RE: [ActiveDir] single login size in bytes?

2005-10-12 Thread Rich Milburn
Good points, thanks Al.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, October 12, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

I don't know the answer to that exact question.  What I was after was the
WAN link QoS vs. the desktop to server.  The reason for that is that it's
likely that you have a 10/100/1000 ethernet network at the remote site.
That's WAY more than the WAN link.  But once on the WAN link, you'll want to
ensure that you prioritize your traffic to ensure that if anything has to
wait, it's not the cc traffic.

That's a WAN router issue vs. a desktop issue. I've never even given the
desktop QoS a second look, personally.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, October 11, 2005 4:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?


Al speaking of QoS (and feel free to mail me offline [whoever] if it's too
off-topic)... I have never really bothered with QoS on XP because most users
(IMHO) do not use anything that takes advantage of it.  In order to use it
for our credit card processing traffic, would it be true that all devices
and the software that forwards it would have to support QoS?  i.e. the app
in the store that submits the request via SSL, the store router, our router
here, etc?  Anyone know some basic white papers that discuss that without me
having to study to pass the QoS Certification Test?

Thanks 
Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I am always doing that which I can not do, in order that I may learn
how to
do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, October 11, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Ah.  I see where you're coming from then. 

Layer 8 issues can be tough to solve.  I like to add l1 to l7 and see if I
can match.

I wouldn't expect auth traffic to tip the scales, but I really think the
should be asked to investigate QoS (if network is a separate group of
people; otherwise disregard). 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, October 11, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?


Thanks Al - 

The factor at issue here is simply the addition of the workgroup computers
to the domain.  They currently do everything over that link, but they're not
domain members.  People think that authentication traffic would break the
connectivity! :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I am always doing that which I can not do, in order that I may learn
how to
do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, October 11, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Having been in that situation you are correct that it's likely very little
over the wire at initial logon.  It's if they have to access anything back
across the wire or if they let Outlook run in cached mode that you'll see
differences.  Outlook and other apps are variables that are hard to measure
in this case.  I also would watch out for the client-side antivirus software
- been bit by that in the past in a similar situation.  If GPO's or logon
scripts get out of hand, that could be another variable risk to account for,
but...

As for your cc transactions, what ever happened to QoS on the routers? If
it's that important, wouldn't it make sense to not leave it to chance like
that?

Al

-Original 

RE: [ActiveDir] single login size in bytes?

2005-10-12 Thread Al Mulnick
I don't know the answer to that exact question.  What I was after was the
WAN link QoS vs. the desktop to server.  The reason for that is that it's
likely that you have a 10/100/1000 ethernet network at the remote site.
That's WAY more than the WAN link.  But once on the WAN link, you'll want to
ensure that you prioritize your traffic to ensure that if anything has to
wait, it's not the cc traffic. 

That's a WAN router issue vs. a desktop issue. I've never even given the
desktop QoS a second look, personally. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, October 11, 2005 4:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?


Al speaking of QoS (and feel free to mail me offline [whoever] if it's too
off-topic)... I have never really bothered with QoS on XP because most users
(IMHO) do not use anything that takes advantage of it.  In order to use it
for our credit card processing traffic, would it be true that all devices
and the software that forwards it would have to support QoS?  i.e. the app
in the store that submits the request via SSL, the store router, our router
here, etc?  Anyone know some basic white papers that discuss that without me
having to study to pass the QoS Certification Test?

Thanks 
Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I am always doing that which I can not do, in order that I may learn how to
do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, October 11, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Ah.  I see where you're coming from then. 

Layer 8 issues can be tough to solve.  I like to add l1 to l7 and see if I
can match. 

I wouldn't expect auth traffic to tip the scales, but I really think the
should be asked to investigate QoS (if network is a separate group of
people; otherwise disregard). 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, October 11, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?


Thanks Al - 

The factor at issue here is simply the addition of the workgroup computers
to the domain.  They currently do everything over that link, but they're not
domain members.  People think that authentication traffic would break the
connectivity! :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I am always doing that which I can not do, in order that I may learn how to
do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, October 11, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Having been in that situation you are correct that it's likely very little
over the wire at initial logon.  It's if they have to access anything back
across the wire or if they let Outlook run in cached mode that you'll see
differences.  Outlook and other apps are variables that are hard to measure
in this case.  I also would watch out for the client-side antivirus software
- been bit by that in the past in a similar situation.  If GPO's or logon
scripts get out of hand, that could be another variable risk to account for,
but...

As for your cc transactions, what ever happened to QoS on the routers? If
it's that important, wouldn't it make sense to not leave it to chance like
that? 

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?


Thanks Bob... I actually used that article too, once upon a time, though
it's way more detail than I was looking for.  There's another one more
recent, it goes into server authentication details - way TMI.  You know,
we're not even talking multiple machines, just one. The serious thing is
that we can't impact cc transactions.  But even so... I tested it and with a
first-time user log on, it spiked the graph to just over 50 kbps. Subsequent
logons were in the 40 kbps ra

RE: [ActiveDir] single login size in bytes?

2005-10-11 Thread Rich Milburn
Al speaking of QoS (and feel free to mail me offline [whoever] if it's
too off-topic)...
I have never really bothered with QoS on XP because most users (IMHO) do
not use anything that takes advantage of it.  In order to use it for our
credit card processing traffic, would it be true that all devices and
the software that forwards it would have to support QoS?  i.e. the app
in the store that submits the request via SSL, the store router, our
router here, etc?  Anyone know some basic white papers that discuss that
without me having to study to pass the QoS Certification Test?

Thanks 
Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, October 11, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Ah.  I see where you're coming from then. 

Layer 8 issues can be tough to solve.  I like to add l1 to l7 and see if I
can match.

I wouldn't expect auth traffic to tip the scales, but I really think the
should be asked to investigate QoS (if network is a separate group of
people; otherwise disregard). 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, October 11, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?


Thanks Al - 

The factor at issue here is simply the addition of the workgroup computers
to the domain.  They currently do everything over that link, but they're not
domain members.  People think that authentication traffic would break the
connectivity! :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I am always doing that which I can not do, in order that I may learn
how to
do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, October 11, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Having been in that situation you are correct that it's likely very little
over the wire at initial logon.  It's if they have to access anything back
across the wire or if they let Outlook run in cached mode that you'll see
differences.  Outlook and other apps are variables that are hard to measure
in this case.  I also would watch out for the client-side antivirus software
- been bit by that in the past in a similar situation.  If GPO's or logon
scripts get out of hand, that could be another variable risk to account for,
but...

As for your cc transactions, what ever happened to QoS on the routers? If
it's that important, wouldn't it make sense to not leave it to chance like
that?

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?


Thanks Bob... I actually used that article too, once upon a time, though
it's way more detail than I was looking for.  There's another one more
recent, it goes into server authentication details - way TMI.  You know,
we're not even talking multiple machines, just one. The serious thing is
that we can't impact cc transactions.  But even so... I tested it and with a
first-time user log on, it spiked the graph to just over 50 kbps. Subsequent
logons were in the 40 kbps range, and only briefly.  No one here at the
technical level is worried about it - note how I was asking about how much
bandwidth it uses, not how much of a noticeable delay might there be :)

Rich

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Monday, October 10, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Rich- 

This paper isn't XP/2003 but essentially a lot of the same principles apply.
I found this paper very illuminating in its day so maybe it will be of some
use to you. As far as the feasibility, I spent a lot of time at the wrong
end of an ISDN line and it wasn't that bad but I never had more than 2
machines connected concurrently.

W

RE: [ActiveDir] single login size in bytes?

2005-10-11 Thread Al Mulnick
Ah.  I see where you're coming from then. 

Layer 8 issues can be tough to solve.  I like to add l1 to l7 and see if I
can match. 

I wouldn't expect auth traffic to tip the scales, but I really think the
should be asked to investigate QoS (if network is a separate group of
people; otherwise disregard). 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, October 11, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?


Thanks Al - 

The factor at issue here is simply the addition of the workgroup computers
to the domain.  They currently do everything over that link, but they're not
domain members.  People think that authentication traffic would break the
connectivity! :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I am always doing that which I can not do, in order that I may learn how to
do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, October 11, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Having been in that situation you are correct that it's likely very little
over the wire at initial logon.  It's if they have to access anything back
across the wire or if they let Outlook run in cached mode that you'll see
differences.  Outlook and other apps are variables that are hard to measure
in this case.  I also would watch out for the client-side antivirus software
- been bit by that in the past in a similar situation.  If GPO's or logon
scripts get out of hand, that could be another variable risk to account for,
but...

As for your cc transactions, what ever happened to QoS on the routers? If
it's that important, wouldn't it make sense to not leave it to chance like
that? 

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?


Thanks Bob... I actually used that article too, once upon a time, though
it's way more detail than I was looking for.  There's another one more
recent, it goes into server authentication details - way TMI.  You know,
we're not even talking multiple machines, just one. The serious thing is
that we can't impact cc transactions.  But even so... I tested it and with a
first-time user log on, it spiked the graph to just over 50 kbps. Subsequent
logons were in the 40 kbps range, and only briefly.  No one here at the
technical level is worried about it - note how I was asking about how much
bandwidth it uses, not how much of a noticeable delay might there be :)

Rich

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Monday, October 10, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Rich- 

This paper isn't XP/2003 but essentially a lot of the same principles apply.
I found this paper very illuminating in its day so maybe it will be of some
use to you. As far as the feasibility, I spent a lot of time at the wrong
end of an ISDN line and it wasn't that bad but I never had more than 2
machines connected concurrently.

Windows 2000 Startup and Logon Traffic Analysis:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx

HTH

Bob



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] single login size in bytes?



Does anyone happen to know a rough idea how many bytes are transmitted when
a single user logs on to an XP box to a W2K3 AD, assuming cached credentials
aside?  I've been goog searching and finding a lot of detailed info about
replication but not much about the size of the authentication packets etc. I
am digging out net monitor as I type (well almost as I type) to see for
myself, but anyone who would like to comment on the feasibility of having XP
machines on the far end of a 56K frame circuit actually being members of the
domain, please feel free to let me know.  We're talking simple logging in,
including a single GPO or maybe two - but no replication, etc.  They do
already get their email using Outlook to a pst.  

 

And please don't laugh.  This is a very serious issue. ;-)

 

Rich

 

 

 


---
R

RE: [ActiveDir] single login size in bytes?

2005-10-11 Thread Rich Milburn
Thanks Al - 

The factor at issue here is simply the addition of the workgroup
computers to the domain.  They currently do everything over that link,
but they're not domain members.  People think that authentication
traffic would break the connectivity! :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, October 11, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Having been in that situation you are correct that it's likely very little
over the wire at initial logon.  It's if they have to access anything back
across the wire or if they let Outlook run in cached mode that you'll see
differences.  Outlook and other apps are variables that are hard to measure
in this case.  I also would watch out for the client-side antivirus software
- been bit by that in the past in a similar situation.  If GPO's or logon
scripts get out of hand, that could be another variable risk to account for,
but...

As for your cc transactions, what ever happened to QoS on the routers? If
it's that important, wouldn't it make sense to not leave it to chance like
that?

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?


Thanks Bob... I actually used that article too, once upon a time, though
it's way more detail than I was looking for.  There's another one more
recent, it goes into server authentication details - way TMI.  You know,
we're not even talking multiple machines, just one. The serious thing is
that we can't impact cc transactions.  But even so... I tested it and with a
first-time user log on, it spiked the graph to just over 50 kbps. Subsequent
logons were in the 40 kbps range, and only briefly.  No one here at the
technical level is worried about it - note how I was asking about how much
bandwidth it uses, not how much of a noticeable delay might there be :)

Rich

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Monday, October 10, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Rich- 

This paper isn't XP/2003 but essentially a lot of the same principles apply.
I found this paper very illuminating in its day so maybe it will be of some
use to you. As far as the feasibility, I spent a lot of time at the wrong
end of an ISDN line and it wasn't that bad but I never had more than 2
machines connected concurrently.

Windows 2000 Startup and Logon Traffic Analysis:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx

HTH

Bob



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] single login size in bytes?



Does anyone happen to know a rough idea how many bytes are transmitted when
a single user logs on to an XP box to a W2K3 AD, assuming cached credentials
aside?  I've been goog searching and finding a lot of detailed info about
replication but not much about the size of the authentication packets etc.
I am digging out net monitor as I type (well almost as I type) to see for
myself, but anyone who would like to comment on the feasibility of having XP
machines on the far end of a 56K frame circuit actually being members of the
domain, please feel free to let me know.  We're talking simple logging in,
including a single GPO or maybe two - but no replication, etc.  They do
already get their email using Outlook to a pst.

 

And please don't laugh.  This is a very serious issue. ;-)

 

Rich

 

 

 


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn
how to
do it." - Pablo Picasso

---APPLEBEE'S INTERNATIONAL, I

RE: [ActiveDir] single login size in bytes?

2005-10-11 Thread Fuller, Stuart
We went through this exercise during our design and plan phase of our AD
deployment four years ago - including using the same whitepaper that Bob
mentioned.  We have multiple sites across Montana with 56K frame relay
lines that authenticate back to DCs in a centralized location.  We
thought that the 56K sites were going to be a big deal but they really
are not a problem.  The offices are generally less than 15 users and
login times are very reasonable - less than two minutes including a
Novell login.  The offices also access Exchange from the central
location and generally performance is only an issue for very large
documents (4MB+).  

The use of bandwidth for a 56K line is really not the issue, it is the
delay, latency, and user experience you want to worry about.  It is
quite easy to run a 56K circuit up to 100% with a single user doing
something like downloading a large file from the Internet.  However, if
the other users can still login and do their thing then it is okay.  The
user sitting out in Ekalaka, Montana knows that things across a 56K line
take longer and therefore don't expect to get the file down as quick as
someone with a T-1 line.   

_Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Thanks Bob... I actually used that article too, once upon a time, though
it's way more detail than I was looking for.  There's another one more
recent, it goes into server authentication details - way TMI.  You know,
we're not even talking multiple machines, just one. The serious thing is
that we can't impact cc transactions.  But even so... I tested it and
with a first-time user log on, it spiked the graph to just over 50 kbps.
Subsequent logons were in the 40 kbps range, and only briefly.  No one
here at the technical level is worried about it - note how I was asking
about how much bandwidth it uses, not how much of a noticeable delay
might there be :)

Rich

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Monday, October 10, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Rich- 

This paper isn't XP/2003 but essentially a lot of the same principles
apply. I found this paper very illuminating in its day so maybe it will
be of some use to you. As far as the feasibility, I spent a lot of time
at the wrong end of an ISDN line and it wasn't that bad but I never had
more than 2 machines connected concurrently.

Windows 2000 Startup and Logon Traffic Analysis:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx

HTH

Bob



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] single login size in bytes?



Does anyone happen to know a rough idea how many bytes are transmitted
when a single user logs on to an XP box to a W2K3 AD, assuming cached
credentials aside?  I've been goog searching and finding a lot of
detailed info about replication but not much about the size of the
authentication packets etc.  I am digging out net monitor as I type
(well almost as I type) to see for myself, but anyone who would like to
comment on the feasibility of having XP machines on the far end of a 56K
frame circuit actually being members of the domain, please feel free to
let me know.  We're talking simple logging in, including a single GPO or
maybe two - but no replication, etc.  They do already get their email
using Outlook to a pst.  

 

And please don't laugh.  This is a very serious issue. ;-)

 

Rich

 

 

 


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field
Platform Development Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY
NOTICE--- 
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this
message or any attachments. This information is strictly confidential
and may be subject to attorney-client privilege. This message is
intended only for the use of the named addressee. If you are not the
intended recipient of this message, unauthorized forwarding, printing,
copying, distribution, or using such information is strictly prohibited
and may be unlawful.
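
Added example, not part of any poster's message: a small simulation of the point made in this thread that on a 56 kbps circuit the concern is queueing delay rather than byte counts, and that prioritising on the WAN router keeps the cc traffic from waiting. The packet sizes, burst size and arrival times are constructed assumptions, not measurements from the thread.

```python
from collections import namedtuple

LINK_BPS = 56_000  # the 56K frame circuit discussed in the thread

Packet = namedtuple("Packet", "arrival size cls")  # seconds, bytes, class


def sample_workload():
    """Constructed traffic (assumption, not measured data).

    A logon burst reaches the router almost instantly because the LAN is
    far faster than the WAN, then three small card transactions follow.
    """
    logon = [Packet(0.0, 1500, "bulk") for _ in range(40)]
    cc = [Packet(t, 500, "cc") for t in (0.5, 1.6, 2.7)]
    return logon + cc


def simulate(packets, prioritise_cc, link_bps=LINK_BPS):
    """Single outbound WAN queue, non-preemptive.

    prioritise_cc=False: plain FIFO.
    prioritise_cc=True:  strict priority, a waiting "cc" packet is always
                         sent before any waiting "bulk" packet.
    Returns {class: [delay_seconds, ...]} where delay is the time from
    arrival at the router until the last bit has left on the WAN link.
    """
    todo = sorted(packets, key=lambda p: p.arrival)  # stable for ties
    waiting = []
    delays = {}
    now = 0.0
    i = 0
    while i < len(todo) or waiting:
        if not waiting:
            # Link is idle: jump ahead to the next arrival.
            now = max(now, todo[i].arrival)
        # Admit everything that has arrived by now.
        while i < len(todo) and todo[i].arrival <= now:
            waiting.append(todo[i])
            i += 1
        pick = 0
        if prioritise_cc:
            pick = next(
                (k for k, p in enumerate(waiting) if p.cls == "cc"), 0
            )
        pkt = waiting.pop(pick)
        now += pkt.size * 8 / link_bps  # serialization time on the WAN
        delays.setdefault(pkt.cls, []).append(now - pkt.arrival)
    return delays


def worst_delay(packets, cls, prioritise_cc):
    """Largest delay seen by any packet of the given class."""
    return max(simulate(packets, prioritise_cc)[cls])


if __name__ == "__main__":
    load = sample_workload()
    for label, prio in (("FIFO", False), ("cc prioritised", True)):
        print(
            f"{label:15s} worst cc delay {worst_delay(load, 'cc', prio):6.3f} s, "
            f"worst bulk delay {worst_delay(load, 'bulk', prio):6.3f} s"
        )
```

With strict priority the worst cc delay is bounded by one bulk packet already on the wire plus the cc packet's own serialization time, while the bulk transfer finishes only a fraction of a second later than it would have anyway.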

RE: [ActiveDir] single login size in bytes?

2005-10-11 Thread Al Mulnick
Having been in that situation you are correct that it's likely very little
over the wire at initial logon.  It's if they have to access anything back
across the wire or if they let Outlook run in cached mode that you'll see
differences.  Outlook and other apps are variables that are hard to measure
in this case.  I also would watch out for the client-side antivirus software
- been bit by that in the past in a similar situation.  If GPO's or logon
scripts get out of hand, that could be another variable risk to account for,
but...

As for your cc transactions, what ever happened to QoS on the routers? If
it's that important, wouldn't it make sense to not leave it to chance like
that? 

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?


Thanks Bob... I actually used that article too, once upon a time, though
it's way more detail than I was looking for.  There's another one more
recent, it goes into server authentication details - way TMI.  You know,
we're not even talking multiple machines, just one. The serious thing is
that we can't impact cc transactions.  But even so... I tested it and with a
first-time user log on, it spiked the graph to just over 50 kbps. Subsequent
logons were in the 40 kbps range, and only briefly.  No one here at the
technical level is worried about it - note how I was asking about how much
bandwidth it uses, not how much of a noticeable delay might there be :)

Rich

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Monday, October 10, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Rich- 

This paper isn't XP/2003 but essentially a lot of the same principles apply.
I found this paper very illuminating in its day so maybe it will be of some
use to you. As far as the feasibility, I spent a lot of time at the wrong
end of an ISDN line and it wasn't that bad but I never had more than 2
machines connected concurrently.

Windows 2000 Startup and Logon Traffic Analysis:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx

HTH

Bob



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] single login size in bytes?



Does anyone happen to know a rough idea how many bytes are transmitted when
a single user logs on to an XP box to a W2K3 AD, assuming cached credentials
aside?  I've been goog searching and finding a lot of detailed info about
replication but not much about the size of the authentication packets etc.
I am digging out net monitor as I type (well almost as I type) to see for
myself, but anyone who would like to comment on the feasibility of having XP
machines on the far end of a 56K frame circuit actually being members of the
domain, please feel free to let me know.  We're talking simple logging in,
including a single GPO or maybe two - but no replication, etc.  They do
already get their email using Outlook to a pst.  

 

And please don't laugh.  This is a very serious issue. ;-)

 

Rich

 

 

 


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn how to
do it." - Pablo Picasso

Re: [ActiveDir] single login size in bytes?

2005-10-10 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Totally guessing here from the Dr. J password literature I've read...but 
wouldn't it depend on the auth method involved as to the traffic size? 
Since NTLMv2 is MS specific... you might have to fire up the sniff tools 
on that one.


Chapter 11 in the Riley/Johansson book on passwords

LMhash ... password is padded to 14 characters
lowercase converted to uppercase
split into 7 byte chunks, chunk generates 8 byte odd parity DES key
each 8 byte key used in DES encryption of fixed string
two cipher texts are concatenated and stored

NTLMv2 you are sending challenges back and forth across the wire

Auth req
Server challenge
ntlm2 response
auth result


The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx
The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx
The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3 -- TechNet 
Column - Security Management - December 2004:

http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx


Rich Milburn wrote:

Does anyone happen to know a rough idea how many bytes are transmitted 
when a single user logs on to an XP box to a W2K3 AD, assuming cached 
credentials aside? I’ve been goog searching and finding a lot of 
detailed info about replication but not much about the size of the 
authentication packets etc. I am digging out net monitor as I type 
(well almost as I type) to see for myself, but anyone who would like 
to comment on the feasibility of having XP machines on the far end of 
a 56K frame circuit actually being members of the domain, please feel 
free to let me know. We’re talking simple logging in, including a 
single GPO or maybe two – but no replication, etc. They do already get 
their email using Outlook to a pst.


And please don’t laugh. This is a very serious issue. ;-)

Rich

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
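
The LM hash preparation steps listed in the message above, as an added example that is not part of the original thread. It covers the uppercase, pad, split and odd-parity key expansion steps and stops before the DES encryption, because Python's standard library has no DES; the function names are illustrative and ASCII-only passwords are assumed.

```python
# Added example (not from the thread): the LM hash steps up to, but not
# including, the DES encryption. Function names are illustrative.
# Assumption: ASCII-only passwords (Windows itself uses the OEM code page).

def lm_prepare(password: str) -> bytes:
    """Uppercase, truncate to 14 bytes, then NUL-pad to exactly 14 bytes."""
    raw = password.upper().encode("ascii")[:14]
    return raw.ljust(14, b"\x00")


def expand_des_key(chunk7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits each, with an odd-parity LSB."""
    if len(chunk7) != 7:
        raise ValueError("expected a 7-byte chunk")
    bits = int.from_bytes(chunk7, "big")
    key = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:   # even number of 1s: set parity bit
            byte |= 1
        key.append(byte)
    return bytes(key)


def lm_des_keys(password: str) -> tuple[bytes, bytes]:
    """Return the two independent 8-byte DES keys derived from a password."""
    padded = lm_prepare(password)
    return expand_des_key(padded[:7]), expand_des_key(padded[7:])


def has_odd_parity(key: bytes) -> bool:
    """True when every key byte carries an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("Winter05", "WINTER05", "short"):
        k1, k2 = lm_des_keys(pw)
        print(f"{pw!r:12} {k1.hex()} {k2.hex()}")
```

Case never changes either key, and any password of seven characters or fewer yields the same constant second key, which is why the stored LM value says so little about password strength and is normally disabled.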


RE: [ActiveDir] single login size in bytes?

2005-10-10 Thread Rich Milburn
Thanks Bob... I actually used that article too, once upon a time, though
it's way more detail than I was looking for.  There's another one more
recent, it goes into server authentication details - way TMI.  You know,
we're not even talking multiple machines, just one. The serious thing is
that we can't impact cc transactions.  But even so... I tested it and
with a first-time user log on, it spiked the graph to just over 50 kbps.
Subsequent logons were in the 40 kbps range, and only briefly.  No one
here at the technical level is worried about it - note how I was asking
about how much bandwidth it uses, not how much of a noticeable delay
might there be :)

Rich

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Monday, October 10, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Rich- 

This paper isn't XP/2003 but essentially a lot of the same principles
apply. I found this paper very illuminating in its day so maybe it will
be of some use to you. As far as the feasibility, I spent a lot of time
at the wrong end of an ISDN line and it wasn't that bad but I never had
more than 2 machines connected concurrently.

Windows 2000 Startup and Logon Traffic Analysis:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx

HTH

Bob



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] single login size in bytes?



Does anyone happen to know a rough idea how many bytes are transmitted
when a single user logs on to an XP box to a W2K3 AD, assuming cached
credentials aside?  I've been goog searching and finding a lot of
detailed info about replication but not much about the size of the
authentication packets etc.  I am digging out net monitor as I type
(well almost as I type) to see for myself, but anyone who would like to
comment on the feasibility of having XP machines on the far end of a 56K
frame circuit actually being members of the domain, please feel free to
let me know.  We're talking simple logging in, including a single GPO or
maybe two - but no replication, etc.  They do already get their email
using Outlook to a pst.  

 

And please don't laugh.  This is a very serious issue. ;-)

 

Rich

 

 

 


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

RE: [ActiveDir] single login size in bytes?

2005-10-10 Thread Free, Bob
Rich- 

This paper isn't XP/2003 but essentially a lot of the same principles
apply. I found this paper very illuminating in its day so maybe it will
be of some use to you. As far as the feasibility, I spent a lot of time
at the wrong end of an ISDN line and it wasn't that bad but I never had
more than 2 machines connected concurrently.

Windows 2000 Startup and Logon Traffic Analysis:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx

HTH

Bob



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] single login size in bytes?



Does anyone happen to know a rough idea how many bytes are transmitted
when a single user logs on to an XP box to a W2K3 AD, assuming cached
credentials aside?  I've been goog searching and finding a lot of
detailed info about replication but not much about the size of the
authentication packets etc.  I am digging out net monitor as I type
(well almost as I type) to see for myself, but anyone who would like to
comment on the feasibility of having XP machines on the far end of a 56K
frame circuit actually being members of the domain, please feel free to
let me know.  We're talking simple logging in, including a single GPO or
maybe two - but no replication, etc.  They do already get their email
using Outlook to a pst.  

 

And please don't laugh.  This is a very serious issue. ;-)

 

Rich

 

 

 


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/