Windows 2003 R2 Active Directory Performance Question

Here is our environment:

5 Windows 2003 R2 SP2 Domain Controllers (4 of which also do File/Print/DNS
and 1 is running DHCP) spread across multiple VLANs (multiple NICs mapped to
different VLANs in each)
*** These are HP DL380 G5's with 8GB RAM runninw Win2k3R2 Enterprise
These DCs are all in the same physical location supporting 10 other
buildings, some buildings are 1 mile, some are 7 miles away connected by GB
fiber.

Network is GB between buildings, GB between closets, 100MB to the desktop
with a mix of Extreme and HP equipment with one BlackDiamond 6808 Router in
the data center.

Roughly 3000 computers on the network, 10k Active Directory objects, 1100
Exchange 2003 mailboxes

*

The issue we are having is that since we've migrated from NetWare (last
year) to AD we have login and login resource issues.

Example: there will be 30 people in a room all logging in more-or-less at
the same time, 5 or 6 or 8 will get in, get their home drive, mapped drive
and group policies w/o a problem... another 10-12 might need to logout and
try again and the rest may actually need to reboot to make it work
correctly.

If I go to the location I can login as any user and it works fine, but put a
bunch of people in a room and it starts to get flakey again.

Here's most of what I've done over the past couple of months:

*
* Aggregated network closets -- where I could I changed the closet
configurations from a daisy-chain of switches to an aggregated config (IE:
four 100MB switches uplink directly to a GB switch and out the closet)
* Introduced WINS into the environment on two of the DCs
* Moved server secondary NICs from 100MB to 1GB ports.
At this point I'm starting to get a little frustrated. *My next step is
going to be to put a couple of satellite AD boxes in choice buildings to try
and reduce the physical distance between the end-user and a domain
controller. *We have also purchased HP ProCurve equipment to replace the
Extreme stuff inthe MDFs of the buildings and at the core because of the age
(8+ years) of the Extreme stuff but I'm not convinced that is going to "fix"
the problem. *I feel like i provided enough DCs per VLAN (at least 2), at
last one DNS server on each VLAN so there is no traversign VLANs for this
information.

*

Any suggestions? *Where should I be looking that I'm not looking? *I've
checked AD's health and its good... DNS seems solid... but I'm open to just
about any suggestions right now.

> 5 Windows 2003 R2 SP2 Domain Controllers (4 of which also do
> File/Print/DNS
> and 1 is running DHCP) spread across multiple VLANs (multiple NICs mapped
> to
> different VLANs in each)


MULTIHOMING Domain controllers is not recommended, it always results in
multiple problems.
-----------------------------------------------------------------------
1. Domain Controllers should not be multi-homed
2. Being a VPN Server and even simply running RRAS makes it multi-homed.
3. DNS,..even just all by itself, is better on a single homed machine.
4. Domain Controllers with the PDC Role are automatically Domain Master
Browser. Master Browsers should not be multi-homed

:See:
Symptoms of Multihomed Browsers
http://support.microsoft.com/kb/191611

Active Directory Communication Fails on Multihomed Domain Controllers
http://support.microsoft.com/default...b;en-us;272294


