Remote AD offline and lack of access to local file server

 
 
FB
Guest
Posts: n/a

 
      06-01-2009, 07:57 PM

A customer called complaining about a WAN link problem (offline for several
minutes, several times a day), and he observed that seconds after the WAN
link disruption (and the loss of access to the remote DCs), access to the local
file server stopped almost immediately.

In my mind I was thinking: if Kerberos has a "cache" for tickets, why were the
file servers affected so fast? Why, even with the WAN link failure, is
communication with the DC so critical? I wonder, if Kerberos has a
"lifetime", why did it expire as soon as the WAN link failed?

Is this the normal behaviour?




 
 
 
 
 
Ace Fekay [Microsoft Certified Trainer]
Guest
Posts: n/a

 
      06-01-2009, 11:55 PM
"FB" <(E-Mail Removed)> wrote in message news:36BEC9D6-E872-41DD-ABD0-(E-Mail Removed)...
>
> A customer called complaining about a WAN link problem (offline for several
> minutes, several times a day), and he observed that seconds after the WAN
> link disruption (and the loss of access to the remote DCs), access to the local
> file server stopped almost immediately.
>
> In my mind I was thinking: if Kerberos has a "cache" for tickets, why were the
> file servers affected so fast? Why, even with the WAN link failure, is
> communication with the DC so critical? I wonder, if Kerberos has a
> "lifetime", why did it expire as soon as the WAN link failed?
>
> Is this the normal behaviour?


Yep. Sure is. Client machines always authenticate against the DC they logged on with. You can see which logon server it is by typing 'echo %logonserver%' in a CMD line. A local DC eliminates unnecessary WAN traffic such as for authentication, DNS, WINS, and other traffic, depending on your scenario. Yes, with DCs in multiple locations, DC replication will be present, but will be compressed when you configure AD Sites.

If you only have a DC in a remote location, assuming it's your corp or central location, then how many users are in your location? If more than 10, or if business functions are critical where they need to be constantly connected to local resources and the WAN link is unreliable, then I would put a replica DC in your location. Also, in any domain, it's best practice, as well as highly recommended, to have a minimum of two DCs per domain. This provides fault tolerance if anything were to happen to a single DC.

Keep in mind that I do not know your infrastructure. Since you didn't elaborate on it enough for me to provide specific suggestions, these are just recommendations based on best practices aligned with business requirements.

If you can elaborate a bit, such as the number of users in each location, the type of WAN line, whether there is a VPN connected, etc., we may be able to make some recommendations.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(E-Mail Removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay
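
A quick way to check, from a client, which DC it logged on against and whether that DC is reachable right now (added example, not part of any post in this thread; it assumes a domain-joined client with PowerShell and klist.exe available, and the helper name Test-TcpPort is made up for illustration):

```powershell
# Added example: assumes a domain-joined client with PowerShell and klist.exe on the PATH.
# Test-TcpPort is a hypothetical helper name, not a built-in cmdlet.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so an unreachable DC fails after the timeout
        # instead of blocking for the full TCP retry period.
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (-not $env:LOGONSERVER) {
    Write-Warning 'LOGONSERVER is not set in this session.'
    return
}

# %LOGONSERVER% has the form \\NAME; strip the leading backslashes.
$dc = $env:LOGONSERVER.TrimStart('\')

# TCP ports a client uses on a DC: Kerberos, LDAP, SMB (SYSVOL/NETLOGON).
$ports = @{ 88 = 'Kerberos'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($port in ($ports.Keys | Sort-Object)) {
    $ok = Test-TcpPort -HostName $dc -Port $port
    '{0,-8} {1}:{2} reachable={3}' -f $ports[$port], $dc, $port, $ok
}

# Cached Kerberos tickets for this logon session, with their end times.
klist
```

Running it once with the WAN link up and once during an outage shows whether the logon server sits across the WAN and which tickets the client still holds.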



 
 
Anthony [MVP]
Guest
Posts: n/a

 
      06-02-2009, 09:27 AM
FB,
This is a really common problem: how to provide DC services to a small
remote office. If you use a remote DC you are dependent on the WAN link, and
people don't understand why they can't work locally when the WAN is down. To
have a local DC costs more. Alternately you might even consider working in a
workgroup locally if the cost of the DC is too much.
Anthony
http://www.airdesk.com



 
 
FB
Guest
Posts: n/a

 
      06-02-2009, 01:14 PM
It's a small office with 4 XP Machines...
In Workgroup mode there are management challenges in maintaining security,
AVirus, ASpyware, Patches...

Trade-offs... A decision has to be taken in choosing what is more important.

The customer is thinking of a "B" Plan to be used in emergencies, where
they'll enable "Guest access" to the shares during the "outages" of the WAN
link and configure back to "normal mode" when the WAN link is up again.



 
 
Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      06-02-2009, 03:15 PM
FB <(E-Mail Removed)> wrote:
> It's a small office with 4 XP Machines...
> In Workgroup mode there are management challenges in maintaining
> security, AVirus, ASpyware, Patches...


Agreed.
>
> Trade-offs... A decision has to be taken in choosing what is more
> important.


Yes. I don't like remote offices without local DCs, but I know what you
mean.
>
> The customer is thinking of a "B" Plan to be used in emergencies,
> where they'll enable "Guest access" to the shares during the
> "outages" of the WAN link and configure back to "normal mode" when
> the WAN link is up again.


I'd just install a terminal services box in the main office so that all
users access the centralized file server directly. If they get disconnected
they can reconnect to their sessions without losing data.

Heck, at that point you could put thin clients in the remote locations which
would save money, wouldn't get malware, etc.




 
 
Anthony [MVP]
Guest
Posts: n/a

 
      06-02-2009, 08:42 PM
I agree, 4 is a very awkward number.
It's actually not hard to manage workgroup clients. You can use a third-party
client management tool. It does not have to be AD.
You can use the DC as the file server, so you only have one file server
(even if it is a PC). This creates a slight problem that to administer the
server, e.g. create a new Share, the user has to be a domain admin, which is
very undesirable. So you can accept that you will need to administer the
server centrally only.
The other concern is physical security. Unless it is 2008 RODC, you really
don't want a DC to be in an insecure area like an office. It is easy for
someone to get control of the whole domain that way.
2008 RODC answers a lot of these problems.
Anthony
http://www.airdesk.com



 
 
 
 