Global Catalog

  • Thread starter Thread starter sf=
  • Start date Start date
S

sf=

Dear All,
I am dian, and I have a question about Active Directory.
In my company we implement active directory. We have many active
directory sites but we only create a domain, which is:
xx.yyyyyy.com

currently in my sites, we do not have a DC ( domain controller)
installed. So every user has to authenticate to AD controller in
regional office in another country. As my file server is in my place,
sometime when internet connection goes down, my users can not access
the file in my local server. Because, we fail to authenticate to AD
controller as the internet goes down.
I want to set up the AD controller in my site, but the problem is I
only have limited bandwidth, I am not so sure that the bandwidth is
enough for replication process. My question are:
1. If I install AD controller on windows server 2003, should I enable
Global Catalog? Can I just install AD controller without enable global
catalog? As I know there is Global Catalog - less logon process.
Please correct me if I am wrong.

2. If our Active Directory domain is created under Windows 2000
server. Should I install global catalog on my domain controller.

3. How big the size of file that need to be replicate in the
replication process?


4. Should all domain controller enable GC (global catalog), if the
domain is created in windows server 2003 or windows server 2000?

Please anyone help me, your help will be much appreciated.
Thanks in advance

Best Regards
 
1) make the DC a GC, especially if you only have ONE AD domain. Just do it!
2) yes, like the previous question, you need GCs
3) impossible to answer as it is unknown what objects, how many objects and
what information will be stored. why is this important to know for you?
4) see 1) and 2)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Howdie!

sf= said:
the file in my local server. Because, we fail to authenticate to AD
controller as the internet goes down.
Click to expand...

If it is a one-domain-forest, you should be able to authenticate locally
on the machines using cached credentials.
1. If I install AD controller on windows server 2003, should I enable
Global Catalog? Can I just install AD controller without enable global
catalog? As I know there is Global Catalog - less logon process.
Please correct me if I am wrong.
Click to expand...

You can promote it to an DC without the need to GC it right away. It can
be promoted to a DC-only (which is the standard for an additional DC for
an existing domain pre-Winserver2008). I can't understand the last two
sentences though.
2. If our Active Directory domain is created under Windows 2000
server. Should I install global catalog on my domain controller.
Click to expand...

There are issues when running on Windows 2000 - putting a new attribute
to the partial attribute set would cause the GC to re-sync all
attributes in full. I'd urge you to look for Server 2003.
3. How big the size of file that need to be replicate in the
replication process?
Click to expand...

That depends on your infrastructure.
4. Should all domain controller enable GC (global catalog), if the
domain is created in windows server 2003 or windows server 2000?
Click to expand...

Since the bandwidth is slow, I'd do so.

Two options you have:
- Promote the server in the main office where it stands next to the main
DC (with fast speed) and move it afterwards to the remote site (would
need sites and services set up correctly).

- Look into the /ADV switch of DCpromo. That lets you specify a system
state backup taken from ntbackup from the first DC. The dcpromo process
will take the information from there to set up the new DC and only
replicate the delta since the backup was taken.

cheers,

Florian
 
Remember you need a DC available to be provided a Kerberos ticket to gain
access to remote services, so although a user will be able to logon locally
but w/o a dc cached credentials will provide no relief to gain access to
files/objects/services. Only localized access is possible in this scenario.

"If it is a one-domain-forest, you should be able to authenticate locally on
the machines using cached credentials."


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Florian Frommherz said:
Howdie!

sf= said:
the file in my local server. Because, we fail to authenticate to AD
controller as the internet goes down.
Click to expand...

If it is a one-domain-forest, you should be able to authenticate locally
on the machines using cached credentials.
1. If I install AD controller on windows server 2003, should I enable
Global Catalog? Can I just install AD controller without enable global
catalog? As I know there is Global Catalog - less logon process.
Please correct me if I am wrong.
Click to expand...

You can promote it to an DC without the need to GC it right away. It can
be promoted to a DC-only (which is the standard for an additional DC for
an existing domain pre-Winserver2008). I can't understand the last two
sentences though.
2. If our Active Directory domain is created under Windows 2000
server. Should I install global catalog on my domain controller.
Click to expand...

