SYSVOL - Clients connecting across WAN for SYSVOL data

Hi,

I have just implemented a brand new AD 2003 domain, and we using GPO's
heavily for settings and site logon scripts etc.

We are seeing some clients connect to remote sites to get GPO data on the
SYSVOL share, which is slowing down logon responsiveness.

After doing a packet trace, I see a "GET_DFS_REFERRAL" request from the
client to "\<domain>.local\sysvol" and it returns a full list of available
servers that hold a copy of that replicated share. Problem is, some clients
are being handed a site that is over a slow WAN link and it can take a few
mins before the GPO's are applied and scripts run etc.

Are there some settings I don’t know about with regards to FRS costings that
help the client identify which server is closest to pull the data from?

Cheers
A

Hello Andrew,

> We are seeing some clients connect to remote sites to get GPO data on the
> SYSVOL share, which is slowing down logon responsiveness.
>
> After doing a packet trace, I see a "GET_DFS_REFERRAL" request from the
> client to "\<domain>.local\sysvol" and it returns a full list of available
> servers that hold a copy of that replicated share. Problem is, some clients
> are being handed a site that is over a slow WAN link and it can take a few
> mins before the GPO's are applied and scripts run etc.
>
> Are there some settings I don’t know about with regards to FRS costings that
> help the client identify which server is closest to pull the data from?

Do you have implemented Sites in your Active Directory Domain? For each
physical Site you should create a Site with the correct Subnet. Then a
client tries to connect to a dc in his current Site/IP-Subnet.

--
Viele Grüße
Frank Röder
MVP Windows Server System - Directory Services
Ex oriente lux

My first thought is are all the ip addresses for the sites in AD Sites and
Services?

Best Practices
http://technet2.microsoft.com/Window....mspx?mfr=true

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"AndrewH" <AndrewH@discussions.microsoft.com> wrote in message
news:AD9DE54E-F087-4FDF-9AA0-8C7A5DDE3532@microsoft.com...
> Hi,
>
> I have just implemented a brand new AD 2003 domain, and we using GPO's
> heavily for settings and site logon scripts etc.
>
> We are seeing some clients connect to remote sites to get GPO data on the
> SYSVOL share, which is slowing down logon responsiveness.
>
> After doing a packet trace, I see a "GET_DFS_REFERRAL" request from the
> client to "\<domain>.local\sysvol" and it returns a full list of available
> servers that hold a copy of that replicated share. Problem is, some
> clients
> are being handed a site that is over a slow WAN link and it can take a few
> mins before the GPO's are applied and scripts run etc.
>
> Are there some settings I don't know about with regards to FRS costings
> that
> help the client identify which server is closest to pull the data from?
>
> Cheers
> A

Hi,

Yeah, I have setup all the correct sites with their servers and costings
assigned. The clients seem to be talking to the correct local server for
authentication, but when it attemps to connect to the SYSVOL share, a full
list of servers are returned - and its pretty much a lottery to which one it
connects to.

Seen this before?

Cheers
A

"Paul Bergson [MVP-DS]" wrote:

> My first thought is are all the ip addresses for the sites in AD Sites and
> Services?
>
> Best Practices
> http://technet2.microsoft.com/Window....mspx?mfr=true
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "AndrewH" <AndrewH@discussions.microsoft.com> wrote in message
> news:AD9DE54E-F087-4FDF-9AA0-8C7A5DDE3532@microsoft.com...
> > Hi,
> >
> > I have just implemented a brand new AD 2003 domain, and we using GPO's
> > heavily for settings and site logon scripts etc.
> >
> > We are seeing some clients connect to remote sites to get GPO data on the
> > SYSVOL share, which is slowing down logon responsiveness.
> >
> > After doing a packet trace, I see a "GET_DFS_REFERRAL" request from the
> > client to "\<domain>.local\sysvol" and it returns a full list of available
> > servers that hold a copy of that replicated share. Problem is, some
> > clients
> > are being handed a site that is over a slow WAN link and it can take a few
> > mins before the GPO's are applied and scripts run etc.
> >
> > Are there some settings I don't know about with regards to FRS costings
> > that
> > help the client identify which server is closest to pull the data from?
> >
> > Cheers
> > A
>
>
>

Hi,

Yeah, I have setup all the correct sites with their servers and costings
assigned. The clients seem to be talking to the correct local server for
authentication, but when it attemps to connect to the SYSVOL share, a full
list of servers are returned - and its pretty much a lottery to which one it
connects to.

