2nd site questions

[Anderson]

Hi All,

I have just added a 2nd site with a member DC to our SBS network,
connected via MS VPN between the 2 servers.

The users at the new site are complaining of slow speeds accessing their
"my documents" and while using outlook.

I was planning on changing the users in the other site to use "Outlook
over http", is that the best solution?

Now, I am assuming that the "My Documents" access is slow because it is
redirected to the SBS server. DFS file replication looks like a good
solution for this - I can redirect all the folders to \\domain\Users and
replicate the folders to the other site. This has been disabled in SBS
though :-(

Will DFS replication be enabled when I install the transition pack?

What other solutions are there?

[Lanwench [MVP - Exchange]]

Anderson <ande...@bobsyouruncle.com> wrote:
> Hi All,
>
> I have just added a 2nd site with a member DC to our SBS network,
> connected via MS VPN between the 2 servers.

I'd have recommended IPSEC VPN between two hardware endpoints - I like
SonicWALL for this.

>
> The users at the new site are complaining of slow speeds accessing
> their "my documents" and while using outlook.
>
> I was planning on changing the users in the other site to use "Outlook
> over http", is that the best solution?

Yes indeed, with cached mode. All your users should use cached mode, too....

>
>
>
> Now, I am assuming that the "My Documents" access is slow because it
> is redirected to the SBS server. DFS file replication looks like a
> good solution for this - I can redirect all the folders to
> \\domain\Users and replicate the folders to the other site. This has
> been disabled in SBS though :-(

Hmm - got R2?

>
> Will DFS replication be enabled when I install the transition pack?

Why would you be installing the transition pack?

>
> What other solutions are there?

You can put these users in another OU, and set their folder redirection to
their local DC via a custom group policy. I don't like using the built in
"folder redirection" checkbox and prefer to create my own GPOs.

You can use robocopy to copy the remote site data to your main server via a
batch file scheduled to run nightly.

[Anderson]

Lanwench [MVP - Exchange] wrote:
> Anderson <ande...@bobsyouruncle.com> wrote:
>> Hi All,
>>
>> I have just added a 2nd site with a member DC to our SBS network,
>> connected via MS VPN between the 2 servers.
>
> I'd have recommended IPSEC VPN between two hardware endpoints - I like
> SonicWALL for this.

Can anyone point me to a network diagram of how this might be set up?
Would the VPN link be inside your ISA server? Would this affect "Road
Warrior" VPN connections to the SBS server?

We currently have a cisco 871 at each site.

>> The users at the new site are complaining of slow speeds accessing
>> their "my documents" and while using outlook.
>>
>> I was planning on changing the users in the other site to use "Outlook
>> over http", is that the best solution?
>
> Yes indeed, with cached mode. All your users should use cached mode, too....

Done, outlook seems to be running much better now.

>>
>>
>> Now, I am assuming that the "My Documents" access is slow because it
>> is redirected to the SBS server. DFS file replication looks like a
>> good solution for this - I can redirect all the folders to
>> \\domain\Users and replicate the folders to the other site. This has
>> been disabled in SBS though :-(
>
> Hmm - got R2?

Yes, I have R2, but it seems that DFS replication has been removed from
SBS - If someone could let me know how to get DFS replication installed
on SBS, that would be great!

>
>> Will DFS replication be enabled when I install the transition pack?
>
> Why would you be installing the transition pack?

We are currently at about 60 users, and will soon reach the 75 user
limit, so I will need to load the transition pack fairly soon.

If the DFS replication has been disabled in SBS, then will loading the
transition pack enable it?

>
> You can put these users in another OU, and set their folder redirection to
> their local DC via a custom group policy. I don't like using the built in
> "folder redirection" checkbox and prefer to create my own GPOs.
>

Can someone point me to some documentation on setting up another OU?

> You can use robocopy to copy the remote site data to your main server via a
> batch file scheduled to run nightly.
>

Some of the users with notebooks, travel between sites regularly - I
would hate to lose data, by copying in the wrong direction.

More questions ...

How should the DNS server at the remote site be setup? Currently I have
the DNS server running, but it seems to get out of sync with the head
office.

Should I be able to see the computers at the remote site under "Network
places->Entire Network"? What do I need to do to get this working?

[Terence Liu [MSFT]]

Hello Anderson,

Thank you for posting here.

According to your description, I understand that the remote VPN site
clients access their My Documents are very slow. If I have misunderstood
the problem, please don't hesitate to let me know.

Suggestion 1: Based on my research, all clients' My Documents will redirect
to SBS by default. The document access traffic will go through VPN
connection, therefore, the remote site clients access their My Documents
will be very slow. We have 2 methods to resolve this issue: make the My
Documents access does not go through VPN or improve bandwidth of VPN.

The VPN bandwidth is mostly depend on the 2 sites Internet connection
bandwidth. To improve bandwidth of VPN, you can change 2 sites ISP or lease
higher speed Internet connection line. Of course, you can try to change the
VPN devices from SBS to your Cisco router to see if it help. For how to
setup site-to-site VPN thru Cisco devices, please contact Cisco support.

