Re: How many Global Catalog Servers are needed?



Joe, You really have been very helpful. Thank you very much!

So, if I assume correctly, my first DC is the GPO Master. If that is down,
GPO won't work unless I transfer that role? Can you not have two or more
servers controlling this? Say the DC that is assuming this role goes down; is
the only way to get it up to transfer the role to another DC? Can you not
just have this role on two DCs? I'm pretty sure my DC1 is assuming this role.
I haven't assigned roles to other DCs. Once this server goes down, users
aren't getting their Group Policies. I control logon scripts via Group Policies
and they're not working when DC1 goes down. I would like another server to hold
this role in addition to DC1. But if only one server can hold this role,
meaning I just have to transfer the role when it goes down, please let me
know?

I hope you understand what I just wrote! It's been a long day.

I appreciate the help!
Thanks,
Shannon
"Joe Richards [MVP]" wrote:

A single label domain is something like BOB instead of bob.com. You
don't have this problem which is good.

The main issue that I am aware of that you could get into with
companyname.local is with MAC clients which I guess have an issue with
the .local, I don't know the details though.

As for your GPO item: the PDC emulator is targeted as the GPO master so
that when you go to edit GPOs the edit only occurs in one place. This
helps prevent multiple people from editing the same GPO on different DCs
and waiting for replication to sort out which policy will get kept. GPO
processing still works; you are just seeing impact to GPO editing,
which shouldn't be something happening all that much anyway.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


SEgerton wrote:
Joe, Thanks for the reply!!
Not sure what you meant by "As for the single label domains, yes you don't
want to use those, several issues can pop up...". What do you mean by single
label domains? Our domain we created was our companyname.local. We aren't
connecting it to our external. Plus I went ahead and made my four DCs Global
Catalog servers; but I'm still having that issue when I shut down DC1 for
testing. Group Policies aren't working. And if I go into a GPO from DC2 I'm
still getting that message.

"The Domain Controller for Group Policy operations is not available. You may
cancel this operation for this session or retry using one of the following
Domain Controller choices.
Here are the choices:
-The one with the Operations Master token for the PDC emulator.
-The one used by the Active Directory Snap-ins.
-Use any available Domain Controller.
OK or Cancel."
And when I log into the domain from a user's PC, the group policies aren't
working.

Thanks,
Shannon


"Joe Richards [MVP]" wrote:

Yes.

As for the single label domains, yes you don't want to use those,
several issues can pop up. As for using .local, the biggest problems are
related to Macintosh clients and the case where you might tie into an
external forest that used the same name you did. Microsoft likes to
recommend using a registered name so it will always be unique (assuming
someone else didn't take your registered name and use it themselves,
whoever has test.com and ad.com and joe.com might be surprised to learn
I have test forests with those names even though I didn't register them)
in the event you do for some reason connect to someone else. :)
Basically they saw people setting up ad.local and realized that if at a
later time those companies tried to connect the forests with trusts for
some reason, they would be unable to.

joe



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


SEgerton wrote:
One final note in addition to my last question. All my servers are 2003; does
all the advice you guys gave me still apply?

Thanks,
Shannon
"SEgerton" wrote:

Guys, Thanks for all the replies!!

I have another question. When I was building the domain, I was advised by a
Microsoft Tech when I called for support to use the .local extension. I
posted my last post in another room other than this one and a person replying
mentioned that it is not recommended to use .local. Do you guys have any
comments on this? He did send me a link that mentioned it is not recommended;
but why would a Microsoft Tech then tell me to do so? I don't know if this is
useful, but we aren't using Exchange and not concerned about linking our
outside network with our internal. Here is the link he sent me.

http://technet2.microsoft.com/WindowsServer/en/library/4bb9f469-df87-4830-96a8-b28ec71bafa91033.mspx?mfr=true

Under Note...

****************************************************
Note
Using single label names or unregistered suffixes, such as .local, is not
recommended.
****************************************************
Thanks again!!
Shannon

"Joe Richards [MVP]" wrote:

If you have but a single domain, make every DC a GC. There is no
additional overhead to do so.

As you found out, GCs are needed during authentication. Specifically
they are needed for cracking UPNs if a UPN logon is used and for
resolving universal group memberships. You can disable the requirement
for a GC for auth but it is only safe to do if you are not using
Universal Groups for security, you can check into the IgnoreGCFailures
reg value.

You can also instead of those things enable Global Catalog Caching but I
really don't recommend it, there are more issues associated with it,
IMO, than benefits. It is just another hack workaround for issues that
shouldn't exist in the first place.




--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
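Joe's two points above (the PDC emulator being the single DC the GPO editor targets, and GCs being required at logon unless IgnoreGCFailures is set) are both things an administrator can verify directly. The following PowerShell is an added example, not code from the thread or from Joe Richards; it assumes a workstation with the RSAT ActiveDirectory module (Windows Server 2008 R2 or later on the management side) and rights to read the registry on each DC. The IgnoreGCFailures value lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is the documented location for that setting.

```powershell
# Added example (not part of the original thread): inventory a single domain's DCs,
# show which are Global Catalogs, which one holds the PDC emulator (the DC the
# Group Policy editor targets), and whether the IgnoreGCFailures workaround is set.
# Assumes: RSAT ActiveDirectory module, remoting enabled on the DCs, domain admin rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# FSMO role holders. Exactly one DC holds each role at a time; there is no
# "second PDC emulator", only a transfer (or seizure when the holder is gone).
"PDC emulator         : $($domain.PDCEmulator)"
"RID master           : $($domain.RIDMaster)"
"Infrastructure master: $($domain.InfrastructureMaster)"
"Schema master        : $($forest.SchemaMaster)"
"Domain naming master : $($forest.DomainNamingMaster)"
"Global catalogs      : $($forest.GlobalCatalogs -join ', ')"

# Per-DC view: site, GC flag, PDC flag, and whether the GC LDAP port (3268) answers.
$dcs = Get-ADDomainController -Filter *
$dcs | ForEach-Object {
    $dc = $_
    $gcProbe = Test-NetConnection -ComputerName $dc.HostName -Port 3268 -WarningAction SilentlyContinue
    [pscustomobject]@{
        HostName        = $dc.HostName
        Site            = $dc.Site
        IsGlobalCatalog = $dc.IsGlobalCatalog
        IsPdcEmulator   = ($dc.OperationMasterRoles -contains 'PDCEmulator')
        GcPortOpen      = $gcProbe.TcpTestSucceeded
    }
} | Format-Table -AutoSize

# IgnoreGCFailures = 1 lets logons succeed with no GC reachable, at the cost of
# skipping universal group expansion, so it is only safe if universal groups are
# not used to grant or deny access. Report where it is set so the risk is visible.
foreach ($dc in $dcs) {
    $value = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name IgnoreGCFailures -ErrorAction SilentlyContinue).IgnoreGCFailures
    }
    if ($value -eq 1) {
        "$($dc.HostName): IgnoreGCFailures is SET - GC outages are ignored at logon"
    } else {
        "$($dc.HostName): IgnoreGCFailures not set (default: a GC is required for logon)"
    }
}
```

Running this with the Office 1 DCs powered off, as in the test described in the thread, shows the two separate conditions at once: the GC column tells you whether any surviving DC can answer universal-group and UPN lookups (Joe's "make every DC a GC" advice), while the PDC emulator line tells you why the GPO editor still complains even when logons work. If the PDC emulator holder is down and stays down, the role is moved with Move-ADDirectoryServerOperationMasterRole (with -Force to seize it when the old holder is unreachable); GPO processing on clients never depended on that role, only GPO editing does.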


SEgerton wrote:
I’m new to Active Directory; and I just started testing a new domain I’ve
been working on. On one particular test, I started having issues that I
believe are related to Global Catalogs. Let me first give an overview of the
structure of the domain, and the test that I was trying to perform. Then I
will give the errors that I came across.

I have two offices. Office 1 is our production office. Office 2 is for our
Disaster Recovery. In office 1 we have 3 servers. 2 servers are Active
Directory Domain Controllers, and the third server is a member server used as
a File Server. Both Domain Controllers are both Active Directory Integrated
DNS Servers. There is a T1 line that connects both Office1 and Office2. In
Office 2, I have the same setup. I joined the first two servers to the same
domain in Office 1 as Active Directory Domain Controllers. These two servers
are also Active Directory Integrated DNS servers. The third server in Office
2 is also a member server used as a File Server. The File Server in Office 2
is only used at the moment for replication of the File Server in Office 1.
For this we are using a third party replication software. This setup was put
together this way in the event of a disaster and office 1 goes down, users
can go to Office 2 and work.

Here is the test I tried. I turned off both server 1 and server 2 in Office
1, hoping that Active Directory would still work because of Server 1 and
Server 2 in Office 2. The redundancy is there for the Domain Controllers and
for DNS. But after the servers were down, I tried logging into the domain on a
PC as a user, and the logon took a long time. At the same time, he got into
his profile, but I don’t think his Group Policies were in effect. Then I got
an error. I forget what I was doing to generate it, but here it is.

"A Global Catalog cannot be located to retrieve the icons for the
member list. Some icons may not be shown."

Then in Office 2, I went into Users and Computers on Server 1 and tried to
open a Group Policy Object and got this error.

"Domain controller not found for domain.local. The Domain Controller for
Group Policy operations is not available. You may cancel this operation for
this session or retry using one of the following Domain Controller choices.
Here are the choices:
-The one with the Operations Master token for the PDC emulator.
-The one used by the Active Directory Snap-ins.
-Use any available Domain Controller.
OK or Cancel."
I Canceled.

Due to these messages, I believe the problem is due to a Redundancy of
Global Catalog Servers. I don't fully understand them. But my understanding
is that by default, Global Catalog is installed on the first Domain
Controller of a domain. Therefore I didn't install any additional and only
have one. How many should I have for redundancy?

Thanks in advance.

Shannon
