Re: AD Design Question

From: Mike Brannigan [MSFT] (mikebran_at_online.microsoft.com)
Date: 10/28/04


Date: Thu, 28 Oct 2004 19:15:50 +0100


"Jon" <nospam@nowhere.com> wrote in message
news:eDCmOWQvEHA.2680@TK2MSFTNGP10.phx.gbl...
> At some of my sites, I currently have an ISA Server running. Could I use
> that server as the DC for that site? Or does the ISA function task the
> server too much to add the duty of DC? The boxes are PIII 800 2GB Ram,
> 36GB RAID 5.
>

That box could be a DC but from a security perspective it should not be.

-- 
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no rights
Please note I cannot respond to e-mailed questions, please use these newsgroups
> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
> news:%23aWOPGQvEHA.2192@TK2MSFTNGP14.phx.gbl...
>> "Jon" <nospam@nowhere.com> wrote in message
>> news:utH7M%23PvEHA.2012@TK2MSFTNGP15.phx.gbl...
>> > It is not that I want a Domain at each site.  I wasn't sure if the design
>> > and the number of workstations gave merit to having a Domain at each site.
>> > So at each site, if I have a DC then I can keep authentication local to
>> > that site?
>>
>> Yes that is what setting up AD Sites is all about - it allows various
>> functions to be aware of the physical network and use resources that are
>> "close" to them.
>>
>> > Is there a problem with having 14 DC's in the same Domain?  It sounds
>> > like alot, but I do not know AD that well.
>>
>> We can happily support thousands of domain controllers and millions of
>> accounts per domain. Scale is not an issue.
>>
>> > If that is not a problem, then I can go that route.  I have a few sites
>> > that have 15-20 computers.  Could I still have those authenticate over the
>> > WAN by not creating a site for that location?  Or would that be too slow?
>> >
>>
>> Any machine that cannot locate a DC in its site will authenticate over the
>> network.
>>
>> > Also, what is the minimum security level for someone logging into a
>> > workstation to join an AD Domain?  Thanks again!
>> >
>>
>> If the user account is in the domain then the question makes no sense.  If
>> you mean what level of privilege is required to add an additional machine to
>> the domain then a regular Domain User can add up to 10 machines to the
>> Domain (by default - but you can change this up to more or down to zero).
>> Regular Domain Users (by default) cannot add additional user accounts to the
>> domain.
>>
>> -- 
>>
>> Regards,
>>
>> Mike
>> --
>> Mike Brannigan [Microsoft]
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights
>>
>> Please note I cannot respond to e-mailed questions, please use these
>> newsgroups
>>
>> > "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in 
>> > message
>> > news:emok37MvEHA.2624@TK2MSFTNGP11.phx.gbl...
>> >> "Jon" <nospam@nowhere.com> wrote in message
>> >> news:eFJeAWHvEHA.3080@TK2MSFTNGP12.phx.gbl...
>> >> > Hello,
>> >> >
>> >> > I work for a school district where we have one central site and 12
>> >> > school sites.  We are currently running Novell for all file and print
>> >> > sharing.  We need to implement a W2K network to sync users and passwords
>> >> > between Novell and W2K for my 2K and XP workstations.  All the sites are
>> >> > linked via T1.  Each site has between 300 and 800 computers.  Can I set
>> >> > up one domain for all of the sites without having a DC at each site?
>> >>
>> >> Yes a single Domain can span multiple sites.  And there is no requirement
>> >> to have a DC at each site BUT see next answer
>> >>
>> >> > Wanting to keep authentication traffic off of the WAN, can you specify
>> >> > a GC Server at each site that is not a DC and tell the workstations to
>> >> > authenticate to it?
>> >>
>> >> No - authentication is done by a DC.  You also need to contact a GC during
>> >> logon processing for evaluation of Universal Group membership.
>> >> BUT a GC IS a DC by definition so if you place a GC at a site it IS a DC
>> >> so will be doing the authentications locally instead of across the WAN.
>> >>
>> >> > If not, then I would have to have each site be a separate domain,
>> >> > therefore requiring two W2K servers at each site?
>> >> >
>> >>
>> >> No, see the answer above - if you are putting a GC at a site then it IS a
>> >> DC; if you went with a Domain per site then yes you would have notionally
>> >> 2 DCs per site - but why do you want a Domain at each site?
>> >> Unless you are trying to either implement different security policies at
>> >> each site or you are trying to constrain the replication traffic - e.g. in
>> >> a single domain model all password changes as they occur will be replicated
>> >> to all other sites.  Of course inter-site replication is extremely
>> >> controllable so that you could do this "after hours".
>> >>
>> >> > Any help is greatly appreciated!
>> >> >
>> >>
>> >>
>> >> -- 
>> >>
>> >> Regards,
>> >>
>> >> Mike
>> >> --
>> >> Mike Brannigan [Microsoft]
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers no rights
>> >>
>> >> Please note I cannot respond to e-mailed questions, please use these
>> >> newsgroups
>> >>

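Added example (an editor's addition, not code from Microsoft or from either poster): a PowerShell script that checks, from a domain-joined workstation, the three points the thread turns on. It reports which AD site the machine resolved to and whether the DC locator found a DC in that site (the "authenticate over the WAN" case), whether that DC is also a GC (contacted at logon for Universal Group membership), lists every DC with its site and GC role, and reads ms-DS-MachineAccountQuota, the attribute behind the "10 machines per regular Domain User" default, with an optional switch to set it to 0. It uses only the .NET System.DirectoryServices classes shipped with Windows PowerShell 5.1 (no RSAT module). The script name Check-AdSite.ps1 and the -Harden switch are names chosen here; the read-only checks assume the caller is a domain user, and the quota change assumes write rights on the domain head object (Domain Admins by default).

```powershell
<#
  Added example for this thread (editor's addition, not Microsoft's or the
  poster's code). Run on a domain-joined Windows host in Windows PowerShell
  5.1 as a domain user. The -Harden switch is a name chosen here.
#>
param([switch]$Harden)

Add-Type -AssemblyName System.DirectoryServices

# 1. Site awareness: which site did this client land in, and did the DC
#    locator find a DC in that site? A client in a site with no DC, or on a
#    subnet not mapped to any site, is the "authenticate over the WAN" case.
$clientSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
$domain     = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$logonDc    = $domain.FindDomainController()

"Domain        : $($domain.Name)"
"Client site   : $($clientSite.Name)"
"Logon DC      : $($logonDc.Name) (site $($logonDc.SiteName))"
"Logon DC is GC: $($logonDc.IsGlobalCatalog())"   # a GC is consulted at logon for Universal Group membership

if ($logonDc.SiteName -ne $clientSite.Name) {
    Write-Warning "No DC serving site '$($clientSite.Name)'; logons go over the WAN to site '$($logonDc.SiteName)'."
}

# 2. Every DC in the domain with its site and GC role, to check a
#    multi-DC, multi-site design against the actual topology.
$domain.DomainControllers |
    Select-Object Name, SiteName, @{ n = 'GC'; e = { $_.IsGlobalCatalog() } } |
    Format-Table -AutoSize

# 3. ms-DS-MachineAccountQuota on the domain head object: the "10 machines
#    per regular Domain User" default. It caps only users who have no
#    explicit Create Computer Objects permission; delegated accounts are not
#    limited by it.
$rootDse = [ADSI]"LDAP://RootDSE"
$domHead = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$quota   = [int]$domHead.Properties['ms-DS-MachineAccountQuota'].Value
"ms-DS-MachineAccountQuota: $quota"

if ($Harden) {
    # Needs write access to the domain head (Domain Admins by default).
    # 0 means ordinary users cannot join machines at all; joins must then be
    # delegated explicitly on the OU where the computer objects are created.
    $domHead.Properties['ms-DS-MachineAccountQuota'].Value = 0
    $domHead.CommitChanges()
    "ms-DS-MachineAccountQuota set to 0"
}
```

Run `.\Check-AdSite.ps1` to report only, and `.\Check-AdSite.ps1 -Harden` to lower the quota. Setting the quota to 0 is the usual hardening for the "regular user can join 10 machines" default the thread mentions, since each such join creates a computer account whose initial password is known to whoever joined it; it does not by itself remove the "Add workstations to domain" user right from Authenticated Users, which is governed separately in the Default Domain Controllers Policy.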