Re: Global Catalog Server in Windows Server 2003



Is that all? :)

See inline.

Al


"rmente" <rmente@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F32EC0C7-59FC-4DC4-9FC0-B23FF7C21394@xxxxxxxxxxxxxxxx
> Gentlemen:
>
>
> I need clarification on the following issues regarding the Global Catalog
> Server in Windows Server 2003:
>
> For these questions, assume that I have a root domain called company.com and
> two child domains called dc1.company.com and dc2.company.com:
>
> 1). If I recall from my training, the Global Catalog Server (hereinafter
> referred to as "GCS") would be created by default at the root domain
> (company.com).
>
The first server in a domain is also a GC. That allows logon to occur.

> 2). If #1 is correct, would the root (company.com) GCS have the complete
> domain information for the tree above? Would the GCS in turn only
> replicate information regarding the dc1 child domain to a domain controller
> (hereinafter referred to as a "DC") in the dc1.company.com domain and
> information regarding the dc2 child domain to a DC in the dc2.company.com?
>
If it's the root, there is no tree above. But see if this helps: a GC keeps
a partial attribute set of all the domains in a forest (globally) so that
you can find information in other domains regardless of which domain you're
in. But it's only a partial set, not a complete set. And remote domains are
not a writeable copy.


> 3). Since domains are security boundaries, can I apply the following
> password policies to the domains, as follows:
>

Myth #1: Domains are security boundaries.
Snopes (if they put it on there, this is what they'd say) this is not true.
It only confuses things if you say it like that. Trust me :)

> Root: User must change passwords after 30 days

Root domain could have a password change policy that is different from a
child domain as you describe. As long as each of these represent a
different root/child domain then you could do this. If the DCs are in the
same domain, then no, it won't work as you expect.

> DC1: User must change passwords after 20 days
> DC2: User must change passwords after 10 days
>
> If I can apply the above policies and I created a user on a DC in the DC1
> domain:
>
> a). If that user logged into the domain from a workstation in DC1, would the
> user have to change their password after 20 days?
>
> b). What password policy would be in effect if that same user logged into
> the domain on a workstation in the root domain? The DC2 domain?

Password policies are applied to DCs. Therefore, when the user presents
credentials that the DC is responsible for, they'll have to follow that DC's
rules. Password policies included. In practice, it's a little stranger than
that, because you have to get notifications etc. But that's roughly how it
works.

>
> I realize that password policies do not replicate because they are not
> Active Directory objects (only Active Directory objects replicate).
>
> For these questions, assume that I have the tree above and there is another
> tree called contoso.com with two child domains, dc1.contoso.com and
> dc2.contoso.com that create a forest:
>
> 4). Will another GCS be created in the contoso.com root domain by default
> (or design) or does the GCS for the company.com domain handle the replication
> for the contoso.com domain?

Can you reword that? I think you just asked if a GC can handle information
from another forest, but not exactly sure. If that's what you're asking,
then no, it doesn't work like that. Replication happens within a forest
boundary (a forest is a security boundary, for the record). A GC is created
for each domain. At least one. You can create additional if you so choose.

>
> a). If the answer to the above is no, i.e. another GCS is not created, will
> any users created in the company.com domain get replicated to the contoso.com
> domain?

See above. Keep in mind if this did happen, people all over the internet
would be very unhappy with their purchase and subsequent installation of AD
because their forest would be replicating with a competitor's forest!

>
> b). If the answer to the above is yes, i.e. another GCS is indeed created,
> can I infer that any users and Active Directory objects created in the
> company.com domain DO NOT get replicated over to the contoso.com domain and
> that I would have to create new users (and other related Active Directory
> objects) in the contoso.com domain?

I think this is answered above. Let me know if not.

>
> 5). Does the automatic two-way transitive trust that is created between the
> company.com tree and the contoso.com tree allow a user to access shared
> folders, printers, and other Active Directory objects in the contoso.com
> domain from a workstation in the company.com domain (and vice-versa) via the
> GCS provided that the user has appropriate access permissions granted?
>

Tree as in domains in the same forest? That's the only time a two-way
transitive trust is automagically created. Can you reword that?


> That is all I need to know - thank you for your help!
>
Have you considered getting a consultant to help out? It might save you
some time and some errors down the road based on your long term plans.


>
> Bob Mente
>