hth
DDS\
"Bruce Sarte" <> wrote in message
news:C7F769B9.110B2%...
> Here is our environment:
>
> 5 Windows 2003 R2 SP2 Domain Controllers (4 of which also do
> File/Print/DNS
> and 1 is running DHCP) spread across multiple VLANs (multiple NICs mapped
> to
> different VLANs in each)
> These are HP DL380 G5's with 8GB RAM runninw Win2k3R2 Enterprise
> These DCs are all in the same physical location supporting 10 other
> buildings, some buildings are 1 mile, some are 7 miles away connected by
> GB
> fiber.
>
> Network is GB between buildings, GB between closets, 100MB to the desktop
> with a mix of Extreme and HP equipment with one BlackDiamond 6808 Router
> in
> the data center.
>
> Roughly 3000 computers on the network, 10k Active Directory objects, 1100
> Exchange 2003 mailboxes
>
>
>
> The issue we are having is that since we've migrated from NetWare (last
> year) to AD we have login and login resource issues.
>
> Example: there will be 30 people in a room all logging in more-or-less at
> the same time, 5 or 6 or 8 will get in, get their home drive, mapped drive
> and group policies w/o a problem... another 10-12 might need to logout and
> try again and the rest may actually need to reboot to make it work
> correctly.
>
> If I go to the location I can login as any user and it works fine, but put
> a
> bunch of people in a room and it starts to get flakey again.
>
> Here's most of what I've done over the past couple of months:
>
>
> * Aggregated network closets -- where I could I changed the closet
> configurations from a daisy-chain of switches to an aggregated config (IE:
> four 100MB switches uplink directly to a GB switch and out the closet)
> * Introduced WINS into the environment on two of the DCs
> * Moved server secondary NICs from 100MB to 1GB ports.
> At this point I'm starting to get a little frustrated. My next step is
> going to be to put a couple of satellite AD boxes in choice buildings to
> try
> and reduce the physical distance between the end-user and a domain
> controller. We have also purchased HP ProCurve equipment to replace the
> Extreme stuff inthe MDFs of the buildings and at the core because of the
> age
> (8+ years) of the Extreme stuff but I'm not convinced that is going to
> "fix"
> the problem. I feel like i provided enough DCs per VLAN (at least 2), at
> last one DNS server on each VLAN so there is no traversign VLANs for this
> information.
>
>
>
> Any suggestions? Where should I be looking that I'm not looking? I've
> checked AD's health and its good... DNS seems solid... but I'm open to
> just
> about any suggestions right now.
>

Hello Bruce,

As Danny said multihoming of DCs is a really bad solution:
http://msmvps.com/blogs/acefekay/arc...-adapters.aspx

For workstations make also sure that fast logon optimization isn't configured,
applies on machines higher then Windows 2000:
http://support.microsoft.com/kb/305293

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Here is our environment:
>
> 5 Windows 2003 R2 SP2 Domain Controllers (4 of which also do
> File/Print/DNS
> and 1 is running DHCP) spread across multiple VLANs (multiple NICs
> mapped to
> different VLANs in each)
> These are HP DL380 G5's with 8GB RAM runninw Win2k3R2 Enterprise
> These DCs are all in the same physical location supporting 10 other
> buildings, some buildings are 1 mile, some are 7 miles away connected
> by GB fiber.
>
> Network is GB between buildings, GB between closets, 100MB to the
> desktop with a mix of Extreme and HP equipment with one BlackDiamond
> 6808 Router in the data center.
>
> Roughly 3000 computers on the network, 10k Active Directory objects,
> 1100 Exchange 2003 mailboxes
>
> The issue we are having is that since we've migrated from NetWare
> (last year) to AD we have login and login resource issues.
>
> Example: there will be 30 people in a room all logging in more-or-less
> at the same time, 5 or 6 or 8 will get in, get their home drive,
> mapped drive and group policies w/o a problem... another 10-12 might
> need to logout and try again and the rest may actually need to reboot
> to make it work correctly.
>
> If I go to the location I can login as any user and it works fine, but
> put a bunch of people in a room and it starts to get flakey again.
>
> Here's most of what I've done over the past couple of months:
>
> * Aggregated network closets -- where I could I changed the closet
> configurations from a daisy-chain of switches to an aggregated config
> (IE:
> four 100MB switches uplink directly to a GB switch and out the closet)
> * Introduced WINS into the environment on two of the DCs
> * Moved server secondary NICs from 100MB to 1GB ports.
> At this point I'm starting to get a little frustrated. My next step
> is
> going to be to put a couple of satellite AD boxes in choice buildings
> to try
> and reduce the physical distance between the end-user and a domain
> controller. We have also purchased HP ProCurve equipment to replace
> the
> Extreme stuff inthe MDFs of the buildings and at the core because of
> the age
> (8+ years) of the Extreme stuff but I'm not convinced that is going to
> "fix"
> the problem. I feel like i provided enough DCs per VLAN (at least 2),
> at
> last one DNS server on each VLAN so there is no traversign VLANs for
> this
> information.
> Any suggestions? Where should I be looking that I'm not looking?
> I've checked AD's health and its good... DNS seems solid... but I'm
> open to just about any suggestions right now.
>

Meinolf,
I removed the multihoming -- hopefully this will go a long way to fixing
our issue. What about the global catalog? How many servers should it be
on? Does it need to be on every DC?

