Re: Universal Group Membership Caching
- From: "Dean Wells \(MVP\)" <dwells@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 25 Oct 2007 17:25:08 -0400
FWIW - I'm with Jorge on this one; a GC is not required.
Regarding the KDC: it knows of the number of domains within a forest
since all KDCs are DCs and all DCs maintain a config. NC which, in turn,
maintains crossRef objects representing the entire partition structure
of the forest, it's fair to say that the KDC is indirectly (or certainly
able to be) aware of that. Out of interest, why do you mention domain
func. level 1?
--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l
"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:ehbgTj0FIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
I'm afraid Jorge you got it wrong there.
Once you flip the DFL switch to 1, the KDC when authenticating a
client really doesn't have visibility of the number of domains etc.
That's why it looks for a GC to create the user's Security Token. If it
doesn't find one, it barfs. A failsafe measure.
That's why to cover that base, the first DC in a single domain forest
is a GC!
Also, docs here: http://support.microsoft.com/kb/216970
Regards,
Austin
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:%230TTsS0FIHA.4228@xxxxxxxxxxxxxxxxxxxxxxx
Hi
A GC will still need to be contacted for logon to succeed (Native
mode assumed).
This isn't totally true.
Actually this is only true for Forests with multiple domains, but
there are other situations where it doesn't apply, for example: in a
single domain environment it doesn't apply.
--
===================================
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
===================================
"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:eWFCbeyFIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
Hi RC,
Universal Group Membership Caching is a function of the DCs in the
site you've enabled it on. If you have no DCs in the site, it will
have no effect if the users log on to DCs in other sites that do not
have UGMC enabled and have no local GCs. A GC will still need to be
contacted for logon to succeed (Native mode assumed).
Regards,
Austin
"RC" <RichChristy@xxxxxxxxx> wrote in message
news:1193330500.425707.138770@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
If you create a site, assign the appropriate subnets, but it doesn't
have a DC associated with the site and enable UGMC (universal group
membership caching) does UGMC still effectively do what it is designed
to do?
I would assume not unless you have a DC in that site right?
Thanks in advance.
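
Added example (not part of the thread and not code from any of the posters): a PowerShell report that checks RC's scenario against a live forest by listing, per site, whether UGMC is enabled and how many DCs and GCs are placed there. It assumes the ActiveDirectory RSAT module is installed and the caller can read the forest's site and DC objects; the wording of the notes is this example's own.

```powershell
# Added example: per-site view of UGMC, DC and GC placement.
# Assumes the ActiveDirectory (RSAT) module and read access to the forest.
Import-Module ActiveDirectory

# Get-ADDomainController enumerates one domain per call, so walk every
# domain in the forest to see DCs from all of them.
$forest = Get-ADForest
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($site in Get-ADReplicationSite -Filter *) {
    $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
    $siteGcs = @($siteDcs | Where-Object { $_.IsGlobalCatalog })
    $ugmc    = [bool]$site.UniversalGroupCachingEnabled

    # UGMC is carried out by the DCs of the site it is enabled on,
    # so a site with the flag set and no DC is the case RC asked about.
    $note = if ($ugmc -and $siteDcs.Count -eq 0) {
        'UGMC enabled, no DC in site: setting has nothing to act on'
    } elseif ($siteDcs.Count -gt 0 -and $siteGcs.Count -eq 0 -and -not $ugmc) {
        'DCs present, no local GC, UGMC off'
    } else {
        ''
    }

    [pscustomobject]@{
        Site        = $site.Name
        UGMCEnabled = $ugmc
        DCs         = $siteDcs.Count
        GCs         = $siteGcs.Count
        Note        = $note
    }
}

"Forest {0}: {1} domain(s)" -f $forest.Name, $forest.Domains.Count
$report | Sort-Object Site | Format-Table -AutoSize
```

The domain count is printed because the thread's disagreement turns on whether the forest has one domain or several.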