Re: Universal Group Membership Caching - DNS?
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Fri, 23 May 2008 19:28:53 -0500
"Bob Smith" <BobSmith@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FB062415-D1D0-4143-9152-D14DDC5BC823@xxxxxxxxxxxxxxxx
Thanks for the reply Herb,
We are actually consolidating a number of child domains into the root forest
domain. There will be about 25,000 user and group objects once we are done
migrating. During the migration there will be many groups being converted
to universal groups. Some of the sites that currently have domain controllers
locally installed (for the child domains) are over 512k SAT links or less. We
would like to reduce traffic related to replication but still allow local
authentication, if the network link goes down. What would your suggestion be
to help speed up local authentication? We are a heavy user of group policy.
Given the numbers and speed of the line (you don't actually say
how much of that 512K is available or the lag/latency) you need
to be careful as you are.
Nothing changes in the answer I gave originally -- UGC if you wish,
GC on some or all if your WAN/replication can tolerate it and
leave you effective.
Make sure you can resolve DNS for at least the local zone/domain
locally. Try to avoid excessive replication of other Large zones/domains
to small domain "only" sites.
Stub or conditional forwarding from the local DNS can avoid having
to copy all those other zones and records to each DNS server in
other sites/domains.
Notice that stub and conditional forwarding are ALMOST exactly
equivalent with these exceptions:
CF: YOU get to pick AND MUST pick/update the master DNS server(s)
(perhaps more replication/WAN efficient but YOU must keep them
up to date if things change.)
Stub: DNS servers can be auto-updated if the stub server can find at
least one working DNS server as things change but this might not
be the most efficient choice sometimes.
YOU have less work though as things change.
Be careful about your WINS Replication if you are using NetBIOS and
need forest wide Browsing etc to work.
Anywhere there is a LARGE domain (e.g., one of your domains had
20K users/computers) there wouldn't be much additional overhead
for every DC from that domain being a GC.
Where you get advantages from "no GC" is when there is NO GC
already in that site, and the "other domains" hold a relatively large
number of users/computers in one or many domains.
Once you have a GC in a Site (for any domain) the replication
burden is already a requirement so at that point adding more costs
little (for WAN replication.)
"Herb Martin" wrote:
"Bob Smith" <BobSmith@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:159C5D5E-C754-422B-9B8D-67220B190E4E@xxxxxxxxxxxxxxxx
I would like to install a Universal Group Membership Caching domain
controller at a site.
Why?
Do you have more than one LARGE domain in the forest?
Is your WAN line very slow compared to the size of the Forest?
Do you not have a GC there already for some domain in the forest?
We are AD Integrated DNS, will the configuration
partition, specifically related to providing DNS be available on this
machine? I would like to ensure if the site becomes available, not only can
users continue to logon, but also continue to resolve via DNS.
That will work if you make the local DC(s) DNS Servers and
provide either UGC or just make them GCs.
Unless you have multiple domains with a VERY LARGE one
not represented in this site by a DC and have a slow WAN there
is probably no good (sufficient) reason to avoid the GC.
If you have a single domain (or small forest) then every DC
should be a GC anyway (and then there is no need for UGC.)
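
A read-only audit of the settings discussed in this thread, added here as an example and not part of the original posts: it reports, per site, whether a GC exists or Universal Group Membership Caching is enabled, and lists the stub and conditional-forwarder zones on one DNS server. It assumes the ActiveDirectory and DnsServer PowerShell modules are installed; the server name `branch-dc01.example.com` is a hypothetical placeholder.

```powershell
# Added example: read-only audit; needs the ActiveDirectory and DnsServer RSAT modules.
Import-Module ActiveDirectory, DnsServer

$DnsServer = 'branch-dc01.example.com'   # hypothetical branch DC/DNS server name

# Collect DCs from every domain in the forest (Get-ADDomainController is per-domain).
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

# Per site: DC count, GC count, and the UGC flag on the NTDS Site Settings object.
$siteReport = foreach ($site in Get-ADReplicationSite -Filter *) {
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" -Properties options
    $siteDcs  = @($dcs | Where-Object { $_.Site -eq $site.Name })
    $gcCount  = @($siteDcs | Where-Object { $_.IsGlobalCatalog }).Count
    $ugc      = [bool]($settings.options -band 0x20)   # 0x20 = group caching enabled
    [pscustomobject]@{
        Site       = $site.Name
        DCs        = $siteDcs.Count
        GCs        = $gcCount
        UGCEnabled = $ugc
        # DCs present but neither a GC nor UGC: universal group lookups at logon cross the WAN.
        WanDependentLogon = ($siteDcs.Count -gt 0 -and $gcCount -eq 0 -and -not $ugc)
    }
}
$siteReport | Sort-Object Site | Format-Table -AutoSize

# Stub and conditional-forwarder zones on the branch DNS server, with the master
# servers each one points at (the list a conditional forwarder needs kept current by hand).
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -in 'Stub', 'Forwarder' } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope,
                  @{ n = 'Masters'; e = { $_.MasterServers.IPAddressToString -join ', ' } } |
    Format-Table -AutoSize
```

UGC only caches universal group memberships for accounts that have already logged on at that site, so a site showing `UGCEnabled` without a GC still needs the WAN for a user's first logon there.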