And how big of a player is WINS and Master Browsers in this whole thing?

Our workstations *do* have fast logon optimization enabled (the default is
on). If we disable this, how much longer will the initialization be for the
machines?


On 4/24/10 6:05 AM, in article
, "Meinolf Weber [MVP-DS]"
<> wrote:

> Hello Bruce,
>
> As Danny said multihoming of DCs is a really bad solution:
> http://msmvps.com/blogs/acefekay/arc...cs-with-dns-rr
> as-and-or-pppoe-adapters.aspx
>
> For workstations make also sure that fast logon optimization isn't configured,
> applies on machines higher then Windows 2000:
> http://support.microsoft.com/kb/305293
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>> Here is our environment:
>>
>> 5 Windows 2003 R2 SP2 Domain Controllers (4 of which also do
>> File/Print/DNS
>> and 1 is running DHCP) spread across multiple VLANs (multiple NICs
>> mapped to
>> different VLANs in each)
>> These are HP DL380 G5's with 8GB RAM runninw Win2k3R2 Enterprise
>> These DCs are all in the same physical location supporting 10 other
>> buildings, some buildings are 1 mile, some are 7 miles away connected
>> by GB fiber.
>>
>> Network is GB between buildings, GB between closets, 100MB to the
>> desktop with a mix of Extreme and HP equipment with one BlackDiamond
>> 6808 Router in the data center.
>>
>> Roughly 3000 computers on the network, 10k Active Directory objects,
>> 1100 Exchange 2003 mailboxes
>>
>> The issue we are having is that since we've migrated from NetWare
>> (last year) to AD we have login and login resource issues.
>>
>> Example: there will be 30 people in a room all logging in more-or-less
>> at the same time, 5 or 6 or 8 will get in, get their home drive,
>> mapped drive and group policies w/o a problem... another 10-12 might
>> need to logout and try again and the rest may actually need to reboot
>> to make it work correctly.
>>
>> If I go to the location I can login as any user and it works fine, but
>> put a bunch of people in a room and it starts to get flakey again.
>>
>> Here's most of what I've done over the past couple of months:
>>
>> * Aggregated network closets -- where I could I changed the closet
>> configurations from a daisy-chain of switches to an aggregated config
>> (IE:
>> four 100MB switches uplink directly to a GB switch and out the closet)
>> * Introduced WINS into the environment on two of the DCs
>> * Moved server secondary NICs from 100MB to 1GB ports.
>> At this point I'm starting to get a little frustrated. My next step
>> is
>> going to be to put a couple of satellite AD boxes in choice buildings
>> to try
>> and reduce the physical distance between the end-user and a domain
>> controller. We have also purchased HP ProCurve equipment to replace
>> the
>> Extreme stuff inthe MDFs of the buildings and at the core because of
>> the age
>> (8+ years) of the Extreme stuff but I'm not convinced that is going to
>> "fix"
>> the problem. I feel like i provided enough DCs per VLAN (at least 2),
>> at
>> last one DNS server on each VLAN so there is no traversign VLANs for
>> this
>> information.
>> Any suggestions? Where should I be looking that I'm not looking?
>> I've checked AD's health and its good... DNS seems solid... but I'm
>> open to just about any suggestions right now.
>>
>
>

Hello Bruce,

In a single forest domain, like domain.com, you should make ALL DCs Global
catalog server as the IM has nothing to do.
http://msmvps.com/blogs/ulfbsimonwei.../08/37975.aspx

WINS is in a domain normally not needed, a domain is DNS based working. BUT,
if you have the need for network browsing over subnets or applications running
that require WINS then you have to install it.

