Re: Domain Controller/Global Catalog Planning

From: Herb Martin (news_at_LearnQuick.com)
Date: 03/06/05


Date: Sun, 6 Mar 2005 08:33:52 -0600


"Tokoloshe" <Tokoloshe@discussions.microsoft.com> wrote in message
news:C3B7F474-D0D4-4C79-B12A-1EF869E3F921@microsoft.com...
> I'm reviewing an AD design which consists of a 'Secure' Forest Root domain
> containing no objects and a single Child domain containing all the objects.
>
> I've been confused by a planning assumption for DCs that implies that all
> DCs will be available for user logon, e.g. 3 DCs required = 2 DCs in Child
> + 1 DC in Root.
>
> From what I've read I think this assumption is appropriate for GCs, but not
> for DCs, in the context of user logons at least.

As I understand you, you are correct. If there is
no need to authenticate users in a site then there
is (likely) no need for it to have DCs in that site.

A GC (from ANY domain) of the forest should
generally be available however.

In such forests as you describe (especially if the
user account domain is not large) there is usually
no reason to avoid making ALL DCs into GCs.

> FYI all DCs are GCs and both domains are in a single site.
>
> So, can someone confirm that;
> 1. Only local domain controllers can be counted for user capacity planning
> (2 in this example).

True unless you need access to resources in
the "other" domain.

> 2. All GCs would be available for an application located in the Child
> domain, Exchange for example (I'm aware that the initial Exchange schema
> changes would happen at the Root).

Yes. Since no ordinary resources exist in
your parent, there is no need for authentication
there for ordinary users (Admins etc. are another
story.)

Were you to have sibling domains with resources
the answer would be different due to the (normal,
default) authentication referral paths.


