Re: How many Global Catalog Servers are needed?
- From: "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
- Date: Sun, 30 Jul 2006 14:18:37 -0400
Let me add to this a comment or two.
What it sounds like you're trying to do is come up with a hot site recovery
plan. It sounds like you want the goal to be seamless operation in the
event of a domain controller failure. If that's the case, you're in luck
because Active Directory is a fabric type of authentication mechanism that
also can host your name resolution information and replicate it all over the
place.
The part you seem to be missing is the name resolution settings on the
clients, site definition, and fsmo role holders recovery.
I suggest some research into the sites and fsmo concepts but the short
answer here is to go ahead and configure two sites: production and recovery.
Place a DC/GC in each site. Have a plan to deal with the loss of fsmo role
holders. To do that, you'll need to better understand what they do for you
and what happens if you lose one at a given point in time. Some things can
continue while other things might require intervention on your part to pick
up that behavior. The criticality of each role varies by company and
depends largely on how you conduct business.
Since DNS is integrated, you'll want to be sure that your clients are
configured to be aware of both DNS hosts. i.e. member server 1 should be
configured to use either DNS server for name resolution + authentication. To
do this, you would configure the client settings to use the DNS host in its
site as the primary dns server and the DNS host in the alternate site as the
secondary name resolution server. I think you may have missed this
configuration in your testing.
Al
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:ew4$Z2$sGHA.4600@xxxxxxxxxxxxxxxxxxxxxxx
Hi
- First: The GC enables finding directory information regardless of which
domain in the forest contains the data, and provides Universal Group
Membership Information. Applications also use the first (any object in the
forest); Exchange is the prototypical example of this. (Windows 2003 has
the UGMC (Universal Group Membership Caching), which isn't the same thing as
the GC.)
- Second: The GC is only needed when you have DFL (Domain Functional Mode)
in Native Mode or later where Universal security groups are allowed, more
than one domain, or if you use any app that needs to contact the GC
(Exchange is an example), or if you need to log on with a UPN.
- Third: There's a registry setting "IgnoreGCFailures" that you can use in
particular scenarios to force a particular DC NOT TO CONTACT a GC for
the authentication process. If you don't use Universal groups for securing
things then you can enable IgnoreGCFailures which will allow you to log on
even if a GC isn't available in a Native mode domain. However, if you have
a single domain there is no reason not to make every DC a GC. Note that
even with IgnoreGCFailures enabled, you could run into cases where a GC is
needed, say when trying to log on with a UPN, etc.
- Fourth: Good practices are to have at least one GC per site, even in a
single domain forest, every DC ALREADY holds ALL of the info so making a
DC a GC costs practically nothing.
The above is also true in a SMALL forest with multiple domains.
As forest size increases the penalty for creating a GC (increased
replication, increased storage) increases.
- When you opened a GPO console you received that error because by default
the console tries to contact the PDCe.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"SEgerton" <SEgerton@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E2E6350-05B1-4DF8-88DD-C8F91ECE6369@xxxxxxxxxxxxxxxx
I'm new to Active Directory, and I just started testing a new domain I've
been working on. On one particular test, I started having issues that I
believe are related to Global Catalogs. Let me first give an overview of
the structure of the domain, and the test that I was trying to perform.
Then I will give the errors that I came across.
I have two offices. Office 1 is our production office. Office 2 is for our
Disaster Recovery. In office 1 we have 3 servers. 2 servers are Active
Directory Domain Controllers, and the third server is a member server used
as a File Server. Both Domain Controllers are Active Directory Integrated
DNS Servers. There is a T1 line that connects both Office1 and Office2. In
Office 2, I have the same setup. I joined the first two servers to the same
domain in Office 1 as Active Directory Domain Controllers. These two
servers are also Active Directory Integrated DNS servers. The third server
in Office 2 is also a member server used as a File Server. The File Server
in Office 2 is only used at the moment for replication of the File Server
in Office 1. For this we are using a third party replication software.
This setup was put together this way so that in the event of a disaster,
if office 1 goes down, users can go to Office 2 and work.
Here is the test I tried. I turned off both server 1 and server 2 in
Office 1, hoping that Active Directory would still work because of Server 1
and Server 2 in Office 2. The redundancy is there for the Domain
Controllers and for DNS. But after the servers were down, I tried logging
into the domain on a PC as a user, and the logon took a long time. At the
same time, he got into his profile, but I don't think his Group Policies
were in effect. Then I got an error. I forget what I was doing to generate
it, but here it is.
"A Global Catalog cannot be located to retrieve the icons for the
member list. Some icons may not be shown."
Then in Office 2, I went into Users and Computers on Server 1 and tried to
open a Group Policy Object and got this error.
"Domain controller not found for domain.local" The Domain Controller for
Group Policy operations is not available. You may cancel this operation for
this session or retry using one of the following Domain Controller choices.
Here are the choices:
-The one with the Operations Master token for the PDC emulator.
-The one used by the Active Directory Snap-ins.
-Use any available Domain Controller.
OK or Cancel.
I Canceled.
Due to these messages, I believe the problem is due to a Redundancy of
Global Catalog Servers. I don't fully understand them. But my understanding
is that by default, Global Catalog is installed on the first Domain
Controller of a domain. Therefore I didn't install any additional and only
have one. How many should I have for redundancy?
Thanks in advance.
Shannon
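Added example (not part of the thread): a PowerShell check for the three gaps discussed above, namely a surviving GC, FSMO role holders in the lost site, and client DNS settings. The `Test-SiteFailover` function, site names, host names and addresses are hypothetical; the DC properties mirror those returned by `Get-ADDomainController -Filter *`.

```powershell
# Added example: DC objects carry the same properties as Get-ADDomainController
# output (Name, Site, IsGlobalCatalog, OperationMasterRoles, IPv4Address).
function Test-SiteFailover {
    param(
        [Parameter(Mandatory)] [object[]] $DomainControllers,
        [Parameter(Mandatory)] [object[]] $Clients,   # Name, Site, DnsServers
        [Parameter(Mandatory)] [string]   $LostSite   # site assumed offline
    )
    $survivors = @($DomainControllers | Where-Object Site -ne $LostSite)
    $lost      = @($DomainControllers | Where-Object Site -eq $LostSite)
    $findings  = @()

    # A GC must survive for UPN logons and universal group lookups.
    if (-not ($survivors | Where-Object IsGlobalCatalog)) {
        $findings += "No Global Catalog remains outside site '$LostSite'"
    }
    # FSMO roles held in the lost site need a documented recovery plan.
    foreach ($dc in $lost) {
        foreach ($role in $dc.OperationMasterRoles) {
            $findings += "FSMO role $role is held by $($dc.Name) in '$LostSite'"
        }
    }
    # Each client needs at least one DNS server that survives the outage.
    $liveDns = $survivors.IPv4Address
    foreach ($c in $Clients) {
        if (-not ($c.DnsServers | Where-Object { $_ -in $liveDns })) {
            $findings += "$($c.Name) has no DNS server outside '$LostSite'"
        }
    }
    $findings
}

# Constructed inventory (assumed, not from the thread): two DCs per office,
# one GC in total, clients pointing only at their own office's DNS servers.
$allRoles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'
$dcs = @(
    [pscustomobject]@{ Name='O1-DC1'; Site='Production'; IsGlobalCatalog=$true;  OperationMasterRoles=$allRoles; IPv4Address='10.1.0.10' }
    [pscustomobject]@{ Name='O1-DC2'; Site='Production'; IsGlobalCatalog=$false; OperationMasterRoles=@();       IPv4Address='10.1.0.11' }
    [pscustomobject]@{ Name='O2-DC1'; Site='Recovery';   IsGlobalCatalog=$false; OperationMasterRoles=@();       IPv4Address='10.2.0.10' }
    [pscustomobject]@{ Name='O2-DC2'; Site='Recovery';   IsGlobalCatalog=$false; OperationMasterRoles=@();       IPv4Address='10.2.0.11' }
)
$clients = @(
    [pscustomobject]@{ Name='O1-FS1'; Site='Production'; DnsServers=@('10.1.0.10','10.1.0.11') }
    [pscustomobject]@{ Name='O2-FS1'; Site='Recovery';   DnsServers=@('10.2.0.10','10.1.0.10') }
)
Test-SiteFailover -DomainControllers $dcs -Clients $clients -LostSite 'Production'
```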