GC use during logon - can anyone clarify this point?


Trust No One

Hi Folks,

Need some help in clarifying a particular point concerning Global
Catalog usage during the logon authentication process.

Let's say we have a network with 2 AD sites, SITE1 and SITE2.

There are 2 domains in the AD forest: DOMAIN1 and DOMAIN2.

SITE1 contains a DC for DOMAIN1, this DC is also a global catalog.

SITE2 contains a DC for DOMAIN2, this DC is also a global catalog.

My expectation is that if a user in SITE2 logs into DOMAIN1 (for which
there is no local DC) that they should be authenticated entirely by
the local DC in SITE2 _by virtue of it being a global catalog_

In practice I'm finding in my lab testing that the user in this case
is actually being validated by the DC in SITE1. If on the other hand
the user in SITE2 logs into DOMAIN2 (for which there is a local DC)
then the user is authenticated by the local DC in SITE2.

Is this the way it's supposed to happen? I had assumed that the DC in
SITE2 would be capable of authenticating a login to DOMAIN1 as, being a
global catalog, it contained a partial replica of DOMAIN1.

Can anyone clarify? Can't get my head around this :)

Many Thanks
Peter
 
During the logon process the GC is contacted for universal group membership or if you are
using a UPN for logon. But the actual authentication is done by a domain controller
of the domain, so to be authenticated locally both a GC and a DC (for that
particular domain) have to be present.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
http://ladava.com
 
Unless, of course, universal group memberships are cached
from another GC in another site. In that case, the caching
DC need not be a GC too. (Useful in the branch office
scenario, for example.)

HTH,
Neil
 
Matjaz said:
During the logon process the GC is contacted for universal group membership or if you
are using a UPN for logon. But the actual authentication is done by a domain
controller of the domain, so to be authenticated locally both a GC and a
DC (for that particular domain) have to be present.
Thanks for clarifying this particular point, which until now hadn't been
clear to me. I understood that a GC was needed to resolve universal group
membership, but didn't realise that it could not authenticate a login to a
domain other than that in which it (the GC) is a member. Pity :(

All is now crystal clear :)
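The two answers above (Matjaz's point that authentication goes to a DC of the user's own domain while the GC is only consulted for universal groups and UPN resolution, and Neil's point that Universal Group Membership Caching lets a non-GC DC stand in for the GC) can be checked directly with the DC locator. The following PowerShell is an added example, not code posted by anyone in this thread. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module, and the domain name `domain1.corp.example` is a placeholder standing in for DOMAIN1.

```powershell
# Added example for this thread (not code posted by any participant).
# Run on a domain-joined Windows host with the RSAT ActiveDirectory module.
# It asks the DC locator two separate questions for a client in the current site:
#   1) which DC will authenticate a logon to $TargetDomain  (must be a DC OF that domain)
#   2) which server will answer Global Catalog queries      (any GC in the forest)
# and then checks whether the site has Universal Group Membership Caching enabled.
# 'domain1.corp.example' is an assumed placeholder; substitute your own domain name.
Import-Module ActiveDirectory

$TargetDomain = 'domain1.corp.example'   # assumed placeholder for DOMAIN1

# Site the local machine is in (the first line of nltest output is the site name).
$clientSite = (nltest /dsgetsite | Select-Object -First 1).Trim()

# Question 1: authentication. Kerberos tickets for $TargetDomain are issued only by
# KDCs that are DCs of $TargetDomain, so if the client's site has none the locator
# walks to the next closest site by site-link cost. A GC of another domain never
# qualifies here, which is what the original poster saw in the lab.
$authDc = Get-ADDomainController -Discover -DomainName $TargetDomain -Service KDC `
              -SiteName $clientSite -NextClosestSite -ForceDiscover

# Question 2: Global Catalog. GC lookups are forest-wide, so the locator is given the
# forest name and will return a GC in the client's own site even if that GC belongs
# to a different domain (the SITE2 DC for DOMAIN2 in the thread's scenario).
$forestName = (Get-ADDomain -Identity $TargetDomain).Forest
$gc = Get-ADDomainController -Discover -DomainName $forestName -Service GlobalCatalog `
          -SiteName $clientSite -NextClosestSite -ForceDiscover

# Universal Group Membership Caching is a per-site switch: bit 0x20 of the 'options'
# attribute on the site's NTDS Site Settings object. msDS-Preferred-GC-Site names
# the site whose GC the caching DCs refresh from. With it on, a DC that is not a GC
# can complete logons without contacting a GC at all (Neil's branch-office case).
$cfgNc        = (Get-ADRootDSE).configurationNamingContext
$siteSettings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$clientSite,CN=Sites,$cfgNc" `
                    -Properties options, 'msDS-Preferred-GC-Site'
$ugmcEnabled  = (([int]$siteSettings.options) -band 0x20) -ne 0

[pscustomobject]@{
    ClientSite           = $clientSite
    AuthenticatingDC     = [string]$authDc.HostName
    AuthenticatingDCSite = $authDc.Site
    AuthDCIsLocal        = ($authDc.Site -eq $clientSite)
    GlobalCatalog        = [string]$gc.HostName
    GCDomain             = $gc.Domain
    GCSite               = $gc.Site
    UGMCEnabled          = $ugmcEnabled
    UGMCRefreshSite      = [string]$siteSettings.'msDS-Preferred-GC-Site'
} | Format-List
```

Run from a machine in SITE2 with `$TargetDomain` set to DOMAIN1, the expected picture is `AuthDCIsLocal = False` (the DOMAIN1 DC in SITE1 is returned for authentication) while `GCSite` is SITE2 and `GCDomain` is DOMAIN2: the local GC is fine for group and UPN lookups but cannot issue DOMAIN1 tickets. Note that `-Discover` reports what the locator would choose now, not which DC validated an existing session; on the client, `$env:LOGONSERVER` shows the DC that actually handled the interactive logon.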
 