
AD Setup and Problems with Client Authentication and GPOs


rflanary

IS-IT--Management
Apr 21, 2006
89
US
I have a single AD site set up using the default site. I have a single domain with 3 domain controllers: 1 Windows 2000, 2 Windows 2003. Our main office has the domain controller located here. I have a DR site off site at another property with a DC as backup. The main site and the DR site have a T1 line connected. I have recently implemented group policies and now some Windows XP clients take forever to apply personal settings. I have 3 GPOs that apply. I have turned off user and computer configuration where they don't apply. I am not sure what is wrong. I have checked everything I see on the net and it all points to DNS. I have checked DNS and every computer is pointing to DC1 and DC2, no ISP DNS.

My domain has never been set up with subnets in Sites and Services. It's a single site; should there be subnets?

My next question as well is: what are best practices for a single domain with 2 DCs, one at the main office and one at the DR site?
 
Sounds like DNS. Did the workstations log in fine before you linked the GPOs? If you unlink the GPOs, does the login speed return to normal? What kind of stuff did you enable in GP: folder redirects, software installs, logon scripts? You could have a bad UNC path to something that's taking a long time to time out.

RoadKi11
 
It's not DNS, it's the lack of having sites configured correctly in AD. The entire purpose of AD Sites and Services is so that you can tell AD what your physical architecture looks like. If you have multiple physical sites but only have a single site defined in AD Sites and Services, then AD will behave as if everything is located in the same physical site (which they're not). This means that your DC that is offsite for DR purposes is working just like a DC onsite. It is processing logins, group policy, and undergoing AD replication on a regular basis. All of this generates network traffic, and over a single T1 you'll probably see performance issues.

If you split things into multiple sites in AD Sites and Services and set it up correctly, you can set custom intervals for replication between the sites so that replication isn't constantly going on. And of course, none of your PCs at the main office will be trying to authenticate with a DC that is offsite and connected by two tin cans and a string.

Regarding:

It's a single site; should there be subnets?
Uhh...you would know better than we would if you have multiple subnets on your network. Do you have multiple subnets? Surely your DR site is on a separate subnet from your main site. You probably have different subnets for servers than PCs, and another separate subnet for your DMZ. Right?
 
I have about 15 properties on our single domain.

172.16.3.0 main office
172.18.7.0
172.18.8.0
172.18.9.0
172.18.10.0
172.18.12.0
172.18.14.0 DR Site
172.18.15.0
172.18.16.0
172.18.17.0
172.18.19.0
172.18.20.0
172.18.21.0
172.18.22.0
172.18.23.0
172.18.24.0
172.18.25.0
172.18.26.0
172.18.27.0
172.18.30.0

There are no sites in AD Sites and Services. I thought this could be a problem. How do I handle authentication if the main site is down?
 
I went ahead and created a separate site for where this domain controller is. I also defined a subnet for it.

I did not define my other subnets. Do I need to define them if I have no DCs there?

Replication should still occur between sites, right? Do I need to do anything special for it?
 
You should go ahead and list the subnets under the appropriate sites.

The authentication will be handled automatically. By default a machine will authenticate only with the DCs in its own site, unless there are no DCs available. Then they'll shuffle off to the next closest/lowest-cost site. So it's important to not only configure multiple sites with their correct subnets, but also configure the inter-site link costing correctly as well.

For example, let's say you have three sites, A, B, and C. A is the HQ, and it's the hub of your network. B is a remote site, and it is connected to A via a T1. C is a DR site, and it's connected to A via a T3. If your AD servers at A go down, you'll want to make sure that systems at site A start authenticating with site C instead of site B.
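The three-site layout in the answer above (A as HQ, B over a T1, C as DR over a T3), as an added PowerShell example that is not from the thread or any of its posters. It assumes the ActiveDirectory module that ships with RSAT on Windows Server 2012 or later, assumed site names HQ, Remote and DR, and treats the two subnets taken from the thread (172.16.3.0 main office, 172.18.14.0 DR site) as /24 networks; the Remote subnet, the site link names, costs and replication intervals are placeholders to adjust for the real WAN.

```powershell
# Added example (not the thread's own commands): define sites, subnets and
# costed site links so that clients authenticate with a DC in their own site
# and HQ's fallback prefers the DR site over the slower remote site.
Import-Module ActiveDirectory

# Site name -> subnet. Subnet values marked "thread" come from the posts;
# the Remote subnet is an assumed placeholder.
$sites = [ordered]@{
    'HQ'     = '172.16.3.0/24'    # main office (thread)
    'Remote' = '172.18.7.0/24'    # placeholder for one remote property
    'DR'     = '172.18.14.0/24'   # DR site (thread)
}

foreach ($name in $sites.Keys) {
    # Create the site only if it does not already exist.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    # Mapping the subnet to the site is what lets the DC locator pick a local DC.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($sites[$name])'")) {
        New-ADReplicationSubnet -Name $sites[$name] -Site $name
    }
}

# Site links: the lowest cost wins. The T3 to DR gets the lower cost so that
# HQ's next-closest site is DR, not the T1-connected remote site. Replication
# frequency is minutes between inter-site replication cycles.
New-ADReplicationSiteLink -Name 'HQ-DR' -SitesIncluded 'HQ','DR' `
    -Cost 50 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'HQ-Remote' -SitesIncluded 'HQ','Remote' `
    -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# Review the result: every subnet should resolve to a site and no site should
# be left dangling without a link back to HQ.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded

# On a workstation, confirm which site and DC the locator chose and how long
# Group Policy processing takes; a client in HQ should report site HQ and an HQ DC.
nltest /dsgetsite
nltest "/dsgetdc:$env:USERDNSDOMAIN" /force
gpresult /r /scope:computer
```

A caveat on the failover described above: a client picks the lowest-cost neighbouring site only when the "Try Next Closest Site" Net Logon policy is enabled, which exists on Windows Vista/Server 2008 and later; older clients with no DC reachable in their own site fall back to any DC in the domain, so the site-link costs govern replication topology and automatic site coverage rather than that fallback.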
 