Domain Controller Question

Hey everyone,

We are running a Windows 2003 domain. We had two DCs (DC01 and DC02). DC01
has all of the FSMO rolls.

Here's the issue that we are having:

We added a thired (older server) domain controller to our DR site (DC03) and
made it a GC server. Looking at "Performance Monitor" is looks like DC03 is
doing ALL of the work. This is NOT what we want. DC03 is an OLDER system
we put in the DR site just as a backup, and we don't want it to be doing all
of the work. We want our to NEW DCs (DC01 and DC02) to be doing most of the
work. Anyone know of a way to change that?

Even Outlook/Exchagne is pulling from DC03. Even my CITRIX users are
pulling from DC03.


TIA,


Clayton

 

I assume the other two servers are Global catalogues too? Are they all in one
site?

 

Yes, they all are GCs and there is only one site.


Clayton

 

Hi!

Do you have only one domain in your forest? If so, than you shold make ALL
domain controllers in your domain global catalogs. You can balance the load
of GC in _msdsc.domainname.com zone with priority on SRV resource records.

Toni

 

Hi Clayton.

Looks like there are options in DNS (see other posts) - alternatively if the
"DR" domain controller can be put (or is already based) on a separate subnet
to your other DC's and PC's then you could also create a second site in AD
sites and services put the DR domain controller in there. As long as your
clients are on the main DC's subnet then they should only use those DC's for
authentication (unless they find them unreachable).

You need to make sure you have the subnets created in the AD sites and
services and that they're assigned to the appropriate site - Just a thought.

T.

 

By the way - it's also a good idea to have your FSMO's distributed across
your DC's - there's plenty of articles on the MS website about this.

 

Not really no.

Initially MSFT pushed this idea and then backed off of it considerably.
The only time this is really necessary is if the load of the FSMO roles
together over taxes a single DC. I can say that I never spread the roles
out, I pretty much always keep them on a single DC in each domain of the
forest and the forest roles sit with whatever DC in the root domain that
has all of those domain's roles. This has worked fine in forests I have
managed with hundreds of thousands of users.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

I am monitoring (from my XP workstation) the following "Performance objects"
in Windows Performance Monitor on my three DCs:

Memory - Pages/sec
Paging File - % Usage (_Total)
PhysicalDisk - % Disk Time (_Total)
PhysicalDisk - Avg. Disk Queue Length (_Total)
Processor - % Processor Time (_Total)

The graghs for DC01 and DC02 (my NEW Dell 2850 servers) are flat lined (they
don't show any activity going on). However, DC03 (which is an OLD Dell 2550
out in my DR site) looks to be doing everything. I have "some" activity on
ALL of the graghs for DC03. However, I just put this server online just to
be a backup DC. ALL of the FSMO roles are on DC01, so why is ALL of the
activity on DC03? DC03 is an old "slow" server, that's why we just made it
a backup DC. Now it looks like it's doing most of the work. (ALL DCs are
GCs in one site. We have two domains in the forest and I am working with
the root domain). Any ideas?

TIA,

Clayton

 

I am monitoring (from my XP workstation) the following "Performance objects"
in Windows Performance Monitor on my three DCs:

Memory - Pages/sec
Paging File - % Usage (_Total)
PhysicalDisk - % Disk Time (_Total)
PhysicalDisk - Avg. Disk Queue Length (_Total)
Processor - % Processor Time (_Total)

The graghs for DC01 and DC02 (my NEW Dell 2850 servers) are flat lined (they
don't show any activity going on). However, DC03 (which is an OLD Dell 2550
out in my DR site) looks to be doing everything. I have "some" activity on
ALL of the graghs for DC03. However, I just put this server online just to
be a backup DC. ALL of the FSMO roles are on DC01, so why is ALL of the
activity on DC03? DC03 is an old "slow" server, that's why we just made it
a backup DC. Now it looks like it's doing most of the work. (ALL DCs are
GCs in one site. We have two domains in the forest and I am working with
the root domain). Any ideas?

TIA,

Clayton

 

You should check NTDS counters for all domain controllers. If you wish to
balance the load on your domain controllers you should go to DNS console and
change priority for appropriate SRV record.

More info:
http://www.microsoft.com/technet/pr...rv/reskit/distrib/dsbc_nar_sdns.mspx?mfr=true

Toni

 

Ok it doesn't sound like you know if it is doing all of the work. You
are looking at counters that aren't busy on one DC but are on another
lesser DC, the load balancing could be equal amongst all of them and
DC03 would still show the busiest as it has the least horsepower.

I believe someone else mentioned using priority and weighting on DC DNS
records, that is what you want to look at. Alternately, put the DC in
another logical site so it is only used in a failover.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

Hey T.

Which NTDS counters do you thing are best for me to keep an eye on?

Clayton

 

Hi!

It's hard to say which counters are appropriate in your case. If you
suspect, that one of your domain controllers is doing all the work related
to Active Directory services, check this two articles:

Active Directory monitoring in general:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=5454

Active Directory and Exchange monitoring:
http://www.microsoft.com/technet/pr...381-bdab-44bc-9df4-35e9d6192b86.mspx?mfr=true

I would check at least the following counters:
LDAP Client Sessions
LDAP Bind Time
Kerberos Authentications/sec
NTLM Authentications/sec
LDAP Successful Binds/sec
LDAP Searches/sec

It was mentioned before, that your DC3 might be the busiest server just
because it is the weakest one.

Toni

 

Thanks T., and everyone else. That gives me more info. to move forward
with.


Clayton

 

great info , Thanks

 

Great info.. thanks