Re: GC Question



"GIG" <gig@xxxxxxxxxxx> wrote in message
news:%23jbvbyOXGHA.4212@xxxxxxxxxxxxxxxxxxxxxxx
So according to you, if we need to find GCs or Domains we must make sure
that the top-level Domain Root DNS servers are always available, and we
can't have the folders that I mentioned previously on the other DNS
servers that exist in different Domains in the forest?

Is this right?

Sort of (I think, but I became a little confused by your
sentence and back references, etc.)

It means that ALL of your DNS servers must either HAVE
or be able to FIND that info (e.g., by looking on the
root DNS, or recursing, or using conditional forwarding,
etc.)

Every DNS server must FIND all of that info.

Just model how a (particular) DNS server would FIND
the info the clients all need.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
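Herb's advice to "model how a particular DNS server would FIND the info" can be turned into a check. The following is an added example, not code from the thread or from any of its participants: it asks each DNS server directly for the forest-wide _msdcs records discussed above (the gc SRV record, the per-domain GUID SRV records and the per-DC GUID aliases). It assumes the RSAT ActiveDirectory module, Resolve-DnsName, and read access to the forest; the list of DNS servers to test is built from the forest's DCs as a constructed sample.

```powershell
# Added example (not from the thread). Asks each DNS server directly whether it can
# resolve the forest-wide _msdcs records clients use to find GCs and DCs.
# Assumes the RSAT ActiveDirectory module, Resolve-DnsName (DnsClient module) and
# read access to the forest; the DNS server list is built from the DCs as a sample.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain

# Candidate DNS servers: every DC in the forest (assumption: DCs run DNS; substitute
# the server addresses your clients actually use if they differ).
$dnsServers = foreach ($d in $forest.Domains) {
    (Get-ADDomainController -Filter * -Server $d).HostName
}

# Names that live only under _msdcs.<forest root> and must be findable everywhere:
#   _ldap._tcp.gc._msdcs.<root>                      SRV   every Global Catalog
#   _ldap._tcp.<domain GUID>.domains._msdcs.<root>   SRV   DCs of each domain, by GUID
#   <DSA GUID>._msdcs.<root>                         CNAME alias for each DC
$checks = @(@{ Name = "_ldap._tcp.gc._msdcs.$root"; Type = 'SRV' })
foreach ($d in $forest.Domains) {
    $domainGuid = (Get-ADDomain -Server $d).ObjectGUID
    $checks += @{ Name = "_ldap._tcp.$domainGuid.domains._msdcs.$root"; Type = 'SRV' }
    foreach ($dc in Get-ADDomainController -Filter * -Server $d) {
        $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $d).ObjectGUID
        $checks += @{ Name = "$dsaGuid._msdcs.$root"; Type = 'CNAME' }
    }
}

# Query each server itself (-DnsOnly skips the local cache and hosts file), so a
# failure means that server neither holds nor can find the record: no copy, no
# forwarder, no stub zone.
$results = foreach ($srv in $dnsServers) {
    foreach ($c in $checks) {
        try {
            $answer = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $srv -DnsOnly -ErrorAction Stop
            $ok = @($answer | Where-Object { "$($_.Type)" -eq $c.Type }).Count -gt 0
        } catch { $ok = $false }
        [pscustomobject]@{ DnsServer = $srv; Record = $c.Name; Type = $c.Type; Resolves = $ok }
    }
}

# Any False row is a DNS server whose clients cannot locate a GC or DC via that record.
$results | Where-Object { -not $_.Resolves } | Format-Table -AutoSize
```

A server that fails every _msdcs check is the one Herb describes: it needs a copy of the zone (forest-wide AD integrated), a stub or secondary zone, or a conditional forwarder for _msdcs.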


Regards.



"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:ul%23t8PMXGHA.3972@xxxxxxxxxxxxxxxxxxxxxxx
"GIG" <gig@xxxxxxxxxxx> wrote in message
news:OszonyIXGHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
Two last questions please:

1st: In a large network with thousands of users, what tool should I use
to make sure that no duplicate user accounts are being used (monitoring
purposes) between all existent domains, and when creating new user
accounts what tool should I use to make sure that I'm not using a user
account that is already being used in a different domain?

You can search for users in AD Users and Computers or with
common tools like DSQuery/Net User/or custom scripts.

2nd: This is a DNS question but I believe that someone could answer me:

- Why are some DNS folders only available on the top root Domain? All
other domains in the forest don't have several folders that the top root
domain has; examples of the folders are:

_msdcs.domains (contains the GUIDs for existent domains)
_msdcs.Gc (Contains the existent Global Catalogs for the existent sites)
ForestDnsZone

Because _MSDCS (Microsoft Domain Controls) is really about
finding EVERY DC in the ENTIRE FOREST so it is more of a
forest thing than a "per domain" zone.

Also, _msdcs.gc since GCs are really a forest-wide job.

When I select the folder _msdcs in the top level DNS domain, in the right
pane I can see the GUIDs for existent domains.

Domains or Domain Controllers? Usually you see the DC GUIDs.

Every DC has an alias record for its own GUID.

Now, for example in the other DNS domains (child or different trees),
shouldn't the DNS on their domain have access to the _msdcs.Gc? This
seems

YES!!!!

And if they don't you will have problems.

Usual method is to either make those zones forest wide
(every DNS server holds a copy) or use Conditional Forwarding
or Stub zones etc.

to be an important folder to identify the existent Global Catalogs in
each site?

Yes.

And what about the _msdcs.domains folder that identifies the GUIDs for
all existent domains and their DCs, should this folder also be available
on other DNS servers in different Domains?

Yes.

And the ForestDnsZone?

Is there any way to make these folders available for all DNS servers?
What are the consequences, or what do I lose or win by doing that?

As above, make them forest wide (DNS-DCs) for AD Integrated,
hold cross stub zones, or secondaries, or conditional forward on
other DCs.

I like forest wide AD Integrated.




Thanks again for your time.





"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:eqWtARFXGHA.4768@xxxxxxxxxxxxxxxxxxxxxxx
"GIG" <gig@xxxxxxxxxxx> wrote in message
news:eDim1CEXGHA.4652@xxxxxxxxxxxxxxxxxxxxxxx
Hello Herb

To confirm this I set up the following scenario:

1st Test
Objective: (I read in an article that when no GC is available for a
domain that isn't a Root Domain (first Domain to be created) no one is
able to logon on that domain, including on the Domain Controller for
that Domain. That article also states that in this type of situation
only Domain Admins or Enterprise Admins of the Root Domain are able to
logon on "lower" domains, to be able to fix something or to make the
"lower" domain controllers Global Catalogs.)

Results:
- Well, it looks like that is not the truth - I was able to logon with the
Administrator Account.


No, it was the TRUTH -- you asked about USERS.

Since you specified USERS I didn't mention that there
is an exception for Admins (presumably so there is a way
to fix such problems.)


- I restarted the WXP - Wkst, and I tried to logon with the user
account "User01". Guess what ... I wasn't able to logon hehehe....
- But then I tried to logon with the Administrator Account for the Child
Domain, and I was able to logon with no problems.

Conclusion:
The Administrator account for the local domain can logon in any
machine for that domain, including Dcs.
To create user accounts we need an available GC. (I don't
understand why...)

That is normal behavior.


- After I turned On the Gc, I was able to logon on the Child Domain.

Conclusion:
- We can create User accounts with the same name in different domains.

You can of course do this -- it is generally a poor practice
(especially if you wish to use a single EMAIL domain name
or if you wish to allow users to logon with a single-standard
User Principal Name.)

You can even create two users with the same name in the
SAME DOMAIN (but in different OUs) -- this is a MUCH
WORSE practice. Don't do it.

Both of these also cause problems for NetBIOS names.

In general, unless you have an overwhelmingly good reason
never create a Domain (or Workgroup), Computer, or User
with the same name as ANY other of any of these categories,
even though it is frequently legal.

Only exception: Workgroup for Win9x machines SHOULD be
the same as the domain to which they are associated.

- We can't logon with user accounts (not the administrator account for
the domain) if no Gc is available

Conclusion:
"Equal" User Accounts in different domains always must have different
UPN Suffixes.

Yes, and they automatically have different "NetBIOS full names"
but will otherwise clash for email and many NetBIOS purposes.

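GIG asked twice how to find duplicate user accounts across domains (for monitoring, and before creating a new account), and Herb pointed at DSQuery/Net User or custom scripts. The following is such a custom script, added here as an example and not code from the thread or from either participant: it lists sAMAccountNames and UPNs that occur in more than one domain of the forest, and offers a check to run before New-ADUser. It assumes the RSAT ActiveDirectory module and read access to every domain; the function names and the sample name 'user01' are constructed.

```powershell
# Added example (not from the thread). Finds logon names used in more than one
# domain of the forest and gives a pre-creation check for a proposed name.
# Assumes the RSAT ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

function Get-ForestUserNames {
    param([string[]]$Domains = (Get-ADForest).Domains)
    foreach ($d in $Domains) {
        Get-ADUser -Filter * -Server $d -Properties sAMAccountName, userPrincipalName |
            ForEach-Object {
                [pscustomobject]@{ Domain = $d; Sam = $_.sAMAccountName; Upn = $_.userPrincipalName }
            }
    }
}

# Monitoring: the same sAMAccountName in several domains is legal but clashes for
# NetBIOS and e-mail (Herb's point); a duplicate UPN is worse, since the UPN is the
# single logon name that is supposed to be unique across the forest.
# Group-Object compares case-insensitively by default, as AD does for these names.
function Find-DuplicateForestUsers {
    param([string[]]$Domains = (Get-ADForest).Domains)
    $all = Get-ForestUserNames -Domains $Domains
    $dupSam = $all | Group-Object Sam | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Kind = 'sAMAccountName'; Name = $_.Name; Domains = ($_.Group.Domain | Sort-Object -Unique) -join ', ' }
    }
    $dupUpn = $all | Where-Object Upn | Group-Object Upn | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Kind = 'UPN'; Name = $_.Name; Domains = ($_.Group.Domain | Sort-Object -Unique) -join ', ' }
    }
    @($dupSam) + @($dupUpn)
}

# Provisioning: before New-ADUser, ask every domain whether the name is already taken.
function Test-ForestUserNameFree {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Domains = (Get-ADForest).Domains
    )
    $taken = foreach ($d in $Domains) {
        if (Get-ADUser -Filter { sAMAccountName -eq $SamAccountName } -Server $d) { $d }
    }
    [pscustomobject]@{ Name = $SamAccountName; Free = (@($taken).Count -eq 0); UsedIn = @($taken) }
}

Find-DuplicateForestUsers | Format-Table -AutoSize
Test-ForestUserNameFree -SamAccountName 'user01'   # 'user01' is a constructed sample name
```

Both functions query each domain by name rather than a single Global Catalog, so they still work for the sAMAccountName case even though that attribute is not unique forest-wide, which is exactly why the thread's "same name in two domains" situation is possible at all.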