Re: Global Catalog Placement

From: Rostislav Nedosekin (rostik-xeon_at_remove_it.yandex.ru)
Date: 06/08/04 

Date: Tue, 8 Jun 2004 21:36:23 +0400

Ok, thank you very much, that what I wanted to know.

"Jimmy Andersson [MVP]" <jimmy_noSpam_@mvps.org> сообщил/сообщила в новостях
следующее: news:%23QWSNyXTEHA.3580@TK2MSFTNGP09.phx.gbl...
> If I'm reading your Q correctly it seems that you have 2 domains?
> A DC/GC only authN users from their own naming context which means you
need
> to have at least one DC from each domain in the site where the users are,
> unless you wan't them to authN over the WAN.
>
> Regards,
> /Jimmy
> --
> Jimmy Andersson, Q Advice AB
> Microsoft MVP - Directory Services
> ---------- www.qadvice.com ----------
>
>
> "Rostislav Nedosekin" <rostik-xeon@remove_it.yandex.ru> wrote in message
> news:O0N7WoXTEHA.2128@TK2MSFTNGP11.phx.gbl...
> > You gave answer is not for the question I asked it seems to me.
> > I understand all troubles with GC unavailability. But the question was
"is
> > it nessesary to place 2 DC for each domain in Site1, if I don't want
users
> > login in Central site. I thought, that GC will serve to clients from
both
> > domains..
> >
> > Dmitry Korolyov seems to me gave the answer.
> > So thank you all.
> > "Eric Fleischman [MSFT]" <efleis@online.microsoft.com> ???????/????????
?
> > ???????? ?????????: news:%236vmAYWTEHA.3700@TK2MSFTNGP09.phx.gbl...
> > I'd add a little bit here.....
> > Once the domain functional level is >=2k native, a GC is required for
> > authentication of users. That said, if you have a DC in such a domain
that
> > can not contact a GC and other criteria are not the case (namely, you
> aren't
> > using universal group caching on 2k03 and you haven't set NoGCLogon on
the
> > DC) user auth will fail.
> >
> > In your case, that would mean if the GC in the site goes down and the
> remote
> > GC is not reachable, users would have authentication problems.
> >
> > I'd recommend making all DCs in to GCs.
> > In the case of the IM being on a GC, that is not a problem in two
> > conditions:
> > 1) If you only have a single domain, the IM can be on a GC - not your
> > condition
> > 2) If all DCs in the domain in question (as the IM is a domain FSMO
role)
> > are GCs, then the IM can be on a GC. - this is the situation you are in,
> as
> > making the IM in to a GC would mean both DCs in each domain (you said
> there
> > are two in each) will be GCs, and that would be ok.
> >
> > ~Eric
> >
> > --
> > Eric Fleischman [MSFT]
> > This posting is provided "AS IS" with no warranties, and confers no
rights
> > Use of included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> >
> > "Dmitry Korolyov [MVP]" <d__k@removethispart.mail.ru> wrote in message
> > news:uBp1jEWTEHA.2336@TK2MSFTNGP10.phx.gbl...
> > Global catalog can only process logon requests for accounts in the same
> > domain for which it is a domain controller. Only a DC for appropriate
> domain
> > can process logon requests and authenticate users. So I believe what you
> > described seems fine.
> >
> > --
> > Dmitry Korolyov [d__k@removethispart.mail.ru]
> > MVP: Windows Server - Active Directory
> >
> >
> > "Rostislav Nedosekin" <anonymous@discussions.microsoft.com> wrote in
> message
> > news:1960f01c44d5b$906446b0$a601280a@phx.gbl...
> > Hello. I've got such situation.
> > I have 2 domains: "company.com" and "child.company.com"
> > I've got 2 sites, "Central" and remote "Site1"
> > I've got 2 Domain controllers (DC) for both domains in
> > central site. One of each DC is Global Catalog (GC) and
> > the second is Infrastructure Master (IM).
> > I place one more DC of company.com domain in Site1 and
> > make it GC.
> > All site information, it's subnet is configured properly
> > in active directory.
> > In Site1 I have workstations which belongs to company.com
> > and child.company.com domain. Workstations IP's belongs to
> > Site1 subnet. When user login to company.com domain, his
> > logon server is DC for company.com in Site1. When user
> > login to child.company.com, his logon server is DC for
> > child.company.com in site Central.
> > The question is: "is it ok? I expected, that domain
> > controller for company.com in Site1, which is GC will be
> > logon server for all workstations in all domains in Site1.
> > Is there any misconfigure?
> >
> >
>
>

Relevant Pages

  • Re: Talktalk: Anyone have a clue as to what this idiot is on about?
    ... All settings known to be saved and correct. ... From 10am today, 'Authentication failed' at router. ... authentication problems are caused by two things: ...
    (uk.telecom.broadband)
  • Re: ASP application using ASP.NET Forms Authentication
    ... Then all calls will go through ASP.NET first, and thus through FormsAuth. ... I´m working in an already developed and complex ASP Application, ... are now with some authentication problems and reading about it, ... discovered that Forms Authentication can solve our problems. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Login problem
    ... I've seen lots of similar problems to do with the SQL server or Windows ... Authentication problems, but nothing exactly the same as mine. ...
    (microsoft.public.sqlserver.security)
  • Re: ASP application using ASP.NET Forms Authentication
    ... I´m working in an already developed and complex ASP Application, ... are now with some authentication problems and reading about it, ... discovered that Forms Authentication can solve our problems. ... it enables permission settings in the web.config ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Global Catalog Servers and WAN traffic
    ... However we have be told that we should not go to native mode as ALL authentication would have to go to one of only four gcs in the forest/worldwide, and to put a gcs in all major sites would bring our network to it's knees. ... Surely the reason for ms recommending gcs in all major sites is to cut down on network traffic. ...
    (microsoft.public.windows.server.active_directory)