Windows 03 AD and Global Catalogs

ITJunkie

What's the general rule of thumb regarding global catalogs?
I have 2 DCs and one global catalog, but are any/most of you in a similar environment running your GCs on both DCs or just one?
Will the other DC automatically take over GC duties if the current one fails?

TIA for your advice,

~Bill
 

RebateMonger

A good KB on Global Catalog Servers.

How many Domains? If only a single Domain:

"GC servers can be domain controllers from any domain. When authentication occurs, the domain controller that is authenticating the user's logon request needs to locate a GC in order to construct the universal groups to which that user belongs. In the event that there is only one domain in the forest, all domain controllers contain the same data, so there is no need to locate a GC (even though any given server might be designated a GC). If the domain controller handling the user logon request is also a GC, there is no need to remote the request to another GC. There is no requirement that the GC selected to service the request be a member of the domain to which the authenticating domain controller belongs."
 

RebateMonger

Well, I think it can get more complicated than that. If you lose your GC, even in a single-Domain environment, you'll apparently get errors when you try to add a new User (or other AD object). But I assume you won't leave your GC down for weeks at a time.....

You can also make that second DC a GC without adding any significant overhead. But THEN, there's another issue: Usually, a GC can't be an Infrastructure Master....(I don't know how Windows SBS 2003 handles this...I haven't looked).

Seriously, I doubt it makes much difference either way if there's only a single Domain and a single site.
 

ITJunkie

Usually, a GC can't be an Infrastructure Master....

It was my understanding that in a single domain environment this issue is not a factor and only applies to a forest with multiple domains. Is this incorrect?

Thanks Stash...can you tell me why though? I guess what I'm really asking is: does the added replication traffic really make that big a difference to network performance? It sounds like it is negligible and worth the redundancy...
 

stash

Originally posted by: ITJunkie
Usually, a GC can't be an Infrastructure Master....

It was my understanding that in a single domain environment this issue is not a factor and only applies to a forest with multiple domains. Is this incorrect?

Thanks Stash...can you tell me why though? I guess what I'm really asking is: does the added replication traffic really make that big a difference to network performance? It sounds like it is negligible and worth the redundancy...
That is generally correct; however, I think you will still get the error if you put the infrastructure FSMO on a GC in a single domain forest where there are other DCs that are not GCs. I don't think the infrastructure master is smart enough to realize that you don't have other domains in the forest. Or at least not smart enough to notice if you add domains to the forest.

Normally, when the two roles are separated, the i-master will create phantom objects for objects from other domains from the forest, such as when you add a user from another domain to a group in your domain. The i-master will then check the GC periodically to see if those objects its phantoms refer to still exist. It then replicates those phantoms to all the DCs within its forest.

If the i-master is on a GC, it doesn't need to create phantoms, because it can see every object in the forest. But the other non GCs in the domain won't be able to see the objects from other domains (since nothing is being replicated from the i-master), and will have no idea if they are removed or modified. So if you make all DCs GCs, this problem goes away since all DCs now have access to every object in the forest.
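
The placement rule discussed in this thread (infrastructure master on a GC is only a concern while some DCs in the domain are not GCs) can be checked with a short script. This is an added example, not code from any poster; the function name, the status labels and the `example.test` host names are constructed, and the live query assumes the ActiveDirectory PowerShell module is available on the management workstation.

```powershell
# Added example, not from the thread. Function name, statuses and hosts are constructed.
function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)] [string]   $InfrastructureMaster,  # FQDN of the role holder
        [Parameter(Mandatory)] [object[]] $DomainControllers,     # need HostName, IsGlobalCatalog
        [Parameter(Mandatory)] [int]      $ForestDomainCount
    )
    $holder = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    $nonGc  = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    if (-not $holder) {
        $status = 'Unknown'; $why = 'Role holder is not in the supplied DC list.'
    } elseif (-not $holder.IsGlobalCatalog) {
        $status = 'OK'; $why = 'I-master is not a GC, so it maintains phantoms by checking a GC.'
    } elseif ($nonGc.Count -eq 0) {
        $status = 'OK'; $why = 'Every DC is a GC, so no DC depends on phantom updates.'
    } elseif ($ForestDomainCount -le 1) {
        $status = 'Review'; $why = 'Single domain: generally not a factor, but the error may still be logged.'
    } else {
        $status = 'Problem'; $why = 'I-master is on a GC while non-GC DCs rely on it for phantom updates.'
    }
    [pscustomobject]@{
        Status               = $status
        Reason               = $why
        InfrastructureMaster = $InfrastructureMaster
        NonGlobalCatalogDCs  = $nonGc.HostName -join ', '
    }
}

# Constructed inventory matching the original question: two DCs, one GC, one domain.
$sampleDcs = @(
    [pscustomobject]@{ HostName = 'dc1.example.test'; IsGlobalCatalog = $true  }
    [pscustomobject]@{ HostName = 'dc2.example.test'; IsGlobalCatalog = $false }
)
Test-InfrastructureMasterPlacement -InfrastructureMaster 'dc1.example.test' `
    -DomainControllers $sampleDcs -ForestDomainCount 1

# Same check against the current domain, only if the ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter *
    Test-InfrastructureMasterPlacement -InfrastructureMaster $domain.InfrastructureMaster `
        -DomainControllers $dcs -ForestDomainCount (Get-ADForest).Domains.Count
}
```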
 

ITJunkie

Awesome...Thanks Stash!! :cookie: for you too