improvements to finding things close to you

I am a fountain of technical terms, I know.

in my opinion, one of the most convenient things about active directory is the ability to locate stuff. I don’t mean searching through the directory to find an object exactly. more so, I’m referring to how you can locate things like a DFS server or a domain controller without thinking about it. I don’t have to select which DC I want to use to authenticate me, for example.

if you spend any amount of time managing your active directory sites, you probably want to maximize your return on that work. by managing sites, I mean managing the site containers and objects. for instance, managing the subnets assigned to sites or the costs associated with site links would be an administrative task you might perform.

if all you did was manage the subnets associated to sites, you would get the immediate benefit of clients knowing where to go to get services, but what happens if where they were going is no longer available? well, in the DFS or AD scenario, they would grab something else – randomly.

wow. random. that doesn’t seem beneficial at all. in truth, it’s not. you don’t want your client who was talking to the dfs server next to them in idaho to suddenly start talking to one in ireland. clearly this was understood, as there were changes in both DFS (version 2003) and AD (version 2008) to address this specific concern.

distributed file system

the behavior in dfs is referred to as least expensive targeting (otherwise known as site-costing) and is described below:

If you create a stand-alone or domain-based DFS root on a server running Windows Server 2003, and the domain controller acting as the Intersite Topology Generator (ISTG) is also running Windows Server 2003, you can use the /SiteCosting parameter in Dfsutil.exe to enable DFS to choose an alternate target based on connection cost if no same-site targets are available.

Windows Server 2003 uses the site and costing information in Active Directory to determine whether sites are linked by inexpensive, high-speed links or by expensive wide area network (WAN) links.

active directory

for AD, this is the try next closest site setting, quoted below:

If you have a domain controller that runs Windows Server 2008 or Windows Server 2008 R2, you can make it possible for client computers that run Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 to locate domain controllers more efficiently by enabling the Try Next Closest Site Group Policy setting. This setting improves the Domain Controller Locator (DC Locator) by helping to streamline network traffic, especially in large enterprises that have many branch offices and sites.

This new setting can affect how you configure site link costs because it affects the order in which domain controllers are located. For enterprises that have many hub sites and branch offices, you can significantly reduce Active Directory traffic on the network by ensuring that clients fail over to the next closest hub site when they cannot find a domain controller in the closest hub site.

implementing these changes means that when your client can’t access what’s in their site, they will intelligently use services at a location that is closest to them. so that person in idaho? instead of ireland, they might go to iowa.
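to make the idaho/iowa/ireland point concrete, here is a small model of cost-based failover, added as an example and not taken from the quoted microsoft text or from windows itself. the site names, link costs and function names are constructed, and the sketch assumes site links are bridged (costs add up along a path) and breaks ties alphabetically.

```python
import heapq

# Constructed sample topology: (site_a, site_b, site-link cost). Not from the post.
SITE_LINKS = [
    ("Idaho", "Iowa", 100),
    ("Iowa", "NewYork", 200),
    ("NewYork", "Ireland", 500),
    ("Idaho", "Ireland", 900),
]


def site_costs(links, origin):
    """Cheapest cumulative cost from origin to every reachable site (Dijkstra).

    Assumption of this sketch: site links are bridged, so the cost of a
    multi-hop path is the sum of the link costs along it.
    """
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best = {origin: 0}
    queue = [(0, origin)]
    while queue:
        cost, site = heapq.heappop(queue)
        if cost > best.get(site, float("inf")):
            continue  # stale queue entry, a cheaper path was already found
        for neighbor, link_cost in graph.get(site, []):
            total = cost + link_cost
            if total < best.get(neighbor, float("inf")):
                best[neighbor] = total
                heapq.heappush(queue, (total, neighbor))
    return best


def failover_order(links, client_site, available):
    """Sites that still have a working target, cheapest first.

    The client's own site has cost 0, so it always wins when it is up.
    Ties are broken alphabetically (an assumption of this sketch).
    """
    costs = site_costs(links, client_site)
    reachable = [s for s in available if s in costs]
    return sorted(reachable, key=lambda s: (costs[s], s))


def pick_target(links, client_site, available):
    """First entry of the failover order, or None if nothing is reachable."""
    order = failover_order(links, client_site, available)
    return order[0] if order else None
```

note that the direct idaho-ireland link (900) loses to the bridged path through iowa and new york (800), which is why link costs deserve a second look before these settings are turned on.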

this is stuff that’s been around for a while but is often overlooked. there’s plenty of information on it though. if you haven’t done this yet, it might be something to think about.
