Re: Global Catalog Server in Windows Server 2003
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sun, 18 Sep 2005 15:50:31 -0400
I see that Al responded but I wanted to respond as well, that way you have two answers...
> 1). If I recall from my training, the Global Catalog Server (hereinafter
> referred to as “GCS”)

No, a global catalog is commonly referred to as a GC.

> would be created by default at the root domain
> (company.com).
Yes, the first DC created in a forest is automatically a GC.
> 2). If #1 is correct, would the root (company.com) GCS have the complete
> domain information for the tree above?
There is no tree above. The root is the top of the hierarchy.
> (hereinafter referred to as a “DC”)
Why not DCS? It is a server too... j/k
> Would the GCS in turn only
> replicate information regarding the dc1 child domain to a domain controller
> (hereinafter referred to as a “DC”) in the dc1.company.com domain and
> information regarding the dc2 child domain to a DC in the dc2.company.com?
A GC will not send information of a read only partition to a DC that holds a writeable copy of the partition. I.E. If you have a GC of Dom1 and it holds a readonly copy of Dom2, it will only pull Dom2 changes from a Dom2 DC, it will not send changes back to a Dom2 DC. It could, however send Dom2 changes to another GC that is in say Dom1 or Dom3.
> 3). Since domains are security boundaries,
BZZZZZ. Wrong, next question. Burn the book that says that, slap the person who told you it.
> Root: User must change passwords after 30 days
> DC1: User must change passwords after 20 days
> DC2: User must change passwords after 10 days
>
> If I can apply the above policies and I created a user on a DC in the DC1
> domain:

This is a confusing way to give an example; when you say DC1 I think of a domain controller, not a domain, and most of the folks here would do the same. Use D1, D2 or Dom1, Dom2.
So I am changing this now to
> Root: User must change passwords after 30 days
> D1: User must change passwords after 20 days
> D2: User must change passwords after 10 days
>
> If I can apply the above policies and I created a user on a DC in the D1
> domain:

> a). If that user logged into the domain from a workstation in D1, would the
> user have to change their password after 20 days?

If the user logged into their account from a workstation in any trusted domain they would follow the policy of the domain the account is a member of. I.E. Where you logon from or whether you logon at all has no bearing on when your account expires.
> b). What password policy would be in effect if that same user logged into
> the domain on a workstation in the root domain? The DC2 domain?
See above.
> I realize that password policies do not replicate because they are not
> Active Directory objects (only Active Directory objects replicate).
Where did you get that idea? Password policies actually replicate in two ways. The first is through Group Policies which are a combination of AD Objects and Files. The AD object points at the files. The AD Object replicates through AD replication and the files replicate through FRS. The second way password policies replicate is that they are actually implemented by setting attributes on the domain nc head object, like pwdHistoryLength or maxPwdAge and those replicate through AD Replication like normal items do.
> For these questions, assume that I have the tree above and there is another
> tree called contoso.com with two child domains, d1.contoso.com and
> d2.contoso.com that create a forest:
Again I changed your dc to d.
> 4). Will another GCS be created in the contoso.com root domain by default
> (or design)
No, any other DCs you want to make into GCs, you need to specify.
> or does the GCS for the company.com domain handle the replication
> for the contoso.com domain?

No, the contoso.com domain controllers would handle the contoso.com replication. Any GCs in the forest would have a read-only copy of contoso.com of course which at some point was pulled from a contoso.com domain controller. If your only GC were the company.com DC then it would directly speak with a contoso.com DC, a d1.contoso.com DC, and a d2.contoso.com DC as well as a d1.company.com DC and a d2.company.com DC.
> a). If the answer to the above is no, i.e. another GCS is not created, will
> any users created in the company.com domain get replicated to the contoso.com
> domain?

No. Users don't get replicated across domain lines. They could be in the GC partition of a domain controller that is a DC for another domain, but that isn't "replicated to" the other domain.
> b). if the answer to the above is yes, i.e. another GCS is indeed created,
> can I infer that any users and Active Directory objects created in the
> company.com domain DO NOT get replicated over to the contoso.com domain and
> that I would have to create new users (and other related Active Directory
> objects) in the contoso.com domain?
Create them for what? The company.com users should be able to access resources in the contoso.com domain? You don't need duplicate users.
> 5). Does the automatic two-way transitive trust that is created between the
> company.com tree and the contoso.com tree allow a user to access shared
> folders, printers, and other Active Directory objects in the contoso.com
> domain from a workstation in the company.com domain
Yes
> (and vice-versa) via the
> GCS provided that the user has appropriate access permissions granted?

The GC doesn't matter. When a user from one of the company.com domains tries to access a resource in one of the contoso.com domains, several Kerberos tickets are acquired by the client machine to present to the resource in the contoso.com domains to allow access.
GCs do not authenticate anything, they do not control replication for anything. They are simply phone books holding a partial replica of all of the objects of all of the naming contexts that they do not maintain a writeable copy of. Every DC in a forest has a writeable copy of the schema, the config, and their default domain. Outside of that, a DC from any given domain that becomes a GC gets the read only copies of all of the other domain naming contexts, the only value that is though is for lookups. No authentication can occur for those domains against the GCs, the GCs cannot replicate changes to the other DCs in the domains they hold writeable contexts for.

--
Joe Richards
Microsoft MVP Windows Server Directory Services
www.joeware.net
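An added example (not from the thread or from joeware) of the point above about password policy: it models the domain NC head attributes Joe names (maxPwdAge, pwdHistoryLength) with their actual LDAP encodings and derives expiry from the account's own domain, taken from the DN. The NC_HEADS table, the 30/20/10-day values and the sample pwdLastSet are constructed for the scenario in the post.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86400 * 10_000_000      # 100-ns intervals in one day
NEVER_EXPIRES = -0x8000000000000000     # maxPwdAge meaning "passwords never expire"


def days_to_max_pwd_age(days):
    """maxPwdAge is stored on the domain NC head as a NEGATIVE 100-ns count."""
    return -days * TICKS_PER_DAY


def max_pwd_age_to_days(raw):
    """Decode maxPwdAge; None means 'never'."""
    return None if raw == NEVER_EXPIRES else -raw / TICKS_PER_DAY


def filetime_to_datetime(ft):
    """pwdLastSet is a FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def domain_nc_of(dn):
    """The account's domain NC is the DC= tail of its distinguishedName."""
    return ",".join(p for p in dn.split(",") if p.upper().startswith("DC="))


# Constructed NC-head attributes for the three domains (Joe's D1/D2 naming).
NC_HEADS = {
    "DC=company,DC=com":       {"maxPwdAge": days_to_max_pwd_age(30), "pwdHistoryLength": 24},
    "DC=d1,DC=company,DC=com": {"maxPwdAge": days_to_max_pwd_age(20), "pwdHistoryLength": 24},
    "DC=d2,DC=company,DC=com": {"maxPwdAge": days_to_max_pwd_age(10), "pwdHistoryLength": 24},
}

# Constructed sample: a password set on 2005-09-18 00:00 UTC.
PWD_LAST_SET_SAMPLE = datetime_to_filetime(datetime(2005, 9, 18, tzinfo=timezone.utc))


def password_expires_at(user_dn, pwd_last_set):
    """Expiry depends only on the account's domain; there is deliberately no
    parameter for the workstation or domain the user logs on from."""
    policy = NC_HEADS[domain_nc_of(user_dn)]
    if pwd_last_set == 0:                       # pwdLastSet 0 = change at next logon
        return "must change at next logon"
    days = max_pwd_age_to_days(policy["maxPwdAge"])
    if days is None:
        return None
    return filetime_to_datetime(pwd_last_set) + timedelta(days=days)
```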
rmente wrote:
Gentlemen:
I need clarification on the following issues regarding the Global Catalog Server in Windows Server 2003:
For these questions, assume that I have a root domain called company.com and two children domains called dc1.company.com and dc2.company.com:
1). If I recall from my training, the Global Catalog Server (hereinafter referred to as “GCS”) would be created by default at the root domain (company.com).
2). If #1 is correct, would the root (company.com) GCS have the complete domain information for the tree above? Would the GCS in turn only replicate information regarding the dc1 child domain to a domain controller (hereinafter referred to as a “DC”) in the dc1.company.com domain and information regarding the dc2 child domain to a DC in the dc2.company.com?
3). Since domains are security boundaries, can I apply the following password policies to the domains, as follows:
Root: User must change passwords after 30 days
DC1: User must change passwords after 20 days
DC2: User must change passwords after 10 days
If I can apply the above policies and I created a user on a DC in the DC1 domain:
a). If that user logged into the domain from a workstation in DC1, would the user have to change their password after 20 days?
b). What password policy would be in effect if that same user logged into the domain on a workstation in the root domain? The DC2 domain?
I realize that password policies do not replicate because they are not Active Directory objects (only Active Directory objects replicate).
For these questions, assume that I have the tree above and there is another tree called contoso.com with two child domains, dc1.contoso.com and dc2.contoso.com that create a forest:
4). Will another GCS be created in the contoso.com root domain by default (or design) or does the GCS for the company.com domain handle the replication for the contoso.com domain?
a). If the answer to the above is no, i.e. another GCS is not created, will any users created in the company.com domain get replicated to the contoso.com domain?
b). if the answer to the above is yes, i.e. another GCS is indeed created, can I infer that any users and Active Directory objects created in the company.com domain DO NOT get replicated over to the contoso.com domain and that I would have to create new users (and other related Active Directory objects) in the contoso.com domain?
5). Does the automatic two-way transitive trust that is created between the company.com tree and the contoso.com tree allow a user to access shared folders, printers, and other Active Directory objects in the contoso.com domain from a workstation in the company.com domain (and vice-versa) via the GCS provided that the user has appropriate access permissions granted?
That is all I need to know - thank you for your help!
Bob Mente