If GC's are required to process logons...?

In a large environment it can cause replication issues; in smaller
environments it is not uncommon to make many DCs GCs. It can also be
affected by the number of child domains in your forest.
 
For a single domain, there's no harm making all DCs GCs.
GCs are more significant in a multi-domain environment (they store partial
attributes for all objects in the forest).

Moreover, if you are not in Windows 2000 Native Mode, you don't need a GC for
logging on.
 
| Then what's the point of having any DC that isn't a GC?

When you are in Windows 2000 Native mode, at login the DC will query a GC
to see if the user is a member of any Universal Groups. Obviously, this
isn't much of an issue for small environments where Universal Group
membership is probably not used. In large enterprises with multiple
domains, Universal Groups become more frequent. A Global Catalog holds
partial attributes for every domain in an enterprise and thus keeps track of
Universal Group membership. A user would not be able to log on if it could
not contact a GC because the token could not be built for the user.

At the same time, it is not efficient to make every DC a GC in large
environments. It is recommended that you place a single GC in every site.

Chad A. Lacy
Windows 2000 Directory Services

==================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
I read that there was an exception to the "no GC on Infrastructure role
holder" rule that said that if all the DCs in the domain are GCs, then there
are no phantoms to update and that it's then OK to have GC and
Infrastructure on the same one. This is true for our child domain, all DCs
are GCs, but not for other domains in the forest (some are not GCs). The
way it reads it looks like we are OK, but since the Infrastructure Master has to
do with other domains' objects, I'm not so sure. I'm also wondering, if a
DC isn't a GC, and therefore cannot log anyone on (Native Mode), then what
good is it? What does it actually do?
 
| I read that there was an exception to the "no GC on Infrastructure role
| holder" rule that said that if all the DC's in the domain are GC, then there
| are no phantoms to update and that it's then ok to have GC and
| Infrastructure on the same one. This is true for our child domain, all DC's
| are GC's, but not for other domains in the forest (some are not GC's). The
| way it reads it looks like we are ok, but since Infrastructure master has to
| do with other domains' objects, I'm not so sure. I'm also wondering, if a
| DC isn't a GC, and therefore cannot log anyone on (Native Mode), then what
| good is it? What does it actually do?

Yes, it is true that if every DC is a GC then it is OK to have the GC on
the machine that holds the Infrastructure Master role. A DC does not have
to be a GC in order to allow someone to log on. Any DC can log someone on.
The difference is, the DC must be able to communicate with a GC (in native
mode) in order to query for Universal Group membership for the user that is
logging on. When the user logs on to a DC in native mode, the DC will query
a GC for Universal Group membership in order to build the user's token. The
DC does not have to be a GC, it just has to be able to communicate with a
GC. Again, it is not efficient in large environments for every DC to be a
GC. This is due to the fact that every time there is a change to the
partial attribute list in any domain, these changes must be replicated to
every GC in the forest. If every DC is a GC in a large environment, this
will result in a massive amount of unnecessary replication.

For speed and reliability, it is recommended that you have one GC in every
site. This will allow users to make the necessary GC queries without going
across WAN links.

Chad A. Lacy
Windows 2000 Directory Services

 
A non-GC DC will still authenticate users in a multi-domain forest with
domains in native mode or greater. However, if the authenticating DC is not
a GC, it will need to refer to a GC for Universal Group memberships. The DC
will still authenticate and issue tickets without being a GC.

-ds
 
A GC stores partial replicas (AD consists of 3 partitions: schema, config and
domain) of other domains' objects. These will incur additional
replication traffic. If you have more than 1 domain, just make sure that you
have at least 1 GC in each site. There is no harm making other DCs GCs if
additional replication traffic is not a concern. Also, for multiple domains,
the GC and Infrastructure Master should not be placed on the same machine.

248047 Phantoms, Tombstones and the Infrastructure Master
http://support.microsoft.com/?id=248047

223346 FSMO Placement and Optimization on Windows 2000 Domain Controllers
http://support.microsoft.com/?id=223346


Besides Universal Groups, a GC is also required if you are using a User
Principal Name (i.e. (e-mail address removed)) to log on.
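The two placement rules the thread keeps returning to (one GC per site, and no GC on the Infrastructure Master unless every DC in that domain is a GC) can be audited with a script. This is an added example, not code from any poster; it assumes the RSAT ActiveDirectory module and an account that can read every domain in the forest.

```powershell
# Added example: audit Global Catalog placement against the rules discussed in this thread.
# Assumes the ActiveDirectory module (RSAT) and forest-wide read access.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$findings = @()

# Collect every DC in the forest, one query per domain.
$allDcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d
}

# Rule 1: every site should hold at least one GC, otherwise native-mode logons
# in that site depend on reaching a GC across a WAN link.
foreach ($site in $forest.Sites) {
    $gcInSite = $allDcs | Where-Object { $_.Site -eq $site -and $_.IsGlobalCatalog }
    if (-not $gcInSite) {
        $findings += "Site '$site' has no Global Catalog; logons there need a GC over the WAN"
    }
}

# Rule 2 (multi-domain forests only): the Infrastructure Master should not be a GC,
# unless every DC in the domain is a GC, in which case there are no phantoms to update.
if ($forest.Domains.Count -gt 1) {
    foreach ($d in $forest.Domains) {
        $domain    = Get-ADDomain -Identity $d
        $domainDcs = $allDcs | Where-Object { $_.Domain -eq $d }
        $im        = $domainDcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $everyDcIsGc = @($domainDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        if ($im -and $im.IsGlobalCatalog -and -not $everyDcIsGc) {
            $findings += "Infrastructure Master $($domain.InfrastructureMaster) in '$d' is a GC " +
                         "while other DCs in the domain are not; cross-domain references will not be updated"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "GC placement checks passed for forest $($forest.Name)" }
```

Run it from a management host once per forest; each warning names the site or domain so the result can be mapped straight back to the replication or Infrastructure Master concern it violates.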
 
There is another concept regarding the GC in a single or multi-domain
architecture. If you have a site which contains more than two DCs, for efficient
replication, there should be one GC that acts as a bridgehead server for
replication.
GCs are much needed in multi-domain forests because they contain a partial read-only
copy of the domain, configuration and infrastructure partitions of all domains
in the forest. GC is just a function of a DC and it is not necessary for logon unless
you have universal groups. Universal groups are available in native mode
only.
 