There are issues when running on Windows 2000 - putting a new attribute to
the partial attribute set would cause the GC to re-sync all attributes in
full. I'd urge you to look for Server 2003.
3. How big the size of file that need to be replicate in the
replication process?
Click to expand...

That depends on your infrastructure.
4. Should all domain controller enable GC (global catalog), if the
domain is created in windows server 2003 or windows server 2000?
Click to expand...

Since the bandwidth is slow, I'd do so.

Two options you have:
- Promote the server in the main office where it stands next to the main
DC (with fast speed) and move it afterwards to the remote site (would need
sites and services set up correctly).

- Look into the /ADV switch of DCpromo. That lets you specify a system
state backup taken from ntbackup from the first DC. The dcpromo process
will take the information from there to set up the new DC and only
replicate the delta since the backup was taken.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Click to expand...
 
Hello sf=,

See my answer in microsoft.public.windows.server.general

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Dear All,
Thank you very much for your help. I am so appreciated.
Floarian said:
Two options you have:
- Promote the server in the main ...
- Look into the /ADV switch of DCpromo. --> Thanks Florian, Can you
please explain to me more detail on this?

Thanks Paul, You're right all users can authenticate locally on their
machine using cached credentials but they have no access to server.
That's why I plan to install DC.

Thanks Jorge, if I create a DC than I will need GC enabled because
regional office only created a single domain for the all site that we
have. Previuosly I wanted to know how biog the file size is that will
be replicated, because I have limited bandwidth.

Meinolf, I have read your answer, many thanks.

Thank for you all,
Currently I have 2 connection in my site, 256 Kbps fiber optic and
ADSL about 600 Kbps. I still need to figure it out how to have 1
gateway with 2 ISP connected to it. Currently to contact AD controller
in regional office I use 256 Kbps and there is firewall that create
tunnel to regional office.

I am not sure that 256 Kbps will be enough to replicated GC and DC
database. Than I will figure it out how to make 2 ISP with 1 gateway.
Because my firewall / router / gateway currently can not handle 2
ISP. I will need to set up linux based gateway to handle it. Guys do
you have any idea ?? Please CMIIW.

Thanks in advance
Best Regards

sf
 
Hello sf=,

With that kind of link i would prepare the machine at the main office and
ship it then to the remote site.

For the use of multiple ISP's check out for dual/multi port router's. They
are able to connect more then one.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Howdie!

sf= said:
Two options you have:
- Promote the server in the main ...
- Look into the /ADV switch of DCpromo. --> Thanks Florian, Can you
please explain to me more detail on this?
Click to expand...

You can find a lot written about that:
http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm
http://support.microsoft.com/kb/311078
Currently I have 2 connection in my site, 256 Kbps fiber optic and
ADSL about 600 Kbps. I still need to figure it out how to have 1
gateway with 2 ISP connected to it. Currently to contact AD controller
in regional office I use 256 Kbps and there is firewall that create
tunnel to regional office.
Click to expand...

Hum - why not leave two entry points for the site to cross the internet
to the main office? 256kbps should be good enough for replicating Active
Directory (both domain and GC parts) if you're not in a large org that
has several hundred database changes per hour. 256kbps for AD only
(dedicated line) should really be enough.

I'd try to use the second line for all other traffic that crosses the
line. Management traffic, mail/web traffic from users...

Make sure you design that somewhat fault tolerant so that if the 256kbps
goes down, you can fall back to the 600kbps line.

cheers,

Florian
 
Florian wrote :
Hum - why not leave two entry points for the site to cross the internet
to the main office? 256kbps should be good enough for replicating Active
Directory (both domain and GC parts) if you're not in a large org that
has several hundred database changes per hour. 256kbps for AD only
(dedicated line) should really be enough.
Click to expand...
I'd try to use the second line for all other traffic that crosses the
line. Management traffic, mail/web traffic from users...
Click to expand...

Hi..
How is the best practice to differentiate, computer client request for
service will be using another gateway and AD replication process will
use dedicated gateway? Should I set up default gateway that will
filter a client request ? or i have to configure in each client?

Thanks in advance
Best Regards
 
Back
Top