Re: How many Global Catalog Servers are needed?
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Mon, 31 Jul 2006 20:30:02 -0400
Whatever DC is configured to be the PDC is used by the GPO editor as the GPO master. It doesn't absolutely have to use the PDC, but if it can't, it asks you the questions you are seeing to let you choose what to use.
Group policies themselves work FINE without the PDC up and running. It is only if you need to edit the GPOs that the PDC should be available. Again, this should not be a normal occurrence, you should set up GPOs and then mostly leave them alone.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
SEgerton wrote:
Joe, you really have been very helpful. Thank you very much!
So, if I assume correctly, my first DC is the GPO Master. If that is down, GPO won't work unless I transfer that role? Can you not have two or more servers controlling this? Say the DC that is assuming this role goes down; is the only way to get it up to transfer the role to another DC? Can you not just have this role on two DCs? I'm pretty sure my DC1 is assuming this role. I haven't assigned roles to other DCs. Once this server goes down, users aren't getting their Group Policies. I control logon scripts via Group Policies and they're not working when DC1 goes down. I would like another server to hold this role in addition to DC1. But if only one server can hold this role, meaning I just have to transfer the role when it goes down, please let me know.
I hope you understand what I just wrote! It's been a long day.
I appreciate the help! Thanks,
Shannon
"Joe Richards [MVP]" wrote:
A single label domain is something like BOB instead of bob.com. You don't have this problem which is good.
The main issue that I am aware of that you could get into with companyname.local is with MAC clients which I guess have an issue with the .local, I don't know the details though.
As for your GPO item. The PDC emulator is targeted as the GPO master so that when you go to edit GPOs the edit only occurs in one place. This helps prevent multiple people from editing the same GPO on different DCs and waiting for replication to sort out which policy will get kept. GPO processing still works; you are just seeing impact to GPO editing, which shouldn't be something happening all that much anyway.
joe
SEgerton wrote:
Joe, Thanks for the reply!!
Not sure what you meant by "As for the single label domains, yes you don't want to use those, several issues can pop up...". What do you mean by single label domains? The domain we created was our companyname.local. We aren't connecting it to our external. Plus I went ahead and made my four DCs Global Catalog servers; but I'm still having that issue when I shut down DC1 for testing. Group Policies aren't working. And if I go into a GPO from DC2 I'm still getting that message:
"The Domain Controller for Group Policy operations is not available. You may cancel this operation for this session or retry using one of the following Domain Controller choices. Here are the choices: -The one with the Operations Master token for the PDC emulator. -The one used by the Active Directory Snap-ins. -Use any available Domain Controller. OK or Cancel."
And when I log into the domain from a user's PC, the group policies aren't working.
Thanks,
Shannon
"Joe Richards [MVP]" wrote:
Yes.
As for the single label domains, yes you don't want to use those, several issues can pop up. As for using .local, the biggest problems are related to Macintosh clients and the case where you might tie into an external forest that used the same name you did. Microsoft likes to recommend using a registered name so it will always be unique (assuming someone else didn't take your registered name and use it themselves, whoever has test.com and ad.com and joe.com might be surprised to learn I have test forests with those names even though I didn't register them) in the event you do for some reason connect to someone else. :) Basically they saw people setting up ad.local and realized that if at a later time those companies tried to connect the forests with trusts for some reason, they would be unable to.
joe
SEgerton wrote:
One final note in addition to my last question. All my servers are 2003; does all the advice you guys gave me still apply?
Thanks,
Shannon
"SEgerton" wrote:
Guys, Thanks for all the replies!!
I have another question. When I was building the domain, I was advised by a Microsoft Tech when I called for support to use the .local extension. I posted my last post in another room other than this one and a person replying mentioned that it is not recommended to use .local. Do you guys have any comments on this? He did send me a link that mentioned it is not recommended; but why would a Microsoft Tech then tell me to do so? I don't know if this is useful, but we aren't using Exchange and are not concerned about linking our outside network with our internal. Here is the link he sent me.
http://technet2.microsoft.com/WindowsServer/en/library/4bb9f469-df87-4830-96a8-b28ec71bafa91033.mspx?mfr=true
Under Note...
****************************************************
Note
Using single label names or unregistered suffixes, such as .local, is not recommended.
****************************************************
Thanks again!!
Shannon
"Joe Richards [MVP]" wrote:
If you have but a single domain, make every DC a GC. There is no additional overhead to do so.
As you found out, GCs are needed during authentication. Specifically they are needed for cracking UPNs if a UPN logon is used and for resolving universal group memberships. You can disable the requirement for a GC for auth, but it is only safe to do if you are not using Universal Groups for security; you can check into the IgnoreGCFailures reg value.
You can also instead of those things enable Global Catalog Caching but I really don't recommend it, there are more issues associated with it, IMO, than benefits. It is just another hack workaround for issues that shouldn't exist in the first place.
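The two checks Joe describes in this thread, as an added example that is not part of the original posts: which DC holds the PDC emulator (the GPO editor's default target), whether every DC in a single-domain forest is a GC, and whether the IgnoreGCFailures value has been set anywhere, together with the caveat that it is only safe when no universal groups are used for security. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined machine; the registry path for IgnoreGCFailures is the one Microsoft documents for that value, and the thread itself concerns Windows Server 2003, which predates this module.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module is installed and the caller has read access to the domain and to the
# DCs' remote registry via PowerShell remoting.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. The PDC emulator is what the GPO editor tries first; if it is down you get
#    the "Domain Controller for Group Policy operations is not available" prompt.
"PDC emulator: $($domain.PDCEmulator)"

# 2. GC coverage. Joe's advice: in a single-domain forest, make every DC a GC.
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
$dcs | Format-Table -AutoSize

$notGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($forest.Domains.Count -eq 1 -and $notGC.Count -gt 0) {
    "Single-domain forest, but these DCs are not GCs: $($notGC.HostName -join ', ')"
}

# 3. Universal security groups: if any exist, logon needs a GC to expand them,
#    so disabling the GC requirement would be unsafe.
$universalSec = @(Get-ADGroup -Filter 'GroupScope -eq "Universal" -and GroupCategory -eq "Security"')
"Universal security groups in $($domain.DNSRoot): $($universalSec.Count)"

# 4. Report (do not change) IgnoreGCFailures on each DC. Path per Microsoft's
#    documentation of the value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
foreach ($dc in $dcs) {
    $val = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -ErrorAction SilentlyContinue).IgnoreGCFailures
    }
    $state = if ($null -eq $val) { 'not set (GC required for logon)' } else { "$val" }
    $warn  = if ($val -eq 1 -and $universalSec.Count -gt 0) {
        '  <-- set while universal security groups exist; group expansion may be incomplete'
    } else { '' }
    "$($dc.HostName): IgnoreGCFailures = $state$warn"
}
```

Run it from a management workstation as a domain user; only step 4 needs remoting to the DCs. The script only reads, so it is safe to use as a periodic health check after the kind of failover test described later in the thread.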
SEgerton wrote:
I'm new to Active Directory, and I just started testing a new domain I've been working on. On one particular test, I started having issues that I believe are related to Global Catalogs. Let me first give an overview of the structure of the domain and the test that I was trying to perform. Then I will give the errors that I came across.
I have two offices. Office 1 is our production office. Office 2 is for our Disaster Recovery. In Office 1 we have 3 servers. 2 servers are Active Directory Domain Controllers, and the third server is a member server used as a File Server. Both Domain Controllers are Active Directory Integrated DNS Servers. There is a T1 line that connects Office 1 and Office 2. In Office 2, I have the same setup. I joined the first two servers to the same domain as Office 1 as Active Directory Domain Controllers. These two servers are also Active Directory Integrated DNS servers. The third server in Office 2 is also a member server used as a File Server. The File Server in Office 2 is only used at the moment for replication of the File Server in Office 1. For this we are using third party replication software. This setup was put together this way so that in the event of a disaster where Office 1 goes down, users can go to Office 2 and work.
Here is the test I tried. I turned off both Server 1 and Server 2 in Office 1, hoping that Active Directory would still work because of Server 1 and Server 2 in Office 2. The redundancy is there for the Domain Controllers and for DNS. But after the servers were down, I tried logging into the domain on a PC as a user, and the logon took a long time. At the same time, he got into his profile, but I don't think his Group Policies were in effect. Then I got an error. I forget what I was doing to generate it, but here it is.
"A Global Catalog cannot be located to retrieve the icons for the member list. Some icons may not be shown."
Then in Office 2, I went into Users and Computers on Server 1 and tried to open a Group Policy Object and got this error.
"Domain controller not found for domain.local" The Domain Controller for Group Policy operations is not available. You may cancel this operation for this session or retry using one of the following Domain Controller choices. Here are the choices:
-The one with the Operations Master token for the PDC emulator.
-The one used by the Active Directory Snap-ins.
-Use any available Domain Controller.
OK or Cancel.
I Canceled.
Due to these messages, I believe the problem is due to a Redundancy of Global Catalog Servers. I don't fully understand them. But my understanding is that by default, Global Catalog is installed on the first Domain Controller of a domain. Therefore I didn't install any additional and only have one. How many should I have for redundancy?
Thanks in advance.
Shannon