  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 10335

Global Catalog servers - placement and how many is too many?

We have a single Windows 2003 AD domain with computers located at seven physical locations connected as a WAN by point-to-point T1 lines.

My FSMO server is also a GC and DNS, and is located at the data center, and in addition at each physical location including the data center we have one AD server that is also set up as a GC and DNS.

All these computers and servers are on a single domain and in one AD Site.

My questions are:

1) Is it necessary to have all our (backup) AD/DNS servers be set up as GCs and if not why not? If we do keep it this way, are there any issues?

2) If we don't have all these servers set up as GCs, when someone from a remote location logs on to the domain, will they be authenticated only by the GC at the primary location?

3) We have Exchange 2k running with AD on that server. This is not set up as a GC. Should I enable GC on this as well? Could you please provide a reason as to yes or no?

4) Should I set up multiple AD Sites for these different physical locations? Please provide a reason.

Thank you very much.
0
Asked by cfgchiran
3 Solutions
 
kamalgopiCommented:
1) The reason for having a GC set up in each location is mainly faster response, as it holds the universal group info and returns the AD search list and domain object info.
2) If you have not set up your AD Sites and Services, they might be authenticated in that fashion. You have to set up AD Sites and Services so that the users on that subnet/location are authenticated by the local DC at their location.
3) Yes, I recommend doing that. Just to let you know, if you have one DC at that location with Exchange installed on the same server, it is recommended by Microsoft to have it made a GC.
4) Yes, you need to set up multiple sites for every physical location so they can replicate to each other in a timely manner.

Hope this helps
Cheers:)
Kamal
0
 
Malli BoppeCommented:
1.) If you have fairly good links between the different sites then there shouldn't be a problem having the DCs as global catalogs. Bandwidth consumption is the only issue.
2.) No, it would still use the nearest available DC (same subnet). You can enable Universal Group Membership Caching if you don't want to use a GC.
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/Whentouseandnotuseuniversalgroupmembershipcaching.html
3.) Exchange heavily uses the GC, so I would recommend having a GC.
http://www.computerperformance.co.uk/exchange2003/exchange2003_global_catalog.htm
4.) Yes, you should, for better management and replication.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx
0
 
KCTSCommented:
In general you should have at least one GC per site, preferably two for redundancy, as all logon authentications need to query the GC server to establish universal group membership - see http://support.microsoft.com/kb/216970

If you only have a single GC in your domain, then if the server with the GC fails no logons can occur even if other DCs are available. It makes sense to have at least one GC per site to prevent unnecessary inter-site traffic at logon (which may also slow down logon).

Ideally Exchange should NOT be on a server that is a domain controller - it complicates management - see http://blogs.brnets.com/michael/archive/2005/01/24/319.aspx

If you have different physical locations then yes, you should define subnets and allocate them to sites, and put the DCs in the appropriate site. Sites are used by AD (amongst other things) to determine which are the local Domain Controllers and which are remote - logon will use a local server in preference, to avoid inter-site traffic. See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx


0
 
ajay_waliaCommented:
1) Is it necessary to have all our (backup) AD/DNS servers be set up as GCs and if not why not? If we do keep it this way, are there any issues?

** It is not necessary, but if you can afford to do so then you should (in your case, since you have T1 connections, you should), as it will make user logons faster and will bring redundancy into the environment (by having multiple GCs). The only thing is it will increase replication traffic, which generally is not much.

2) If we don't have all these servers set up as GCs, when someone from a remote location logs on to the domain, will they be authenticated only by the GC at the primary location?

** If you have only 1 GC it will authenticate all users. If you have more than 1 then there is nothing like a "primary": the user will be authenticated by the nearest DC/GC.

3) We have Exchange 2k running with AD on that server. This is not set up as a GC. Should I enable GC on this as well? Could you please provide a reason as to yes or no?
** As mentioned above, Exchange uses GCs heavily, so it would make sense in your case to have a GC at each site.
4) Should I set up multiple AD Sites for these different physical locations? Please provide a reason.

** In your case it would be recommended, as that would make replication more efficient.
0
 
cfgchiranAuthor Commented:
1) Thank you for the responses. It seems like there is a mixed response to whether the email should be a GC or not. But since the recommendation overall is that Exchange be set up as a member server (which is not my current case, but will be soon when we upgrade to Exchange 2003) I assume as long as I have a GC in the same site as the Exchange I am ok. Is that correct?

2) When setting up AD sites, does replication between the sites have to be done manually or automatically, and typically how often should this be set up to (if done manually)?

3) Since the sites will contain just the DCs - how exactly do the individual workstations know which site it belongs to?

Thank you.
0
 
kamalgopiCommented:
1) Yes, you are right.
2) Normally the best and the recommended way is to have the replication schedule set manually based on the network/WAN bandwidth. If not, you might be expecting some more traffic if there is a frequent amount of replication going on the WAN link between sites.
3) The workstations know, based on their IP, which DC they should contact for authenticating themselves. This has to be properly set in AD Sites and Services; if not, the workstations might be authenticated by a DC in another site, where the user may sometimes experience slow logins.

Hope this helps
Cheers:)
Kamal
0
 
Malli BoppeCommented:
1.) Yes.
2.) I wouldn't recommend the replication to be manual. It all depends on the network links between your sites. If you have a really good link you can have replication every 15 min or 1 hr. That's what I have set up in our network. Otherwise you set the schedule to replicate after hours, say every 1 hr.
3.) This depends on the subnet. Say you have a DC with IP 192.168.1.1/24; then all the computers in the same subnet as that of the DC will log on to that DC.
0
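The two points the answers above keep returning to (KCTS and ajay_walia on having at least one GC per site so the universal-group lookup at logon does not cross the WAN, and Malli Boppe and kamalgopi on a workstation finding its site by matching its IP against the subnet objects) can be checked on paper before touching Sites and Services. The script below is an added example, not code from the thread or from Microsoft: it models a site/subnet/DC layout, resolves a client address to a site by most-specific subnet match (the rule the DC locator applies), and flags sites where no DC is a GC and unmapped client addresses that have no site affinity. The site names, subnets, DC names and client addresses are constructed for the example and are assumptions, not the asker's environment.

```python
"""Model an AD site design and check GC coverage and client site lookup.

Added example; the site, subnet, DC and client data below are constructed
and not taken from the thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    name: str
    site: str
    is_gc: bool


# Constructed sample: site name -> subnet objects, as they would be entered
# under Sites and Services -> Subnets. One site per physical location.
SUBNETS = {
    "DataCenter": ["10.1.0.0/16"],
    "Branch-A":   ["10.2.0.0/24"],
    "Branch-B":   ["10.3.0.0/24"],
    "Branch-C":   ["10.1.200.0/24"],   # more specific than the /16 above
}

# Constructed sample DCs; Branch-B's only DC is deliberately not a GC.
DCS = [
    DomainController("DC1", "DataCenter", is_gc=True),
    DomainController("DC2", "DataCenter", is_gc=True),
    DomainController("DC3", "Branch-A",   is_gc=True),
    DomainController("DC4", "Branch-B",   is_gc=False),
    DomainController("DC5", "Branch-C",   is_gc=True),
]


def site_for_address(ip, subnets=SUBNETS):
    """Resolve a client IP to a site by longest-prefix (most specific) match.

    Returns None when no subnet object covers the address, which is the
    case where a workstation has no site affinity and any DC may answer.
    """
    addr = ipaddress.ip_address(ip)
    best_site, best_len = None, -1
    for site, cidrs in subnets.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_site, best_len = site, net.prefixlen
    return best_site


def sites_without_gc(dcs=DCS, subnets=SUBNETS):
    """Sites whose DCs are all non-GC: logons there need a GC over the WAN
    (unless Universal Group Membership Caching is enabled for the site)."""
    gc_sites = {dc.site for dc in dcs if dc.is_gc}
    return sorted(site for site in subnets if site not in gc_sites)


def logon_targets(ip, dcs=DCS, subnets=SUBNETS):
    """Describe which DCs a client at `ip` would be steered to at logon."""
    site = site_for_address(ip, subnets)
    if site is None:
        return {"site": None, "local_dcs": [], "gc_local": False,
                "note": "address not in any AD subnet object; add one"}
    local = [dc.name for dc in dcs if dc.site == site]
    gc_local = any(dc.is_gc for dc in dcs if dc.site == site)
    note = ("GC lookup stays in site" if gc_local
            else "universal-group lookup goes to a GC in another site")
    return {"site": site, "local_dcs": local, "gc_local": gc_local,
            "note": note}


if __name__ == "__main__":
    for client in ("10.1.4.4", "10.1.200.5", "10.3.0.20", "192.168.50.9"):
        print(client, logon_targets(client))
    print("sites without a GC:", sites_without_gc())
```

Running it shows the 10.1.200.5 client landing in Branch-C rather than DataCenter because the /24 wins over the /16, the Branch-B client being served locally for logon but sent across the WAN for its GC query, and the 192.168.50.9 client with no subnet object at all, which is the misconfiguration kamalgopi describes where logons wander to a remote DC. Re-running after changing the data is a quick way to review a planned subnet list before entering it in Sites and Services.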
 
cfgchiranAuthor Commented:
Great responses overall. Thank you. I tried to be fair with the points and awarded them to the answers I personally found the most accurate to my needs. Once again thank you all.
0
