Re: GC-Problems
- From: "Bill" <itprofessional0812_at_remove_yahoo.com>
- Date: Tue, 21 Mar 2006 14:58:30 -0600
Not necessarily. Any DC can authenticate a logon - but the authenticating DC
will check with the PDC if the password the user supplied does not match the
value it has. If this occurs, it checks with the PDC to see if the user's
password has changed within the last replication interval.
"JMS" <jms_pt@xxxxxxx> wrote in message
news:OVgtSgSTGHA.4952@xxxxxxxxxxxxxxxxxxxxxxx
Just Another Thing
When Users from domain1 trying to logon on Domain3 they must be able to
contact the DomainController that is hosting the PDC role on Domain1
rigtht??
Thnks Again
--
Systems Administrator
MCSA + Exchange
"Bill" <itprofessional0812_at_remove_yahoo.com> wrote in message
news:eQqxzRSTGHA.4300@xxxxxxxxxxxxxxxxxxxxxxx
OK, here's what is happening. To clarify all of this, let's define what
a GC is. A Global Catalog server stores a partial replica of informaion
from all domains in the forest. You have 5 domains, so each GC has
replicas of objects from all of those domains. The GC stores only a
minimal set of attributes of that object, and are primarily used for
searches. They also store information about where to find the full
replica of the object, that is, a DC for the domain.
OK, even though a GC stores information about objects in ALL domains, it
is not a domain controller for those domains, other than its own. So, if
you have a user from domain 1 in domain 3, that user cannot authenticate
to their domain unless the WAN is up. If you had a domain 1 DC in the
same location as domain 3, it would work, because you have a DC for that
domain locally. So you could set up two sites for domain 1, one which
already exists, and another at the site where domain 3 is. At the domain
3 site you could deploy a new domain 1 DC, and the data would replicate
back and forth. If the WAN is down, no big deal, we have a DC for domain
locally. Make sense?
OK, now for the second question. When you search the entire directory,
you are looking at a GC. When you select a specific domain, you are
attempting to contact a DC for that domain. In your case, if the WAN is
down, you have no local DC to search for that information and your query
fails.
"GIG" <GIG@xxxxxx> wrote in message
news:uo99zxQTGHA.4264@xxxxxxxxxxxxxxxxxxxxxxx
Hello Bill
Configuration - 5 Sites - 5 Diferent Subnets (One to each site) 5
Different Domains (One in Each Site)- 2 Domain Controllers per Domain
1 - Site = 1 domain = 2 DomainControllers, 1 of the domain controllers
is a GC.
2 - Site = 2 domain = 2 DomainControllers, 1 of the domain controllers
is a GC.
3 - Site = 3 domain = 2 DomainControllers, 1 of the domain controllers
is a GC.
4 - Site = 4 domain = 2 DomainControllers, 1 Universal Group Membership
Enabled
5 - Site = 5 domain = 2 DomainControllers, 1 Universal Group Membership
Enabled
I have users from different sites or domains that need to logon on
different domains.
For example: I have one or more users from domain 1 and they go to the
domain 3 and try to logon on machines on Domain 3 with their users names
(DOMAIN1\USER01). If the wan link is down, the the logon is denied
stating that the domain couldn't be contacted. (In yhis situation the
users are trying to logon on machines that exists in domain3).
My question is if I have a GC on Site3-Domain3, why users aren't allowed
to logon with their user names??
The other question is:
When I try to make searches when the wan link is down.
For example: from Domain 1 to domain3- I open Ad Users and computers and
select Find, In search i have locations to define, if i select Entire
Directory, the search is ok and shows me all objects in all domains, but
if i select a especific domain, for example Domain3, the search can't
find anything. This only happens when the wan link is down.
"Bill" <itprofessional0812_at_remove_yahoo.com> wrote in message
news:e7y7PEQTGHA.5900@xxxxxxxxxxxxxxxxxxxxxxx
I'm not sure I understand. I'd recommend you have one GC per site.
You mention that you don't have GC's there because of bandwidth
considerations, but you'd want a GC in those sites anyway. This should
not increase network utilization, it should decrease it because the GC
is now on the local LAN and you are only replicating delta changes to
the catalog.
"GIG" <GIG@xxxxxx> wrote in message
news:%23OwHNyMTGHA.4956@xxxxxxxxxxxxxxxxxxxxxxx
Hello everyone
I Have 5 Diferent Sites with 2 domain controllers in each site, exist
one different subnet per site, and five diferent Tree root Domains,
one for each site.
3 of the 5 sites have 1 Global Catalog the the other Two sites have
have Universal group membership enabled.
Now the problem is if Wan link is down, and I try to make searches on
AD to other different Domains or if a user from other domain tries to
logon on a machine the logon is denied... Isn't suppose the GC to have
all information about the forest and serve all queries an logon
requests??
What about the 2 Sites that have only the Universal Group Membership
Enabled, if I need to make searches to that domain which site or
global catalog should i make sure that has Wan connection available??
(Remember they don't have any GC, THEY ONLY HAVE Group Membership
Enabled, because the Wan links are very slow).
Some help would be very appreciated.
Regards
.
- Follow-Ups:
- Re: GC-Problems
- From: JMS
- Re: GC-Problems
- References:
- Re: GC-Problems
- From: Bill
- Re: GC-Problems
- From: Bill
- Re: GC-Problems
- From: JMS
- Re: GC-Problems
- Prev by Date: Re: GC-Problems
- Next by Date: Re: GC-Problems
- Previous by thread: Re: GC-Problems
- Next by thread: Re: GC-Problems
- Index(es):
Relevant Pages
|
|
