Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Global Catalog Server needed? [message #161474] Mon, 28 September 2009 16:37
Jim (United States)
Hello, I'm trying to get my head around the need for a GC server.

I've read many documents dating back to 2003 and need some clarity.

I've read that, in the case of a single domain, the GC server has nothing to
do and is thus unnecessary? I've read other documents stating that in a single
domain network, every DC should be a GC server. I've also read that you
should never put a GC on a PDC master DC. I've read that Exchange uses GC
servers so you better have one.

I have a single domain network and currently two global catalog servers out
of 5 DC's.

The problem I'm having, is that if one DC goes down, users can not log onto
the domain as they get no domain controllers can be found. I've run the
DCDIAG tests and everything checks out fine. No errors, no warnings,
nothing.

I thought it might have something to do with GC's but I'm unsure.

Any thoughts?

Thanks
Re: Global Catalog Server needed? [message #161476 is a reply to message #161474] Mon, 28 September 2009 18:04
aceman (United States)
In one domain, all DCs should be a GC.

You may have read about the Infrastructure Master role. In a single domain,
it has nothing to do, but as for the GC, it has a lot to do!

As for two DC/GCs, and querying one then the other, it depends on the client
side resolver service if it queried the first one and it were to be down,
before it can query the second one in the DNS entries. There is a time
delay.

However, if you just make them all GCs, you should be good to go. After all,
how often do you expect your DC to go down?

Basically the following link should explain it. I have more links down below
for more corroborative info.

Global Catalog vs. Infrastructure Master
"If a single domain forest, you can have all DCs a GC. If multiple domains,
it is recommended for a GC to not be on the FSMO IM Role, unless you make
all DCs GCs"
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx

Here is more info on the IM role and the GC service:

======
More info on the Infrastructure Master and Global Catalog relationship:

As a whole, the IM updates references from other domains. What it basically
does is updates "phantoms" in its own domain for the objects. The phantoms
are actually "pointers" or references to the objects in the other domains.
The phantoms are based on the following identities of the other domain's
objects of members in another domain's objects. The reason why it doesn't
pull in attributes such as the MemberOf or MemberIs, is because it's added
work on the local domain's DC. Therefore it uses the phantoms as a pointer
to query a DC in the other domain during activity when you request the
object from the other domain, such as when adding a user or group to a local
group in the domain in question.

Distinguished name of the object
Object GUID
Object SID
So they are basically the values that 'point' to the reference, and not
necessarily using a MemberOf or MemberIs attribute.

---
An example:
---
1) User1 (DomainA) is a member of Group1 (DomainB)
This means that when viewing membership of Group1, you should be able to see
User1 there.

2) User1 in DomainA gets renamed to User2

3) this change gets replicated to all GCs across the forest

4) IM in DomainB detects that its phantom for User1 is out of date, updates
it, and replicates the update to all other DCs in DomainB. This means that
when viewing membership of Group1, you should be able to see User2. Without
IM, Group1 would still list User1 as its member

---

In the meantime, please read the following links for more info. The first
link explains what I summarized in more detail, which hopefully will give
you a better understanding.

Phantoms, tombstones and the infrastructure master role conflict with a
global catalog
http://support.microsoft.com/kb/248047

Infrastructure Education:
http://social.answers.microsoft.com/Forums/en-US/winservergen/thread/d238de68-3423-40cd-9bf1-8416bd1d4591

FSMO placement and optimization on Active Directory domain controllers:
http://support.microsoft.com/kb/223346

Infrastructure Master Education:
"Global catalog and infrastructure master role conflicts only when there are
more than one Domain in the Forest. We don't need to worry about single
Domain situation." - Mervyn Zhang, MSFT
http://social.answers.microsoft.com/Forums/en-US/winservergen/thread/d238de68-3423-40cd-9bf1-8416bd1d4591

Windows 2000 Active Directory FSMO roles (Similar to 2003 & 2008):
http://support.microsoft.com/kb/197132

Also with the multiple locations, I suggest to create AD sites that
correspond to each subnet. To do that, follow this article's steps:

Step-by-Step Guide to Active Directory Sites and Services
http://www.activewin.com/win2000/step_by_step/active_directory/adsites.shtml

[DOC] Step-by-Step Guide to Active Directory Sites and Services (File Format:
Microsoft Word)
Creating a site link between two or more sites is a way to influence
replication topology. By creating a site link, you provide Active Directory
with ...
http://filedb.experts-exchange.com/incoming/2008/08_w35/53729/Active-Directory-Sites-and-Servi.doc

Now for DNS registration. On the child DC, delete the
system32\config\netlogon.dns and netlogon.bak files. Then run:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

Make sure the DC's A record, the LdapIpAddress record, which is the "same as
parent" record that should show the child DC's IP, and the SRV data is
showing up in the nl.linakorg.local zone. Check the Sites configuration to
make sure the respective DCs in the child domain show up correctly. Check in
the _gc._msdc.linakorg.local zone that the respective IPs of the DCs that
you made GCs show up.


Planning Domain Controller Capacity
http://technet.microsoft.com/en-us/library/cc738079.aspx
======

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
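
The DNS check described at the end of the post above (confirming that every DC made a GC shows up in the GC records), as an added example that is not part of the original thread: a Python script that reads zone-file style records, the format Netlogon writes to netlogon.dns, and lists which DCs are missing GC registrations. The forest name example.local, the host names and all records are constructed placeholders.

```python
# Audit which domain controllers advertise the global catalog in DNS.
# Added example; all names and addresses below are constructed placeholders.
import re
from collections import defaultdict

FOREST = "example.local"  # placeholder forest root / single domain name (assumption)
GC_PORT = 3268            # LDAP port on which a global catalog answers

# Constructed sample in netlogon.dns (zone file) format:
# three DCs are registered, dc1 is a complete GC, dc2 is missing one GC
# record, dc3 has no GC records at all.
SAMPLE_RECORDS = """\
; constructed records, not taken from a real zone
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 dc1.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 dc2.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 dc3.example.local.
_ldap._tcp.gc._msdcs.example.local. 600 IN SRV 0 100 3268 dc1.example.local.
_ldap._tcp.gc._msdcs.example.local. 600 IN SRV 0 100 3268 dc2.example.local.
_gc._tcp.example.local. 600 IN SRV 0 100 3268 dc1.example.local.
gc._msdcs.example.local. 600 IN A 192.0.2.11
gc._msdcs.example.local. 600 IN A 192.0.2.12
dc1.example.local. 600 IN A 192.0.2.11
dc2.example.local. 600 IN A 192.0.2.12
dc3.example.local. 600 IN A 192.0.2.13
"""

# owner  ttl  IN  type  rdata  (only SRV and A records matter here)
RR = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>SRV|A)\s+(?P<rdata>.+)$",
    re.IGNORECASE,
)


def parse_records(text):
    """Return (srv, a): owner -> {(target, port)} and owner -> {ip}."""
    srv = defaultdict(set)
    a = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        match = RR.match(line)
        if not match:
            continue  # blank line or a record type we do not audit
        owner = match["owner"].rstrip(".").lower()
        if match["type"].upper() == "SRV":
            fields = match["rdata"].split()
            if len(fields) != 4:
                continue  # malformed SRV data: priority weight port target
            _priority, _weight, port, target = fields
            srv[owner].add((target.rstrip(".").lower(), int(port)))
        else:
            a[owner].add(match["rdata"].strip())
    return srv, a


def audit_gc_registration(text, forest=FOREST):
    """Map each registered DC to the list of GC records it is missing."""
    srv, a = parse_records(text)
    dcs = {t for t, _ in srv[f"_ldap._tcp.dc._msdcs.{forest}"]}
    gc_ldap = {t for t, p in srv[f"_ldap._tcp.gc._msdcs.{forest}"] if p == GC_PORT}
    gc_tcp = {t for t, p in srv[f"_gc._tcp.{forest}"] if p == GC_PORT}
    gc_ips = a[f"gc._msdcs.{forest}"]

    report = {}
    for dc in sorted(dcs):
        missing = []
        if dc not in gc_ldap:
            missing.append("_ldap._tcp.gc._msdcs SRV")
        if dc not in gc_tcp:
            missing.append("_gc._tcp SRV")
        if not (a[dc] & gc_ips):  # DC's own address absent from gc._msdcs
            missing.append("gc._msdcs A")
        report[dc] = missing
    return report


def incomplete_gcs(report):
    """DCs that clients cannot fully locate as a GC through DNS."""
    return [dc for dc, missing in report.items() if missing]


if __name__ == "__main__":
    for dc, missing in audit_gc_registration(SAMPLE_RECORDS).items():
        status = "OK" if not missing else "missing: " + ", ".join(missing)
        print(f"{dc:<22} {status}")
```

To audit a real environment, concatenate the netlogon.dns files from each DC (or a text export of the zone) and pass that text with your own forest name instead of the sample.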
Re: Global Catalog Server needed? [message #161480 is a reply to message #161474] Tue, 29 September 2009 00:17
meiweb (Germany)
Hello Jim,

See inline.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello, I'm trying to get my head around the need for a GC server.
>
> I've read many documents dating back to 2003 and need some clarity.
>
> I've read that, in the case of a single domain, the GC server has
> nothing to do and thus unnecessary? I've read other documents stating
> that in a single domain network, every DC should be a GC server. I've
> also read that you should never put a GC on a PDC master DC. I've
> read that exchange uses GC servers so you better have one.

A GC is not unnecessary, the Infrastructure master has nothing to do. See
here about more details:
http://msmvps.com/blogs/UlfBSimonWeidner/archive/2005/03/08/37975.aspx

http://support.microsoft.com/kb/223346/en-us

Exchange must have access to a GC server.

> I have a single domain network and currently two global catalog
> servers out of 5 DC's.

It is ok with 2, but in a single forest domain make all DCs GC.

> The problem I'm having, is that if one DC goes down, users can not log
> onto the domain as they get no domain controllers can be found. I've
> run the DCDIAG tests and everything checks out fine. No errors, no
> warnings, nothing.

This belongs to the DNS client side resolving; GC is not used for logon itself,
unless you use Universal groups.

See "Global Catalog Processes and Interactions" in:
http://technet.microsoft.com/en-us/library/cc737410(WS.10).aspx

> I thought it might have something to do with GC's but I'm unsure.
>
> Any thoughts?
>
> Thanks
>
RE: Global Catalog Server needed? [message #161482 is a reply to message #161474] Tue, 29 September 2009 02:58
Joe Dunn
A GC contains a subset of information from all the domains in a forest. A
GC must be available at login.

So when planning GC placement you have to weigh up the extra network traffic
that is required to replicate the extra information against ensuring high
availability of GCs.

In a single domain forest however the GC holds no extra information (there
are no other domains in the forest for it to hold information about) so there
is no extra replication. As there is no extra load on the server and GCs
must be highly available you should just make them all GCs.

Best Regards
Joe Dunn
MBCS, MCSE, MCTS, CCNA
Re: Global Catalog Server needed? [message #161493 is a reply to message #161476] Tue, 29 September 2009 07:38
Jim (United States)
Thanks Ace, I'm making all DC's a GC and will let you know what happens.
Thanks for all the data.
Re: Global Catalog Server needed? [message #161498 is a reply to message #161493] Tue, 29 September 2009 08:54
aceman (United States)
"Jim" <jj@nospam.com> wrote in message
news:eJ8WboQQKHA.4244@TK2MSFTNGP06.phx.gbl...
> Thanks Ace, I'm making all DC's a GC and will let you know what happens.
> Thanks for all the data.
>



You are welcome!

Ace
Re: Global Catalog Server needed? [message #161515 is a reply to message #161480] Tue, 29 September 2009 14:11
Jim (United States)
Meinolf,
The first quick test shows making them all GC's resolved the problem.

Thanks for the info!
Re: Global Catalog Server needed? [message #161516 is a reply to message #161482] Tue, 29 September 2009 14:12
Jim (United States)
Joe, you all had the same good advice.

It seems to have made all the difference.

Thanks for the quick help!
Re: Global Catalog Server needed? [message #161517 is a reply to message #161493] Tue, 29 September 2009 14:14
Jim (United States)
You guys are bloody geniuses!
That seems to have done the trick.

Thanks for the help!


"Jim" <jj@nospam.com> wrote in message
news:eJ8WboQQKHA.4244@TK2MSFTNGP06.phx.gbl...
> Thanks Ace, I'm making all DC's a GC and will let you know what happens.
> Thanks for all the data.
>
> "Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
> news:OfHithJQKHA.504@TK2MSFTNGP06.phx.gbl...
>> "Jim" <jj@nospam.com> wrote in message
>> news:eqSOLxIQKHA.1360@TK2MSFTNGP05.phx.gbl...
>>> Hello, I'm trying to get my head around the need for a GC server.
>>>
>>> I've read many documents dating back to 2003 and need some clarity.
>>>
>>> I've read that, in the case of a single domain, the GC server has
>>> nothing to do and thus unnecessary? I've read other documents stating
>>> that in a single domain network, every DC should be a GC server. I've
>>> also read that you should never put a GC on a PDC master DC. I've read
>>> that exchange uses GC servers so you better have one.
>>>
>>> I have a single domain network and currently two global catalog servers
>>> out of 5 DC's.
>>>
>>> The problem I'm having, is that if one DC goes down, users can not log
>>> onto the domain as they get no domain controllers can be found. I've
>>> run the DCDIAG tests and everything checks out fine. No errors, no
>>> warnings, nothing.
>>>
>>> I thought it might have something to do with GC's but I'm unsure.
>>>
>>> Any thoughts?
>>>
>>> Thanks
>>>
>>
>>
>> In one domain, all DCs should be a GC.
>>
>> You may have read about the INfrastructure Master role. In a single
>> domain, it has nothing to do, but as for the GC, it has a lot to do!
>>
>> As for two DC/GCs, and querying one then the other, it depends on the
>> client side resolver service if it queried the first one and it were to
>> be down, before it can query the second one in the DNS entries. THere is
>> a time delay.
>>
>> However, if you just make them all GCs, you should be good to go. After
>> all, how often do expect your DC to go down?
>>
>> Basically the following link should explain it. I have more links down
>> below for more corraborative info.
>>
>> Global Catalog vs. Infrastructure Master
>> "If a single domain forest, you can have all DCs a GC. If multiple
>> domains, it is recommended for a GC to not be on the FSMO IM Role, unless
>> you make all DCs GCs"
>> http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/ 37975.aspx
>>
>> Here is more info on the IM role and the GC service:
>>
>> ======
>> More info on the Infrastructure Master and Global Catalog relationship:
>>
>> As a whole, the IM updates references from other domains. What it
>> basically does is updates "phantoms" in its own domain for the objects.
>> The phantoms are actually "pointers" or references to the objects in the
>> other domains. The phantoms are based on the following identities of the
>> other domain's objects of members in another domain's objects. The reason
>> why it doesn't pull in attributes such as the MemberOf or MemberIs, is
>> because it's added work on the local domain's DC. Therefore it uses the
>> phantoms as a pointer to query a DC in the other domain during activity
>> when you request the object from the other domain, such as when adding a
>> user or group to a local group in the domain in question.
>>
>> Distinguished name of the object
>> Object GUID
>> Object SID
>> So they are basically the values that 'point' to the reference, and not
>> necessarily using a MemberOf or MemberIs attribute.
>>
>> ---
>> An example:
>> ---
>> 1) User1 (DomainA) is a member of Group1 (DomainB)
>> This means that when viewing membership of Group1, you should be able to
>> see User1 there.
>>
>> 2) User1 in DomainA gets renamed to User2
>>
>> 3) this change gets replicated to all GCs across the forest
>>
>> 4) IM in DomainB detects that its phantom for User1 is out of date,
>> updates it, and replicates the update to all other DCs in DomainB. This
>> means that when viewing membership of Group1, you should be able to see
>> User2. Without IM, Group1 would still list User1 as its member
>>
>> ---
>>
>> In the meantime, please read the following links for more info. The first
>> link explains what I summarized in more detail, which hopefully will give
>> you a better understanding.
>>
>> Phantoms, tombstones and the infrastructure master role conflict with a
>> global catalog
>> http://support.microsoft.com/kb/248047
>>
>> Infrastructure Education:
>> http://social.answers.microsoft.com/Forums/en-US/winserverge n/thread/d238de68-3423-40cd-9bf1-8416bd1d4591
>>
>> Global Catalog vs. Infrastructure Master
>> "If a single domain forest, you can have all DCs a GC. If multiple
>> domains, it is recommended for a GC to not be on the FSMO IM Role, unless
>> you make all DCs GCs"
>> http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/ 37975.aspx
>>
>> FSMO placement and optimization on Active Directory domain controllers:
>> http://support.microsoft.com/kb/223346
>>
>> Global Catalog vs. Infrastructure Master
>> "If a single domain forest, you can have all DCs a GC. If multiple
>> domains, it is recommended for a GC to not be on the
>>
>> FSMO IM Role, unless you make all DCs GCs"
>> http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/ 37975.aspx
>>
>> Infrastructure Master Education:
>> "Global catalog and infrastructure master role conflicts only when there
>> are more than one Domain in the Frost. We don't need to worry about
>> single Domain situation." - Mervyn Zhang, MSFT
>> http://social.answers.microsoft.com/Forums/en-US/winserverge n/thread/d238de68-3423-40cd-9bf1-8416bd1d4591
>>
>> Windows 2000 Active Directory FSMO roles (Similar to 2003 & 2008):
>> http://support.microsoft.com/kb/197132
>>
>> Also with the multiple locations, I suggest to create AD sites that
>> correspond to each subnet. To do that, follow this article's steps:
>>
>> Step-by-Step Guide to Active Directory Sites and Services
>> http://www.activewin.com/win2000/step_by_step/active_directo ry/adsites.shtml
>>
>> [DOC] Step-by-Step Guide to Active Directory Sites and ServicesFile
>> Format: Microsoft Word - View as HTML
>> Creating a site link between two or more sites is a way to influence
>> replication topology. By creating a site link, you provide Active
>> Directory with ...
>> http://filedb.experts-exchange.com/incoming/2008/08_w35/5372 9/Active-Directory-Sites-and-Servi.doc
>>
>> Now for DNS registration. On the child DC, delete the
>> system32\config\netlogon.dns and netlogon.bak files. Then run:
>> ipconfig /flushdns
>> ipconfig /registerdns
>> net stop netlogon
>> net start netlogon
>>
>> Make sure the DC's A record, the LdapIpAddress record, which is the "same
>> as parent" record that should show the child DC's IP, and the SRV data
>> is showing up in the nl.linakorg.local zone. Check the Sites
>> configuration to make sure the respective DCs in the child domain show up
>> correctly. Check in the _gc._msdc.linakorg.local zone that the respective
>> IPs of the DCs that you made GCs show up.
>>
>>
>> Planning Domain Controller Capacity
>> http://technet.microsoft.com/en-us/library/cc738079.aspx
>> ======
>>
>> --
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Please reply back to the newsgroup or forum for collaboration benefit
>> among responding engineers, and to help others benefit from your
>> resolution.
>>
>> Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
>> Messaging
>> Microsoft Certified Trainer
>>
>> For urgent issues, please contact Microsoft PSS directly. Please check
>> http://support.microsoft.com for regional support phone numbers.
>>
>
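The record check described in the quoted reply above (the DC's A record, the "same as parent" LdapIpAddress record, the SRV data and the GC entries) can be run offline against a copy of netlogon.dns. This is an added example, not part of any post in this thread; it assumes netlogon.dns holds zone-file style lines (owner, TTL, IN, type, rdata), uses the placeholder names corp.example and dc2, and leaves out site-specific records.

```python
# Constructed sample: netlogon.dns from a DC that is not (yet) advertising as a GC.
SAMPLE_NETLOGON_DNS = """\
corp.example. 600 IN A 10.0.0.12
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc2.corp.example.
_kerberos._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 88 dc2.corp.example.
"""

def parse_netlogon(text):
    """Parse 'owner TTL IN TYPE rdata' lines into (owner, type, rdata) tuples."""
    records = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue  # blank line, comment, or unexpected layout
        owner, rtype = parts[0].rstrip(".").lower(), parts[3].upper()
        if rtype == "A":
            records.add((owner, "A", parts[4]))
        elif rtype == "SRV" and len(parts) >= 8:
            # SRV rdata is: priority weight port target; compare port + target
            records.add((owner, "SRV", (int(parts[6]), parts[7].rstrip(".").lower())))
    return records

def expected_records(domain, dc_fqdn, dc_ip, is_gc, forest=None):
    """Locator records one DC should register (site-specific ones omitted)."""
    forest = forest or domain  # single-domain forest: forest root == domain
    want = {
        (domain, "A", dc_ip),  # LdapIpAddress, shown as "same as parent"
        (f"_ldap._tcp.{domain}", "SRV", (389, dc_fqdn)),
        (f"_ldap._tcp.dc._msdcs.{domain}", "SRV", (389, dc_fqdn)),
        (f"_kerberos._tcp.{domain}", "SRV", (88, dc_fqdn)),
        (f"_kerberos._tcp.dc._msdcs.{domain}", "SRV", (88, dc_fqdn)),
    }
    if is_gc:
        want |= {
            (f"_gc._tcp.{forest}", "SRV", (3268, dc_fqdn)),
            (f"_ldap._tcp.gc._msdcs.{forest}", "SRV", (3268, dc_fqdn)),
            (f"gc._msdcs.{forest}", "A", dc_ip),  # GcIpAddress
        }
    return want

def missing_records(text, domain, dc_fqdn, dc_ip, is_gc, forest=None):
    """Owner names of expected records absent from the netlogon.dns text."""
    want = expected_records(domain, dc_fqdn, dc_ip, is_gc, forest)
    return sorted(owner for owner, _, _ in want - parse_netlogon(text))

if __name__ == "__main__":
    for owner in missing_records(SAMPLE_NETLOGON_DNS, "corp.example",
                                 "dc2.corp.example", "10.0.0.12", is_gc=True):
        print("missing:", owner)
```

An empty result for a DC that was just made a GC means Netlogon has written the GC records locally; whether they reached the DNS zone still has to be checked on the DNS server.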
Re: Global Catalog Server needed? [message #161518 is a reply to message #161515] Tue, 29 September 2009 14:18
meiweb (Germany)
Messages: 2225
Registered: September 2009
Senior Member
Hello Jim,

Nice to hear. Thanks for the update.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Meinolf,
> The first quick test shows making them all GC's resolved the problem.
> Thanks for the info!
>
> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:6cb2911d68ea8cc0ef46962bc2b@msnews.microsoft.com...
>
>> Hello Jim,
>>
>> See inline.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hello, I'm trying to get my head around the need for a GC server.
>>>
>>> I've read many documents dating back to 2003 and need some clarity.
>>>
>>> I've read that, in the case of a single domain, the GC server has
>>> nothing to do and thus unnecessary? I've read other documents
>>> stating that in a single domain network, every DC should be a GC
>>> server. I've also read that you should never put a GC on a PDC
>>> master DC. I've read that exchange uses GC servers so you better
>>> have one.
>>>
>> A GC is not unnecessary, the Infrastructure master has nothing to do.
>> See here about more details:
>> http://msmvps.com/blogs/UlfBSimonWeidner/archive/2005/03/08/37975.aspx
>>
>> http://support.microsoft.com/kb/223346/en-us
>>
>> Exchange must have access to a GC server.
>>
>>> I have a single domain network and currently two global catalog
>>> servers out of 5 DC's.
>>>
>> It is ok with 2, but in a single forest domain make all DCs GC.
>>
>>> The problem I'm having, is that if one DC goes down, users can not
>>> log onto the domain as they get no domain controllers can be found.
>>> I've run the DCDIAG tests and everything checks out fine. No
>>> errors, no warnings, nothing.
>>>
>> This belongs to the DNS client side resolving, GC is not used for
>> logon itself, except you use Universal groups.
>>
>> See "Global Catalog Processes and Interactions" in:
>> http://technet.microsoft.com/en-us/library/cc737410(WS.10).aspx
>>
>>> I thought it might have something to do with GC's but I'm unsure.
>>>
>>> Any thoughts?
>>>
>>> Thanks
>>>
Re: Global Catalog Server needed? [message #161522 is a reply to message #161517] Tue, 29 September 2009 16:27
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Jim" <jj@nospam.com> wrote in message
news:uzH2sFUQKHA.5068@TK2MSFTNGP05.phx.gbl...
> You guys are bloody geniuses!
> That seems to have done the trick.
>
> Thanks for the help!

No problem, and no, not geniuses. Slept at a Holiday Inn last night...
(reference to Holiday Inn's TV commercials).

Wyle E. Coyote... :-)


Ace
Re: Global Catalog Server needed? [message #161528 is a reply to message #161522] Wed, 30 September 2009 03:28
Dave Warren (Canada)
Messages: 162
Registered: July 2009
Senior Member
In message <#er0EQVQKHA.5068@TK2MSFTNGP05.phx.gbl> "Ace Fekay [MCT]"
<aceman@mvps.RemoveThisPart.org> was claimed to have wrote:

>No problem, and no, not geniuses. Slept at a Holiday Inn last night...

My condolences -- I hope you didn't eat any of the pasty egg flavoured
jello in the breakfast bar?
Re: Global Catalog Server needed? [message #161557 is a reply to message #161528] Wed, 30 September 2009 14:54
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Dave Warren" <dave-usenet@djwcomputers.com> wrote in message
news:vrn5c5919vgjl0ta9h18ii4pvjpcestq3q@4ax.com...
> In message <#er0EQVQKHA.5068@TK2MSFTNGP05.phx.gbl> "Ace Fekay [MCT]"
> <aceman@mvps.RemoveThisPart.org> was claimed to have wrote:
>
>>No problem, and no, not geniuses. Slept at a Holiday Inn last night...
>
> My condolences -- I hope you didn't eat any of the pasty egg flavoured
> jello in the breakfast bar?


No, I went to a Dunkin Donuts! ;-)
Re: Global Catalog Server needed? [message #161587 is a reply to message #161557] Thu, 01 October 2009 18:48
Dave Warren (Canada)
Messages: 162
Registered: July 2009
Senior Member
In message <O3JqwAhQKHA.1876@TK2MSFTNGP06.phx.gbl> "Ace Fekay [MCT]"
<aceman@mvps.RemoveThisPart.org> was claimed to have wrote:

>"Dave Warren" <dave-usenet@djwcomputers.com> wrote in message
>news:vrn5c5919vgjl0ta9h18ii4pvjpcestq3q@4ax.com...
>> In message <#er0EQVQKHA.5068@TK2MSFTNGP05.phx.gbl> "Ace Fekay [MCT]"
>> <aceman@mvps.RemoveThisPart.org> was claimed to have wrote:
>>
>>>No problem, and no, not geniuses. Slept at a Holiday Inn last night...
>>
>> My condolences -- I hope you didn't eat any of the pasty egg flavoured
>> jello in the breakfast bar?
>
>No, I went to a Dunkin Donuts! ;-)

Now THAT is staying smart at a Holiday Inn Express: Leaving.
Re: Global Catalog Server needed? [message #161591 is a reply to message #161587] Thu, 01 October 2009 21:35
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Dave Warren" <dave-usenet@djwcomputers.com> wrote in message
news:kjhac5llq097uud9g2k7kcah4l9h5el42o@4ax.com...
> In message <O3JqwAhQKHA.1876@TK2MSFTNGP06.phx.gbl> "Ace Fekay [MCT]"
> <aceman@mvps.RemoveThisPart.org> was claimed to have wrote:
>
>>"Dave Warren" <dave-usenet@djwcomputers.com> wrote in message
>>news:vrn5c5919vgjl0ta9h18ii4pvjpcestq3q@4ax.com...
>>> In message <#er0EQVQKHA.5068@TK2MSFTNGP05.phx.gbl> "Ace Fekay [MCT]"
>>> <aceman@mvps.RemoveThisPart.org> was claimed to have wrote:
>>>
>>>>No problem, and no, not geniuses. Slept at a Holiday Inn last night...
>>>
>>> My condolences -- I hope you didn't eat any of the pasty egg flavoured
>>> jello in the breakfast bar?
>>
>>No, I went to a Dunkin Donuts! ;-)
>
> Now THAT is staying smart at a Holiday Inn Express: Leaving.


LOL!! :-)
Re: Global Catalog Server needed? [message #162078 is a reply to message #161474] Wed, 14 October 2009 14:26
SubstituteThisWithMyF (Netherlands)
Messages: 85
Registered: October 2009
Member
make all DCs a GC (especially in a single domain environment)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------

"Jim" <jj@nospam.com> wrote in message
news:eqSOLxIQKHA.1360@TK2MSFTNGP05.phx.gbl...
> Hello, I'm trying to get my head around the need for a GC server.
>
> I've read many documents dating back to 2003 and need some clarity.
>
> I've read that, in the case of a single domain, the GC server has nothing
> to do and thus unnecessary? I've read other documents stating that in a
> single domain network, every DC should be a GC server. I've also read
> that you should never put a GC on a PDC master DC. I've read that
> exchange uses GC servers so you better have one.
>
> I have a single domain network and currently two global catalog servers
> out of 5 DC's.
>
> The problem I'm having, is that if one DC goes down, users can not log
> onto the domain as they get no domain controllers can be found. I've run
> the DCDIAG tests and everything checks out fine. No errors, no warnings,
> nothing.
>
> I thought it might have something to do with GC's but I'm unsure.
>
> Any thoughts?
>
> Thanks
>