 
Cary Shultz [A.D. MVP]

Red,

Anything under 512kbps, by default, is considered to be a slow link in
WIN2000. Not really sure about WIN2003 as I have not really looked at that
in any detail yet. There are some things that do not replicate when a slow
link is detected. All of this can be changed, however.

HTH,

Cary
 
redbandana

Cary

Thanks for the reply. I have a customer who insists all his 56 kb sites are
going to be aOK. If you have a link to the doc regarding what doesn't
replicate on a slow link I would greatly appreciate it. Thanks.
 
Cary Shultz [A.D. MVP]

Red,

No problem.

Registry and security settings as well as IPSec and EFS settings are always
applied while Disk Quotas, Folder Redirection, IE Settings, Scripts and
Software Deployment via GPO are not applied, by default.

This is on page 132 of the Windows 2000 Group Policy, Profiles and
IntelliMirror book by Jerry Moskowitz.

It also tells you where to change the 'definition' of what a slow link is.

HTH,

Cary
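The slow-link threshold Cary describes is a Group Policy setting that can be read and changed on any client. The following PowerShell is an added example, not code from Cary's post or from the book he cites. It relies on the registry value written by the "Group Policy slow link detection" policy (Computer Configuration > Administrative Templates > System > Group Policy), which is GroupPolicyMinTransferRate under HKLM\SOFTWARE\Policies\Microsoft\Windows\System; Microsoft's documented default when the policy is not configured is 500 Kbps (the 512 in the thread is the customary round-up). Run it in an elevated PowerShell on the client whose behaviour you are checking.

```powershell
# Added example (not from the thread): inspect and change the Group Policy slow-link threshold.
# Group Policy measures the link to the DC in Kbps and compares it with this threshold. Below it the
# link is "slow" and, by default, the client-side extensions for disk quotas, folder redirection,
# IE maintenance, scripts and software installation skip processing, while registry, security,
# IPSec and EFS settings are still applied.

$SlowLinkKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$SlowLinkValue = 'GroupPolicyMinTransferRate'
$DefaultKbps   = 500   # Microsoft's default when the policy is "Not configured"

function Get-GpSlowLinkThreshold {
    # Returns the effective threshold in Kbps and where it came from.
    $item = Get-ItemProperty -Path $SlowLinkKey -Name $SlowLinkValue -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Kbps = $DefaultKbps; Source = 'default (policy not configured)' }
    }
    # A value of 0 disables slow-link detection: every link is treated as fast.
    return [pscustomobject]@{ Kbps = [int]$item.$SlowLinkValue; Source = "$SlowLinkKey\$SlowLinkValue" }
}

function Set-GpSlowLinkThreshold {
    param([Parameter(Mandatory)][ValidateRange(0, 1000000)][int]$Kbps)
    # Writing the Policies key directly is what a local GPO would do. In a domain, set the same
    # policy in a GPO instead, otherwise the next policy refresh overwrites your value.
    if (-not (Test-Path $SlowLinkKey)) { New-Item -Path $SlowLinkKey -Force | Out-Null }
    New-ItemProperty -Path $SlowLinkKey -Name $SlowLinkValue -PropertyType DWord -Value $Kbps -Force | Out-Null
}

function Test-GpLinkIsSlow {
    # Given a measured link speed in Kbps, reports whether Group Policy would call it slow.
    param([Parameter(Mandatory)][int]$MeasuredKbps)
    $t = Get-GpSlowLinkThreshold
    if ($t.Kbps -eq 0) { return $false }   # detection disabled
    return $MeasuredKbps -lt $t.Kbps
}

# Usage:
$current = Get-GpSlowLinkThreshold
"Effective slow-link threshold: $($current.Kbps) Kbps ($($current.Source))"

# A 56K or 128K site is slow under the default; a 512K line sits just above it and counts as fast.
foreach ($kbps in 56, 128, 512) {
    "{0,4} Kbps link -> treated as slow: {1}" -f $kbps, (Test-GpLinkIsSlow -MeasuredKbps $kbps)
}

# To let scripts and software installation apply at 128K sites, lower the threshold below 128,
# then refresh policy:
#   Set-GpSlowLinkThreshold -Kbps 100
#   gpupdate /force
```

Lowering the threshold only changes which links count as slow; the per-extension switch ("Allow processing across a slow network connection" under each extension's policy processing setting) is what makes an individual extension run over a link that is still classed as slow.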
 
Trust No One®

redbandana said:
Cary

Thanks for the reply. I have a customer who insists all his 56 kb
sites are going to be aOK. If you have a link to the doc regarding
what doesn't replicate on a slow link I would greatly appreciate it.
Thanks.

Where DC replication is concerned, each individual AD implementation has
unique characteristics and it is very difficult to give a generic formula
which suits all cases. In our branch office deployment a leased circuit
above 64K is a luxury :)

We've set a lower limit of 32K for deployment of a branch domain controller.
However due to an administrative error a 16K site slipped through the net
and ended up with a domain controller. In all honesty it works brilliantly,
though we did need to tweak the replication to happen outside local office
hours. The users there appreciate the DC as logon now takes less than a
minute compared to 10+ minutes when they didn't have a DC :)

However we don't use Exchange and make minimal use of Group Policy so we
have more flexibility there.

Ages back I found a useful white paper on designing AD authentication
topologies and it made the point that login validation traffic volumes are
typically more of an issue than DC replication traffic volumes. I was
sceptical at first but now that we're almost 18 months into our AD rollout
I'm coming around to accept this.

I've monitored the appropriate performance monitor counters and typical
replication traffic volumes are negligible in the grand scheme of things.
For instance there was just under 1.5 Mb total (after compression) over a 1
week period into a remote site with 300+ users. This figure was higher than
normal as this was the week we applied the schema changes to support Windows
2003 domain controllers, and a number of bulk user account additions took
place :)

We did do extensive lab testing before deployment and did have an external
consultant available during part of the design phase, and finally we met
with the "techies" from other companies with large AD implementations. It
certainly is possible to "push" the MS recommendations, though you need to
understand the implications and take these into account in your design.

hth
 
redbandana

Dana! Wow, I've got mail from one of my fav's too! Oh, and thanks to you
too Peter. ;>

So, as I see it, your tiny bandwidth sites are 'punished' mostly during
login and then things smooth out. Are the spokes to the mistake 16kb hub
benefiting from logging into it also? Thanks for your response!
 
Trust No One®

redbandana said:
Dana! Wow, I've got mail from one of my fav's too! Oh, and thanks
to you too Peter. ;>

So, as I see it, your tiny bandwidth sites are 'punished' mostly
during login and then things smooth out. Are the spokes to the
mistake 16kb hub benefiting from logging into it also? Thanks for
your response!

Could you clarify whether your customer who insists that 56K sites are
"aOK" plans to install domain controllers at these sites?

Cary's response covers the area of Group Policy processing when logins are
over "slow" links while my earlier post assumed you were considering
deploying domain controllers locally at the 56K sites.

If you are deploying local domain controllers then GP processing over slow
links is no longer an issue as the GPs and directory updates will replicate
to these domain controllers via FRS and Directory Services replication
respectively; logins at these sites will therefore be much faster than if
you were going over the WAN. The point I made earlier is that the volume of
replication traffic over the WAN (as a result of deploying DCs locally) will
in general tend to be less of an issue than authentication traffic were
local DCs not deployed.

Of course deploying domain controllers introduces additional costs and
management/support overheads. If costs are prohibitive or the number of
users at these sites is small then it may not be a cost-effective option.
There is usually no point for instance in deploying a local DC at a site
where 2 users are sharing a 56K circuit :)

Our network is a branch office type with 2 "hub" datacentres and several
hundred remote branches linked to the datacentres by circuits ranging from
8K to 512Mb/s. Early in the AD design phase we decided that locations with <
32K circuits would have to continue to fend for themselves and logon over
the WAN, while locations > 32K would receive a local domain controller. This
ensured that we had a manageable total number of DCs in the forest and
ensured that the "bridgehead" DCs in the Data Centres could comfortably
service the inbound/outbound replication demands from the DCs in the
branches.

My experience is that the replication traffic tends to be minimal when
compared to traffic volumes of other mission critical traffic (which has
priority on the circuits BTW). If say 1000 users are added to the AD domain,
then the effect will be a one-off "blip" during the next replication cycle.
Bear in mind that replication traffic is typically compressed to up to 10%
of its original size before being sent over the wire. There are performance
monitor counters (under the NTDS object) which give you replication traffic
volumes in/out the site both before and after compression.

Bear in mind also that our AD is currently running under W2K. I understand
that the replication algorithms are even more efficient under Windows 2003
:)

In response to your question, the network profiling reports for sites
without local domain controllers tend to follow predictable patterns with
sharp sustained spikes during the morning when users logon to the network
over the WAN. These smooth out as the day goes on. A local DC reduces the
spikes as most of the login validation traffic is constrained to the local
site. Local users at DCless sites have conditioned themselves to making a
cup of coffee during the login and returning 5 to 10 minutes later after it
has completed. LOL!

My experience of the "mistake" 16K site is that the local domain controller
has not adversely affected existing business critical traffic and the users
are benefiting from the vastly improved login times. The domain controller
in question has never once failed to replicate with the bridgeheads in the
DataCentre. The only minor negative is support - during the working day it
is virtually impossible to administer the domain controller remotely via
terminal services as the circuit is heavily utilized then. We tailored the
replication to take place outside local working hours, reducing circuit
congestion at the expense of replication latency.

Finally we are slowly introducing VPN into some of our remote locations. VPN
has been a mixed bag with some locations working perfectly whereas others
have been a royal pain with oceans of red in the event logs and needing
adjustments to MTU sizes in particular. Seems to depend on which ISP is
involved :)

Anyway I ramble on.. Hopefully you have some food for thought now as to
whether to go with local DCs at the 56K sites or depend on your circuits for
login validation. AD replication (over low speed RPC) seems remarkably
robust even over low bandwidth connections. In the run up to our AD
migration we heard many a horror story of networks being flooded by
replication traffic and AD rollouts grinding to an ignominious halt. In
practice replication traffic has been the least of our worries.

Note finally that the Windows 2003 server deployment kit (comprehensive free
download on the MS website) quotes figures of a single AD domain with a
slowest link of 56K between DCs (of which 1% of the circuit is available to
AD replication) supporting a maximum of 10,000 users. This figure rises to
50,000 users if 5% of the bandwidth is available and 100,000 users if 10% of
the bandwidth is available.

hth
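As an added example (not code from Trust No One or from the Deployment Kit), the PowerShell below samples the NTDS counters mentioned above to put a figure on inter-site replication volume and compression ratio on a bridgehead DC, and turns the Deployment Kit's "share of a 56K link reserved for AD replication" sizing into a byte budget to compare against. It assumes PowerShell 2.0 or later (for Get-Counter) run on, or remotely against, a Windows Server 2003 or later domain controller; the counter names are those of the NTDS performance object. The user-count figures quoted from the Deployment Kit are not reproduced here, only the bandwidth arithmetic behind them.

```powershell
# Added example (not from the thread): measure inter-site replication bytes with the NTDS
# "DRA ... Bytes Compressed (Between Sites, ...)" counters and compare with a link budget.

$ReplCounters = @(
    '\NTDS\DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec',
    '\NTDS\DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec',
    '\NTDS\DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec',
    '\NTDS\DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec'
)

function Measure-ReplicationVolume {
    # Samples the four counters every $IntervalSeconds, $Samples times, and returns byte totals.
    # The counters are per-second rates averaged over each interval, so bursts inside an interval
    # are smoothed; for a weekly figure run this from a scheduled task and add the results up.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$IntervalSeconds = 60,
        [int]$Samples         = 60          # 60 x 60 s = one hour
    )
    $totals = @{}
    foreach ($c in $ReplCounters) { $totals[$c] = 0.0 }

    $sets = Get-Counter -ComputerName $ComputerName -Counter $ReplCounters `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            # Paths come back fully qualified and lower-cased (\\host\ntds\...), so match on the tail.
            $key = $ReplCounters |
                   Where-Object { $s.Path.EndsWith($_, [StringComparison]::OrdinalIgnoreCase) } |
                   Select-Object -First 1
            if ($key) { $totals[$key] += $s.CookedValue * $IntervalSeconds }   # bytes/s * s = bytes
        }
    }

    $before  = $totals[$ReplCounters[0]] + $totals[$ReplCounters[2]]
    $after   = $totals[$ReplCounters[1]] + $totals[$ReplCounters[3]]
    $seconds = $IntervalSeconds * $Samples
    $ratio   = $null
    if ($before -gt 0) { $ratio = [math]::Round($after / $before, 2) }   # e.g. 0.10 = compressed to 10%

    [pscustomobject]@{
        ComputerName           = $ComputerName
        Seconds                = $seconds
        InboundBytesOnWire     = [long]$totals[$ReplCounters[1]]
        OutboundBytesOnWire    = [long]$totals[$ReplCounters[3]]
        CompressionRatio       = $ratio
        AverageWireBytesPerSec = [math]::Round($after / $seconds, 1)
    }
}

function Get-ReplicationBudget {
    # Bytes/s and MB/week that a given fraction of the slowest inter-site link leaves for replication.
    param([Parameter(Mandatory)][int]$LinkKbps, [Parameter(Mandatory)][double]$Fraction)
    $bytesPerSec = $LinkKbps * 1000 * $Fraction / 8
    [pscustomobject]@{
        LinkKbps      = $LinkKbps
        Fraction      = $Fraction
        BytesPerSec   = [math]::Round($bytesPerSec, 1)
        MBytesPerWeek = [math]::Round($bytesPerSec * 7 * 24 * 3600 / 1MB, 1)
    }
}

function Compare-ReplicationToBudget {
    param([Parameter(Mandatory)]$Measurement, [Parameter(Mandatory)]$Budget)
    [pscustomobject]@{
        AverageWireBytesPerSec = $Measurement.AverageWireBytesPerSec
        BudgetBytesPerSec      = $Budget.BytesPerSec
        PercentOfBudget        = [math]::Round(100 * $Measurement.AverageWireBytesPerSec / $Budget.BytesPerSec, 1)
    }
}

# Usage on a hub bridgehead (hostname is a placeholder):
#   $m = Measure-ReplicationVolume -ComputerName 'hub-dc01' -IntervalSeconds 60 -Samples 60
#   $b = Get-ReplicationBudget -LinkKbps 56 -Fraction 0.01     # 1% of 56K = 70 bytes/s, about 40 MB/week
#   Compare-ReplicationToBudget -Measurement $m -Budget $b
```

Measure during the window in which replication is actually scheduled; a site whose link schedule confines replication to off-hours, like the 16K site above, will show nothing during the day and a burst at night, and the burst, not the daily average, is what competes with business traffic on the circuit.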
 
Diane McCorkle

Also of note...

Slower sites have issues with UDP timing out so we set them to use TCP with
Kerberos to be safe.. http://support.microsoft.com/?id=244474 This is of
particular interest if you're trying to do a DCPROMO over a slow WAN link.

We've also had to work around VPN headers: KB 159211, Diagnoses and Treatment of
Black Hole Routers
http://support.microsoft.com/?id=159211

We have a fully meshed AD network of 35 sites in 35 different states many on
slow links, these tips might make your life a lot easier if they wind up
trying to do it over slow links..

Diane
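The Kerberos change Diane refers to (KB 244474) is a single registry value. The PowerShell below is an added example, not code from Diane's post or from the KB article: it reports the current Kerberos transport setting, applies the KB's change, and first checks that the KDC is actually reachable on TCP port 88 through whatever firewall or VPN sits between the branch and the DC, since forcing TCP does nothing useful if only UDP/88 is open. On Windows 2000/XP/2003 Kerberos uses UDP for messages up to MaxPacketSize bytes (default 2000) and TCP above that; setting MaxPacketSize to 1 forces TCP for everything. Windows Vista/Server 2008 and later already default to TCP, so this matters for the older clients and DCs discussed in this thread. Hostnames are placeholders.

```powershell
# Added example (not from the thread): inspect and apply the KB 244474 "force Kerberos over TCP"
# setting, with a reachability check on TCP/88 beforehand.

$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosTransport {
    # Reads MaxPacketSize; absent means the OS default (UDP up to 2000 bytes on 2000/XP/2003).
    $v = (Get-ItemProperty -Path $KerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
    if ($null -eq $v) {
        return [pscustomobject]@{ MaxPacketSize = $null; Mode = 'OS default (not set)' }
    }
    $mode = if ($v -le 1) { 'TCP for all requests' } else { "UDP up to $v bytes, TCP above" }
    [pscustomobject]@{ MaxPacketSize = [int]$v; Mode = $mode }
}

function Test-KdcTcpReachable {
    # Opens a TCP connection to port 88 on the KDC with a timeout; true if the handshake completes.
    param([Parameter(Mandatory)][string]$Kdc, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Kdc, 88, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # timed out
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Set-KerberosForceTcp {
    # The KB's registry edit: MaxPacketSize = 1 (REG_DWORD). Reboot the machine afterward as the
    # KB instructs; on a DC this applies to the LSA's own Kerberos client, e.g. during dcpromo.
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    Set-ItemProperty -Path $KerbKey -Name MaxPacketSize -Type DWord -Value 1
}

# Usage (run elevated on the branch machine or the DC being promoted):
Get-KerberosTransport
$kdc = 'dc01.corp.example'                 # placeholder: the DC the branch authenticates against
if (Test-KdcTcpReachable -Kdc $kdc) {
    "TCP/88 to $kdc is open; safe to force Kerberos over TCP."
    # Set-KerberosForceTcp
} else {
    "TCP/88 to $kdc is blocked or filtered; open it before forcing TCP, or logons will fail outright."
}
```

The order matters: on a link where UDP Kerberos is already timing out, switching to TCP without confirming the port is open turns an intermittent failure into a hard one.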





Draco

Hey, Trust No One and Diane. I was wondering if you could clarify some
of your problems with MTUs. We're having some issues here with
replication in remote sites, but I've not really found definitive
documentation on deciding if black hole routers are the problem and
when to bother changing MTUs. I think this may be our problem, but I'm
having some trouble finding a definite answer. I have found out the
MTU that works, but so what. Do I need to set that on all DCs? What
did you have to go through?

Thanks in advance!




--
Draco
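As an added example bearing on the question above and on Diane's KB 159211 reference (not code from either poster or from Microsoft), the PowerShell below probes the path MTU from one DC toward its replication partner with `ping -f -l`, and separates two different failure modes: a clean "Packet needs to be fragmented but DF set" means the path is returning ICMP feedback and path MTU discovery is working, whereas a silent timeout at a size that smaller probes survive is the black-hole symptom KB 159211 describes, a router dropping oversized packets without the ICMP message. It then reads the Tcpip parameters the KB uses and lists the two remedies as commented commands. Assumptions: an English-language Windows (the ping output is matched on its English text), hostnames as placeholders, and a 1500-byte Ethernet MTU on the probing host (1472-byte payload plus 28 bytes of IP and ICMP headers).

```powershell
# Added example (not from the thread): path MTU probe with DF set, black-hole classification,
# and the KB 159211 registry settings.

function Invoke-DfPing {
    # One ICMP echo of $Payload bytes with Don't Fragment set; classifies the outcome.
    param([Parameter(Mandatory)][string]$Target, [Parameter(Mandatory)][int]$Payload, [int]$TimeoutMs = 2000)
    $out = & ping.exe -n 1 -f -l $Payload -w $TimeoutMs $Target 2>&1 | Out-String
    if ($out -match 'bytes=\d+')               { return 'ok' }          # "Reply from ...: bytes=..."
    if ($out -match 'needs to be fragmented')  { return 'fragmented' }  # ICMP feedback received
    return 'silent'                                                     # dropped with no feedback
}

function Test-PathMtu {
    # Binary-searches the largest DF payload that gets a reply and records how the failures failed.
    param([Parameter(Mandatory)][string]$Target, [int]$MaxPayload = 1472)
    $lo = 32
    if ((Invoke-DfPing -Target $Target -Payload $lo) -ne 'ok') {
        throw "No reply from $Target even for a 32-byte probe; fix basic reachability first."
    }
    $hi = $MaxPayload; $fragFeedback = 0; $silentDrops = 0
    while ($lo -lt $hi) {
        $mid = [int][math]::Ceiling(($lo + $hi) / 2)
        switch (Invoke-DfPing -Target $Target -Payload $mid) {
            'ok'         { $lo = $mid }
            'fragmented' { $fragFeedback++; $hi = $mid - 1 }
            'silent'     { $silentDrops++;  $hi = $mid - 1 }
        }
    }
    [pscustomobject]@{
        Target                = $Target
        LargestPayload        = $lo
        PathMtu               = $lo + 28          # 20-byte IP header + 8-byte ICMP header
        FragmentationFeedback = $fragFeedback
        SilentDrops           = $silentDrops
        # Oversized packets vanish instead of triggering "needs to be fragmented": black hole.
        BlackHoleSuspected    = ($lo -lt $MaxPayload -and $silentDrops -gt 0 -and $fragFeedback -eq 0)
    }
}

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-PmtuSettings {
    # The two values KB 159211 discusses; absent means the OS default.
    $p = Get-ItemProperty -Path $TcpipParams
    $disc = $p.EnablePMTUDiscovery; if ($null -eq $disc) { $disc = 'not set (default 1: discovery on)' }
    $bh   = $p.EnablePMTUBHDetect;  if ($null -eq $bh)   { $bh   = 'not set (default 0: detection off on 2000/2003)' }
    [pscustomobject]@{ EnablePMTUDiscovery = $disc; EnablePMTUBHDetect = $bh }
}

# Usage from a branch DC toward its hub bridgehead (hostname is a placeholder):
$result = Test-PathMtu -Target 'hub-dc01.corp.example'
$result
Get-PmtuSettings

if ($result.BlackHoleSuspected) {
    "Path MTU is $($result.PathMtu) and the path gives no ICMP feedback: black-hole router likely."
    # Remedy A (KB 159211): let TCP notice the black hole and shrink its segments; reboot afterward.
    #   Set-ItemProperty -Path $TcpipParams -Name EnablePMTUBHDetect -Type DWord -Value 1
    # Remedy B: pin the WAN-facing adapter's MTU to the measured path MTU so large RPC segments
    # never need fragmenting.
    #   Windows 2000/2003: DWORD 'MTU' under $TcpipParams\Interfaces\<adapter GUID>
    #   Vista/2008 and later: netsh interface ipv4 set subinterface "Local Area Connection" mtu=$($result.PathMtu) store=persistent
}
```

The probe measures one path, so run it from each DC toward the partner it replicates with; a branch whose WAN or VPN path is clean needs neither change, and pinning a lower MTU on DCs that never cross the problem link only costs them throughput.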
 
