Branch offices and not stable WAN links

Discussion in 'Active Directory' started by Rytis, Aug 19, 2005.

  1. Rytis

    Rytis Guest

    We have a lot of small branch offices (~5-10 PCs in each), which connect to
    our central office via slow WAN links (256 kbps). And these WAN links are
    not stable - usually they are down from 10 min to ~1 hr per day. And all
    branch offices have their own file server.
    In our central office we have a Windows 2003 domain. We decided to join all
    branch office PCs (and servers of course) to our domain. All branch offices
    will use DCs in our central office for authentication.

    The problem is that when the WAN link goes down, users in the branch cannot
    access files located on the branch's file server (it is a critical point). My
    task is to find a solution for how users can access files on the file server
    when the WAN link is down (= the DC is not accessible).
    One guy recommended that we disable Kerberos.
    How to do this? I found a GP setting in the Default Domain policy, "Enforce user
    logon restrictions" (Computer Configuration\Windows Settings\Security
    Settings\Account Policies\Kerberos Policy), which is Enabled by default in
    a Windows 2003 domain environment. Can this help?

    Or maybe there are other solutions or ideas?

    Thanks
    Rytis

    P.S.
    a) It is impossible to place DC on each branch office.
    b) It is impossible to raise WAN link quality (stability)
     
    Rytis, Aug 19, 2005
    #1

  2. Ace Fekay [MVP]
    I would choose both A and B above. A to have a DC locally so logon and
    authentication traffic doesn't consume the WAN link, which it's doing now. I
    bet half the traffic going across it now is authentication traffic.

    B because AD's default threshold to indicate a "slow" link is 512k. 256k is
    way below it. Below this level, many things do not come across, such as
    GPOs, and other vital configuration during the logon process.

    I wouldn't disable Kerberos. Update your infrastructure to properly support
    AD, and provide a DC at each location if there are more than 5 users (that's
    my magic number).

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Aug 20, 2005
    #2