Re: Domain users cannot logon to domain
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Fri, 16 Jun 2006 20:45:25 +0100
Inline
> So basically what you say is I need to activate a GC on DC2 and DC3. I
> will do that.
Be aware of the IM master role:
As a general rule, the infrastructure master should be located on a
non-global catalog server that has a direct connection object to some global
catalog in the forest, preferably in the same Active Directory site. Because
the global catalog server holds a partial replica of every object in the
forest, the infrastructure master, if placed on a global catalog server,
will never update anything, because it does not contain any references to
objects that it does not hold. Exceptions to the "do not place the
infrastructure master on a global catalog server" rule are:
* Single domain forest:
In a forest that contains a single Active Directory domain, there are no
phantoms, and so the infrastructure master has no work to do. The
infrastructure master may be placed on any domain controller in the domain,
regardless of whether that domain controller hosts the global catalog or
not.
* Multidomain forest where every domain controller in a domain holds the
global catalog:
If every domain controller in a domain that is part of a multidomain forest
also hosts the global catalog, there are no phantoms or work for the
infrastructure master to do. The infrastructure master may be put on any
domain controller in that domain.
> This is not really clear to me so I have a question on this.
> DC1 and DC2 are geographically in the same room and DC3 is not. DC3 is
> connected to DC1 and DC2 via a vpn tunnel (3com gateways).
OK
> At this moment there are NO subnets on any of the DCs. I can only
> create a new subnet on DC1 and not on DC2 and DC3.
You mean that DC1 and DC2 are in the same subnet?
> My question is: I don't understand why or it may be because they are
> not yet GC's?
Now, I'm confused.
DC1 and DC2 are in the same subnet?
for example:
DC1 is on 10.10.20.254/24=255.255.255.0
DC2 is on 10.10.20.253/24=255.255.255.0
DC3 is in a different subnet?
for example:
DC3 is on 10.10.10.254/24=255.255.255.0
In this case you create:
Site1 (For DC1 and DC2) -> subnet = 10.10.20.0/24
Site2 (For DC3) -> subnet = 10.10.10.0/24
In my previous post I said that you would need to create 2 subnets for site 1,
because I was assuming that you had 2 different subnets for it.
For example:
DC1 is on 10.10.20.254/24=255.255.255.0
DC2 is on 10.10.30.254/24=255.255.255.0
In this particular case you would need to create:
Site1 (For DC1 and DC2)
-> subnet = 10.10.20.0/24
-> subnet = 10.10.30.0/24
You can relate more than 1 subnet to an existing site. But it seems that
isn't your case.
> Site(1) Child1.Domain.net = DC1 and DC2 are on subnet 255.255.255.0
> and IP xxx.xxx.20.xxx
> Site(2) Child2.Domain.net = DC3 is on subnet 255.255.255.0 and IP
> xxx.xxx.10.xxx
> So my question is: What subnet do i need to create and on what dc?
> My guess would be I need to create a subnet from one site to the other
> site? So...
Ahhh. OK, OK.
OK, I believe that the previous answer responds to that.
> DC3 = subnet xxx.xxx.10.0 /24 - Site associated = Child1.Domain.net
> DC2 = subnet xxx.xxx.20.0 /24 - Site associated = Child2.Domain.net
> DC1 = no subnet so no site associated then
> Is that correct?
- DC1 no site why?
- Sites have nothing to do with Domains.
- Sites represent Physical structures in an organization.
* A site is a combination of one or more IP subnets connected by a highly
reliable and fast link to localize as much network traffic as possible.
With Active Directory, sites are not part of the namespace. When you browse
the logical namespace, you see computers and users grouped into domains and
OUs, not sites. Sites contain only computer objects and connection objects
used to configure replication between sites.
* Sites in Active Directory represent the physical structure, or topology, of
your network. Active Directory uses topology information, stored as site and
site link objects in the directory, to build the most efficient replication
topology. You use Active Directory Sites and Services to define sites and
site links. A site is a set of well-connected subnets. Sites differ from
domains; sites represent the physical structure of your network, while
domains represent the logical structure of your organization.
* Sites have two main roles:
- To facilitate authentication, by determining the nearest domain controller
when a user logs on from a workstation
- To facilitate the replication of data between sites.
Because site names are used in the records registered in the Domain Name
System (DNS) by the domain locator, they must be valid DNS names.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"MartinH" <nick@xxxxxxxxxxxxxx> wrote in message
news:70u59293h9tjdobphg1c29sscnn4c4sdu2@xxxxxxxxxx
> Hi Jorge,
> Thanks for your help. Greatly appreciated. I have some more questions
> on this.
> On Fri, 16 Jun 2006 16:58:57 +0100, "Jorge Silva"
> <jorgesilva_pt@xxxxxxxxxxx> wrote:
>> Hi
>>> So far we were not able to reach our objective. When connection to DC1
>>> is lost no domain users can logon anymore on DC3 and DC2. Also user
>>> logon on Domain(3) is slow. Booting DC2 and DC3 when DC1 is not
>>> available takes like 20 minutes.
>> 1 - You need a GC available to validate logons (unless you have only one
>> domain or your DFL is in mixed mode), so if you only have one GC (DC1)
>> when IT GOES DOWN no logon can be performed.
> So basically what you say is I need to activate a GC on DC2 and DC3. I
> will do that.
>> 2 - Make sure that you link the appropriate subnets to their respective
>> sites. If DC1 and DC2 are in the same site make sure that you create the 2
>> subnets and link them to the same site, if DC3 is in a different site
>> create a subnet to Site2.
> This is not really clear to me so I have a question on this.
> DC1 and DC2 are geographically in the same room and DC3 is not. DC3 is
> connected to DC1 and DC2 via a vpn tunnel (3com gateways).
> At this moment there are NO subnets on any of the DCs. I can only
> create a new subnet on DC1 and not on DC2 and DC3.
> My question is: I don't understand why or it may be because they are
> not yet GC's?
> Site(1) Child1.Domain.net = DC1 and DC2 are on subnet 255.255.255.0
> and IP xxx.xxx.20.xxx
> Site(2) Child2.Domain.net = DC3 is on subnet 255.255.255.0 and IP
> xxx.xxx.10.xxx
> So my question is: What subnet do i need to create and on what dc?
> My guess would be I need to create a subnet from one site to the other
> site? So...
> DC3 = subnet xxx.xxx.10.0 /24 - Site associated = Child1.Domain.net
> DC2 = subnet xxx.xxx.20.0 /24 - Site associated = Child2.Domain.net
> DC1 = no subnet so no site associated then
> Is that correct?
>> 3 - Make sure that all servers are reachable by FQDN, using DNS secondary
>> zones, or stub zones, forwarding, conditional forwarding.
> All servers are reachable by computer name and by fully qualified name.
> Example: ping Computer and ping Computer.Domain.net or ping
> Computer.Child.Domain.net works in various combinations on themselves
> and all other DCs. So that's okay.
>> 4 - Make sure that your clients only use their local DNS servers.
> IPconfig /all on clients reports only the local DNS. So that's okay.
> IP and DNS on all the DCs are manual and the DNS on them are...
> DC1 = dns DC1
> DC2 = dns DC2 then dns DC1
> DC3 = dns DC3 then dns DC1
> Are these correct?
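Jorge's three recommendations (one site per location with its subnet linked, every DC placed in its site, a GC on DC2 and DC3, and the infrastructure master kept off a GC) as one script. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module, the site names Site1/Site2, the DC names DC1/DC2/DC3 and the example addresses 10.10.20.0/24 and 10.10.10.0/24 from Jorge's reply.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# that DC1/DC2/DC3 and the two /24s match the example used in the reply.
Import-Module ActiveDirectory

# Sites model physical topology, not domains: one site per well-connected
# location, and each IP subnet linked to exactly one site.
$layout = @{
    'Site1' = @{ Subnets = @('10.10.20.0/24'); DCs = @('DC1', 'DC2') }   # same room
    'Site2' = @{ Subnets = @('10.10.10.0/24'); DCs = @('DC3') }          # across the VPN
}

foreach ($siteName in $layout.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
    foreach ($cidr in $layout[$siteName].Subnets) {
        # Subnet objects are what the DC locator uses to map a client's IP to a site.
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $siteName
        }
    }
    foreach ($dcName in $layout[$siteName].DCs) {
        # A DC's site membership is set on its server object, not derived from its IP.
        Move-ADDirectoryServer -Identity $dcName -Site $siteName
    }
}

# Point 1 of the thread: logons need a reachable GC, so enable it on DC2 and DC3.
foreach ($dcName in 'DC2', 'DC3') {
    $dc = Get-ADDomainController -Identity $dcName
    if (-not $dc.IsGlobalCatalog) {
        # options bit 1 on the NTDS Settings object = "is global catalog".
        # -Replace assumes no other option bits are in use on this DC.
        Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = 1 }
    }
}

# Infrastructure master rule: keep it off a GC unless the forest has a single
# domain or every DC in this domain is a GC.
$domainDCs    = Get-ADDomainController -Filter *
$im           = Get-ADDomainController -Identity (Get-ADDomain).InfrastructureMaster
$singleDomain = @((Get-ADForest).Domains).Count -eq 1
$allAreGC     = -not ($domainDCs | Where-Object { -not $_.IsGlobalCatalog })
if ($im.IsGlobalCatalog -and -not ($singleDomain -or $allAreGC)) {
    Write-Warning "Infrastructure master $($im.HostName) is a GC in a multi-domain forest; move the role to a non-GC DC."
}
```

After the subnets exist, `nltest /dsgetsite` on a client in 10.10.10.0/24 should report Site2, confirming the locator now picks DC3 rather than a DC over the VPN.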