Re: GC Question




Two last questions, please:

1st: In a large network with thousands of users, what tool should I use to
make sure that no duplicate user accounts are being used (monitoring
purposes) between all existent domains, and when creating new user accounts
what tool should I use to make sure that I'm not using a user account that
is already being used in a different domain?


2nd: This is a Dns question but I believe that someone could answer me:

- Why are some Dns folders only available on the top root Domain? All other
domains in the forest don't have several folders that the top root domain
has; examples of the folders are:

_msdcs.domains (contains the GUIDs for existent domains)
_msdcs.Gc (Contains the existent Global Catalogs for the existent sites)
ForestDnsZone
When I select the folder _msdcs in the top-level Dns domain, in the right
pane I can see the GUIDs for existent domains.


Now, for example, in the other Dns domains (Child or different trees)
shouldn't the Dns on their Domain have access to the _msdcs.Gc? This seems
to be an important folder to identify the existent Global Catalogs in each
site.

And what about the _msdcs.domains folder that identifies the GUIDs for all
existent domains and their DCs, should this folder also be available on
other Dns servers in different Domains?


And the ForestDnsZone?

Is there any way to make these folders available for all Dns servers? What
are the consequences, or what do I lose or win by doing that?


Thanks again for your time.





"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:eqWtARFXGHA.4768@xxxxxxxxxxxxxxxxxxxxxxx
"GIG" <gig@xxxxxxxxxxx> wrote in message
news:eDim1CEXGHA.4652@xxxxxxxxxxxxxxxxxxxxxxx
Hello Herb

To confirm this I set up the following scenario:

1st Test
Objective: (I read in an article that when no GC is available for a domain
that isn't a Root Domain (First Domain to be Created) no one is able to
logon on that domain, including on the Domain Controller for that Domain;
that article also states that in this type of situation only Domain
Admins or Enterprise Admins of the Root Domain are able to logon on
"lower" domains to be able to fix something or to make the "lower"
domain controllers Global Catalogs.)

Results:
- Well, it looks like that is not the truth - I was able to logon with the
Administrator Account.


No, it was the TRUTH -- you asked about USERS.

Since you specified USERS I didn't mention that there
is an exception for Admins (presumably so there is a way
to fix such problems.)


- I restarted the WXP - Wkst, and I tried to logon with the User account
"User01". Guess what ... I wasn't able to logon hehehe....
- But then I tried to logon with the Administrator Account for the Child
Domain, and I was able to logon with no problems.

Conclusion:
The Administrator account for the local domain can logon on any machine
for that domain, including Dcs.
To create user accounts we need an available Gc. (I don't understand
why...)

That is normal behavior.


- After I turned On the Gc, I was able to logon on the Child Domain.

Conclusion:
- We can create User accounts with the same name in different domains.

You can of course do this -- it is generally a poor practice
(especially if you wish to use a single EMAIL domain name
or if you wish to allow users to logon with a single-standard
User Principal Name.)

You can even create two users with the same name in the
SAME DOMAIN (but in different OUs) -- this is a MUCH
WORSE practice. Don't do it.

Both of these also cause problems for NetBIOS names.

In general, unless you have an overwhelmingly good reason
never create a Domain (or Workgroup), Computer, or User
with the same name as ANY other of any of these categories,
even though it is frequently legal.

Only exception: Workgroup for Win9x machines SHOULD be
the same as the domain to which they are associated.

- We can't logon with user accounts (not the administrator account for
the domain) if no Gc is available

Conclusion:
"Equal" User Accounts in different domains always must have different Upn
Suffixes.

Yes, and they automatically have different "NetBIOS full names"
but will otherwise clash for email and many NetBIOS purposes.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
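
As an added example (not part of the original thread or either poster's code): one way to check for the cross-domain name clashes discussed above is to pull every user object from a Global Catalog, which holds a partial copy of all domains in the forest, and group by logon name. The function names, the sample records and the host `dc01.example.com` are assumptions made for illustration.

```powershell
# Added example: report logon names that occur more than once across a forest.
function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # "CN=x,OU=y,DC=child,DC=example,DC=com" -> "child.example.com"
    $parts = [regex]::Matches($DistinguishedName, '(?i)(?:^|,)DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value }
    ($parts -join '.').ToLowerInvariant()
}

function Find-DuplicateAccount {
    param(
        [Parameter(Mandatory)][object[]]$User,
        # Compare on the sAMAccountName or on the part of the UPN before '@'
        [ValidateSet('SamAccountName', 'UpnPrefix')][string]$By = 'SamAccountName'
    )
    $rows = foreach ($u in $User) {
        $key = if ($By -eq 'UpnPrefix') {
            if ($u.UserPrincipalName) { ($u.UserPrincipalName -split '@')[0] }
        } else { $u.SamAccountName }
        if ($key) {   # skip objects that lack the attribute
            [pscustomobject]@{
                Key    = $key.ToLowerInvariant()   # AD name comparison is case-insensitive
                Domain = Get-DomainFromDN $u.DistinguishedName
                DN     = $u.DistinguishedName
            }
        }
    }
    $rows | Group-Object Key | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Domains = ($_.Group.Domain | Sort-Object -Unique) -join ', '
            Objects = $_.Group.DN
        }
    }
}

# Constructed sample records (not real accounts), shaped like Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'User01'; UserPrincipalName = 'User01@example.com'
        DistinguishedName = 'CN=User01,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName = 'user01'; UserPrincipalName = 'user01@child.example.com'
        DistinguishedName = 'CN=User01,CN=Users,DC=child,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName = 'jdoe'; UserPrincipalName = 'jdoe@example.com'
        DistinguishedName = 'CN=J Doe,OU=Staff,DC=example,DC=com' }
)
Find-DuplicateAccount -User $sample | Format-List

# Live input (assumes the ActiveDirectory module and a GC on dc01.example.com):
# $all = Get-ADUser -Filter * -Server 'dc01.example.com:3268' -SearchBase ''
# Find-DuplicateAccount -User $all -By UpnPrefix
```

Running the same check with the proposed name before creating an account, and on a schedule afterwards, covers both halves of the first question.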