Note: If you setup site-to-site VPN thru hardware device, you need to make
your SBS and remote site DC work as single NIC.

Suggestion 2: For the DFS replication with SBS 2003 R2, there is a list:

Windows server 2003 R2 technologies included in Small Business Server 2003
R2:

* File System Resource Manager (FSRM)
* MMC 3.0

Windows server 2003 R2 technologies NOT included in SBS 2003 R2:

* DFS-Replication (DFS-R)
* ADFS
* Printer Management Console
* Storage Manager for SANs

Therefore, the DFS replication is not support by SBS 2003 R2. If you
install SBS 2003 R2 Transition Pack on SBS, the SBS 2003 R2 will become
Windows server 2003 R2. Then, you can install the DFS replication component
on it.

Suggestion 3: You have some mobile users with laptops, they will move
between the 2 sites. So setup customize GPO for different users in
different sits about My Documents Redirection is not suit for the mobile
users. From your condition, I suggest you totally disable the My Documents
Redirection for all users. My Documents on every client store in local. It
will total solve the slow access issue.

To disable My Document redirection, please open Server Management console,
locate on Users node, click Configure My Documents Redirection link in
right pane, select Do not redirect My Documents Folders option, click OK.
Then restart client computers to apply this settings.

Suggestion 4: For you additional questions, please understand that our
newsgroup is an issue based service, meaning we usually respond to one
question/issue per post. This will lessen the confusion for both of us, as
well as ensure that our results are accurate and not a result of a test for
a different question. Therefore, I will work with you on the slow access
question in this post. Regarding the additional questions, I suggest you
create a new post for getting more quick assistance. Or, I will work with
you about them after we resolved the original issue.

I hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Date: Thu, 01 Nov 2007 10:19:30 +1100
| From: Anderson <ande...@bobsyouruncle.com>
| User-Agent: Thunderbird 2.0a1 (Windows/20060724)
| MIME-Version: 1.0
| Subject: Re: 2nd site questions
| References: <eUQf5#2GIHA...@TK2MSFTNGP04.phx.gbl>
<ukUs8v8G...@TK2MSFTNGP03.phx.gbl>
| In-Reply-To: <ukUs8v8G...@TK2MSFTNGP03.phx.gbl>
| Content-Type: text/plain; charset=ISO-8859-1; format=flowed
| Content-Transfer-Encoding: 7bit
| Message-ID: <ef5wmRB...@TK2MSFTNGP06.phx.gbl>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: wallte.lnk.telstra.net 139.130.205.10
| Lines: 1
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP06.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:73018
| X-Tomcat-NG: microsoft.public.windows.server.sbs

[Lanwench [MVP - Exchange]]

Anderson <ande...@bobsyouruncle.com> wrote:
> Lanwench [MVP - Exchange] wrote:
>> Anderson <ande...@bobsyouruncle.com> wrote:
>>> Hi All,
>>>
>>> I have just added a 2nd site with a member DC to our SBS network,
>>> connected via MS VPN between the 2 servers.
>>
>> I'd have recommended IPSEC VPN between two hardware endpoints - I
>> like SonicWALL for this.
>
> Can anyone point me to a network diagram of how this might be set up?

Sorry, don't have anything handy.

> Would the VPN link be inside your ISA server?

It would preclude your using ISA. I use decent hardware appliances as
firewalls and a single NIC in my servers, and would keep it that way.

> Would this affect "Road
> Warrior" VPN connections to the SBS server?

Not necessarily. But I'd have them use the Sonicwall Global VPN client - or
one of the Sonicwall SSL VPN appliances. However, I rarely need users to
have VPN access, as RPC over HTTP and RWW suffice.

>
> We currently have a cisco 871 at each site.

I don't know the Cisco line - if those are just routers, you need firewalls.

>
>>> The users at the new site are complaining of slow speeds accessing
>>> their "my documents" and while using outlook.
>>>
>>> I was planning on changing the users in the other site to use
>>> "Outlook over http", is that the best solution?
>>
>> Yes indeed, with cached mode. All your users should use cached mode,
>> too....
>
> Done, outlook seems to be running much better now.

Excellent.

>
>>>
>>>
>>> Now, I am assuming that the "My Documents" access is slow because it
>>> is redirected to the SBS server. DFS file replication looks like a
>>> good solution for this - I can redirect all the folders to
>>> \\domain\Users and replicate the folders to the other site. This has
>>> been disabled in SBS though :-(
>>
>> Hmm - got R2?
>
> Yes, I have R2, but it seems that DFS replication has been removed
> from SBS - If someone could let me know how to get DFS replication
> installed on SBS, that would be great!

Apparently it isn't possible, according to Terrence's reply....

>
>>
>>> Will DFS replication be enabled when I install the transition pack?
>>
>> Why would you be installing the transition pack?
>
> We are currently at about 60 users, and will soon reach the 75 user
> limit, so I will need to load the transition pack fairly soon.
>
> If the DFS replication has been disabled in SBS, then will loading the
> transition pack enable it?

