Re: Universal Group Membership Caching



And, Native mode would be: forestFunctionality 0=(DS_BEHAVIOR_WIN2000) as
opposed to what I stated earlier (DFL1 - no such thing apparently!)

Regards,

Austin
"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:e88Ui.7263$zg.4590@xxxxxxxxxxxxxxxxxxxxxxxx
Just tried it and I did login EVEN THOUGH THE DC SAID I WOULDN'T!
D**n! You live and learn. I won't forget that!

Dean, I also thought DFL1 referred to Native mode. I now know that "The
domain controller functionality represents the highest possible functional
level for this domain controller, not at the function level that the
domain controller is operating."

Apologies Jorge! You/It got me there.


"Dean Wells (MVP)" <dwells@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:usNWH20FIHA.5360@xxxxxxxxxxxxxxxxxxxxxxx
FWIW - I'm with Jorge on this one; a GC is not required.

Regarding the KDC: it knows of the number of domains within a forest,
since all KDCs are DCs and all DCs maintain a config NC which, in turn,
maintains crossRef objects representing the entire partition structure of
the forest; so it's fair to say that the KDC is indirectly (or certainly
able to be) aware of that. Out of interest, why do you mention domain
func. level 1?

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l


"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:ehbgTj0FIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
I'm afraid Jorge you got it wrong there.
Once you flip the DFL switch to 1, the KDC when authenticating a client
really doesn't have visibility of the number of domains etc. That's why
it looks for a GC to create the user's security token. If it doesn't find
one, it barfs. A failsafe measure.
That's why, to cover that base, the first DC in a single domain forest is
a GC!
Also, docs here: http://support.microsoft.com/kb/216970

Regards,

Austin

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:%230TTsS0FIHA.4228@xxxxxxxxxxxxxxxxxxxxxxx
Hi
A GC will still need to be contacted for logon to succeed (Native mode
assumed).

This isn't totally true.
Actually this is only true for Forests with multiple domains, but there
are other situations where it doesn't apply, for example: in a single
domain environment it doesn't apply.

--

===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:eWFCbeyFIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
Hi RC,
Universal Group Membership Caching is a function of the DCs in the
site you've enabled it on. If you have no DCs in the site, it will
have no effect if the users logon to DCs in other sites that do not
have UGMC enabled and have no local GCs. A GC will still need to be
contacted for logon to succeed (Native mode assumed).

Regards,

Austin

"RC" <RichChristy@xxxxxxxxx> wrote in message
news:1193330500.425707.138770@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
If you create a site, assign the appropriate subnets, but it doesn't
have a DC associated with the site and enable UGMC (universal group
membership caching), does UGMC still effectively do what it is designed
to do?

I would assume not unless you have a DC in that site right?

Thanks in advance.
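The thread's conclusion is that UGMC only does anything when a DC actually sits in the site, and that in a multi-domain forest a logon still needs a GC (or a caching DC) reachable. The script below is an added example, not posted by anyone in the thread: it reads the rootDSE values that Austin and Dean argue about (forestFunctionality, domainFunctionality, domainControllerFunctionality) and then walks every site in the configuration NC, reporting whether the site has UGMC switched on, how many DCs it holds, and how many of them are GCs. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the configuration NC, and that bit 0x20 of the NTDS Site Settings object's options attribute is the UGMC flag (the value I believe Windows uses; treat it as an assumption to verify against the documentation for your forest).

```powershell
# Added example (not from the thread). Per-site check of UGMC vs. DC/GC placement,
# plus the rootDSE functional-level attributes discussed above.
# Assumes: RSAT ActiveDirectory module, read access to the configuration NC.
Import-Module ActiveDirectory

# rootDSE: domainControllerFunctionality is the highest level this DC *supports*;
# forestFunctionality / domainFunctionality are the levels actually in force
# (0 = DS_BEHAVIOR_WIN2000, per the thread).
$rootDse = Get-ADRootDSE
[pscustomobject]@{
    forestFunctionality           = $rootDse.forestFunctionality
    domainFunctionality           = $rootDse.domainFunctionality
    domainControllerFunctionality = $rootDse.domainControllerFunctionality
} | Format-List

# Assumed flag: NTDS Site Settings 'options' bit 0x20 = UGMC enabled for the site.
$UGMC_ENABLED = 0x20

$configNc  = $rootDse.configurationNamingContext
$sitesBase = "CN=Sites,$configNc"

# Collect every DC in the forest (Get-ADDomainController is per-domain, so loop
# over the forest's domains) and group them by site name.
$dcsBySite = @{}
foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        if (-not $dcsBySite.ContainsKey($dc.Site)) { $dcsBySite[$dc.Site] = @() }
        $dcsBySite[$dc.Site] += $dc
    }
}

$sites = Get-ADObject -SearchBase $sitesBase -SearchScope OneLevel -LDAPFilter '(objectClass=site)'
foreach ($site in $sites) {
    $settingsDn = "CN=NTDS Site Settings,$($site.DistinguishedName)"
    $settings   = Get-ADObject -Identity $settingsDn -Properties options
    $options    = if ($null -ne $settings.options) { [int]$settings.options } else { 0 }
    $ugmc       = ($options -band $UGMC_ENABLED) -ne 0

    $dcs = if ($dcsBySite.ContainsKey($site.Name)) { @($dcsBySite[$site.Name]) } else { @() }
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })

    # The thread's point: UGMC is a function of the DCs in the site. With no DC
    # present the flag is inert; clients authenticate to DCs in other sites and,
    # in a multi-domain forest, those DCs still need a GC unless they cache.
    $assessment = 'no local GC and no UGMC: logons depend on a remote GC'
    if ($ugmc -and $dcs.Count -eq 0) { $assessment = 'UGMC enabled but no DC in site: flag has no effect' }
    elseif ($gcs.Count -gt 0)        { $assessment = 'GC present in site' }
    elseif ($ugmc)                   { $assessment = 'UGMC active on local DC(s)' }

    [pscustomobject]@{
        Site        = $site.Name
        UGMCEnabled = $ugmc
        DCs         = $dcs.Count
        GCs         = $gcs.Count
        Assessment  = $assessment
    }
}
```

Run it from a domain-joined machine as a user with read rights on the configuration partition; the rows flagged "UGMC enabled but no DC in site" are exactly RC's scenario, where the setting is on but nothing in the site can honour it.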