Solved

Question about Global Catalog and Infrastructure Master

Posted on 2010-08-31
Last Modified: 2012-05-10
Hello,

I have recently come into an environment where we are having some random computer account authentication issues, and I am trying to eliminate AD configuration problems as a potential cause. It may be completely unrelated, but I want to make sure AD is configured correctly nonetheless.

My particular question is regarding Global Catalog and Infrastructure Master Role.  Here are the things that you will find in every document regarding these functions.
-      You only need one Global Catalog per Site per Forest.
-      You should not have the same DC be the Infrastructure Master and a Global Catalog server.
-      However, if ALL DCs are Global Catalog servers then it is ok.

Here is our environment:
Site 1
DC1.domain.com		GC
DC2.domain.com		IM
DC1.child.domain.com	GC
DC2.child.domain.com	GC, IM

Site 2
DC3.domain.com		GC
DC3.child.domain.com	GC



All DCs are Windows 2000 Server, Both Domain Functional levels are Windows 2000 Native and Forest is 2000 as well.

According to these three facts/guidelines, this configuration will cause problems. Can anyone tell me if it is indeed a bad configuration and what exact problems it may cause? To me it seems that DC2.child.domain.com should not be a Global Catalog.

Thanks,
Alex
Question by:Alexey91
6 Comments
 
LVL 16
ID: 33569986
That's correct. Without knowing what your exact problem is I would also go ahead and do a d2 non-authoritative restore on your IM's.

http://support.microsoft.com/kb/840674

MO
 
LVL 1

Author Comment

by:Alexey91
ID: 33570059
Thanks for the response. So you are saying that I should remove the Global Catalog from DC2.child.domain.com? And also do a non-authoritative restore on both DC2.domain.com and DC2.child.domain.com, or just on DC2.child.domain.com? Why do you think I need to do that? This configuration has been in place for at least 2 months now.

Thanks,
Alex
 
LVL 57

Accepted Solution

by:
Mike Kline earned 300 total points
ID: 33570098
DC2.child should not be a GC in your setup. I'd make them all GCs. See bullet one:

http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html

In 2008 the GC is selected by default during dcpromo.

Good short overview of the IM and GC (for others that come across this via google/bing)

http://blogs.dirteam.com/blogs/jorge/archive/2006/07/18/the-infrastructure-master-fsmo-and-the-gc-role.aspx

Thanks

Mike

 
LVL 16

Assisted Solution

by:
Michael Ortega (Internetwerx, Inc.) earned 200 total points
ID: 33570133
mkline71 is right about setting them all up as GCs. It's actually cleaner that way. You can go with removing the GC on dc2.child, but it would be just as well making them all GCs. The non-authoritative restore will essentially restart a clean replication of Active Directory to the "backup DCs". They aren't really backup DCs anymore, but if there is a question that something is wrong with replication or authentication then I would do the non-authoritative restore on the DCs in question.

MO
 
LVL 70

Expert Comment

by:KCTS
ID: 33570608
Let's clear up a couple of points:

1. You must have at least one GC per domain.

2. It's normally fine to have the IM and GC on the same machine. The only case where it is a potential issue is if SOME but NOT ALL DCs are GCs in a multi-domain environment.

3. If you don't have multiple domains, it's not an issue.

4. If you happen to have all DCs as GCs (even in a multi-domain environment), then again it's not an issue.
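An added example, not posted by anyone in this thread: a PowerShell audit that applies the four points above to a live forest and reports, per domain, where the Infrastructure Master sits, whether it is a GC, and whether the "some but not all DCs are GCs" condition exists. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), so it would not run against the Windows 2000 forest in the question as-is; there you would use ntdsutil "roles" for the FSMO holders and read the options attribute on each DC's NTDS Settings object (bit 0x1 set means GC). The second function performs the fix the accepted answer chose, making every DC a GC, and is the example's own suggestion rather than anything from the thread.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ImGcPlacementReport {
    $forest      = Get-ADForest
    $domains     = @($forest.Domains)
    $multiDomain = $domains.Count -gt 1

    # Every DC in the forest; IsGlobalCatalog says whether it hosts the GC partition.
    $allDCs = @(foreach ($d in $domains) { Get-ADDomainController -Filter * -Server $d })
    $everyDcIsGc = @($allDCs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    foreach ($d in $domains) {
        $dom = Get-ADDomain -Server $d
        # InfrastructureMaster holds the FQDN of the role owner, e.g. dc2.child.domain.com
        $im  = $allDCs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster } | Select-Object -First 1

        # Rules from the thread: single domain -> irrelevant; all DCs GC -> fine;
        # IM on a GC while some DCs are not GCs -> IM never refreshes cross-domain phantoms.
        $status =
            if (-not $multiDomain)       { 'OK: single-domain forest, IM/GC placement does not matter' }
            elseif ($everyDcIsGc)        { 'OK: every DC in the forest is a GC' }
            elseif ($im.IsGlobalCatalog) { 'PROBLEM: IM is a GC while some DCs are not; cross-domain references will go stale' }
            else                         { 'OK: IM is not a GC' }

        [pscustomobject]@{
            Domain               = $d
            InfrastructureMaster = $im.HostName
            IMIsGlobalCatalog    = $im.IsGlobalCatalog
            DCsInDomain          = @($allDCs | Where-Object { $_.Domain -eq $d }).Count
            GCsInDomain          = @($allDCs | Where-Object { $_.Domain -eq $d -and $_.IsGlobalCatalog }).Count
            Status               = $status
        }
    }
}

# Remediation used in the accepted answer: make every DC a GC. The GC flag is bit 0x1
# of the options attribute on the DC's NTDS Settings object (Configuration NC), so OR
# it in instead of overwriting the attribute. Supports -WhatIf for a dry run.
function Enable-GlobalCatalogOnAllDCs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($d in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $d) {
            if ($dc.IsGlobalCatalog) { continue }
            $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options -Server $d
            $new  = [int]$ntds.options -bor 1
            if ($PSCmdlet.ShouldProcess($dc.HostName, "Set GC flag (options $($ntds.options) -> $new)")) {
                Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $new } -Server $d
            }
        }
    }
}

# Usage: report first, then fix only after reviewing the output.
Get-ImGcPlacementReport | Format-Table -AutoSize
# Enable-GlobalCatalogOnAllDCs -WhatIf
```

Run against a forest laid out like the one in the question, the report would show domain.com as OK (its IM, DC2.domain.com, is not a GC) and child.domain.com as PROBLEM (its IM, DC2.child.domain.com, is a GC while DC2.domain.com is not). Either removing the GC from DC2.child.domain.com or promoting DC2.domain.com to GC clears the condition; the second function takes the "all GCs" route, after which the GC check no longer matters.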
 
LVL 1

Author Comment

by:Alexey91
ID: 33570845
KCTS, I was under the impression that you must have at least one GC per Forest, and not per Domain. In other words, if you have 2 DCs in the root domain and 2 DCs in the child domain, you are required to have a GC on only one DC. Is that correct?

As far as my original concern, I understand that I should either remove the GC from DC2.child.domain.com or make DC2.domain.com a GC. However, I just want to make sure I understand all the reasons and implications.

Thanks,
Alex