Multiple Global Catalog servers in Win2k Environment

dgarner58

IS-IT--Management
Oct 8, 2003
44
US
I have a wide area network...all win2k servers. Currently the only Global catalog exists at HQ. The problem with this is if connection is lost between sites...those sites lose authentication....therefore some network resources. My question is this...the win2k servers at these remotes are also DC's....are there any issues to making them also global catalogs so that authentication could take place on those servers? Or is it simply click the check box and don't worry about it.

Any advice would be appreciated.

Thanks,

David Garner
 
All of my remote DC's in my child domains are GC's, and I've set both my DC's here (main site) as GC's as well. That way I can reboot any of my servers and don't have to worry about users not being able to log in.

I know I'm increasing my traffic by having two local GC's, but in my environment, that's the lesser of two evils.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
When you install Active Directory, the first DC created is also the first GC server.
To specify whether a server is a GC server, you use the Active Directory Sites and Services console. Open the Active Directory Sites and Services console, expand Sites, and then expand the site with the DC you want to be a GC server.
Next, expand Servers and find the Domain Controller object. If you right-click NTDS Settings and select Properties, you will have the option to enable or disable the GC on the DC you select.
Without proper planning, replication traffic can cause problems in a large network.
Sites help control replication traffic. Making the most of available bandwidth is an important factor in having a network that allows your users to be productive.
Logon and searching Active Directory are both affected by GC server placement. If users cannot find the information they need from Active Directory, they might not be able to log on or find the information or data they need.



 
You should add GC's (just tick the box) on at least 1 DC in each remote site. You need to make sure your DNS and Sites are set up and stable.

You will increase network traffic but this should be relatively small compared to what your clients are currently doing now! Remember when clients log on they ALWAYS attempt to contact a global catalog server.

Cory
 
Thanks a lot. I am very familiar as to how to set it up. Just wanted to make sure I wasn't going to cause undue strife. Thanks for the info.

David Garner
 
This is kind of on this subject but closer to GC's. Sorry if this should be opened elsewhere; let me know and I will comply.

I have 2 DC's in the Corp Office, DC1 is the GC, DC2 is not.

My question is should the second DC be a GC as well?

If so will this have negative ramifications (besides the replication traffic?)

Thank you in advance.

 
Sorry,

I missed lander215's reply... (All of my remote DC's in my child domains are GC's..)

This answers my question.

Sorry for the extra post.

zakallen

 
PushF1,

Are you sure they always try to contact a GC server?
I was under the impression that a non-GC server would only contact the GC if the account the user was trying to log on to was in a different domain. For example:

If a user’s account is located in example1.microsoft.com and the user decides to log on with a user principal name of user1@example1.microsoft.com from a computer located in example2.microsoft.com, the domain controller in example2.microsoft.com will be unable to find the user’s account, and will then contact a global catalog to complete the logon process.

 
It's recommended you have a global catalog server for each remote location that is limited in bandwidth to other locations... basically one per site. The catalog is a catalog of the objects in your active directory. It will speed up logins and access to resources across site boundaries. Having 2 catalogs in the same site isn't necessary. It won't hurt if you have the bandwidth to accommodate it but it doesn't really help unless the DC with the catalog goes offline.

What will really help is keeping the size of the global catalog down. This means using care in your deployment of global groups in active directory since their info is stored in the global catalog. Keep global groups to a minimum. Microsoft help explains a great way to assign permissions through groups in a multidomain environment...

Put users into domain groups. If domain groups from different domains share a common need, then create a global group and make the domain groups members (not individual users but the domain group itself). Where a resource is shared, create a local group and give the local group permissions to the share. Make your domain and global groups members of the local group to access the share. By following this practice, you will keep your global catalogs from bloating in size. You will also have the flexibility to share resources effectively.
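
Added example, not part of the original thread: a way to audit the "one GC per site" advice from an LDIF export of the NTDS Settings (nTDSDSA) objects under CN=Sites. The GC check box corresponds to bit 0x1 of each object's `options` attribute; the site names, server names and example.com domain below are constructed, and the DN pattern assumes no escaped commas in names.

```python
import re
from collections import defaultdict

NTDSDSA_OPT_IS_GC = 0x1  # bit 0 of the nTDSDSA "options" attribute marks a GC
DN_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,", re.I)

# Constructed sample shaped like an LDIF export (not data from the thread).
SAMPLE_LDIF = """\
dn: CN=NTDS Settings,CN=HQDC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: nTDSDSA
options: 1

dn: CN=NTDS Settings,CN=HQDC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: nTDSDSA

dn: CN=NTDS Settings,CN=BR1DC1,CN=Servers,CN=Branch1,CN=Sites,CN=Configuration,
 DC=example,DC=com
objectClass: nTDSDSA
options: 0
"""

def parse_ldif(text):
    """Yield one dict of attribute -> list of values per LDIF record."""
    unfolded = re.sub(r"\r?\n ", "", text)  # join folded continuation lines
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        record = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not attr.startswith("#"):
                record[attr.lower()].append(value.strip())
        yield record

def gc_by_site(text):
    """Return {site: {server: is_gc}} for every NTDS Settings object found."""
    sites = defaultdict(dict)
    for rec in parse_ldif(text):
        m = DN_RE.match(rec["dn"][0]) if rec["dn"] else None
        if not m or "ntdsdsa" not in (v.lower() for v in rec["objectclass"]):
            continue
        server, site = m.groups()
        options = int(rec["options"][0]) if rec["options"] else 0  # absent = 0
        sites[site][server] = bool(options & NTDSDSA_OPT_IS_GC)
    return dict(sites)

def sites_without_gc(text):
    return sorted(s for s, dcs in gc_by_site(text).items() if not any(dcs.values()))

if __name__ == "__main__":
    print("Sites with no GC:", sites_without_gc(SAMPLE_LDIF))
```

A site listed by `sites_without_gc` depends on a GC in another site, which is the situation the original question describes when the link to HQ is lost.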
 