Branch Offices


  • Branch Offices

    Hi everyone,

    Have got a problem with SBS2008 and speed to some branch offices.

    Overview
    ------------
    We have SBS2008 at the head office, server 2008 SP2 DCs at 2 other branch offices, but there are also 3 more sites who just have workstations and no servers.

    The VPN config is 'Hub and Spoke' I guess, with HO connecting to all sites, but all sites not necessarily connecting to each other (apart from the 2 that have DCs)

    Head Office: 192.168.0.0/24
    Branch 1 (with DC): 192.168.1.0/24
    Branch 2 (with DC): 192.168.2.0/24
    Branch 3 (no DC): 192.168.3.0/24
    Branch 4 (no DC): 192.168.4.0/24
    Branch 5 (no DC): 192.168.5.0/24

    The workstations are Win 7.

    Symptoms:
    --------------
    Booting up the machine - it takes a long time on 'Please Wait' prior to CTRL-ALT-DEL screen

    Logging in - takes approx 10-15 minutes.

    Things tried so far
    -----------------------
    Pinging from Branch 3 to domain.local resolved to one of the branch office DCs (where there is no direct VPN link to) - manually put an entry in hosts file, flushed DNS, rebooted - no difference in login time.

    Have added 192.168.3.0/24, 192.168.4.0/24, 192.168.5.0/24 subnets to the Head Office Site in AD Sites and Services

    GPRESULT /R /V - returns 'there is no RSOP data for this user'

    GPUPDATE - times out completely.

    File access etc is absolutely fine once logged in - actually pretty quick, and ping times are low.



    Because of the wrong DC IP coming back when I ping domain.local, I'm guessing it's trying to use the wrong DC for GPO's, authentication etc? But since adding the subnet to the Head Office site, I would have thought it would have improved it?

    Any ideas?

    Thanks in advance!

  • #2
    Re: Branch Offices

    Not an answer to your query, but it seems to me that with that many sites, your company may have somewhat outgrown SBS... maybe it would be worthwhile considering a move to full blown Windows Server and Exchange at some point.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: Branch Offices

      Which DCs have DNS installed?

      Can you post an IPCONFIG/ALL from the problem branch office?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Branch Offices

        I would suspect DNS problems.

        OR - you may not have appropriate Active Directory "Sites" configured.
        Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



        • #5
          Re: Branch Offices

          I would say a combination of DNS problems, site errors and Windows 7 GPOs.

          Win7 is very touchy with domain server it can not always talk to, as it will sit there waiting on contact from the server before letting the users do anything.

          There are some GPO's about waiting for server response, and startup log on scripts that will really cause Win7 to take ages to boot. My startup script to map a network drive made a win 7 laptop take 96 mins to boot on Wifi.

          I would disable all startup scripts being deployed via GPO, and try to limit the GPO's as much as possible.

          Also, are you able to get a catalog server, or something similar, at the branches that do not have DCs? Just to lower the network load, and to allow your users to authenticate when the connections to their DCs are down?

          Wofen
          Good to be back....



          • #6
            Re: Branch Offices

            @gforceindustries - Yes....I know....It's actually a customer of ours who have in fact 4 or 5 months ago moved from full blown Server 2003....to SBS 2008... *Sigh*

            @Wofen - Unfortunately not. Each branch office that doesn't have a server has 2, maybe 3 workstations at each, so the expense of a server can't be justified, even if it was a little HP ML115 or something. Budgets aren't stretching very far at the mo.

            @tehcamel - There are 3 AD sites configured for each office with a DC. The site containing Head Office has the subnets 192.168.0.0/24, 192.168.3.0/24, 192.168.4.0/24 and 192.168.5.0/24 assigned to it. Since my first post, I've been testing stuff and have rebooted that workstation a number of times. On one occasion, it started resolving domain.local to 192.168.0.1 which is the correct one, and everything started working, plus login time was down to under 2 minutes.

            @Ossian -

            Windows IP Configuration

            Host Name . . . . . . . . . . . . : WKS01
            Primary Dns Suffix . . . . . . . : domain.local
            Node Type . . . . . . . . . . . . : Hybrid
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : domain.local

            Ethernet adapter Local Area Connection:

            Connection-specific DNS Suffix . : domain.local
            Description . . . . . . . . . . . : Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
            Physical Address. . . . . . . . . : 18-A9-05-39-C1-1B
            DHCP Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            Link-local IPv6 Address . . . . . : fe80::1a2:ce9c:ffd9:4ee9%13(Preferred)
            IPv4 Address. . . . . . . . . . . : 192.168.4.14(Preferred)
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Lease Obtained. . . . . . . . . . : 06 July 2010 08:23:54
            Lease Expires . . . . . . . . . . : 07 July 2010 08:23:54
            Default Gateway . . . . . . . . . : 192.168.4.254
            DHCP Server . . . . . . . . . . . : 192.168.4.254
            DHCPv6 IAID . . . . . . . . . . . : 270051589
            DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-13-76-AB-18-A9-05-39-C1-1B
            DNS Servers . . . . . . . . . . . : 192.168.0.1
                                                8.8.8.8
            NetBIOS over Tcpip. . . . . . . . : Enabled




            So basically, it seems like it still picks a DC at random, despite the subnet being assigned to the Head Office site. And when it picked the Head Office DC, it worked as well as I could expect over a WAN link (sub 2 minute login, down from 10-15), with all GPO's applied etc.

            Is there no way to force it to use a certain DC? Reg entry? Variable setting etc?

            Thanks for your input so far, much appreciated.



            • #7
              Re: Branch Offices

              How are the sites . What do the tracerts look like going to server from workstations and vice versa? I had similar issues recently and found that publishing DNS on my site-to-site routers helped.



              • #8
                Re: Branch Offices

                Originally posted by db9429

                Windows IP Configuration

                Host Name . . . . . . . . . . . . : WKS01
                Primary Dns Suffix . . . . . . . : domain.local
                Node Type . . . . . . . . . . . . : Hybrid
                IP Routing Enabled. . . . . . . . : No
                WINS Proxy Enabled. . . . . . . . : No
                DNS Suffix Search List. . . . . . : domain.local

                Ethernet adapter Local Area Connection:

                Connection-specific DNS Suffix . : domain.local
                Description . . . . . . . . . . . : Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
                Physical Address. . . . . . . . . : 18-A9-05-39-C1-1B
                DHCP Enabled. . . . . . . . . . . : Yes
                Autoconfiguration Enabled . . . . : Yes
                Link-local IPv6 Address . . . . . : fe80::1a2:ce9c:ffd9:4ee9%13(Preferred)
                IPv4 Address. . . . . . . . . . . : 192.168.4.14(Preferred)
                Subnet Mask . . . . . . . . . . . : 255.255.255.0
                Lease Obtained. . . . . . . . . . : 06 July 2010 08:23:54
                Lease Expires . . . . . . . . . . : 07 July 2010 08:23:54
                Default Gateway . . . . . . . . . : 192.168.4.254
                DHCP Server . . . . . . . . . . . : 192.168.4.254
                DHCPv6 IAID . . . . . . . . . . . : 270051589
                DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-13-76-AB-18-A9-05-39-C1-1B
                DNS Servers . . . . . . . . . . . : 192.168.0.1
                                                    8.8.8.8
                NetBIOS over Tcpip. . . . . . . . : Enabled

                What's that 8.8.8.8? Have you reviewed event logs on the DCs? I know I've seen them before where it says "no dc exists for site, selecting dc BLA based on costs"

                so check your costs too...


                • #9
                  Re: Branch Offices

                  Thanks V. much for your replies.

                  @Scuba - Sites/Replication is all fine. Tracerts show hops as I would expect.

                  @Tehcamel - 8.8.8.8 = Google's DNS servers. They are in case the VPN tunnel goes down for whatever reason, so they can still get internet access.

                  As the remote branches' subnets have been assigned to the same site, I'm guessing I can't assign different costs...

                  Meh, I will keep digging. There must be a way to force it to use a specific DC. Otherwise I'm going to have to set up site to site VPNs in nearly a full mesh, but it will be too much strain on the routers.



                  • #10
                    Re: Branch Offices

                    Not a good idea to have Google's DNS server configured on the domain clients IMO. That should only be configured as a forwarder on your DNS servers.
                    Gareth Howells



                    • #11
                      Re: Branch Offices

                      I think he is trying to ensure some form of external DNS if the VPN to his actual DCs goes down.

                      IMHO put in the router IP as a tertiary DNS server for such a scenario.
                      Tom Jones


                      • #12
                        Re: Branch Offices

                        @gforceindustries - As Ossian says, internal and external DNS resolution is needed without an on site server, so they use the Head Office DC as primary DNS, and a public DNS server in case the tunnel goes down. That way they can still connect to the public address of OWA, browse the internet etc.
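
The client configuration discussed in posts #8 to #12 (the Head Office DC plus a public resolver in the same DNS server list) can be checked mechanically across workstations. The following is an added example, not part of any poster's reply: it parses IPCONFIG /ALL text and lists resolvers outside the internal ranges. The sample text is constructed from the output in the thread, and the function names and the 192.168.0.0/16 default are assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the IPCONFIG /ALL output posted in this thread.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WKS01
   Primary Dns Suffix  . . . . . . . : domain.local

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.4.14(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
FIELD = re.compile(r"^\s+(\S.*?)[ .]* :(?: (.*))?$")  # "Key . . . : value"

def parse_dns_servers(text):
    """Return {adapter: [DNS server IPs]}, including continuation lines."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line.rstrip().endswith(":") and not line[0].isspace():
            current, in_dns = line.rstrip()[:-1], False  # adapter header
            adapters[current] = []
            continue
        m = FIELD.match(line)
        if m:  # a new "Key : value" field ends any DNS server list
            in_dns, value = m.group(1) == "DNS Servers", m.group(2)
        elif in_dns and line[:1].isspace() and line.strip():
            value = line.strip()  # indented bare value continues the list
        else:
            continue
        if in_dns and current and value:
            adapters[current].append(value.split("%")[0].strip())  # drop IPv6 scope id
    return adapters

def external_resolvers(text, internal_nets=("192.168.0.0/16",)):
    """Return (adapter, server) pairs whose resolver is outside internal_nets."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return [(adapter, server)
            for adapter, servers in parse_dns_servers(text).items()
            for server in servers
            if not any(ipaddress.ip_address(server) in n for n in nets)]

if __name__ == "__main__":
    for adapter, server in external_resolvers(SAMPLE):
        print(f"{adapter}: DNS server {server} is outside the internal ranges")
```

A resolver outside the internal ranges holds no copy of the internal domain.local zone, so any DC locator query the client sends to it cannot be answered and the internal names are disclosed to a third party.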
