
Domain Controller Question

 
 
Clayton Sutton

 
      10-10-2006, 03:38 PM
Hey everyone,

We are running a Windows 2003 domain. We had two DCs (DC01 and DC02). DC01
has all of the FSMO roles.

Here's the issue that we are having:

We added a third (older server) domain controller to our DR site (DC03) and
made it a GC server. Looking at "Performance Monitor" it looks like DC03 is
doing ALL of the work. This is NOT what we want. DC03 is an OLDER system
we put in the DR site just as a backup, and we don't want it to be doing all
of the work. We want our two NEW DCs (DC01 and DC02) to be doing most of the
work. Anyone know of a way to change that?

Even Outlook/Exchange is pulling from DC03. Even my CITRIX users are
pulling from DC03.


TIA,


Clayton


 
Tommy

 
      10-10-2006, 04:07 PM
I assume the other two servers are Global catalogues too? Are they all in one
site?

Clayton Sutton

 
      10-10-2006, 04:18 PM
Yes, they all are GCs and there is only one site.


Clayton


T. Uranjek

 
      10-10-2006, 04:19 PM
Hi!

Do you have only one domain in your forest? If so, then you should make ALL
domain controllers in your domain global catalogs. You can balance the load
of GC in _msdcs.domainname.com zone with priority on SRV resource records.

Toni


Harj

 
      10-10-2006, 04:30 PM
Hi,

What exactly do you mean by the new DC doing all the work? User
authentication?
The FSMO roles really are not at "work" all the time.
If you do not want Exchange to pull from this DC, do not make it a GC.

Of all the operations master roles, the PDC emulator role has the
highest impact on the performance of the domain controller hosting that
role.

PDC Emulator:
PDC Emulator is the root time server for synchronizing the clocks of
all Windows computers in your forest.
Another function of the PDC Emulator is that it is the domain
controller to which all changes to Group Policy are initially made.
Finally, all password changes and account lockout issues are handled by
the PDC Emulator to ensure that password changes are replicated
properly and account lockout policy is effective.

RID Master:
The purpose of this role is to replenish the pool of unused relative
IDs (RIDs) for the domain and prevent this pool from becoming
exhausted. RIDs are used up whenever you create a new security
principal (user or computer account) because the SID for the new
security principal is constructed by combining the domain SID with a
unique RID taken from the pool.
So the only time the RID Master is "working" is when a DC runs out of
RIDs.

Infrastructure Master:
Its purpose is to ensure that cross-domain object references are
correctly handled. For example, if you add a user from one domain to a
security group from a different domain, the Infrastructure Master makes
sure this is done properly. As you can guess however, if your Active
Directory deployment has only a single domain, then the Infrastructure
Master role does no work at all, and even in a multi-domain environment
it is rarely used except when complex user administration tasks are
performed, so the machine holding this role doesn't need to have much
horsepower at all.

Schema Master:
The purpose of this role is to replicate schema changes to all other
domain controllers in the forest. Since the schema of Active Directory
is rarely changed however, the Schema Master role will rarely do any
work. Typical scenarios where this role is used would be when you
deploy Exchange Server onto your network, or when you upgrade domain
controllers from Windows 2000 to Windows Server 2003, as these
situations both involve making changes to the Active Directory schema.

Domain Naming Master:
The Domain Naming Master role processes all changes to the namespace,
for example adding the child domain vancouver.mycompany.com to the
forest root domain mycompany.com requires that this role be available,
so if you can't add a new child domain or new domain tree, check to make
sure this role is running properly.

What you can do is to adjust the priority or weight in the DNS
environment.
If you want to proportionately reduce the number of client
authentication requests received by a DC, adjust its weight. If you
want to ensure that the DC does not receive any client authentication
requests, adjust its priority.

306602 How to Optimize the Location of a Domain Controller or Global
Catalog
http://support.microsoft.com/?id=306602

Configure Operations Master Roles
http://technet2.microsoft.com/Window....mspx?mfr=true

Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
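
The weight and priority behaviour described in the post above, modelled with RFC 2782 SRV selection. This is an added example, not part of the original thread; the record values and function names are constructed for illustration, and it simplifies RFC 2782 by never picking a zero-weight record while a weighted one is available.

```python
"""RFC 2782 SRV selection applied to domain controller records (added example)."""
import random
from fractions import Fraction

# Constructed records for _ldap._tcp.dc._msdcs.<domain>: (target, priority, weight).
# Netlogon registers priority 0 / weight 100 by default; the LdapSrvPriority and
# LdapSrvWeight Netlogon parameters (see KB 306602) change what a DC registers.
DEFAULT = [("DC01", 0, 100), ("DC02", 0, 100), ("DC03", 0, 100)]
LOW_WEIGHT = [("DC01", 0, 100), ("DC02", 0, 100), ("DC03", 0, 10)]
LOW_PRIORITY = [("DC01", 0, 100), ("DC02", 0, 100), ("DC03", 10, 100)]


def candidates(records, reachable=None):
    """Records in the lowest-numbered priority group that has a reachable target."""
    live = [r for r in records if reachable is None or r[0] in reachable]
    if not live:
        return []
    best = min(priority for _, priority, _ in live)
    return [r for r in live if r[1] == best]


def expected_share(records, reachable=None):
    """Exact probability that each target is the one a client selects."""
    group = candidates(records, reachable)
    total = sum(weight for _, _, weight in group)
    share = {target: Fraction(0) for target, _, _ in records}
    for target, _, weight in group:
        # If every weight in the group is zero, the choice is uniform.
        share[target] = Fraction(weight, total) if total else Fraction(1, len(group))
    return share


def pick(records, rng, reachable=None):
    """One weighted random selection within the best reachable priority group."""
    group = candidates(records, reachable)
    if not group:
        return None
    total = sum(weight for _, _, weight in group)
    if total == 0:
        return rng.choice(group)[0]
    threshold = rng.random() * total
    running = 0
    for target, _, weight in group:
        running += weight
        if running > threshold:
            return target
    return group[-1][0]


def simulate(records, n=10000, seed=1, reachable=None):
    """Count how often each DC is selected over n client lookups."""
    rng = random.Random(seed)
    counts = {target: 0 for target, _, _ in records}
    for _ in range(n):
        chosen = pick(records, rng, reachable)
        if chosen is not None:
            counts[chosen] += 1
    return counts


if __name__ == "__main__":
    for name, recs in [("default", DEFAULT), ("DC03 weight 10", LOW_WEIGHT),
                       ("DC03 priority 10", LOW_PRIORITY)]:
        print(name, {t: str(s) for t, s in expected_share(recs).items()}, simulate(recs))
    # DC03 still answers when the preferred DCs are unreachable.
    print("DC01/DC02 down", simulate(LOW_PRIORITY, reachable={"DC03"}))
```

Lowering the weight only shrinks DC03's share; raising the priority number removes it from selection until no lower-numbered record is reachable, which is the behaviour wanted for a DR-only domain controller.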

Tommy

 
      10-10-2006, 06:18 PM
Hi Clayton.

Looks like there are options in DNS (see other posts) - alternatively if the
"DR" domain controller can be put (or is already based) on a separate subnet
to your other DCs and PCs then you could also create a second site in AD
Sites and Services and put the DR domain controller in there. As long as your
clients are on the main DCs' subnet then they should only use those DCs for
authentication (unless they find them unreachable).

You need to make sure you have the subnets created in AD Sites and
Services and that they're assigned to the appropriate site - Just a thought.

T.

Tommy

 
      10-10-2006, 06:20 PM
By the way - it's also a good idea to have your FSMOs distributed across
your DCs - there are plenty of articles on the MS website about this.

Joe Richards [MVP]

 
      10-10-2006, 06:55 PM
Not really, no.

Initially MSFT pushed this idea and then backed off of it considerably.
The only time this is really necessary is if the load of the FSMO roles
together overtaxes a single DC. I can say that I never spread the roles
out, I pretty much always keep them on a single DC in each domain of the
forest and the forest roles sit with whatever DC in the root domain that
has all of those domain's roles. This has worked fine in forests I have
managed with hundreds of thousands of users.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Clayton Sutton

 
      10-10-2006, 07:42 PM
I am monitoring (from my XP workstation) the following "Performance objects"
in Windows Performance Monitor on my three DCs:

Memory - Pages/sec
Paging File - % Usage (_Total)
PhysicalDisk - % Disk Time (_Total)
PhysicalDisk - Avg. Disk Queue Length (_Total)
Processor - % Processor Time (_Total)

The graphs for DC01 and DC02 (my NEW Dell 2850 servers) are flat lined (they
don't show any activity going on). However, DC03 (which is an OLD Dell 2550
out in my DR site) looks to be doing everything. I have "some" activity on
ALL of the graphs for DC03. However, I just put this server online just to
be a backup DC. ALL of the FSMO roles are on DC01, so why is ALL of the
activity on DC03? DC03 is an old "slow" server, that's why we just made it
a backup DC. Now it looks like it's doing most of the work. (ALL DCs are
GCs in one site. We have two domains in the forest and I am working with
the root domain). Any ideas?

TIA,

Clayton


Clayton Sutton

 
      10-10-2006, 08:57 PM
I am monitoring (from my XP workstation) the following "Performance objects"
in Windows Performance Monitor on my three DCs:

Memory - Pages/sec
Paging File - % Usage (_Total)
PhysicalDisk - % Disk Time (_Total)
PhysicalDisk - Avg. Disk Queue Length (_Total)
Processor - % Processor Time (_Total)

The graphs for DC01 and DC02 (my NEW Dell 2850 servers) are flat lined (they
don't show any activity going on). However, DC03 (which is an OLD Dell 2550
out in my DR site) looks to be doing everything. I have "some" activity on
ALL of the graphs for DC03. However, I just put this server online just to
be a backup DC. ALL of the FSMO roles are on DC01, so why is ALL of the
activity on DC03? DC03 is an old "slow" server, that's why we just made it
a backup DC. Now it looks like it's doing most of the work. (ALL DCs are
GCs in one site. We have two domains in the forest and I am working with
the root domain). Any ideas?

TIA,

Clayton


