Solved

Question about Global Catalog and Infrastructure Master

Posted on 2010-08-31
6
663 Views
Last Modified: 2012-05-10
Hello,

I have recently came into the environment where we are having some random computer accounts authentication issues and I am trying to eliminate some of the AD configuration problems as a potential cause.  It may completely be unrelated however, but I want to make sure AD is configured correctly nonetheless

My particular question is regarding Global Catalog and Infrastructure Master Role.  Here are the things that you will find in every document regarding these functions.
-      You only need one Global Catalog per Site per Forest.
-      You should not make have same DC be Infrastructure Master and a Global Catalog server.
-      However, if ALL DCs are Global Catalog servers then it is ok.

Here is our environment:
Site 1
DC1.domain.com		GC
DC2.domain.com		IM
DC1.child.domain.com	GC
DC2.child.domain.com	GC, IM

Site 2
DC3.domain.com		GC
DC3.child.domain.com	GC

Open in new window


All DCs are Windows 2000 Server, Both Domain Functional levels are Windows 2000 Native and Forest is 2000 as well.

According to three facts/guidelines this configuration will cause problems.  Can anyone tell me if it is indeed a bad configuration and what exact problems may this cause.  To me it seems that DC2.child.domain.com should not be a Global Catalog.

Thanks,
Alex
0
Comment
Question by:Alexey91
6 Comments
 
LVL 16
ID: 33569986
That's correct. Without knowing what your exact problem is I would also go ahead and do a d2 non-authoritative restore on your IM's.

http://support.microsoft.com/kb/840674

MO
0
 
LVL 1

Author Comment

by:Alexey91
ID: 33570059
Thanks for response, so you are saying that I should remove Global Catalog from DC2.child.domain.com?  And also do non-authoritative restore on both DC2.domain.com and DC2.child.domain.com or just on DC2.child.domain.com.  Why do you think I need to do that?  This configuration has been in place for at least 2 months now.

Thanks,
Alex
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 300 total points
ID: 33570098
DC2.child should not be a GC in your setup.  I'd make them all GCs.  See bullet one

http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html

In 2008 the GC is selected by default during dcpromo.

Good short overview of the IM and GC (for others that come across this via google/bing)

http://blogs.dirteam.com/blogs/jorge/archive/2006/07/18/the-infrastructure-master-fsmo-and-the-gc-role.aspx

Thanks

Mike
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 16

Assisted Solution

by:Michael Ortega (Internetwerx, Inc.)
Michael Ortega (Internetwerx, Inc.) earned 200 total points
ID: 33570133
mkline71 is right about setting up all as GC's. It's actually cleaner that way. You can go with removing the GC on dc2.child, but it would be just as well making them all GC's. The non-authoritative restore will essentially restart a clean replication of active directory to the "backup dc's". They aren't really backup DC's anymore, but if there is a question that something is wrong with replication or authentication then I would do the non-authoritative restore on the DC's in question.

MO
0
 
LVL 70

Expert Comment

by:KCTS
ID: 33570608
Lets clear up a couple of points

1. You must have at least one GC per domain

2. Its normally fine to have the IM and GC on the same machine, the only case where it is a potential issue is if SOME but NOT ALL DCs are GCs in a multi-domain envirnonment.

3. I you don't have multiple domains its not an issue

4. If you happen to have all DCs as GCs (even in a milti-domain environment), then again its not an issue.
0
 
LVL 1

Author Comment

by:Alexey91
ID: 33570845
KCTS, I was under impression that you must have at least one GC per Forest, and not per Domain.  In other words if you have 2 DCs in root domain and 2 DCs in child domain you are required to have GC on only one DC.  Is that correct?

As far as my original concern, I understand that I should either remove GC from DC2.child.domain.com or to make DC2.domain.com a CG.  However I just want to make sure I understand all the reasons and implications.

Thanks,
Alex
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now