| Author | Messages | |
rmscheck
Posts:249
 | | 09/21/2009 6:52 PM |
| Hi there..
Just a theoretical question in designing a hub and spoke topology...
If my hub has say, 5 DCs... and I have 100 spokes pointing to it.. is there some sort of theoretical limit to how many spokes should point to the hub. Won't there be at some point overloading of DCs in the hub as far as connection objects to it from all of the spokes? Say I had 200 spokes pointing there.. what then?
Rand.
| | | |
| florian
Posts:87
 | | 09/21/2009 6:56 PM |
| Howdie!
I'm not aware of a technical limit of a hub and spoke topology in terms of a max count of spokes you can connect to the hub. I guess this is bound to other limits not directly related to AD (hardware, link speed).
I believe the number of spokes you can "connect" is limited by
- the number of sites AD can actually manage (~1000?)
- the links and link speed that you have available for those spokes
- the load on hub DCs that replication and KCC rep topology generation puts on them.
- average rep traffic and other services on hub DCs (DFS? Do spokes have GCs?)
At least that's the limitations I can think of.
Cheers, Florian
| | | |
| listmail
Posts:824
 | | 09/21/2009 7:02 PM |
| Under Windows 2000 I had hubs with over a hundred spokes hanging off with no real issues. This is all traffic through the single bridgehead for the hub site. Windows Server 2003 made this even easier because it would load balance the connections between all of the DCs in the hub, not just beat up on a single bridgehead. Also you could force this rebalancing with a tool called ADLB (it works with Windows 2000 as well, I helped MSFT test and work out the kinks of the tool on Windows 2000).
In general, the longer your replication period is or the less churn you have, the more DCs, IMO, you can hang off a given hub DC. The main key is to make sure you get through all of the partner's NCs every period so you don't start backing up... I.E. You haven't finished replicating to the set of DCs that need replication in period 1 before period 2 starts. So say you have site links all set to 15 minute replication periods (extremely normal from all enterprises I have seen), you want to make sure you can normally get through all partners in that 15 minute period.
One of the best, IMO, ways of monitoring if you have too many replication partners hung off a given DC is to watch for the DRA Pending Replication Synchronizations counter on DCs to come back to zero and how long it takes for that to occur. I have mentioned this counter several times on this list if you look through the archives. Unfortunately most monitoring apps seem to screw up monitoring of this counter. They look at the high count value and if it goes over some threshold it starts warning. I have never worried how large the number gets as long as it gets back to zero every replication period. I would regularly see the counter up near 2000 and it wasn't an issue. You will get a pending repl sync added to the counter for every NC that needs to replicate for every DC it replicates with every repl period. Let me restate that but with an example.
Say I have 10 sites with DCs hung off of a single hub DC. Say there are 6 NCs that have to be replicated to all 10 DCs... Config, Schema, Default, and three additional RO NCs (this would be normal for a four domain forest which is pretty standard). Further say that the replication schedule for all 10 sites is every 15 minutes. Four times an hour you should see the DRA Pending Repl Sync counter jump to 60. 10 DCs x 6 NCs is 60 NCs to replicate in. In general 60 or even 6000 isn't an issue because most NCs in a hub and spoke setup have very little to no data to replicate so the DCs are usually just saying "hey, how's the weather" and off to the next NC... Anyway, as long as that counter comes back to zero every 15 minutes as well, you aren't being overloaded from the inbound side. When I set up monitoring of this, I actually would have it make sure it came back to zero every 30 minutes, if it didn't, it logs an error that I could see next time I was in the office. If it didn't come back to zero at least once in an hour I would have it page me. The inbound side on the hub DCs is where I have run into the most issues, and usually, in all honesty, it is network issue related where I get too much latency and the remote DC cannot maintain good RPC connectivity and you get hung up on that one DC and that causes the whole hub DC to back up because there is but a single inbound thread. This got considerably better with Windows Server 2003 due to several optimizations in how RPC timeouts were handled as well as how duplicate sync requests queued.
Now you should also watch, though I have never seen as many issues with, outbound replication. Because if you have a lot of churn, it is possible for a hub DC to get bogged down feeding those changes to the downstream DCs. It is much better than it is for inbound repl though. Where inbound repl has but a single thread, there are multiple threads for the outbound side. I once thought I understood how many threads there were and I understood that to be 25 but later determined I wasn't truly sure about that other than I knew it was greater than one. If you have WAN site DCs that have a DRA Pending that isn't going back to zero, you likely have a hub DC that is dealing with a combination of too many partners with too much churn.
I do not think you will find guidance of "if you have an xyz capable machine, you can have abc downstream replication partners". The answer as it is with so many things in this field is "it depends". If you have little churn with decent network you should be able to have several hundreds of downstream replication partners with little to no issue. If you have a lot of churn or poor networks, you may only be able to get away with double digit or less downstream partners. Your main warning will be on the DRA Pending counter I mention. If you see that constantly getting backed up, you need to start digging into things a little.
You can watch the replication queue in near real time with my adqueueloop tool on my website. Any time I have a DC that has a DRA Pending counter that is backed up I fire up the tool and look at what is currently in the queue causing the heartache. I also just run it occasionally to see what is going on. Nice to look at things when they are allegedly working fine sometimes and not just when things are broken. Gives you familiarity of what it normally looks like.
Now back to my turkey swiss on wheat... ;o)
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
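The return-to-zero check described in the post above, as an added PowerShell example that is not part of the original message or of joe's own tooling. The function names, the 5-minute sampling interval and the sample values are assumptions constructed for illustration; the 30 and 60 minute thresholds and the counter path are the ones given in this thread.

```powershell
# Alert on how long "DRA Pending Replication Synchronizations" has gone
# without reading zero, not on how high the value climbs.

function Get-DraPendingSync {
    # Live reading from one DC (hypothetical helper, not used by the demo below).
    param([Parameter(Mandatory = $true)] [string] $ComputerName)
    $path = '\NTDS\DRA Pending Replication Synchronizations'
    $set  = Get-Counter -Counter $path -ComputerName $ComputerName
    New-Object PSObject -Property @{
        Time  = $set.Timestamp
        Value = [int]$set.CounterSamples[0].CookedValue
    }
}

function Test-DraPendingSyncBacklog {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Samples,  # objects with Time, Value
        [int] $ErrorAfterMinutes = 30,   # log an error
        [int] $PageAfterMinutes  = 60    # page someone
    )

    $ordered = @($Samples | Sort-Object Time)
    if ($ordered.Count -eq 0) { return }

    # Until a zero is seen, measure from the first sample.
    $lastZero = $ordered[0].Time
    $level    = 'OK'   # highest severity already raised for the current backlog
    $peak     = 0

    foreach ($s in $ordered) {
        if ($s.Value -eq 0) {
            # Queue drained: whatever the peak was, the DC kept up.
            $lastZero = $s.Time
            $level    = 'OK'
            $peak     = 0
            continue
        }

        if ($s.Value -gt $peak) { $peak = $s.Value }
        $minutes = ($s.Time - $lastZero).TotalMinutes

        $newLevel = 'OK'
        if     ($minutes -ge $PageAfterMinutes)  { $newLevel = 'Page' }
        elseif ($minutes -ge $ErrorAfterMinutes) { $newLevel = 'Error' }

        # Raise each severity once per backlog, not once per sample.
        if ($newLevel -ne 'OK' -and $newLevel -ne $level) {
            $level = $newLevel
            New-Object PSObject -Property @{
                Time             = $s.Time
                Severity         = $newLevel
                MinutesSinceZero = [int]$minutes
                PeakPending      = $peak
            }
        }
    }
}

# Constructed samples, one every 5 minutes from 09:00.
# The spike to 2000 drains by 09:15 and must not alert.
# The backlog that starts after the 09:25 zero does not drain until 10:35.
$start  = [datetime]'2009-09-17T09:00:00'
$values = 0, 2000, 400, 0, 60, 0,
          60, 75, 120, 130, 180, 190,
          240, 250, 300, 310, 360, 370,
          200, 0

$samples = for ($i = 0; $i -lt $values.Count; $i++) {
    New-Object PSObject -Property @{
        Time  = $start.AddMinutes(5 * $i)
        Value = $values[$i]
    }
}

Test-DraPendingSyncBacklog -Samples $samples |
    Select-Object Time, Severity, MinutesSinceZero, PeakPending |
    Format-Table -AutoSize
```

For live use, collect readings from Get-DraPendingSync on a schedule and pass the accumulated history to Test-DraPendingSyncBacklog.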
| | | |
| hcoleman
Posts:134
 | | 09/21/2009 7:06 PM |
| Besides perfmon?
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
Sent: Thursday, September 17, 2009 11:18 AM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Hub-Spoke limit?
Very interesting. So, Joe while using your adqueueloop against a particular DC you can determine the delta/Operation status, what would be a quick way to check the DRA PRS counter?
Adqueueloop.exe -h MYTESTDC
Current Local Machine Time: 09/17/2009-12:13:48.93
Delta (seconds): 0.093
Previous Displayed Op completed.

Current Local Machine Time: 09/17/2009-12:14:03.406
Pending Ops: 1
Current Op start time (server): 09/17/2009-12:14:03.00
Delta (seconds): 0.406
| | | |
| RickSheikh
Posts:373
 | | 09/21/2009 7:06 PM |
| Yes, besides perfmon.
| | | |
| robertsingers
Posts:579
 | | 09/21/2009 7:10 PM |
| To save people the googling (Binging or is it Bong?)
GWMI -computer <dc name here> "Win32_PerfFormattedData_NTDS_NTDS" | Select-object DRAPendingReplicationSynchronizations
________________________________
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Friday, 18 September 2009 7:22 a.m.
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Hub-Spoke limit?
Perfmon or your monitoring utility of choice.
If you just want to watch the current value on a given DC you can do something like
typeperf "\\servername\NTDS\DRA Pending Replication Synchronizations"
Alternately you could write a WMI script in your script language of choice to pull the values.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
| | | |
| robertsingers
Posts:579
 | | 09/21/2009 7:31 PM |
| It is an interesting counter. I had no luck doing a WQL query just to pull it back by itself but it comes fine when you grab the entire class.
________________________________ From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Saturday, 19 September 2009 3:32 a.m. To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Hub-Spoke limit?
Thanks Rob. However I just wanted to point out that while attempting this query you may run into a known issue (Get-WmiObject : Invalid class), where the Directory Service incorrectly handles the performance counters; there is a hotfix for this (http://support.microsoft.com/kb/941084).
Additionally, if you would like to run this query against all your DCs (within the domain boundary), you may try this:
Get-QADComputer -ComputerRole DomainController | % { GWMI -ComputerName $_.Name "Win32_PerfFormattedData_NTDS_NTDS" | Select __SERVER,DRAPendingReplicationSynchronizations }
On Thu, Sep 17, 2009 at 4:42 PM, Robert Singers <Robert.Singers@dbh.govt.nz> wrote: To save people the googling (Binging or is it Bong?)
GWMI -computer <dc name here> "Win32_PerfFormattedData_NTDS_NTDS" | Select-object DRAPendingReplicationSynchronizations
________________________________ From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe Sent: Friday, 18 September 2009 7:22 a.m. To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Hub-Spoke limit?
Perfmon or your monitoring utility of choice.
If you just want to watch the current value on a given DC you can do something like
typeperf "\\servername\NTDS\DRA Pending Replication Synchronizations"
Alternately you could write a WMI script in your script language of choice to pull the values.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
________________________________ From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Thursday, September 17, 2009 1:18 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Hub-Spoke limit?
Very interesting. So, Joe, while using your adqueueloop against a particular DC you can determine the delta/Operation status, what would be a quick way to check the DRA PRS counter?
Adqueueloop.exe -h MYTESTDC
Current Local Machine Time: 09/17/2009-12:13:48.93
Delta (seconds): 0.093
Previous Displayed Op completed.
Current Local Machine Time: 09/17/2009-12:14:03.406
Pending Ops: 1
Current Op start time (server): 09/17/2009-12:14:03.00
Delta (seconds): 0.406
On Thu, Sep 17, 2009 at 11:25 AM, joe <listmail@joeware.net> wrote: Under Windows 2000 I had hubs with over a hundred spokes hanging off with no real issues. This is all traffic through the single bridgehead for the hub site. Windows Server 2003 made this even easier because it would load balance the connections between all of the DCs in the hub, not just beat up on a single bridgehead. Also you could force this rebalancing with a tool called ADLB (it works with Windows 2000 as well, I helped MSFT test and work out the kinks of the tool on Windows 2000).
In general, the longer your replication period is or the less churn you have, the more DCs, IMO, you can hang off a given hub DC. The main key is to make sure you get through all of the partner's NCs every period so you don't start backing up... I.E. You haven't finished replicating to the set of DCs that need replication in period 1 before period 2 starts. So say you have site links all set to 15 minute replication periods (extremely normal from all enterprises I have seen), you want to make sure you can normally get through all partners in that 15 minute period.
One of the best, IMO, ways of monitoring if you have too many replication partners hung off a given DC is to watch for the DRA Pending Replication Synchronizations counter on DCs to come back to zero and how long it takes for that to occur. I have mentioned this counter several times on this list if you look through the archives. Unfortunately most monitoring apps seem to screw up monitoring of this counter. They look at the high count value and if it goes over some threshold it starts warning. I have never worried how large the number gets as long as it gets back to zero every replication period. I would regularly see the counter up near 2000 and it wasn't an issue. You will get a pending repl sync added to the counter for every NC that needs to replicate for every DC it replicates with every repl period. Let me restate that but with an example.
Say I have 10 sites with DCs hung off of a single hub DC. Say there are 6 NCs that have to be replicated to all 10 DCs... Config, Schema, Default, and three additional RO NCs (this would be normal for a four domain forest which is pretty standard). Further say that the replication schedule for all 10 sites is every 15 minutes. Four times an hour you should see the DRA Pending Repl Sync counter jump to 60. 10 DCs x 6 NCs is 60 NCs to replicate in. In general 60 or even 6000 isn't an issue because most NCs in a hub and spoke setup have very little to no data to replicate so the DCs are usually just saying "hey, how's the weather" and off to the next NC... Anyway, as long as that counter comes back to zero every 15 minutes as well, you aren't being overloaded from the inbound side. When I set up monitoring of this, I actually would have it make sure it came back to zero every 30 minutes, if it didn't, it logs an error that I could see next time I was in the office. If it didn't come back to zero at least once in an hour I would have it page me. The inbound side on the hub DCs is where I have run into the most issues, and usually, in all honesty, it is network issue related where I get too much latency and the remote DC cannot maintain good RPC connectivity and you get hung up on that one DC and that causes the whole hub DC to back up because there is but a single inbound thread. This got considerably better with Windows Server 2003 due to several optimizations in how RPC timeouts were handled as well as how duplicate sync requests queued.
Now you should also watch, though I have never seen as many issues with, outbound replication. Because if you have a lot of churn, it is possible for a hub DC to get bogged down feeding those changes to the downstream DCs. It is much better than it is for inbound repl though. Where inbound repl has but a single thread, there are multiple threads for the outbound side. I once thought I understood how many threads there were and I understood that to be 25 but later determined I wasn't truly sure about that other than I knew it was greater than one. If you have WAN site DCs that have a DRA Pending that isn't going back to zero, you likely have a hub DC that is dealing with a combination of too many partners with too much churn.
I do not think you will find guidance of "if you have an xyz capable machine, you can have abc downstream replication partners". The answer as it is with so many things in this field is "it depends". If you have little churn with decent network you should be able to have several hundreds of downstream replication partners with little to no issue. If you have a lot of churn or poor networks, you may only be able to get away with double digit or less downstream partners. Your main warning will be on the DRA Pending counter I mention. If you see that constantly getting backed up, you need to start digging into things a little.
You can watch the replication queue in near real time with my adqueueloop tool on my website. Any time I have a DC that has a DRA Pending counter that is backed up I fire up the tool and look at what is currently in the queue causing the heartache. I also just run it occasionally to see what is going on. Nice to look at things when they are allegedly working fine sometimes and not just when things are broken. Gives you familiarity of what it normally looks like.
Now back to my turkey swiss on wheat... ;o)
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rand Salazar Sent: Wednesday, September 16, 2009 2:26 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Hub-Spoke limit?
Hi there..
Just a theoretical question in designing a hub and spoke topology...
If my hub has say, 5 DCs... and I have 100 spokes pointing to it.. is there some sort of theoretical limit to how many spokes should point to the hub. Won't there be at some point overloading of DCs in the hub as far as connection objects to it from all of the spokes? Say I had 200 spokes pointing there.. what then?
Rand.
| | | |
|
|
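Added example, not code from the thread or from any of the posters: the drain rule joe describes above (the peak value does not matter, the counter has to get back to zero; log after 30 minutes without a zero, page after an hour) applied to a window of counter samples. The function name, the sample layout and the DC names are assumptions, and the samples are constructed.

```powershell
# Added example. Applies the rule from the thread: ignore how high the
# DRA Pending Replication Synchronizations counter goes, alert only when
# it fails to return to zero. Function and DC names are hypothetical.
function Test-DraPendingDrain {
    param(
        [Parameter(Mandatory)] [object[]] $Samples,  # objects with Dc, Time, Pending
        [int] $LogMinutes  = 30,   # thread: log an error if no zero in 30 minutes
        [int] $PageMinutes = 60    # thread: page if no zero in an hour
    )
    foreach ($group in ($Samples | Group-Object Dc)) {
        $ordered = @($group.Group | Sort-Object Time)
        $ref  = $ordered[0].Time   # window start, then time of the latest zero
        $gap  = 0                  # longest stretch (minutes) without a zero
        $peak = 0
        foreach ($s in $ordered) {
            $gap  = [math]::Max($gap, ($s.Time - $ref).TotalMinutes)
            $peak = [math]::Max($peak, $s.Pending)
            if ($s.Pending -eq 0) { $ref = $s.Time }
        }
        $status = 'OK'
        if ($gap -ge $LogMinutes)  { $status = 'LogError' }
        if ($gap -ge $PageMinutes) { $status = 'Page' }
        [pscustomobject]@{
            Dc = $group.Name; Peak = $peak
            LongestGapMinutes = [int]$gap; Status = $status
        }
    }
}

# Constructed samples (not real data), written as "minute:counter value".
# Live values could instead come from Get-Counter or the GWMI query above.
$t0 = [datetime]'2009-09-17T12:00:00'
$constructed = [ordered]@{
    HUBDC1 = '0:0 15:60 20:0 30:60 35:0 45:60 50:0'         # spikes to 60, drains
    HUBDC2 = '0:0 15:2000 28:0 30:1900 44:0 45:2000 59:0'   # huge peaks, still drains
    HUBDC3 = '0:0 15:60 30:40 40:0 45:60 50:0'              # one 40-minute backlog
    HUBDC4 = '0:0 15:60 30:75 45:90 60:110 75:130'          # never drains
}
$samples = foreach ($dc in $constructed.Keys) {
    foreach ($pair in ($constructed[$dc] -split ' ')) {
        $m, $v = $pair -split ':'
        [pscustomobject]@{ Dc = $dc; Time = $t0.AddMinutes([int]$m); Pending = [int]$v }
    }
}
Test-DraPendingDrain -Samples $samples | Format-Table -AutoSize
```

The gap is measured from the first sample when the window contains no earlier zero, so a short window can understate how long a DC has been backed up.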