Solved

Question about Global Catalog and Infrastructure Master

Posted on 2010-08-31
Last Modified: 2012-05-10
Hello,

I have recently come into an environment where we are having some random computer account authentication issues, and I am trying to eliminate some of the AD configuration problems as a potential cause. It may be completely unrelated, but I want to make sure AD is configured correctly nonetheless.

My particular question is regarding Global Catalog and Infrastructure Master Role.  Here are the things that you will find in every document regarding these functions.
- You only need one Global Catalog per Site per Forest.
- You should not have the same DC be Infrastructure Master and a Global Catalog server.
- However, if ALL DCs are Global Catalog servers then it is ok.

Here is our environment:
Site 1
DC1.domain.com		GC
DC2.domain.com		IM
DC1.child.domain.com	GC
DC2.child.domain.com	GC, IM

Site 2
DC3.domain.com		GC
DC3.child.domain.com	GC


All DCs are Windows 2000 Server, Both Domain Functional levels are Windows 2000 Native and Forest is 2000 as well.

According to the three facts/guidelines, this configuration will cause problems. Can anyone tell me if it is indeed a bad configuration and what exact problems this may cause? To me it seems that DC2.child.domain.com should not be a Global Catalog.

Thanks,
Alex
0
Question by:Alexey91
6 Comments
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 33569986
That's correct. Without knowing what your exact problem is, I would also go ahead and do a D2 non-authoritative restore on your IMs.

http://support.microsoft.com/kb/840674

MO
0
 
LVL 1

Author Comment

by:Alexey91
ID: 33570059
Thanks for the response. So you are saying that I should remove Global Catalog from DC2.child.domain.com? And also do a non-authoritative restore on both DC2.domain.com and DC2.child.domain.com, or just on DC2.child.domain.com? Why do you think I need to do that? This configuration has been in place for at least 2 months now.

Thanks,
Alex
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 300 total points
ID: 33570098
DC2.child should not be a GC in your setup.  I'd make them all GCs.  See bullet one

http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html

In 2008 the GC is selected by default during dcpromo.

Good short overview of the IM and GC (for others that come across this via google/bing)

http://blogs.dirteam.com/blogs/jorge/archive/2006/07/18/the-infrastructure-master-fsmo-and-the-gc-role.aspx

Thanks

Mike
0
 
LVL 16

Assisted Solution

by:Michael Ortega
Michael Ortega earned 200 total points
ID: 33570133
mkline71 is right about setting up all as GCs. It's actually cleaner that way. You can go with removing the GC on dc2.child, but it would be just as well making them all GCs. The non-authoritative restore will essentially restart a clean replication of Active Directory to the "backup DCs". They aren't really backup DCs anymore, but if there is a question that something is wrong with replication or authentication then I would do the non-authoritative restore on the DCs in question.

MO
0
 
LVL 70

Expert Comment

by:KCTS
ID: 33570608
Let's clear up a couple of points:

1. You must have at least one GC per domain.

2. It's normally fine to have the IM and GC on the same machine; the only case where it is a potential issue is if SOME but NOT ALL DCs are GCs in a multi-domain environment.

3. If you don't have multiple domains, it's not an issue.

4. If you happen to have all DCs as GCs (even in a multi-domain environment), then again it's not an issue.
0
 
LVL 1

Author Comment

by:Alexey91
ID: 33570845
KCTS, I was under the impression that you must have at least one GC per Forest, and not per Domain. In other words, if you have 2 DCs in the root domain and 2 DCs in the child domain, you are required to have a GC on only one DC. Is that correct?

As far as my original concern, I understand that I should either remove GC from DC2.child.domain.com or make DC2.domain.com a GC. However, I just want to make sure I understand all the reasons and implications.

Thanks,
Alex
0
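
The placement guideline discussed in this thread, applied to the inventory from the question, as an added example that is not part of the original posts. The thread does not say whether "all DCs are GCs" is judged within the Infrastructure Master holder's own domain or across the whole forest, so `scope` is a parameter; `INVENTORY`, `audit_im_placement` and `scope` are names made up for this sketch.

```python
from collections import defaultdict

# Inventory transcribed from the question: (host, domain, is_gc, holds_im).
INVENTORY = [
    ("DC1.domain.com",       "domain.com",       True,  False),
    ("DC2.domain.com",       "domain.com",       False, True),
    ("DC3.domain.com",       "domain.com",       True,  False),
    ("DC1.child.domain.com", "child.domain.com", True,  False),
    ("DC2.child.domain.com", "child.domain.com", True,  True),
    ("DC3.child.domain.com", "child.domain.com", True,  False),
]


def audit_im_placement(inventory, scope="domain"):
    """Return sorted (subject, reason) findings for IM holders that are also GCs.

    scope="domain": the all-GC exception is judged within the IM holder's domain.
    scope="forest": the exception is judged across every DC in the inventory.
    """
    if scope not in ("domain", "forest"):
        raise ValueError("scope must be 'domain' or 'forest'")
    by_domain = defaultdict(list)
    for host, domain, is_gc, holds_im in inventory:
        by_domain[domain].append((host, is_gc, holds_im))

    findings = []
    if len(by_domain) < 2:
        return findings  # single-domain forest: co-location is not an issue
    every_dc = [dc for dcs in by_domain.values() for dc in dcs]
    for domain, dcs in by_domain.items():
        holders = [host for host, _, holds_im in dcs if holds_im]
        if len(holders) != 1:  # the role exists exactly once per domain
            findings.append((domain, f"expected 1 IM holder, found {len(holders)}"))
            continue
        im_is_gc = next(is_gc for host, is_gc, _ in dcs if host == holders[0])
        if not im_is_gc:
            continue  # IM on a non-GC is the recommended placement
        peers = dcs if scope == "domain" else every_dc
        non_gc = sorted(host for host, is_gc, _ in peers if not is_gc)
        if non_gc:  # some but not all DCs in scope are GCs
            findings.append((holders[0], "IM on a GC while not a GC: " + ", ".join(non_gc)))
    return sorted(findings)


if __name__ == "__main__":
    for scope in ("domain", "forest"):
        print(scope, audit_im_placement(INVENTORY, scope))
```

With the forest-wide reading the only finding is DC2.child.domain.com, because DC2.domain.com is not a GC; with the per-domain reading the inventory produces no finding, since every DC in child.domain.com is already a GC.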
