Re: AD Design Question


From: Jon (nospam_at_nowhere.com)
Date: 10/28/04


Date: Thu, 28 Oct 2004 08:48:21 -0700

At some of my sites, I currently have an ISA Server running. Could I use
that server as the DC for that site? Or does the ISA function task the
server too much to add the duty of DC? The boxes are PIII 800, 2GB RAM,
36GB RAID 5.

Jon

"Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
news:%23aWOPGQvEHA.2192@TK2MSFTNGP14.phx.gbl...
> "Jon" <nospam@nowhere.com> wrote in message
> news:utH7M%23PvEHA.2012@TK2MSFTNGP15.phx.gbl...
> > It is not that I want a Domain at each site. I wasn't sure if the design
> > and the number of workstations gave merit to having a Domain at each site.
> > So at each site, if I have a DC then I can keep authentication local to
> > that site?
>
> Yes, that is what setting up AD Sites is all about - it allows various
> functions to be aware of the physical network and use resources that are
> "close" to them.
>
> > Is there a problem with having 14 DC's in the same Domain? It sounds
> > like a lot, but I do not know AD that well.
>
> We can happily support thousands of domain controllers and millions of
> accounts per domain. Scale is not an issue.
>
> > If that is not a problem, then I can go that route. I have a few sites
> > that have 15-20 computers. Could I still have those authenticate over the
> > WAN by not creating a site for that location? Or would that be too slow?
>
> Any machine that cannot locate a DC in its site will authenticate over the
> network.
>
> > Also, what is the minimum security level for someone logging into a
> > workstation to join an AD Domain? Thanks again!
>
> If the user account is in the domain then the question makes no sense. If
> you mean what level of privilege is required to add an additional machine
> to the domain, then a regular Domain User can add up to 10 machines to the
> Domain (by default - but you can change this up to more or down to zero).
> Regular Domain Users (by default) cannot add additional user accounts to
> the domain.
>
> --
>
> Regards,
>
> Mike
> --
> Mike Brannigan [Microsoft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights
>
> Please note I cannot respond to e-mailed questions, please use these
> newsgroups
>
> > "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
> > news:emok37MvEHA.2624@TK2MSFTNGP11.phx.gbl...
> >> "Jon" <nospam@nowhere.com> wrote in message
> >> news:eFJeAWHvEHA.3080@TK2MSFTNGP12.phx.gbl...
> >> > Hello,
> >> >
> >> > I work for a school district where we have one central site and 12
> >> > school sites. We are currently running Novell for all file and print
> >> > sharing. We need to implement a W2K network to sync users and passwords
> >> > between Novell and W2K for my 2K and XP workstations. All the sites are
> >> > linked via T1. Each site has between 300 and 800 computers. Can I set up
> >> > one domain for all of the sites without having a DC at each site?
> >>
> >> Yes, a single Domain can span multiple sites. And there is no requirement
> >> to have a DC at each site BUT see next answer
> >>
> >> > Wanting to keep authentication traffic off of the WAN, can you specify
> >> > a GC Server at each site that is not a DC and tell the workstations to
> >> > authenticate to it?
> >>
> >> No - authentication is done by a DC. You also need to contact a GC during
> >> logon processing for evaluation of Universal Group membership.
> >> BUT a GC IS a DC by definition so if you place a GC at a site it IS a DC
> >> so will be doing the authentications locally instead of across the WAN.
> >>
> >> > If not, then I would have to have each site be a separate domain,
> >> > therefore requiring two W2K servers at each site?
> >> >
> >>
> >> No, see the answer above - if you are putting a GC at a site then it IS a
> >> DC, if you went with a Domain per site then yes you would have notionally
> >> 2 DCs per site - but why do you want a Domain at each site?
> >> Unless you are trying to either implement different security policies at
> >> each site or you are trying to constrain the replication traffic - e.g.
> >> in a single domain model all password changes as they occur will be
> >> replicated to all other sites. Of course inter-site replication is
> >> extremely controllable so that you could do this "after hours".
> >>
> >> > Any help is greatly appreciated!
> >> >
> >>
> >>
> >> --
> >>
> >> Regards,
> >>
> >> Mike
> >> --
> >> Mike Brannigan [Microsoft]
> >>
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights
> >>
> >> Please note I cannot respond to e-mailed questions, please use these
> >> newsgroups
> >>


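Two of Mike's answers above are things an administrator can verify from a workstation rather than take on trust: whether a client's site actually has a DC (otherwise, as he says, it authenticates over the WAN) and the "up to 10 machines" a plain Domain User may join, which is the ms-DS-MachineAccountQuota attribute on the domain head. The script below is an added example, not code from this thread or from Microsoft; it assumes a domain-joined Windows host, and the script name and the -NewQuota parameter are my own choice.

```powershell
# Added example (Check-SiteAndQuota.ps1, hypothetical name), not from the thread.
# Reports the AD site this workstation was placed in, the DC the locator
# returned (a DC in another site means logons cross the WAN), whether that DC
# is also a GC, and the per-user computer-join quota. -NewQuota needs write
# access to the domain head; pass 0 to stop ordinary users joining machines
# and delegate joins to a named group instead.
param(
    [int]$NewQuota = -1   # -1 = report only
)

Add-Type -AssemblyName System.DirectoryServices

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$site   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
$dc     = $domain.FindDomainController()

Write-Host "Domain      : $($domain.Name)"
Write-Host "Client site : $($site.Name)"
Write-Host "DC located  : $($dc.Name) (site $($dc.SiteName))"
Write-Host "DC is a GC  : $($dc.IsGlobalCatalog())"
if ($dc.SiteName -ne $site.Name) {
    # This is the case Mike describes: no DC in the client's own site.
    Write-Warning "No DC in site '$($site.Name)': authentication goes over the WAN to $($dc.SiteName)."
}

# The quota is stored on the domain head object; read it via ADSI so the
# script does not depend on the RSAT ActiveDirectory module.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$head     = [ADSI]"LDAP://$domainDn"
$quota    = [int]($head.Properties['ms-DS-MachineAccountQuota'].Value)
Write-Host "ms-DS-MachineAccountQuota : $quota (machines a plain Domain User may join)"

if ($NewQuota -ge 0 -and $NewQuota -ne $quota) {
    $head.Put('ms-DS-MachineAccountQuota', $NewQuota)
    $head.SetInfo()
    Write-Host "Quota changed from $quota to $NewQuota"
}
```

Run it without arguments on a workstation at each school site to confirm the locator is returning a DC in that site; run `.\Check-SiteAndQuota.ps1 -NewQuota 0` once, as a domain administrator, if the district decides that only a designated group (granted "Create Computer objects" on the relevant OU) should join machines. Lowering the quota does not affect machines already joined, and the change replicates to every DC like any other domain-head attribute.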