Re: no logon server to service your request problem
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Fri, 30 Jun 2006 20:28:08 +0100
I know I know... my fault
The Infrastructure master role: Ensures cross-domain object references are
handled properly, such as when objects in one domain are referenced by
objects in a different domain.
The domain controller assigned the infrastructure master role is responsible
for updating the group-to-user references whenever the members of groups are
renamed or changed. At any time, there can be only one domain controller
acting as the infrastructure master in each domain.
When you rename or move a member of a group (and the member resides in a
different domain from the group), the group might temporarily appear not to
contain that member. The infrastructure master of the group's domain is
responsible for updating the group so it knows the new name or location of
the member. The infrastructure master distributes the update via multimaster
replication.
The IM is responsible for updating cross-domain object references each DC in
the Domain, to do that it needs to check for changes on an available GC,
then compares its information with the information that the GC has, if any
changes, then updates its local information, and updates cross-domain object
references each DC in the Domain.
The Problem is that If the IM is also a GC, when is going to check for
changes he asks for a GC and because the IM is also a GC it "thinks" that it
has all information updated and there's no need to update the DCs on its
domain causing others DCs ending up with nonupdated information, remember
DCs in a domain only know everything about their domain, because the domain
partition is replicated between them.
Example:
2 Domains:
- Domain1
- Domain2
- You create a Universal Security group on Domain1, and add it a user from
Domain2.
- All GCs in the forest now that UNG on domain1 has a user from Domain2, and
all DCs in the Domain1 also know that, but DCs (non-GCs) in Domain2 don't
know anything about it, the IM in their Domain is responsible for update
that information and replica it to the DCs in their domain.
So in conclusion:
- If you have only 1 Domain you don't have cross-domain object references,
so there isn't job for the IM.
- If you have only 1 DC in a domain, doesn't matter if it is a GC or not
because that DC holds all roles for its domain, and it doesn't need to
update no other DC in its domain, so in this scenario doesn't matter if it
is a GC or not.
- If in your Domain only some DCs are GCs then you should take careful were
to put IM, as Jorge Pinto Said:
(2) If at least one or more other DCs in a domain (besides the
Infrastructure master) are not a GC, then the Infrastructure master
should
NOT be on a GC
- If all DCs in the Domain are GCs, then no problem here too because all of
them will be updated. As Jorge Pinto said:
(1) If all DCs in a domain are GC, there is no other choice where to put
the
Infrastructure master. So no issue here!
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Peter" <Peter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8D577C38-4E8C-4607-8E58-3EFE85F3949C@xxxxxxxxxxxxxxxx
Thanks for your answer. Sorry about my confusion even it's short and
sweet
answer.
From your saying, it's better to make every DC GC. Why does MS suggest
put
GC on the DC which is not I.M.?
Thanks for your both help.
"Jorge de Almeida Pinto [MVP]" wrote:
Short and sweet rule of thumb:
No matter what forest structure you have for each domain the following
rules
apply:
(1) If all DCs in a domain are GC, there is no other choice where to put
the
Infrastructure master. So no issue here!
(2) If at least one or more other DCs in a domain (besides the
Infrastructure master) are not a GC, then the Infrastructure master
should
NOT be on a GC
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Peter" <Peter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:50CB2358-1B9B-4D8E-9AF4-7D3079FC6587@xxxxxxxxxxxxxxxx
What about the single forest with root and child domain (empty root)?
Can
the GC be placed on the I.M?
Thanks!
"Paul Bergson" wrote:
This is correct except if a single domain in a forest then it doesn't
matter
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:eyme7c7mGHA.4108@xxxxxxxxxxxxxxxxxxxxxxx
Hi
Adding to Paul's response, you also have I.M on the GC. When this
happens
you can have other problems if you have more than one Domain:
As a general rule, the infrastructure master should be located on a
non-global catalog server that has a direct connection object to
some
global catalog in the forest, preferably in the same Active
Directory
site. Because the global catalog server holds a partial replica of
every
object in the forest, the infrastructure master, if placed on a
global
catalog server, will never update anything, because it does not
contain
any references to objects that it does not hold. Two exceptions to
the
"do
not place the infrastructure master on a global catalog server" rule
are:
- Single domain forest:
- In a forest that contains a single Active Directory domain, there
are
no
phantoms, and so the infrastructure master has no work to do. The
infrastructure master may be placed on any domain controller in the
domain, regardless of whether that domain controller hosts the
global
catalog or not.
- Multidomain forest where every domain controller in a domain holds
the
global catalog:
- If every domain controller in a domain that is part of a
multidomain
forest also hosts the global catalog, there are no phantoms or work
for
the infrastructure master to do. The infrastructure master may be
put
on
any domain controller in that domain.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%232gMdu5mGHA.5056@xxxxxxxxxxxxxxxxxxxxxxx
With only a single gc users will be unable to logon when this
server
is
unavailable.
http://support.microsoft.com/default.aspx?scid=kb;en-us;313994
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"George" <George@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C23EF84A-D456-468B-8473-67D5A2AF7FA5@xxxxxxxxxxxxxxxx
both DCs have DNS installed too and both dns are listed in DHCP;
just
the
first DC is global catalog
--
George
"Paul Bergson" wrote:
How many Global Catalogs do you have available? How many dns
servers
do you
have available? If you have more than one dns server do your
clients
point
to more than one of them?
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the
NewsGroup
This posting is provided "AS IS" with no warranties, and confers
no
rights.
"George" <George@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E6A23605-E226-4C89-908C-55C31C84812C@xxxxxxxxxxxxxxxx
I have a remote w2k3 domain in windows 2000 mixed domain
functional
level
and
when the domain controller holder of all FSMO roles is down
everyone
can't
logon although there is one more DC on the network.
Do i need to transfer the PDC role to the other DC so that
authentication
doesn't fail while the first DC is rebooted? Any other ways I
can
approach
this?
--
George
.
- References:
- Re: no logon server to service your request problem
- From: Paul Bergson
- Re: no logon server to service your request problem
- From: Paul Bergson
- Re: no logon server to service your request problem
- From: Jorge Silva
- Re: no logon server to service your request problem
- From: Paul Bergson
- Re: no logon server to service your request problem
- From: Peter
- Re: no logon server to service your request problem
- From: Jorge de Almeida Pinto [MVP]
- Re: no logon server to service your request problem
- From: Peter
- Re: no logon server to service your request problem
- Prev by Date: Re: upgrading to 64 bit domain controller
- Next by Date: Re: Problem deleting a computer from AD
- Previous by thread: Re: no logon server to service your request problem
- Next by thread: Re: Setting profiles specific to machines using Group Policy
- Index(es):
Relevant Pages
|
