Re: Domain users cannot logon to domain

On Fri, 16 Jun 2006 20:45:25 +0100, "Jorge Silva"
<jorgesilva_pt@xxxxxxxxxxx> wrote:

Inline

So basicly what you say is i need to activate a GC on DC2 and DC3. i
will do that.

Be aware with the IM master role:
As a general rule, the infrastructure master should be located on a
non-global catalog server that has a direct connection object to some global
catalog in the forest, preferably in the same Active Directory site. Because
the global catalog server holds a partial replica of every object in the
forest, the infrastructure master, if placed on a global catalog server,
will never update anything, because it does not contain any references to
objects that it does not hold. Exceptions to the "do not place the
infrastructure master on a global catalog server" rule are:


I expect the tree root server DC1 to be the Infrastructure Master so i
should disable the GC on DC1 then? Simply untick the GC box in Sites
and Computers on DC1?

I activated GC's on the 2 other DC's a few hours ago so replication
should be ready by now?


* Single domain forest:

In a forest that contains a single Active Directory domain, there are no
phantoms, and so the infrastructure master has no work to do. The
infrastructure master may be placed on any domain controller in the domain,
regardless of whether that domain controller hosts the global catalog or
not.



*Multidomain forest where every domain controller in a domain holds the
global catalog:
If every domain controller in a domain that is part of a multidomain forest
also hosts the global catalog, there are no phantoms or work for the
infrastructure master to do. The infrastructure master may be put on any
domain controller in that domain.


Thats my case i think. 3 DC's all GC and DC1 (tree root server)
Infrastructure Master and Schema Owner.

So when I untick the GC on DC1 all should be working and updating. It
is not realy a problem if the IM is not reachable for a moment once
and a while?

DC1 has no function other the being a DC and bridging the two child
domains. All users etc are on them.




This is not really clear to me so I have a question on this.
DC1 and DC2 are geographically in the same room and DC3 is not. DC3 is
connected to DC1 and DC2 via a vpn tunnel (3com gateways).

OK

At this moment there are NO subnets on any of the DC;'s. I can only
create a new subnet on DC1 and not on DC2 and DC3.

You mean that DC1 and DC2 are in the same subnet?


Yes...

Site(1): 192.168.10.1/24 for DC1 and 192.168.10.3/24 for DC2
Site(2): 196.168.20.3/24 for DC3

DC3 is on another subnet because its geographicly a couple of miles
away from site(1) where DC1 and DC2 are located

My question is: I don't understand why or it may be because they are
not yet GC's?

Now, I'm confused.


I dont get an option in the AD Sites and Services menu on DC2 and DC3
to add a new subnet. I do on DC1 tho.


DC1 and DC2 are in the same subnet?
for example:
DC1 is on 10.10.20.254/24=255.255.255.0
DC1 is on 10.10.20.253/24=255.255.255.0

DC3 is in a different subnet?
for example:
DC3 is on 10.10.10.254/24=255.255.255.0


In this case you create:

Site1 (For DC1 and DC2) -> subnet = 10.10.20.0/24

Hope you bear with me. I am new to this. Site(1) I create a subnet
192.168.20.0/24 where? In AD Sites and Services on DC1 or on DC2 or on
both?

Site2 (For DC3) -> subnet = 10.10.10.0/24

This is simple. I get. I create Site(2) in AD Sites and Services on
DC3 I create a new subnet 192.168.10.0/24

on previous post I said that you'll needed to create 2 subnets for site 1,
because I was assuming that you had 2 different subnets for it.
For example:
DC1 is on 10.10.20.254/24=255.255.255.0
DC2 is on 10.10.30.254/24=255.255.255.0

In this particular case you would need to create:
Site1 (For DC1 and DC2)
-> subnet = 10.10.20.0/24
-> subnet = 10.10.30.0/24

You can relate more than 1 subnet to an existent site. But it seem that
isn't your case.

Site(1) Child1.Domain.net = DC1 and DC2 are on subnet 255.255.255.0
and IP xxx.xxx.20.xxx
Site(2) Child2.Domain.net = DC3 is on subet 255.255.255.0 and IP
xxx.xxx.10.xxx
So my question is: What subnet do i need to create and on what dc?
My guess would need to create a subnet from one site to the other
site? So...


Ahhh. Ok,Ok.
Ok I believe that the previous answer respond that.

DC3 = subnet xxx.xxx.10.0 /24 - Site associated = Child1.Domain.net
DC2 = subnet xxx.xxx.20.0 /24 - Site associated = Child2.Domain.net
DC1 = no subnet so no site associated then

Is that correct?

- DC1 no site why?
- Sites have nothing to do it Domains.
- Sites represent Physical structures in an organization.


Yes i am messing up the naming.

* A site is a combination of one or more IP subnets connected by a highly
reliable and fast link to localize as much network traffic as possible.
With Active Directory, sites are not part of the namespace. When you browse
the logical namespace, you see computers and users grouped into domains and
OUs, not sites. Sites contain only computer objects and connection objects
used to configure replication between sites


*Sites in Active Directory represent the physical structure, or topology, of
your network. Active Directory uses topology information, stored as site and
site link objects in the directory, to build the most efficient replication
topology. You use Active Directory Sites and Services to define sites and
site links. A site is a set of well-connected subnets. Sites differ from
domains; sites represent the physical structure of your network, while
domains represent the logical structure of your organization.

*Sites have two main roles:
- To facilitate authentication, by determining the nearest domain controller
when a user logs on from a workstation

- To facilitate the replication of data between sites Because site names are
used in the records registered in the Domain Name System (DNS) by the domain
locator, they must be valid DNS names

.

Relevant Pages

  • Re: Domain users cannot logon to domain
    ... non-global catalog server that has a direct connection object to some global ... forest, the infrastructure master, if placed on a global catalog server, ... connected to DC1 and DC2 via a vpn tunnel. ... You mean that DC1 and DC2 are in the same subnet? ...
    (microsoft.public.windows.server.active_directory)
  • Re: Problem with Sites and Services
    ... And i see that the user log in DC3 The site that i make has only the DC1 ... The subnet is correct and the user is in the subnet ... Do the DCPromo, or if you attempted this then ... If you only have a few users and a few machines such hacks are pretty ...
    (microsoft.public.windows.server.active_directory)
  • Re: Problem with Sites and Services
    ... And i see that the user log in DC3 The site that i make has only the DC1 ... The subnet is correct and the user is in the subnet ... Direct a Distributed File System client to the server that is ... file system that exists on each domain controller in a domain and is ...
    (microsoft.public.windows.server.active_directory)
  • Re: FIZMO Question/Move
    ... Emulator role to the remaining DC. ... I set> up a new dc as a global catalog. ... IS it safe to shut> down DC1 and move? ... > Do I have to remove the Global Catalog role from DC1 so> there is no conflect with the Infrastructure master when> DC1 comes back on line? ...
    (microsoft.public.win2000.active_directory)
  • Problem with Sites and Services
    ... I made it and i gave it a specific IP subnet & Domain controller ... But i didn't make very well (some users of this subnet log in to DC2 or DC3) ... contains the DC1 ...
    (microsoft.public.windows.server.active_directory)
Loading