We have a highly available AD environment with over 40 distributed domain controllers, many in remote sites with slow links connecting them to the data center.
In the current implementation of PasswordSafe, when connecting to AD it does a DNS query to determine the domain controllers for the AD domain. Whether that is a normal A record search or an SRV search, it does not take into account any setup of Sites and Services that may exist. As we do not use Windows for DNS, the results of the DNS query are just a round-robin list of all possible domain controllers for the domain.
Performance could be significantly improved if it were possible to configure each UVM with the appropriate site to use in an SRV record lookup, therefore restricting the searches to those local domain controllers. As it stands, the LDAP lookups for group information can take upwards of 20 seconds across a 600Mbps MPLS link to complete, when a local LAN lookup takes less than 2 seconds. This causes considerable delay for users logging into BeyondInsight as well as to each DirectConnect session that they may initiate.
A simple modification to the lookup code to use something like:
nslookup -type=srv _ldap._tcp.<site>._sites.<domain>
Where the domain is a global setting, but the site could be specified on a per system basis.
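As an added illustration of the site-scoped lookup proposed above (this is example code written for this page, not PasswordSafe's or BeyondInsight's own code), the following builds the `_ldap._tcp.<site>._sites.<domain>` name for a per-system site, parses the Linux-style `nslookup -type=srv` answer lines, orders the returned domain controllers by SRV priority and weight as RFC 2782 describes, and falls back to the domain-wide `_ldap._tcp.<domain>` record when the site-scoped query returns nothing. The domain, site and hostnames are hypothetical and the nslookup output is constructed inline so the script runs offline.

```python
import random
import re

# Constructed sample of what `nslookup -type=srv` prints on Linux for a
# site-scoped query. Site, domain and DC names are hypothetical.
SAMPLE_SITE_ANSWER = """\
Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Non-authoritative answer:
_ldap._tcp.Remote-Site-A._sites.corp.example\tservice = 0 100 389 dc07.corp.example.
_ldap._tcp.Remote-Site-A._sites.corp.example\tservice = 0 100 389 dc08.corp.example.
_ldap._tcp.Remote-Site-A._sites.corp.example\tservice = 10 100 389 dc01.corp.example.
"""

# Constructed sample of a domain-wide answer (every DC, round-robin order).
SAMPLE_DOMAIN_ANSWER = """\
Non-authoritative answer:
_ldap._tcp.corp.example\tservice = 0 100 389 dc01.corp.example.
_ldap._tcp.corp.example\tservice = 0 100 389 dc07.corp.example.
_ldap._tcp.corp.example\tservice = 0 100 389 dc08.corp.example.
_ldap._tcp.corp.example\tservice = 0 100 389 dc23.corp.example.
"""

# Constructed sample of a miss (site name not published in DNS).
SAMPLE_NXDOMAIN = "** server can't find _ldap._tcp.Bad-Site._sites.corp.example: NXDOMAIN\n"

# Matches the "service = <priority> <weight> <port> <target>" form used by
# nslookup on Linux; the Windows nslookup output is multi-line and differs.
_SRV_LINE = re.compile(
    r"service\s*=\s*(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)"
)


def srv_name(domain, site=None):
    """Build the LDAP SRV owner name: site-scoped when a site is given."""
    if site:
        return "_ldap._tcp.%s._sites.%s" % (site, domain)
    return "_ldap._tcp.%s" % domain


def parse_nslookup_srv(text):
    """Return (priority, weight, port, target) tuples from nslookup output."""
    records = []
    for line in text.splitlines():
        m = _SRV_LINE.search(line)
        if m:
            target = m.group("target").rstrip(".")  # drop the trailing root dot
            records.append((int(m.group("prio")), int(m.group("weight")),
                            int(m.group("port")), target))
    return records


def order_srv(records, rng=None):
    """RFC 2782 ordering: lowest priority first, weighted random within a priority."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)  # 0-weight records only chosen when total is 0
            running = 0
            for r in group:
                running += r[1]
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def select_dcs(site_answer, domain_answer, rng=None):
    """Prefer the site-scoped SRV answer; fall back to the domain-wide one if empty."""
    records = parse_nslookup_srv(site_answer)
    source = "site"
    if not records:
        records = parse_nslookup_srv(domain_answer)
        source = "domain"
    return source, [(t, p) for _, _, p, t in order_srv(records, rng)]


if __name__ == "__main__":
    print(srv_name("corp.example", "Remote-Site-A"))
    print(select_dcs(SAMPLE_SITE_ANSWER, SAMPLE_DOMAIN_ANSWER, random.Random(1)))
    print(select_dcs(SAMPLE_NXDOMAIN, SAMPLE_DOMAIN_ANSWER, random.Random(1)))
```

In a real deployment the two answer strings would come from running `nslookup -type=srv` (or a resolver library) against `srv_name(domain, site)` and `srv_name(domain)`; the fallback matters because a site name that is mistyped on one system, or a site with no DCs of its own, otherwise yields no servers at all rather than the slower domain-wide list.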