ad replication

Guest

I am currently planning for a pan-European design for AD 2003 in 110
countries and have a question regarding AD replication and link speeds etc.

Does anybody know the smallest link size that AD can use to transfer
directory based replication??? Are there any official stats or any
recommendations that you know of?

Thanks in advance
Adam Trutwein
 
Herb Martin

TrutweinA said:
I am currently planning for a pan european design for AD 2003 in 110
countries and have a question regarding AD replication and link speeds
etc.

You need to run some tests for anything like that.

I didn't think there were 110 countries in Europe.

Does anybody know the smallest link size that AD can use to transfer
directory based replication??? Are there any official stats or any
recommendations that you know of?

There is no technical limit, but eventually you
will have trouble with the (default) RPCs.

RPCs suffer more from LATENCY (than raw
bandwidth issues) and from poor quality (noisy)
lines with high error rates.

In theory at least a (high quality, probably dedicated)
9600 BPS line can replicate AD, but only IF the
latency is relatively low. Even in Eastern Europe,
I hope you are not having to use anything THAT
slow -- and note for those older phone systems it
is probably the error rates that will get you.

Once you have it working, there will of course need
to be enough bandwidth to support the actual data
transfers but AD is extremely efficient at replication
so most people are surprised at the (low) levels.

Also note, that if you are willing to have separate
domains you can use SMTP as the replication
protocol and this means that you can replicate
basically anywhere you can transfer email reliably.

SMTP is very forgiving of errors and low bandwidth.
 
Gary Simmons

Latency is the filler for Domain NC replication..

If you use SMTP replication it will only replicate Schema and Config
NC, so you are going to need to use multiple domains i.e. one for each
site you create..

However in doing so you will constrain users from logging into their
own site only, as the potential WAN speeds between each site (as you
indicate) will be low so cross-site authentication will be very slow.

Even with one domain per site model you still will get RPC replication
happening for GC replication between the domains, which could be large
with many domains..

As indicated you need to test this out in order to understand where
the balance in replication against availability is..

Cheers
Gary Simmons

(e-mail address removed)
 
Herb Martin

Gary Simmons said:
Latency is the filler for Domain NC replication..

Is that killer? (I agree).

Also noise/errors on the line. RPCs don't recover
errors well.

If you use SMTP replication it will only replicate Schema and Config
NC, so you are going to need to use multiple domains i.e. one for each
site you create..

As I mentioned, it will require a separate domain
across any link (to a location) which uses SMTP.

GCs can however replicate across this:

Google: [ gc "replication * smtp" | "smtp * replication" domain forest ]

However in doing so you will constrain users from logging into their
own site only, as the potential WAN speeds between each site (as you
indicate) will be low so cross-site authentication will be very slow.

If you replicate the GC it should allow for the login.

Even with one domain per site model you still will get RPC replication
happening for GC replication between the domains, which could be large
with many domains..

See above...

As indicated you need to test this out in order to understand where
the balance in replication against availability is..

Yes, testing is definitely in order -- very few people
have actually used SMTP replication in serious
production settings.
 
Gary Simmons

Hi..

Yes fair comment on the GC over SMTP, however I'm yet to come across
any environments that actually use SMTP for replication - so the point
was easily missed..

In order to authenticate correctly a home DC is required - GC on its
own is not enough.. GCs don't hold Domain Local Groups, so any AGLP
nesting would not be fully satisfied if only a GC from a foreign
domain is used for authentication.. The GC requirement is there in
order to resolve Universal Group memberships..

Oh yes and I do mean Killer for RPC :)

Cheerio
Gary Simmons

(e-mail address removed)

 
Guest

Thanks for your posts... I am currently working with the US on this and they
have final say so on the design and we have been told that there can be only
1 domain for EMEA (the design is not just Europe now...!). I have
implemented SMTP style replication before as we had a country in Bahrain
using a 64KB sat link... it works, but it's a pain in the a55 to set up and get
working correctly.

The types of links that I'm thinking is probably going to be 64KB links or
worse to countries like Kazakhstan.

Point taken about transmission errors and other overheads. Is there any
point to which RPC errors will just fail and totally stop sending, if it
can't send the info in 1MB chunks? Or will it continually keep on trying
until it does send the info or doesn't?

Granted testing will need to be completed to find out the true nature of
link speeds, overheads and the testing of the AD replication.

I would have thought Microsoft would have produced some documentation as to
what a minimum or recommended link speed would be to transfer AD replication
though? But I guess this does have quite a lot of dependencies

Thanks
Adam

 
Herb Martin

implemented SMTP style replication before as we had a country in Bahrain
using a 64KB sat link... it works, but it's a pain in the a55 to set up and get
working correctly.

Gosh I am glad you mentioned Bahrain and
Kazakhstan -- Since you claimed a 100+
pan-European deployment and there aren't
that many countries IN EUROPE, I was
beginning to suspect a bogus post.

Point taken about transmission errors and other overheads. Is there any
point to which RPC errors will just fail and totally stop sending, if it
can't send the info in 1MB chunks? Or will it continually keep on trying
until it does send the info or doesn't?

There is no "technical limit" if the RPCs
work and that HAS worked down to 9600
bps on high quality, low latency (probably
only dedicated/pinned) lines.

At your 64kbs (available?) you will get
through most of the time (which is probably
good enough) IF the lines are good enough
but you still have to test.

Granted testing will need to be completed to find out the true nature of
link speeds, overheads and the testing of the AD replication.

I would have thought Microsoft would have produced some documentation as to
what a minimum or recommended link speed would be to transfer AD replication
though? But I guess this does have quite a lot of dependencies

They have; it's all over the web site and in
several MS Press books -- however, I gave you
a rough summary of that and a bit of experience
but nothing like 100 countries across Eurasia
including the Middle East.



--
Herb Martin


 
Guest

Cool thanks for that... yeah my teachers at school said that I was a bit
geographically challenged!!!

 
ptwilliams

There's a book that may come in handy - in fact, Herb may have been one of
the authors, it's called Managing Enterprise Active Directory
Services - Notes from the field (or something like that. It's a notes from
the field book written by MS Consulting). This goes into all this in quite
some depth, I believe.

Then again, you've been given a pretty good summary, and the only real way
from here on is to test and test again. There is however, a free tool
called the AD Sizer which may be able to help you. Search MS (using Google
;-) for that.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 
Herb Martin

ptwilliams said:
There's a book that may come in handy - in fact, Herb may have been one of
the authors,

FYI: No, but thanks for the vote of confidence,

I think some of them were friends of mine however.

...it's called Managing Enterprise Active Directory
Services - Notes from the field (or something like that. It's a notes from
the field book written by MS Consulting). This goes into all this in quite
some depth, I believe.

Then again, you've been given a pretty good summary, and the only real way
from here on is to test and test again. There is however, a free tool
called the AD Sizer which may be able to help you. Search MS (using Google
;-) for that.

Yes.

Are the algorithms for AD Sizer documented
anywhere?

(I don't like its black box approach.)
 
ptwilliams

I've not seen much about it and have yet to use it. Kouti and Seitsonen
weren't even allowed to show screenshots in Inside Active Directory: A
System Administrators Guide.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
