AD and GPO

  • Question

  • Hi
    Anyone has some experience in analyzing GPO performance in sites without local DCs? My question is more related to using network monitoring tools to find out the root cause of the problem. I understand a bit now about how some protocols are involved, not all yet, and how traffic should flow. But what to look for in cap files to see what's wrong?

    Like what is the impact of IP fragmentation, what if an ACK is lost? What should proper traffic basically look like?

    Saturday, June 20, 2009 9:03 PM

All replies

  • This is certainly a very involved question as it requires knowledge about AD, GPO and general network traffic.  And while we can try to get through the details on this forum, it might be difficult to get very specific without looking at traces and a specific problem.

    My guess is that the bulk of AD/GPO traffic is LDAP lookups and File transfers.  I'd also guess that the file transfers are done via SMB or SMB2.  I suppose you can confirm both by taking a sniff during a known GPO update and look at the traffic based on the IP address or Machine address.

    The next step, in terms of performance, is a baseline.  As you are comparing this to sites with local DCs vs not, then a trace from a site with a DC might be a good comparison.

    Once you have a baseline you can start to compare.  Given you have the exact same traffic from an AD/GPO point of view then you can compare response times for complete transactions.  But even if you don't you can still compare individual response times, in the case of LDAP, look for an LDAP response and the subsequent response.  You can use the Time Delta column (you can add this to the columns) and filter down on the conversation (right click, find conversation -> LDAP).  This will update the time delta based on the last filtered frame. You can then get an idea of how long it takes each request to get done.

    The same thing can be done for file transfers, though I can't say for sure GPO would need to move files around.  But doing this based on SMB/SMB2 is basically the same thing.  The difference here is that you will also be concerned with the time to move files around.  At the top level, SMB has transfer sizes per request that could be different depending on the location.  So you could compare that to your baseline.  The other issue, which you allude to, is packet loss and other network problems.  I would look for resets and TCP retransmits (filter is property.tcpretransmits==1).  If you get more remotely, this could affect your transfers, though some level of retransmits can be expected.  If you want to go into more detail on this subject we can, but let me stop here for now.


    Tuesday, June 23, 2009 7:31 PM
  • Thanks for your reply Paul and indeed this requires knowledge about AD/GPO and also how to interpret the actual traffic. Purpose of working with this subject is to learn more about how the traffic behaves and can we use sniffing also as a tool to find root causes? Of course there are more techniques to find out if GPOs are properly applied to workstations.

    First of all I have been using the netcap tool which is part of the support tools. And as I learned it's a tool just 50KB big and works independently. I mean it doesn't need any other system DLLs or whatever. So it's easy to move it around on systems without completely installing Windows support tools. This works fine in XP but doesn't work in Vista.

    Then about the sites. I am speaking basically about sites without a local DC. GPOs are defined in the same way all over. GPO setup and OU structure is the same. I speak about sites that have a DC and no DC.  And I can compare netcap results to a site that has a DC as well.

    So far from the moment you open a DOS box and run the command GPUPDATE then sniffing shows me several protocols are involved: CLDAP, ICMP, TCP, IP, DCERP, EPM, RPC_NETL, LDAP, SMB. SMB is mostly involved in transferring the GPO to the client. Others are also important for the connection over the WAN but SMB seems to be doing the actual GPO work.

    What I understand from you is to try the following:
    1. Make traffic analyses on a site with a DC.
    2. Check for time deltas in LDAP traffic and SMB traffic.
    3. Look for TCP resets.
    4. Look for retransmissions, keeping in mind that this could be part of the normal traffic.
    5. Look for IP fragmentation, although it is not clear to me what the effect of this is on GPO monitoring.


    Wednesday, June 24, 2009 2:14 PM
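Added example (not code from this thread or from any Microsoft tool): a small Python script that applies the procedure Paul describes and the five-step list above to a packet summary. It computes per-conversation request-to-response time deltas for LDAP and SMB, counts TCP resets and retransmits, and compares a site without a local DC against a baseline trace from a site that has one. The `Frame` record layout, the IP addresses and all sample frames are constructed for the example; a real Network Monitor or Wireshark export would first have to be mapped onto these fields.

```python
"""Offline triage of a packet-summary export (constructed sample data).

Steps mirrored from the thread: baseline trace from a site with a DC,
time deltas per LDAP/SMB request, TCP resets, TCP retransmits.
The Frame layout and every sample row below are assumptions for this
example, not a real NetMon/Wireshark export format.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass
class Frame:
    t: float            # capture timestamp in seconds
    src: str
    dst: str
    proto: str          # "LDAP", "SMB" or "TCP" (bare control frame)
    kind: str           # "req", "resp", or "" for bare TCP frames
    msgid: int = 0      # LDAP messageID / SMB MID pairing request with response
    rst: bool = False   # TCP RST flag set
    retransmit: bool = False  # analyzer flagged this frame as a retransmit


CLIENT, DC = "10.0.0.5", "10.1.0.10"   # constructed addresses

# Constructed baseline: client and DC on the same LAN, sub-10 ms replies.
BASELINE = [
    Frame(0.000, CLIENT, DC, "LDAP", "req", 1), Frame(0.004, DC, CLIENT, "LDAP", "resp", 1),
    Frame(0.010, CLIENT, DC, "LDAP", "req", 2), Frame(0.015, DC, CLIENT, "LDAP", "resp", 2),
    Frame(0.020, CLIENT, DC, "SMB", "req", 1),  Frame(0.026, DC, CLIENT, "SMB", "resp", 1),
]

# Constructed remote site: WAN latency, one retransmitted SMB request,
# one RST, and one LDAP request that never gets an answer.
REMOTE = [
    Frame(0.000, CLIENT, DC, "LDAP", "req", 1), Frame(0.090, DC, CLIENT, "LDAP", "resp", 1),
    Frame(0.100, CLIENT, DC, "LDAP", "req", 2), Frame(0.190, DC, CLIENT, "LDAP", "resp", 2),
    Frame(0.200, CLIENT, DC, "SMB", "req", 1),
    Frame(0.250, CLIENT, DC, "SMB", "req", 1, retransmit=True),
    Frame(0.300, DC, CLIENT, "SMB", "resp", 1),
    Frame(0.400, DC, CLIENT, "TCP", "", rst=True),
    Frame(0.500, CLIENT, DC, "LDAP", "req", 3),
]


def response_times(frames: List[Frame], proto: str) -> List[float]:
    """Seconds from each request to its matching response, in capture order.

    A retransmitted request keeps the original send time (setdefault), so the
    delta reflects what the client actually waited, not the last retry.
    """
    pending: Dict[int, float] = {}
    deltas: List[float] = []
    for f in sorted(frames, key=lambda f: f.t):
        if f.proto != proto:
            continue
        if f.kind == "req":
            pending.setdefault(f.msgid, f.t)
        elif f.kind == "resp" and f.msgid in pending:
            deltas.append(round(f.t - pending.pop(f.msgid), 3))
    return deltas


def unanswered(frames: List[Frame], proto: str) -> int:
    """Requests of `proto` that never saw a response in the capture."""
    reqs = {f.msgid for f in frames if f.proto == proto and f.kind == "req"}
    resps = {f.msgid for f in frames if f.proto == proto and f.kind == "resp"}
    return len(reqs - resps)


def tcp_resets(frames: List[Frame]) -> int:
    return sum(1 for f in frames if f.rst)


def tcp_retransmits(frames: List[Frame]) -> int:
    return sum(1 for f in frames if f.retransmit)


def summarize(frames: List[Frame]) -> Dict[str, float]:
    """One row per trace: mean delta per protocol plus loss indicators."""
    out: Dict[str, float] = {}
    for proto in ("LDAP", "SMB"):
        d = response_times(frames, proto)
        out[f"{proto.lower()}_mean"] = round(mean(d), 4) if d else 0.0
        out[f"{proto.lower()}_unanswered"] = unanswered(frames, proto)
    out["resets"] = tcp_resets(frames)
    out["retransmits"] = tcp_retransmits(frames)
    return out


def compare(baseline: List[Frame], remote: List[Frame]) -> Dict[str, float]:
    """Slowdown factor of the remote site per protocol (remote / baseline)."""
    b, r = summarize(baseline), summarize(remote)
    return {
        f"{p}_slowdown": round(r[f"{p}_mean"] / b[f"{p}_mean"], 2) if b[f"{p}_mean"] else 0.0
        for p in ("ldap", "smb")
    }


if __name__ == "__main__":
    for name, trace in (("site with DC", BASELINE), ("site without DC", REMOTE)):
        print(name, summarize(trace))
    print("slowdown", compare(BASELINE, REMOTE))
```

The point of keeping the first send time for a retransmitted request is the one the thread raises in step 4: some retransmits are normal, so what matters is the delay the client experiences, while a raised `retransmits` or `resets` count alongside a large slowdown factor is the signal that the WAN path, not the GPO itself, is the place to look.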
  • That is correct on 1-4. 

    For #5, IP fragmentation is rare these days.  If it is happening, the effect is that it takes more packets to get the job done.  You can compare that effect with a trace with a local DC and see if the end-to-end effect of a file transfer or LDAP lookup is affected.

    Wednesday, June 24, 2009 2:33 PM
  • Ok, following then:

    I can check a site without a DC and how that performs.
    I can check a site with a DC and check how that performs.
    I can compare these files according to your recommendations.
    GPO and OU setup is the same all over in the environment.

    Will be back about this.


    Tuesday, June 30, 2009 8:38 AM