Question about Global Catalog and Infrastructure Master

Posted on 2010-08-31
Last Modified: 2012-05-10
Hello,

I have recently come into an environment where we are having some random computer account authentication issues, and I am trying to eliminate some of the AD configuration problems as a potential cause.  It may be completely unrelated, but I want to make sure AD is configured correctly nonetheless.

My particular question is regarding Global Catalog and Infrastructure Master Role.  Here are the things that you will find in every document regarding these functions.
-      You only need one Global Catalog per Site per Forest.
-      You should not have the same DC be the Infrastructure Master and a Global Catalog server.
-      However, if ALL DCs are Global Catalog servers then it is ok.

Here is our environment:
Site 1
DC1.domain.com		GC
DC2.domain.com		IM
DC1.child.domain.com	GC
DC2.child.domain.com	GC, IM

Site 2
DC3.domain.com		GC
DC3.child.domain.com	GC


All DCs are Windows 2000 Server, Both Domain Functional levels are Windows 2000 Native and Forest is 2000 as well.

According to these three facts/guidelines this configuration will cause problems.  Can anyone tell me if it is indeed a bad configuration and what exact problems this may cause?  To me it seems that DC2.child.domain.com should not be a Global Catalog.

Thanks,
Alex
0
Question by:Alexey91
6 Comments
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 33569986
That's correct. Without knowing what your exact problem is I would also go ahead and do a d2 non-authoritative restore on your IM's.

http://support.microsoft.com/kb/840674

MO
0
 
LVL 1

Author Comment

by:Alexey91
ID: 33570059
Thanks for the response, so you are saying that I should remove Global Catalog from DC2.child.domain.com?  And also do a non-authoritative restore on both DC2.domain.com and DC2.child.domain.com, or just on DC2.child.domain.com?  Why do you think I need to do that?  This configuration has been in place for at least 2 months now.

Thanks,
Alex
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1200 total points
ID: 33570098
DC2.child should not be a GC in your setup.  I'd make them all GCs.  See bullet one

http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html

In 2008 the GC is selected by default during dcpromo.

Good short overview of the IM and GC (for others that come across this via google/bing)

http://blogs.dirteam.com/blogs/jorge/archive/2006/07/18/the-infrastructure-master-fsmo-and-the-gc-role.aspx

Thanks

Mike
0
 
LVL 16

Assisted Solution

by:Michael Ortega
Michael Ortega earned 800 total points
ID: 33570133
mkline71 is right about setting up all as GC's. It's actually cleaner that way. You can go with removing the GC on dc2.child, but it would be just as well making them all GC's. The non-authoritative restore will essentially restart a clean replication of active directory to the "backup dc's". They aren't really backup DC's anymore, but if there is a question that something is wrong with replication or authentication then I would do the non-authoritative restore on the DC's in question.

MO
0
 
LVL 70

Expert Comment

by:KCTS
ID: 33570608
Let's clear up a couple of points

1. You must have at least one GC per domain

2. It's normally fine to have the IM and GC on the same machine; the only case where it is a potential issue is if SOME but NOT ALL DCs are GCs in a multi-domain environment.

3. If you don't have multiple domains it's not an issue

4. If you happen to have all DCs as GCs (even in a multi-domain environment), then again it's not an issue.
0
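
Added example, not part of any post in this thread: a Python check of the rule in points 2 to 4 above, run over the DC listing from the question. The `DC` class, `check_im_placement` and its `scope` parameter are names made up for this example; `scope` exists because the thread does not say whether "all DCs are GCs" is counted per domain or across the forest.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DC:
    name: str
    domain: str
    gc: bool = False   # hosts the Global Catalog
    im: bool = False   # holds the Infrastructure Master role for its domain

# Listing transcribed from the question (Site 1 and Site 2 combined).
INVENTORY = [
    DC("DC1.domain.com", "domain.com", gc=True),
    DC("DC2.domain.com", "domain.com", im=True),
    DC("DC1.child.domain.com", "child.domain.com", gc=True),
    DC("DC2.child.domain.com", "child.domain.com", gc=True, im=True),
    DC("DC3.domain.com", "domain.com", gc=True),
    DC("DC3.child.domain.com", "child.domain.com", gc=True),
]

def check_im_placement(dcs, scope="domain"):
    """Return (domain, message) findings for IM-on-GC placement.

    scope="domain": "all DCs are GCs" is counted within the IM's own domain.
    scope="forest": it is counted across every DC in the listing.
    """
    if scope not in ("domain", "forest"):
        raise ValueError("scope must be 'domain' or 'forest'")
    domains = sorted({d.domain for d in dcs})
    findings = []
    for dom in domains:
        members = [d for d in dcs if d.domain == dom]
        holders = [d for d in members if d.im]
        if len(holders) != 1:   # the role has exactly one holder per domain
            findings.append((dom, f"expected one IM holder, listing has {len(holders)}"))
            continue
        im = holders[0]
        if len(domains) == 1 or not im.gc:
            continue            # point 3, or the IM is not on a GC at all
        pool = members if scope == "domain" else dcs
        non_gc = sorted(d.name for d in pool if not d.gc)
        if non_gc:              # point 2: some but not all DCs are GCs
            findings.append((dom, f"IM {im.name} is a GC; not GCs: {', '.join(non_gc)}"))
    return findings

if __name__ == "__main__":
    for scope in ("domain", "forest"):
        print(scope, check_im_placement(INVENTORY, scope))
```

On the posted listing, `scope="domain"` returns no findings, while `scope="forest"` flags child.domain.com because DC2.domain.com is not a GC.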
 
LVL 1

Author Comment

by:Alexey91
ID: 33570845
KCTS, I was under the impression that you must have at least one GC per Forest, and not per Domain.  In other words, if you have 2 DCs in the root domain and 2 DCs in the child domain, you are required to have GC on only one DC.  Is that correct?

As far as my original concern, I understand that I should either remove GC from DC2.child.domain.com or make DC2.domain.com a GC.  However, I just want to make sure I understand all the reasons and implications.

Thanks,
Alex
0
