Best practice on AD

Dan

My setup is as follows: I have 2 DCs and 1 Exchange 2k member server. I know
that the Root DC contains the global catalog and FSMO roles. What is the
best practice for protecting the global catalog server? Can I have the GC on
both DCs? What do I do if the Root DC crashes and can't be fixed? I do a full
backup of it every night.

thanks
Dan
 
Jeff

Dan said:
My setup is as follows: I have 2 DCs and 1 Exchange 2k member server. I know
that the Root DC contains the global catalog and FSMO roles. What is the
best practice for protecting the global catalog server? Can I have the GC on
both DCs? What do I do if the Root DC crashes and can't be fixed? I do a full
backup of it every night.

Ideally, it is best to have at least 2 global catalog servers for
redundancy. That way if one GC goes down or has issues, the other one is
available. Our environment is similar and at our main site we have 2 DCs,
both of which are GCs.

Jeff
 
Herb Martin

Dan said:
My setup is as follows: I have 2 DCs and 1 Exchange 2k member server. I know
that the Root DC contains the global catalog and FSMO roles.

Actually in a single domain, neither is referred to as the "root DC."

They are only different (the DCs) due to the FSMO roles and
perhaps the GC.
Dan said:
What is the best practice for protecting the global catalog server?

As Jeff said, it is best to have at least two GCs (per site, actually).

In a small single domain forest (or even a few domains of small size)
it frequently makes the most sense to just let them all be GCs.
Dan said:
Can I have the GC on both DCs?

You can have as many GCs as you wish (up to the total of all DCs
in the forest.)

Reasons not to duplicate the GC further: The GC holds a PORTION
of the info on every object in the forest. In a single domain forest, all
the info is on every DC anyway and the GC job adds little but if you
imagine a LARGE forest with say, 5 domains of 100,000 users each
and then realize that the GC must hold a reference to 500,000 user
objects (plus machines etc.) it is obvious that as the domains and
sizes grow it makes more sense to use only as many GCs as are
necessary for fault tolerance and performance.

Normally it is two GCs per site, with more if you have large sites that
are slow to do forest-wide searches (of AD info).
Dan said:
What do I do if the Root DC crashes and can't be fixed? I do a full
backup of it every night.

If the ROLE HOLDER crashes (not the root) then you must EITHER
restore it expeditiously, OR you must (eventually) seize the roles.

If you seize the roles, then you must NEVER restore it even if it is
subsequently fixed -- SEIZING the roles is a serious step.
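Herb's distinction between restoring the role holder and seizing its roles (and William's KB 255504 reference below) is easier to reason about once you can see who holds which role and whether that holder still answers. The following is an added example, not code from the thread or from Microsoft's KB articles. It assumes a current Windows Server DC with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later); the Windows 2000 DCs in Dan's setup would use the GUI or ntdsutil steps the KB articles describe. The host name DC2 is a placeholder for the surviving DC.

```powershell
# Added example: inventory the five FSMO role holders, test whether each still
# answers on LDAP, and wrap transfer-vs-seize in one function with confirmation.
# Assumes the ActiveDirectory module; 'DC2' is a placeholder host name.
Import-Module ActiveDirectory

# Two forest-wide roles come from Get-ADForest, three domain roles from Get-ADDomain.
function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# A holder that no longer answers on TCP 389 is the situation Herb describes:
# restore it promptly, or (eventually) seize its roles on a surviving DC.
function Test-FsmoRoleHolders {
    $holders = Get-FsmoRoleHolders
    foreach ($role in $holders.Keys) {
        $server = $holders[$role]
        $reachable = Test-NetConnection -ComputerName $server -Port 389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $role; Holder = $server; LdapReachable = $reachable }
    }
}

# Transfer (old holder online and consulted) or seize (old holder gone for good).
# -Force on Move-ADDirectoryServerOperationMasterRole is what turns a transfer
# into a seizure; after a seizure the old holder must never be reconnected.
function Move-AllFsmoRoles {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $TargetDc,
        [switch] $Seize
    )
    $roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'
    $verb = if ($Seize) { 'SEIZE' } else { 'transfer' }
    if ($PSCmdlet.ShouldProcess($TargetDc, "$verb all five FSMO roles")) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
            -OperationMasterRole $roles -Force:$Seize -Confirm:$false
    }
}

# Usage: report first, then decide.
Test-FsmoRoleHolders | Format-Table -AutoSize
# Graceful transfer while the old holder is still up:
#   Move-AllFsmoRoles -TargetDc 'DC2'
# Seizure only once the old holder is written off (Herb's "serious step"):
#   Move-AllFsmoRoles -TargetDc 'DC2' -Seize

# Windows 2000-era equivalent from KB 255504, run on the surviving DC; each
# quoted argument is one command at the ntdsutil prompt (seizing the PDC role):
#   ntdsutil roles connections "connect to server DC2" quit "seize PDC" quit quit
```

Run the report before any move: if every holder shows LdapReachable = True, a graceful transfer is the right call and nothing needs seizing. The ConfirmImpact = 'High' setting means PowerShell prompts before either operation unless you pass -Confirm:$false yourself.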
 
Dan

What are the steps on making the other DC a GC? Do I just check that one box
to make it a GC? Also I don't understand what you mean by seize the roles if
the ROLE HOLDER crashes. Is there any documentation on this?

thanks
 
William Wang[MSFT]

Hi Dan,

Thanks for your posting and thanks for others' great information.
Dan said:
What are the steps on making the other DC a GC? Do I just check that one
box to make it a GC?

Yes. You can refer to the following article for more information:

296882 How to promote a domain controller to a global catalog server
http://support.microsoft.com/?id=296882

To promote a domain controller to a global catalog server, follow these
steps:

1. On the domain controller, click Start, point to Programs, click
Administrative Tools, and then click Active Directory Sites and
Services.

2. In the console tree, double-click Sites, double-click the name of
the site, and then double-click Servers.

3. Double-click the target domain controller.

4. In the details pane, right-click NTDS Settings, and then click
Properties.

5. On the General tab, click to select the "Global catalog" check box.

6. Restart the domain controller.
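The check box in step 5 sets the "global catalog" bit (value 1) in the options attribute of the DC's NTDS Settings object, which is why the same promotion can be scripted. The following is an added example, not code from the KB article or the thread. It assumes a current Windows Server DC with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later), a single-domain forest like Dan's, and a placeholder host name DC2 for the DC that is not yet a GC. It also goes one step beyond the question by reporting every site against Herb's guideline of at least two GCs per site.

```powershell
# Added example: promote a second DC to global catalog by setting the same
# options bit the Sites and Services check box sets, then verify that every
# site in this domain has at least two GCs. Assumes the ActiveDirectory module;
# 'DC2' is a placeholder host name.
Import-Module ActiveDirectory

$secondDc = 'DC2'   # placeholder: the DC that is not yet a GC

function Enable-GlobalCatalog {
    param([Parameter(Mandatory)] [string] $DcName)
    $dc = Get-ADDomainController -Identity $DcName
    if ($dc.IsGlobalCatalog) {
        Write-Host "$DcName is already a global catalog"
        return
    }
    # Bit 1 of the NTDS Settings "options" attribute is the GC flag.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $newOptions = [int]$ntds.options -bor 1
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $newOptions }
    # The flag is set immediately; the partial replica still has to replicate in.
    # Treat the DC as a GC only after it logs NTDS General event 1119
    # ("now advertising itself as a global catalog server") in the Directory
    # Service log.
    Write-Host "Requested GC promotion of $DcName; wait for event 1119 before relying on it."
}

# Herb's guidance: at least two GCs per site. Summarise GC coverage per site for
# the DCs of the current domain (loop over Get-ADForest's Domains for a
# multi-domain forest).
function Get-SiteGcSummary {
    Get-ADDomainController -Filter * |
        Group-Object -Property Site |
        ForEach-Object {
            [pscustomobject]@{
                Site = $_.Name
                DCs  = $_.Count
                GCs  = @($_.Group | Where-Object { $_.IsGlobalCatalog }).Count
            }
        }
}

Enable-GlobalCatalog -DcName $secondDc

Get-SiteGcSummary | ForEach-Object {
    if ($_.GCs -lt 2) {
        Write-Warning "Site $($_.Site) has only $($_.GCs) GC(s) across $($_.DCs) DC(s)"
    }
    $_
} | Format-Table -AutoSize
```

In a two-DC, single-domain setup like Dan's, the summary should show one site with DCs = 2 and GCs = 2 once replication finishes; a site that still warns after promotion means the flag was set but the second DC has not yet built its read-only partial replicas.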
~~~~~~
Dan said:
Also I don't understand what you mean by seize the roles if the ROLE HOLDER
crashes. Is there any documentation on this?

You can refer to these articles for more information.

255504.KB.EN-US: Using Ntdsutil.exe to Seize or Transfer the FSMO Roles to
a Domain
http://support.microsoft.com/default.aspx?scid=KB;EN-US;255504

255690.KB.EN-US HOW TO: View and Transfer FSMO Roles in the Graphical User
Interface
http://support.microsoft.com/default.aspx?scid=KB;EN-US;255690

If you have any further questions, please don't hesitate to let us know.

Sincerely,

William Wang
Microsoft Online Support Engineer

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
 
William Wang[MSFT]

Hi Dan,

I'm just curious how things are going there. If you would, please update
the current status with your response at your earliest convenience. Should
you have any questions or concerns regarding to this issue, please don't
hesitate to let us know.

Sincerely,

William Wang
Microsoft Online Support Engineer


William Wang[MSFT]

Hi Dan,

I'm just checking on the status of this issue. Is there anything else we
can do for you here? Please don't hesitate to let us know if you have any
questions at any time.

Sincerely,

William Wang
Microsoft Online Support Engineer
