Re: GC Question
- From: "GIG" <gig@xxxxxxxxxxx>
- Date: Mon, 10 Apr 2006 23:17:42 +0100
So according to you if we need to find GCs or Domains we must make sure that
the toplevel Domain Root Dns Servers are always available, and we can't have
that folders that i mentioned previously on the others Dns servers that
exist on different Domains on the forest?
Is this right?
Regards.
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:ul%23t8PMXGHA.3972@xxxxxxxxxxxxxxxxxxxxxxx
"GIG" <gig@xxxxxxxxxxx> wrote in message
news:OszonyIXGHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
Two Last question please:
1st: In a large network with thousands of users what tool should I use to
make sure that no duplicate user accounts are being using (monitoring
purposes) between all existent domains, and when creating new user
accounts what tool should I use to make sure that i'm not using a user
account that is already being use in a different domain?
You can search for users in AD Users or Computers or with
common tools like DSQuery/Net User/or custom scripts.
2nd: This is a Dns question but I believe that someone could anwser me:
- Why some Dns folders are only available on the top root Domain? All
other domains in the forest don't have Several folders that the top root
domain has, example of the folders are:
_msdcs.domains (contains the GUIDs for existent domains)
_msdcs.Gc (Contains the existent Global Catalogs for the existent sites)
ForestDnsZone
Because _MSDCS (Microsoft Domain Controls) is really about
finding EVERY DC in the ENTIRE FOREST so it is more of a
forest thing than a "per domain" zone.
Also, _msdcs.gc since GCs are really a forest-wide job.
When I select the folder _msdcs in the to level Dns domain, in thr right
pane I can see the GUIDs for existent domains.
Domains or Domain Controllers? Usually you see the DC GUIDs.
Every DC has an alias record for it's own GUID.
Now, for example in the other Dns domains (Child or different trees)
shouldn't the Dns on their Domain have access to the _msdcs.Gc? this
seems
YES!!!!
And if they don't you will have problems.
Usual method is to either make those zones forest wide
(even DNS server holds a copy) or use Conditional Forwarding
or Stub zones etc.
to be an important folder to identify the existent Global Catalogs in
each site?
Yes.
And what about the _msdcs.domains folder that i dentifies the GUIDs for
all existent domains and their DCs, should this folder also be available
on other Dns server in different Domains?
Yes.
Annd The ForestDnsZone?
There is any way to make this folders available for all Dns servers?
Which are the consequences, or what do I lose or win doing that?
As above, make them forest wide (DNS-DCs) for AD Integrated,
hold cross stub zones, or secondaries, or conditional forward on
other DCs.
I like forest wide AD Integrated.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks again for your time.
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:eqWtARFXGHA.4768@xxxxxxxxxxxxxxxxxxxxxxx
"GIG" <gig@xxxxxxxxxxx> wrote in message
news:eDim1CEXGHA.4652@xxxxxxxxxxxxxxxxxxxxxxx
Hello Herb
To confirm this i seted up the Following Scenario:
1st Test
objective: (I read in a article that when no GC is available for a
domain that isn't a Root Domain (First Domain to be Created) no one is
able to logon on that domain including in the Domain Controller for
that Domain, that article also states that in this type of situations
only Domain Admins or Enterprise Admins of the Root Domain are able to
logon on "lower" domains to be able to fix sometthing or to make the
"lower" domain controllers Global Catalogs.
Results:
- Well it looks that is not truth - I was Able to logon with
Administrator Account.
No, it was the TRUTH -- you asked about USERS.
Since you specified USERS I didn't mention that there
is an exception for Admins (presumably so there is a way
to fix such problems.)
- I restarted the WXP - Wkst, and I tryed to logon with the User
account "User01" Guess what ... I wasn't able to logon hehehe....
- But then I try to logon with Administrator Account for the Child
Domain, and I was able to logon with no problems.
Conclusion:
The Administrator account for the local domain can logon in any machine
for that domain, including Dcs.
To create user accounts we need an available Gc. (I don't know
understand why...)
That is normal behavior.
- After I turned On the Gc, I was able to logon on the Child Domain.
Conclusion:
- We can create User accounts with the same name in different domains.
You can of course do this -- it is generally a poor practice
(especially if you wish to use a single EMAIL domain name
or if you wish to allow users to logon with a single-standard
User Principal Name.)
You can even create two users with the same name in the
SAME DOMAIN (but in different OUs) -- this is a MUCH
WORSE practice. Don't do it.
Both of these also cause problems for NetBIOS names.
In general, unless you have an overwhelmingly good reason
never create a Domain (or Workgroup), Computer, or User
with the same name as ANY other of any of these categories,
even though it is frequently legal.
Only exception: Workgroup for Win9x machines SHOULD be
the same as the domain to which they are associated.
- We can't logon with user accounts (not the administrator account for
the domain) if no Gc is available
Conclusion:
"Iqual" User Accounts in different domains always must have different
Upn Suffixes.
Yes, and they automatically have different "NetBIOS full names"
but will otherwise clash for email and many NetBIOS purposes.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
.
- Follow-Ups:
- Re: GC Question
- From: Herb Martin
- Re: GC Question
- References:
- GC Question
- From: GIG
- Re: GC Question
- From: Herb Martin
- Re: GC Question
- From: GIG
- Re: GC Question
- From: Herb Martin
- Re: GC Question
- From: GIG
- Re: GC Question
- From: Herb Martin
- GC Question
- Prev by Date: Replication issues
- Next by Date: Is it Domain Controller Replication problem?
- Previous by thread: Re: GC Question
- Next by thread: Re: GC Question
- Index(es):
Relevant Pages
|
