Global Catalogs in Multiple Domain forest

  • Thread starter: DV

Hi,

A very quick question for you gurus. I read that GCs are required per
site.
My question is: Can a DC that belongs to one domain query GCs in
another domain for universal groups etc.?
Example: If I have 2 domains in my forest, domain1.company.com and
domain2.company.com, and I have 2 or more sites. If in one of those
sites I place 1 DC for domain1.company.com and 1 DC for
domain2.company.com and then only make one of those DCs a GC, will the
other DC be able to query the GC in the same site or will it try to
find a GC in the same domain to query?

Thank you for your time and I appreciate your responses.

Diego
 
The DC will be able to look up universal groups from the GC in the same site.

Consider having all your DCs in the forest act as GCs, unless there is a
specific reason not to do so. This will remove issues and complexities such
as the below, ensure that AD-aware apps have a consistent way in which to
contact a GC, and also means that the infra master FSMO becomes redundant. One
less FSMO to worry about :)

If in doubt consult the Branch Office Guide at
http://www.microsoft.com/downloads/...F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en

hth,
neil
 
Hi Neil,

Thanks for your response. Yes, you are right. Making all the DCs GCs
makes things easier. This question was purely just for my
understanding.

Thanks again

Diego
 
Remember though, you should not have the Infrastructure Master on a GC in a
multiple domain forest as this can cause problems and is not recommended.
 
Concerning the IM FSMO role and the GC role, look at it from the
domain perspective. If all DCs in a domain are GCs then it does not
matter that the IM of that domain is on a GC. You don't have any other
choice though. If you have at least one DC in a domain that will not
be a GC then do not put the IM of that same domain on a GC. For more
info on this read: MS-KBQ248047_Phantoms, Tombstones and the
Infrastructure Master

There is no problem in using a GC from another domain... In one
situation though, you might get issues. For ALL reading activities it
does not matter which GC you use. However, if you want to change the
membership of a universal group that is in another domain through
Outlook, and Outlook does not use a DC/GC from that same domain, you
will not be able to change the membership. Why? GCs are read-only for
other domains' NCs than their own!

I remember something someone said once: "why changing group
memberships with outlook? I don't read my mail either with Active
Directory Users and Computers" ;-)

Cheers,
Jorge

24-Nov-2005 11:33:02
Remember though, you should not have the Infrastructure Master on a GC in a
multiple domain forest as this can cause problems and is not recommended.
Cheers,
# Jorge de Almeida Pinto #
 
Hey gentlemen, thanks for all your replies.

Jorge, you are the man. This is the info I was looking for. I assumed
the transitive trusts between domains in the forest would allow the
reading of GCs in any domain by PCs in any domain. But as you now
have pointed out, PCs in other domains only have read ability, not write
ability.

Thanks again.
 
That is only an issue under a certain set of circumstances, namely a
multi-domain forest where the IM for a given domain resides on a GC when
there are other DCs in that domain that are not GCs.
-- http://www.msresource.net/content/view/14/46/


Re. the question of "Can a DC that belongs to one domain query GCs in
another domain for universal groups etc.?"

Yes. GCs are forest-wide roles. They are not domain specific. So any DC
in the forest can query any GC in the forest. Although, the locator
algorithm will try and use a local one before looking for any. GCs only
register their records in the root domain's DNS, because they are
forest-wide.

As mentioned, you obviously cannot write domain information for domain-a to
a GC that is a DC in domain-b, as the GC is read-only (and a partial
replica) and the DC only holds the domainDNS objects for its own domain.
However, in this instance a referral would be returned, and your app should
be clever enough to chase that referral (although earlier versions of
Outlook aren't - which is why Exchange has DSProxy, et al).
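
The Infrastructure Master / GC placement rule discussed in this thread can be checked per domain with a short audit. The script below is an added example, not part of any post above; the function name `Test-InfrastructureMasterPlacement` and the sample DC host names are assumptions made for illustration, while `Get-ADForest`, `Get-ADDomain` and `Get-ADDomainController` come from the ActiveDirectory (RSAT) module.

```powershell
function Test-InfrastructureMasterPlacement {
    param(
        [string]$DomainName,            # domain being evaluated
        [string]$InfrastructureMaster,  # FQDN of that domain's IM role holder
        [object[]]$DomainControllers,   # objects exposing HostName and IsGlobalCatalog
        [int]$ForestDomainCount         # number of domains in the forest
    )
    $gcs    = @($DomainControllers | Where-Object { $_.IsGlobalCatalog })
    $nonGcs = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })
    $imOnGc = @($gcs | Where-Object { $_.HostName -eq $InfrastructureMaster }).Count -gt 0

    # Rule from the thread: the IM on a GC matters only in a multi-domain
    # forest, and only while the same domain still has DCs that are not GCs.
    $status = if ($ForestDomainCount -lt 2) {
        'OK: single-domain forest'
    } elseif (-not $imOnGc) {
        'OK: IM is not on a GC'
    } elseif ($nonGcs.Count -eq 0) {
        'OK: every DC in this domain is a GC'
    } else {
        'REVIEW: IM is on a GC while non-GC DCs exist in this domain'
    }
    [pscustomobject]@{
        Domain = $DomainName; InfrastructureMaster = $InfrastructureMaster
        GCs = $gcs.Count; NonGCs = $nonGcs.Count; Status = $status
    }
}

# Constructed sample (host names are made up): the IM sits on the only GC
# of domain1.company.com while a second DC in that domain is not a GC.
$sampleDcs = @(
    [pscustomobject]@{ HostName = 'dc1.domain1.company.com'; IsGlobalCatalog = $true  },
    [pscustomobject]@{ HostName = 'dc2.domain1.company.com'; IsGlobalCatalog = $false }
)
Test-InfrastructureMasterPlacement -DomainName 'domain1.company.com' `
    -InfrastructureMaster 'dc1.domain1.company.com' `
    -DomainControllers $sampleDcs -ForestDomainCount 2

# Live audit of every domain in the current forest, when the RSAT module is present.
if (Get-Command Get-ADForest -ErrorAction SilentlyContinue) {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        $info = Get-ADDomain -Identity $domain -Server $domain
        $dcs  = @(Get-ADDomainController -Filter * -Server $domain)
        Test-InfrastructureMasterPlacement -DomainName $domain `
            -InfrastructureMaster $info.InfrastructureMaster `
            -DomainControllers $dcs -ForestDomainCount $forest.Domains.Count
    }
}
```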
 