Seen this before?

Cheers
A

""Frank Röder [MVP]"" wrote:

> Hello Andrew,
>
> > We are seeing some clients connect to remote sites to get GPO data on the
> > SYSVOL share, which is slowing down logon responsiveness.
> >
> > After doing a packet trace, I see a "GET_DFS_REFERRAL" request from the
> > client to "\<domain>.local\sysvol" and it returns a full list of available
> > servers that hold a copy of that replicated share. Problem is, some clients
> > are being handed a site that is over a slow WAN link and it can take a few
> > mins before the GPO's are applied and scripts run etc.
> >
> > Are there some settings I don’t know about with regards to FRS costings that
> > help the client identify which server is closest to pull the data from?
>
> Do you have implemented Sites in your Active Directory Domain? For each
> physical Site you should create a Site with the correct Subnet. Then a
> client tries to connect to a dc in his current Site/IP-Subnet.
>
> --
> Viele Grüße
> Frank Röder
> MVP Windows Server System - Directory Services
> Ex oriente lux
>

AndrewH schrieb:
> Hi,
>
> Yeah, I have setup all the correct sites with their servers and costings
> assigned. The clients seem to be talking to the correct local server for
> authentication, but when it attemps to connect to the SYSVOL share, a full
> list of servers are returned - and its pretty much a lottery to which one it
> connects to.
>
> Seen this before?
No, but i think i have a solution;-)

http://support.microsoft.com/kb/905846/en-us

--
Viele Grüße
Frank Röder
MVP Windows Server System - Directory Services
Ex oriente lux

Nice one, thats great. Can't believe I didn't find that myself.

I will check it out.

Thanks for your assistance.

Cheers
A

""Frank Röder [MVP]"" wrote:

> AndrewH schrieb:
> > Hi,
> >
> > Yeah, I have setup all the correct sites with their servers and costings
> > assigned. The clients seem to be talking to the correct local server for
> > authentication, but when it attemps to connect to the SYSVOL share, a full
> > list of servers are returned - and its pretty much a lottery to which one it
> > connects to.
> >
> > Seen this before?
> No, but i think i have a solution;-)
>
> http://support.microsoft.com/kb/905846/en-us
>
> --
> Viele Grüße
> Frank Röder
> MVP Windows Server System - Directory Services
> Ex oriente lux
>

But do you have the sub-nets setup as well?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"AndrewH" <AndrewH@discussions.microsoft.com> wrote in message
news:E4186A50-A8AB-4F72-86D4-DD5934FB5B1E@microsoft.com...
> Hi,
>
> Yeah, I have setup all the correct sites with their servers and costings
> assigned. The clients seem to be talking to the correct local server for
> authentication, but when it attemps to connect to the SYSVOL share, a full
> list of servers are returned - and its pretty much a lottery to which one
> it
> connects to.
>
> Seen this before?
>
> Cheers
> A
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> My first thought is are all the ip addresses for the sites in AD Sites
>> and
>> Services?
>>
>> Best Practices
>> http://technet2.microsoft.com/Window....mspx?mfr=true
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "AndrewH" <AndrewH@discussions.microsoft.com> wrote in message
>> news:AD9DE54E-F087-4FDF-9AA0-8C7A5DDE3532@microsoft.com...
>> > Hi,
>> >
>> > I have just implemented a brand new AD 2003 domain, and we using GPO's
>> > heavily for settings and site logon scripts etc.
>> >
>> > We are seeing some clients connect to remote sites to get GPO data on
>> > the
>> > SYSVOL share, which is slowing down logon responsiveness.
>> >
>> > After doing a packet trace, I see a "GET_DFS_REFERRAL" request from the
>> > client to "\<domain>.local\sysvol" and it returns a full list of
>> > available
>> > servers that hold a copy of that replicated share. Problem is, some
>> > clients
>> > are being handed a site that is over a slow WAN link and it can take a
>> > few
>> > mins before the GPO's are applied and scripts run etc.
>> >
>> > Are there some settings I don't know about with regards to FRS costings
>> > that
>> > help the client identify which server is closest to pull the data from?
>> >
>> > Cheers
>> > A
>>
>>
>>