RE: [ActiveDir] AD Design Guidance

[Friese, Casey]

Title: Message

Roger,

 

The problem is appearing with the fiber modules in the switch and it's not just CRC errors.  I apologize for miss informing everyone.

The majority of the errors are excessive late collision errors

 

Late collisions (collisions detected after transmitting ~64 bytes) were detected on port I2.

 

The possible causes include an overextended LAN topology, half/full duplex mismatch, or a misconfigured or faulty device connected to port I2.

 

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 12:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Design Guidance

That's a port speed and/or duplex mismatch. Set both the port and the NIC to the same speed and duplex settings and that will stop.

 

 

--------------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Friese, Casey [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 10:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Design Guidance

Damian,

 

I'm contacting HP today with regards to our switches because I'm finding tons of CRC errors on them and my Networking team isn't sure why.  I will update everyone with the results.

 

Thanks,

Casey

-----Original Message-----
From: Scoles, Damian [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 9:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Design Guidance

Casey,

    Have you had a chance to look into this?  If so, any results yet?  Thanks.

 

Damian Scoles
Senior Technical Analyst
MCSE+I, CCNP

-----Original Message-----
From: Friese, Casey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 04, 2003 12:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Design Guidance

Damian,

 

Indeed, the servers are connected directly to the switch.  I'm going to dive in and have a look.

-----Original Message-----
From: Scoles, Damian [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 04, 2003 11:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Design Guidance

Casey,

    Are these servers hooked directory to a switch?  If so, you should be able set the ports and the server to 100/Full and get rid of some of the performance problems.  Doing so would not affect the Unix servers as the switch will take care of the communication in between.  Thanks.

 

Damian Scoles
Senior Technical Analyst
MCSE+I, CCNP

-----Original Message-----
From: Friese, Casey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 04, 2003 8:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Design Guidance

I've also noticed that the nic's in the two DC's are set to Auto and the routers are set to auto - full duplex

I'm guessing I should change these to 100mb full but I'm not sure how my unix access points would act because they only support 10mb...grrr

Unix is always getting in my way.

 

Can't make wine out of water - I'm going to use that excuse:

 

IT Director: "Casey, why do we have bad performance on our network? Fix it now!"

Casey: "Because you insist on using an outdated Unix App along with Bar Code Scanning hand guns that talk to the Unix server through a device that only supports 10mb/sec"

 

I think this is what we're boiling down to.

 

The combination of:

Physical device speeds not matching

Telnet protocol priority from Office A to Office B

Bandwidth overload on the Site Link

DNS configuration problems

Replication Times

Over utilized DC's that office DNS, DHCP and WINS among their other duties

 

I've already addressed the DNS and replication times as advised by the list.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 04, 2003 9:03 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Design Guidance

I would avoid using a subdomain, especially for 25 people.

 

Refresh our minds on your sites and subnets layout. Are they all in one site or are they two? It sounds like that might be part of the issue.

 

Another option, and this might make a lot of sense, is to put another ISA server in the small office, and force (via group policy) all clients to use it as a proxy. We find a lot of our WAN traffic from remote offices is web browsing. Alternately, it might be worth working with whoever manages your routers to do a little traffic shaping or queuing modifications to ensure adequate traffic between the DCs.

 

 

--------------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Friese, Casey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 04, 2003 8:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Design Guidance

Rick,

 

There are around 25 clients in Office A where the head server is located.

 

Ideally I would like to increase the bandwidth on the line but failing that, if we would move the DC that is there now back to our datacenter we would structure so that our datacenter in Office B becomes our root domain and purchase another server for Office A.  The server purchased for Office A would be built as a DC and as a child domain...clientname.officea.comapny.com

 

Does that make any sense?

 

Thus far I have done the following:

 

-Made sure that NAV on both DC's isn't scanning any db's

-I've changed the DNS settings on Both DC's to point to it's oposite as primary and itself as secondary

-Made sure that clients are pointing to their closest DC for DNS

-Changed replication interval from every 15minutes to every 60minutes

 

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, March 03, 2003 10:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Design Guidance

Casey,

 

It would clearly resolve the replication issue.  But, it's only going to cause issues with the clients at the office where no server or DC now resides.  I tried to get back into the thread where you state how many machines are at this office, but obviously am overlooking it.  With Exchange and other F&P type issues, I think that you're only 'robbing Peter to pay Paul' by moving this machine. 

 

Ultimately, upgrading the line is the reasonable answer.

 Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

 

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Friese, Casey
Sent: Monday, March 03, 2003 7:21 PM
To: [EMAIL PROTECTED]

Thanks Rick.  My only thought was that by moving the DC from office B (which is the server that was first built and is the head huncho) to office A with the only other DC in the domain, this would clear up any replication problems that I am seeing or are there and I'm missing.  Obviously the 256kbps shared line isn't adequate for us.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, March 03, 2003 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Design Guidance

Casey,

 

I don't truly see that moving where the roles are is going to have a huge impact.  Yes, moving the PDC-E role may have some impact, but the GC and the replication overall is the most problematic.