Apparently so.

>
>>
>> You can put these users in another OU, and set their folder
>> redirection to their local DC via a custom group policy. I don't
>> like using the built in "folder redirection" checkbox and prefer to
>> create my own GPOs.
>
> Can someone point me to some documentation on setting up another OU?

You just open ADUC and right-click in the appropriate location where you
want to create it :)

But for the My Documents folder redirection alone, you don't need to, even.

I'd disable the offline files redirection you enabled via the tickbox and
use your own. One easy way to use it is to set home directories for all your
users - the users in the remote office should have home directories that are
on their local server. This is done in each of their ADUC properties - pick
a drive letter (U for users?) and set it to
\\appropriateservername\users\%username%. Then create a custom GPO linked at
the MyBusiness level, and call it "Folder Redirection" - drill down to the
folder redirection bit, go to My Documents, and have it redirect everyone to
the same location - their home directory. This is a cinch.

>
>> You can use robocopy to copy the remote site data to your main
>> server via a batch file scheduled to run nightly.
>>
>
> Some of the users with notebooks, travel between sites regularly - I
> would hate to lose data, by copying in the wrong direction.

Laptop users should be using offline files or third party sync software
anyway. Laptops should go in their own OU too. I'd put it under Computers,
at the same

>
>
> More questions ...
>
> How should the DNS server at the remote site be setup?

When you promoted this to a DC, did you install DNS then? Should be running
AD-integrated DNS.

> Currently I
> have the DNS server running, but it seems to get out of sync with the
> head office.

Needs to be AD-integrated, but if you already chose that option, then you
may have connectivity problems. Remove Windows from being responsible for
the connection - use a single NIC in each server and use hardware as your
VPN endpoints.

>
>
>
> Should I be able to see the computers at the remote site under
> "Network places->Entire Network"? What do I need to do to get this
> working?

That's a different issue - network browsing across subnets requires WINS.
You may already have WINS installed in the main office - you can install it
in the other office and set it up as a push/pull partnership.

That's about all I can do in a newsgroup post. Anything beyond this is going
to start running up some consulting fees ;-)

[Lanwench [MVP - Exchange]]

Terence Liu [MSFT] <v-te...@online.microsoft.com> wrote:
> Hello Anderson,
>

Pardon my jumping in -

> Thank you for posting here.
>
> According to your description, I understand that the remote VPN site
> clients access their My Documents are very slow. If I have
> misunderstood the problem, please don't hesitate to let me know.
>
> Suggestion 1: Based on my research, all clients' My Documents will
> redirect to SBS by default.

Only if the GPO setting is enabled by ticking the checkbox in Server
Management.

> The document access traffic will go
> through VPN connection, therefore, the remote site clients access
> their My Documents will be very slow.

Indeed....

> We have 2 methods to resolve
> this issue: make the My Documents access does not go through VPN or
> improve bandwidth of VPN.
>
> The VPN bandwidth is mostly depend on the 2 sites Internet connection
> bandwidth. To improve bandwidth of VPN, you can change 2 sites ISP or
> lease higher speed Internet connection line. Of course, you can try
> to change the VPN devices from SBS to your Cisco router to see if it
> help. For how to setup site-to-site VPN thru Cisco devices, please
> contact Cisco support.
>
> Note: If you setup site-to-site VPN thru hardware device, you need to
> make your SBS and remote site DC work as single NIC.

Yes - and to the OP: I would recommend this. Use hardware endpoints for
VPN - and ditch using ISA in favor of a good firewall appliance on each end
(not just routers!).

>
> Suggestion 2: For the DFS replication with SBS 2003 R2, there is a
> list:
>
> Windows server 2003 R2 technologies included in Small Business Server
> 2003 R2:
>
> * File System Resource Manager (FSRM)
> * MMC 3.0
>
> Windows server 2003 R2 technologies NOT included in SBS 2003 R2:
>
> * DFS-Replication (DFS-R)
> * ADFS
> * Printer Management Console
> * Storage Manager for SANs
>
> Therefore, the DFS replication is not support by SBS 2003 R2. If you
> install SBS 2003 R2 Transition Pack on SBS, the SBS 2003 R2 will
> become Windows server 2003 R2. Then, you can install the DFS
> replication component on it.

Cool - I wasn't sure about that.

But there are other ways to copy / sync data - just not as seamlessly.

>
> Suggestion 3: You have some mobile users with laptops, they will move
> between the 2 sites.

Laptops should have offline files or third party sync software on them.

> So setup customize GPO for different users in
> different sits about My Documents Redirection is not suit for the
> mobile users.

Sure it is.

> From your condition, I suggest you totally disable the
> My Documents Redirection for all users. My Documents on every client
> store in local. It will total solve the slow access issue.

I must strongly disagree here! Yes, it will get rid of the slow access
problem - it will do this by causing a far larger one. The better answer is
to customize the OUs and group policies, not to disable redirection. You
will lose control over your data otherwise.
>
<snip>