GC-Problems

GIG

Hello everyone

I have 5 different sites with 2 domain controllers in each site. There is one
different subnet per site, and five different tree root domains, one for each
site.

3 of the 5 sites have 1 Global Catalog; the other two sites have
Universal Group Membership enabled.
Now the problem is: if the WAN link is down and I try to make searches in AD to
other domains, or if a user from another domain tries to log on to a
machine, the logon is denied... Isn't the GC supposed to have all information
about the forest and serve all queries and logon requests??

What about the 2 sites that have only Universal Group Membership
enabled? If I need to make searches to that domain, which site or global
catalog should I make sure has a WAN connection available?? (Remember
they don't have any GC; THEY ONLY HAVE Group Membership enabled, because the
WAN links are very slow.)

Some help would be very appreciated.
Regards
 
Bill

I'm not sure I understand. I'd recommend you have one GC per site. You
mention that you don't have GCs there because of bandwidth considerations,
but you'd want a GC in those sites anyway. This should not increase network
utilization; it should decrease it, because the GC is now on the local LAN
and you are only replicating delta changes to the catalog.
 
GIG

Hello Bill

Configuration: 5 sites, 5 different subnets (one per site), 5 different
domains (one in each site), 2 domain controllers per domain.

Site 1 = Domain 1 = 2 domain controllers, 1 of which is a GC.
Site 2 = Domain 2 = 2 domain controllers, 1 of which is a GC.
Site 3 = Domain 3 = 2 domain controllers, 1 of which is a GC.

Site 4 = Domain 4 = 2 domain controllers, 1 with Universal Group Membership
enabled.
Site 5 = Domain 5 = 2 domain controllers, 1 with Universal Group Membership
enabled.


I have users from different sites or domains that need to log on to different
domains.

For example: I have one or more users from Domain 1 who go to Domain 3 and
try to log on to machines in Domain 3 with their user names
(DOMAIN1\USER01). If the WAN link is down, the logon is denied, stating
that the domain couldn't be contacted. (In this situation the users are
trying to log on to machines that exist in Domain 3.)

My question is: if I have a GC on Site 3/Domain 3, why aren't users allowed to
log on with their user names??

The other question is about searches when the WAN link is down.
For example: from Domain 1 to Domain 3, I open AD Users and Computers and
select Find. In the search I have locations to define; if I select Entire
Directory, the search is OK and shows me all objects in all domains, but if
I select a specific domain, for example Domain 3, the search can't find
anything. This only happens when the WAN link is down.
 
Bill

OK, here's what is happening. To clarify all of this, let's define what a
GC is. A Global Catalog server stores a partial replica of information from
all domains in the forest. You have 5 domains, so each GC has replicas of
objects from all of those domains. The GC stores only a minimal set of
attributes of each object, and is primarily used for searches. It also
stores information about where to find the full replica of the object, that
is, a DC for the domain.

OK, even though a GC stores information about objects in ALL domains, it is
not a domain controller for those domains, other than its own. So, if you
have a user from domain 1 in domain 3, that user cannot authenticate to
their domain unless the WAN is up. If you had a domain 1 DC in the same
location as domain 3, it would work, because you have a DC for that domain
locally. So you could set up two sites for domain 1, one which already
exists, and another at the site where domain 3 is. At the domain 3 site you
could deploy a new domain 1 DC, and the data would replicate back and forth.
If the WAN is down, no big deal; we have a DC for that domain locally. Make
sense?

OK, now for the second question. When you search the entire directory, you
are looking at a GC. When you select a specific domain, you are attempting
to contact a DC for that domain. In your case, if the WAN is down, you have
no local DC to search for that information and your query fails.
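The two points above (a logon for DOMAIN1\USER01 in site 3 needs a Domain 1 DC reachable from site 3, and an "Entire Directory" search hits a GC on port 3268 while a single-domain search hits a DC of that domain on port 389) can be checked against a real forest with the script below. It is an added example, not code posted in this thread; it assumes the ActiveDirectory RSAT module and an account that can query every domain, and the site name "Site3", the domain "domain1.example.com" and the user "USER01" are placeholders standing in for the poster's Domain 1 / Domain 3 / DOMAIN1\USER01.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory RSAT module.
# Site names, domain names and the user below are placeholders for the
# poster's Site 3, Domain 1 and DOMAIN1\USER01; adjust them to your forest.
Import-Module ActiveDirectory

# Inventory every DC in every domain of the forest: which site it sits in and
# whether it is a Global Catalog. -Server targets a DC of each domain, so the
# query is not limited to the domain this session happens to be joined to.
function Get-ForestDcInventory {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
            [pscustomobject]@{
                Site            = $_.Site
                Domain          = $_.Domain
                HostName        = $_.HostName
                IsGlobalCatalog = $_.IsGlobalCatalog
            }
        }
    }
}

# Per site: which domains have a DC locally, and whether a GC is present.
# A site with no DC for domain X cannot authenticate DOMAINX\user once the
# WAN is down, whatever GCs it holds; that is the poster's logon failure.
function Get-SiteCoverage {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory | Group-Object Site | ForEach-Object {
        [pscustomobject]@{
            Site         = $_.Name
            LocalDomains = ($_.Group.Domain | Sort-Object -Unique) -join ','
            HasGC        = [bool]($_.Group | Where-Object IsGlobalCatalog)
        }
    }
}

# The thread's question in code: can DOMAINX\user log on in a given site with
# the WAN down? Only if that site holds a DC for the user's own domain.
function Test-OfflineLogon {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [Parameter(Mandatory)][string]$Site,
        [Parameter(Mandatory)][string]$UserDomain   # DNS name of the user's domain
    )
    $local = @($Inventory | Where-Object { $_.Site -eq $Site -and $_.Domain -eq $UserDomain })
    [pscustomobject]@{
        Site       = $Site
        UserDomain = $UserDomain
        LocalDcs   = ($local.HostName -join ',')
        CanLogon   = ($local.Count -gt 0)
    }
}

$inv = Get-ForestDcInventory
Get-SiteCoverage -Inventory $inv | Format-Table -AutoSize
# Placeholder names: site "Site3", user's domain "domain1.example.com"
Test-OfflineLogon -Inventory $inv -Site 'Site3' -UserDomain 'domain1.example.com'

# Second question: "Entire Directory" in Find goes to a GC on port 3268;
# selecting one domain goes to a DC of that domain on port 389. With the
# WAN down the first still works against the local GC, the second does not.
$gc = ($inv | Where-Object { $_.Site -eq 'Site3' -and $_.IsGlobalCatalog } |
       Select-Object -First 1).HostName

# Partial attribute set from the local GC; an empty SearchBase on a GC port
# searches every domain in the forest, including other tree roots.
Get-ADObject -Server "${gc}:3268" -SearchBase '' -LDAPFilter '(sAMAccountName=USER01)' -Properties sAMAccountName

# Full replica from a DC of domain1; this needs a reachable domain1 DC.
Get-ADObject -Server 'domain1.example.com' -LDAPFilter '(sAMAccountName=USER01)'
```

Run it from any joined workstation with RSAT while the WAN is up: `Get-SiteCoverage` shows the poster's sites 4 and 5 with `HasGC` false and every site listing only its own domain under `LocalDomains`, and `Test-OfflineLogon` returns `CanLogon` false for Site3 / domain1 until a Domain 1 DC is placed in that site, which is the fix the reply recommends.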
 
JMS

Just Another Thing

When users from Domain 1 try to log on to Domain 3, they must be able to
contact the domain controller that is hosting the PDC role in Domain 1,
right?

Thanks again
 
Bill

Not necessarily. Any DC can authenticate a logon - but the authenticating DC
will check with the PDC if the password the user supplied does not match the
value it has. If this occurs, it checks with the PDC to see if the user's
password has changed within the last replication interval.
 
