Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Question about Global Catalog and Infrastructure Master

Posted on 2010-08-31
6
Medium Priority
?
685 Views
Last Modified: 2012-05-10
Hello,

I have recently came into the environment where we are having some random computer accounts authentication issues and I am trying to eliminate some of the AD configuration problems as a potential cause.  It may completely be unrelated however, but I want to make sure AD is configured correctly nonetheless

My particular question is regarding Global Catalog and Infrastructure Master Role.  Here are the things that you will find in every document regarding these functions.
-      You only need one Global Catalog per Site per Forest.
-      You should not make have same DC be Infrastructure Master and a Global Catalog server.
-      However, if ALL DCs are Global Catalog servers then it is ok.

Here is our environment:
Site 1
DC1.domain.com		GC
DC2.domain.com		IM
DC1.child.domain.com	GC
DC2.child.domain.com	GC, IM

Site 2
DC3.domain.com		GC
DC3.child.domain.com	GC

Open in new window


All DCs are Windows 2000 Server, Both Domain Functional levels are Windows 2000 Native and Forest is 2000 as well.

According to three facts/guidelines this configuration will cause problems.  Can anyone tell me if it is indeed a bad configuration and what exact problems may this cause.  To me it seems that DC2.child.domain.com should not be a Global Catalog.

Thanks,
Alex
0
Comment
Question by:Alexey91
6 Comments
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 33569986
That's correct. Without knowing what your exact problem is I would also go ahead and do a d2 non-authoritative restore on your IM's.

http://support.microsoft.com/kb/840674

MO
0
 
LVL 1

Author Comment

by:Alexey91
ID: 33570059
Thanks for response, so you are saying that I should remove Global Catalog from DC2.child.domain.com?  And also do non-authoritative restore on both DC2.domain.com and DC2.child.domain.com or just on DC2.child.domain.com.  Why do you think I need to do that?  This configuration has been in place for at least 2 months now.

Thanks,
Alex
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1200 total points
ID: 33570098
DC2.child should not be a GC in your setup.  I'd make them all GCs.  See bullet one

http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html

In 2008 the GC is selected by default during dcpromo.

Good short overview of the IM and GC (for others that come across this via google/bing)

http://blogs.dirteam.com/blogs/jorge/archive/2006/07/18/the-infrastructure-master-fsmo-and-the-gc-role.aspx

Thanks

Mike
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 16

Assisted Solution

by:Michael Ortega
Michael Ortega earned 800 total points
ID: 33570133
mkline71 is right about setting up all as GC's. It's actually cleaner that way. You can go with removing the GC on dc2.child, but it would be just as well making them all GC's. The non-authoritative restore will essentially restart a clean replication of active directory to the "backup dc's". They aren't really backup DC's anymore, but if there is a question that something is wrong with replication or authentication then I would do the non-authoritative restore on the DC's in question.

MO
0
 
LVL 70

Expert Comment

by:KCTS
ID: 33570608
Lets clear up a couple of points

1. You must have at least one GC per domain

2. Its normally fine to have the IM and GC on the same machine, the only case where it is a potential issue is if SOME but NOT ALL DCs are GCs in a multi-domain envirnonment.

3. I you don't have multiple domains its not an issue

4. If you happen to have all DCs as GCs (even in a milti-domain environment), then again its not an issue.
0
 
LVL 1

Author Comment

by:Alexey91
ID: 33570845
KCTS, I was under impression that you must have at least one GC per Forest, and not per Domain.  In other words if you have 2 DCs in root domain and 2 DCs in child domain you are required to have GC on only one DC.  Is that correct?

As far as my original concern, I understand that I should either remove GC from DC2.child.domain.com or to make DC2.domain.com a CG.  However I just want to make sure I understand all the reasons and implications.

Thanks,
Alex
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question