 

Roger and Marc have you on some good paths.  If I see anything that they are missing (not likely) I'll pop in.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

 

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Friese, Casey
Sent: Monday, March 03, 2003 11:01 AM
To: [EMAIL PROTECTED]

Thanks Rick,

 

This is my thought as well.  If the powers that be refuse to up the bandwidth on the WAN line, is there a problem with relocating the master in Office A to Office B with the other DC?

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, March 03, 2003 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Design Guidance

Given that you only have a 256kb connection between sites and DCs, and where the FSMO roles are located, I'd back down your replication times.  It seems apparent that much of your problem is due to over utilization of the WAN segment, and the frequency of replication is only going to exacerbate the problem. 

As a test, I'd back off the replication times to 60 minutes.  Give it 48 hours, and see if the problems at least subside, though I doubt they will be completely solved.

I suspect you're going to be looking at upping the bandwidth on the WAN line.  The only way to truly know how large is to run some baselines and find the highwater mark - then plan well above that for the upgrade.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Friese, Casey
> Sent: Monday, March 03, 2003 7:45 AM
> To: [EMAIL PROTECTED]
>
> Back on the ball:
>
> My sites and services are setup correctly according to my
> untrained eye.
>
> Tow separate, distinct sites, Office A & Office B.  Each
> container has it's respective server listed.
>
> The NTDS Settings For Office A are set as follows:
>
> Name = <automatically generated>
> >From Server = PA-FILE-02
> >From Site = Office B
> Type = Connection
> Trasnport = IP
> Schedule = 4 times per hour
>
>
> The NTDS Settings For Office B are set as follows:
>
> Name = <automatically generated>
> >From Server = PA-FILE-01
> >From Site = Office A
> Type = Connection
> Trasnport = IP
> Schedule = 4 times per hour
>
> I have an Office A to Office B Site Link listed on Inter-Site
> Transports\IP Cost = 100, Replicate every 15 minutes
>
> Spearate Subnets for each site:
> Office A = 10.64.0.0/16
> Office B = 10.128.0.0/16
>
>
>
>
> -----Original Message-----
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 28, 2003 2:18 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD Design Guidance
>
>
> I see nothing absolutely wrong at first blush. I think you
> are confusing domain structure and site structure.
>
> You left some important parts out:
>
> 1. Are the two offices set up as two different AD sites? (I
> suspect not from your problem description).
> 2. Is each of the DCs a GC as well?
>
> A couple of notes:
>
> 1. Exchange can be painful over 256k.
> 2. You really shouldn't be using your DCs as file/print servers.
>
> -----Original Message-----
> From: Friese, Casey [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 28, 2003 2:00 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] AD Design Guidance
>
>
> I have uncovered what I believe is a problem with our Active Directory
> design.  I'm looking for assurance that it is indeed a problem judging
> from the symptoms that I am seeing and I'm also looking for
> recommendations on how to correct it.
>
> I've walked into the company just weeks after a consultant started
> implementing the AD design.  Now, 8 months later and 10
> servers later I
> believe that the design is flawed.  Here are my symptoms:
>
> Any administration activity done on the servers such as setting
> permissions/re-writing permissions, opening property sheets within
> Exchange System Manager, Viewing properties sheets of OU objects/group
> policies, etc.  All of these tasks take a long period of time to
> complete or display.
>
> >From the client end we see hanging connections - one moment
> a share is
> >available, the next permission is denied or the connection can't be
> >made.  Opening files from the network sluggish and at times dhcp
> >settings are lost.
>
> We have 2 offices:
> Our HQ is in office A
> Our Datacenter is in office B
>
> Office A has 1 Windows 2000 Server and was the first server
> built in the
> Forest.  This server is doing File/Print, DHCP, WINS, DNS for it's
> location among doing it's specialized tasks for the domain.
>
> Office B has 9 Windows 2000 Servers - among those 9 is a DC,
> 1 is an E2K
> server and 1 is an ISA server.  The DC provides file/print,
> DHCP, WINS,
> DNS for it's location.  The E2K server is the mail server for both
> locations and the ISA server is the Firewall for both locations.
>
> Office A is connected to Office B via 256kbps Split T1 used for both
> voice and data.  Office B is connected to the internet via
> full T1 which
> is responsible for handling all internet requests.
>
> Both sites, office A and B, belong to the same parent domain -
> company.com with each client's dns set as clientname.company.com
>
> First questions: Are there any flaws with the above design?  The most
> noticeable thing to me is that Office A and B communicate of a 256kbps
> shared line.  I'm not an expert with AD, in fact, It's new to me but
> from what I understand anything done in Office B has to go to the Head
> Server in Office A.  These is where I believe my problems lie.
>
> What I would like to do is break these two sites apart and have
> officeA.company.com and officeB.company.com - I think this is the
> correct approach but I'm not sure. My main concern is our
> Exchange 2000
> Server and out ISA server because they're both linked heavily into the
> AD so totally redoing the design is a bit tough. 
> Alternatively, I have
> started entertaining the idea of moving the server in Office A to the
> Office B location making Office B the root domain and any new sites
> child domains.
>
> I apologize for the length and if I've confused anyone - I'm confused
> myself.  I just want to know if I'm blaming the symptoms on the right
> thing and how I should proceed.
>
> Thanks,
> Casey
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>