If you set the GPO for "Always wait for network..........." it wan't be that
much amount of time the logon process take.. Of course if you use servers
to store the profiles or folder redirection the copy process depends on the
amount of data.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Meinolf,
> I removed the multihoming -- hopefully this will go a long way to
> fixing
> our issue. What about the global catalog? How many servers should it
> be
> on? Does it need to be on every DC?
>
> And how big of a player is WINS and Master Browsers in this whole
> thing?
>
> Our workstations *do* have fast logon optimization enabled (the
> default is on). If we disable this, how much longer will the
> initialization be for the machines?
>
> On 4/24/10 6:05 AM, in article
> , "Meinolf Weber
> [MVP-DS]" <> wrote:
>
>> Hello Bruce,
>>
>> As Danny said multihoming of DCs is a really bad solution:
>> http://msmvps.com/blogs/acefekay/arc...tihomed-dcs-wi
>> th-dns-rr as-and-or-pppoe-adapters.aspx
>>
>> For workstations make also sure that fast logon optimization isn't
>> configured, applies on machines higher then Windows 2000:
>> http://support.microsoft.com/kb/305293
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Here is our environment:
>>>
>>> 5 Windows 2003 R2 SP2 Domain Controllers (4 of which also do
>>> File/Print/DNS
>>> and 1 is running DHCP) spread across multiple VLANs (multiple NICs
>>> mapped to
>>> different VLANs in each)
>>> These are HP DL380 G5's with 8GB RAM runninw Win2k3R2 Enterprise
>>> These DCs are all in the same physical location supporting 10 other
>>> buildings, some buildings are 1 mile, some are 7 miles away
>>> connected
>>> by GB fiber.
>>> Network is GB between buildings, GB between closets, 100MB to the
>>> desktop with a mix of Extreme and HP equipment with one BlackDiamond
>>> 6808 Router in the data center.
>>>
>>> Roughly 3000 computers on the network, 10k Active Directory objects,
>>> 1100 Exchange 2003 mailboxes
>>>
>>> The issue we are having is that since we've migrated from NetWare
>>> (last year) to AD we have login and login resource issues.
>>>
>>> Example: there will be 30 people in a room all logging in
>>> more-or-less at the same time, 5 or 6 or 8 will get in, get their
>>> home drive, mapped drive and group policies w/o a problem... another
>>> 10-12 might need to logout and try again and the rest may actually
>>> need to reboot to make it work correctly.
>>>
>>> If I go to the location I can login as any user and it works fine,
>>> but put a bunch of people in a room and it starts to get flakey
>>> again.
>>>
>>> Here's most of what I've done over the past couple of months:
>>>
>>> * Aggregated network closets -- where I could I changed the closet
>>> configurations from a daisy-chain of switches to an aggregated
>>> config
>>> (IE:
>>> four 100MB switches uplink directly to a GB switch and out the
>>> closet)
>>> * Introduced WINS into the environment on two of the DCs
>>> * Moved server secondary NICs from 100MB to 1GB ports.
>>> At this point I'm starting to get a little frustrated. My next step
>>> is
>>> going to be to put a couple of satellite AD boxes in choice
>>> buildings
>>> to try
>>> and reduce the physical distance between the end-user and a domain
>>> controller. We have also purchased HP ProCurve equipment to replace
>>> the
>>> Extreme stuff inthe MDFs of the buildings and at the core because of
>>> the age
>>> (8+ years) of the Extreme stuff but I'm not convinced that is going
>>> to
>>> "fix"
>>> the problem. I feel like i provided enough DCs per VLAN (at least
>>> 2),
>>> at
>>> last one DNS server on each VLAN so there is no traversign VLANs for
>>> this
>>> information.
>>> Any suggestions? Where should I be looking that I'm not looking?
>>> I've checked AD's health and its good... DNS seems solid... but I'm
>>> open to just about any suggestions right now.