Single domain, need to make a remote DC a GC?

We have a single 2003 forest/domain env't.
We'll have 2 sites (currently only 1).
The HQ site has a few DCs (also a GC) and an Exchange mail server.
The remote site will have a dedicated DC for the users there to authenticate
against (configured in ADSS for their subnet).
Does this DC at this remote site need to be a GC as well to handle user
authentication in case they lose a connection to the HQ in a single
forest/domain env't?

Thanks

Hello ad2009,

In a single forest domain like domain.com make all DCs Global catalog. GC
is needed during logon only if you use UPN logon or universal groups are
in use. Make the remote DC also DNS server and don't forget to configure
AD sites and services according to the physical topology with the subnets
and sites where the DC is moved to.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> We have a single 2003 forest/domain env't.
> We'll have 2 sites (currently only 1).
> The HQ site has a few DCs (also a GC) and an Exchange mail server.
> The remote site will have a dedicated DC for the users there to
> authenticate
> against (configured in ADSS for their subnet).
> Does this DC at this remote site need to be a GC as well to handle
> user
> authentication in case they lose a connection to the HQ in a single
> forest/domain env't?
> Thanks
>

"ad2009" <> wrote in message news:E43DA49E-3DE4-43C8-9B2D-...
>
> We have a single 2003 forest/domain env't.
> We'll have 2 sites (currently only 1).
> The HQ site has a few DCs (also a GC) and an Exchange mail server.
> The remote site will have a dedicated DC for the users there to authenticate
> against (configured in ADSS for their subnet).
> Does this DC at this remote site need to be a GC as well to handle user
> authentication in case they lose a connection to the HQ in a single
> forest/domain env't?
>
> Thanks


In addition to what Meinolf mentioned, any time you create an AD Site, a DC must exist in the site. Sites are designed to control replication traffic and logon/authentication traffic. Therefore, it is advisable to have a GC. In a single domain forest sceanrio, as Meinolf mentioned, all DCs should be GCs, so that answers your question about the DC in theother site being a GC. In a multi-domain forest, you would have to pick a DC that doesn't hold the IM FSMO Role to become a GC, but since you only have one domain in the forest, you need not worry about this rule.

I hope that helps!

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Ace,
Not sure if you realize, but you can make all dc's gc's in a forest and the
IM role is still unneeded and can reside on a GC since there is no need for
the role.

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewGroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"Ace Fekay [MVP-DS, MCT]" <> wrote in message
news:...
"ad2009" <> wrote in message
news:E43DA49E-3DE4-43C8-9B2D-...
>
> We have a single 2003 forest/domain env't.
> We'll have 2 sites (currently only 1).
> The HQ site has a few DCs (also a GC) and an Exchange mail server.
> The remote site will have a dedicated DC for the users there to
> authenticate
> against (configured in ADSS for their subnet).
> Does this DC at this remote site need to be a GC as well to handle user
> authentication in case they lose a connection to the HQ in a single
> forest/domain env't?
>
> Thanks


In addition to what Meinolf mentioned, any time you create an AD Site, a DC
must exist in the site. Sites are designed to control replication traffic
and logon/authentication traffic. Therefore, it is advisable to have a GC.
In a single domain forest sceanrio, as Meinolf mentioned, all DCs should be
GCs, so that answers your question about the DC in theother site being a GC.
In a multi-domain forest, you would have to pick a DC that doesn't hold the
IM FSMO Role to become a GC, but since you only have one domain in the
forest, you need not worry about this rule.

I hope that helps!

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.

"Paul Bergson [MVP-DS]" <> wrote in message news:...
> Ace,
> Not sure if you realize, but you can make all dc's gc's in a forest and the
> IM role is still unneeded and can reside on a GC since there is no need for
> the role.
>

Are you referring to a single domain or multi-domain forest? Single domain, yes, I mentioned that. But I don't really agree with that in a multi-domain scenario. Let me rephrase that - you can get away with it, but I would rather follow the base rules and let the IM to handle the phantom objects from other domains. Is that what you meant?



--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

We might set up the remote site as a child domain instead and set up 2 DCs
there.
The bandwidth between us and the remote site is a T-1.
Should I make only 1 of them a GC (non IM)?
What happens if that 1 DC that's also a GC goes down in the child domain?
Would the clients in the child domain contact the parent domain's GC?

"Ace Fekay [MVP-DS, MCT]" wrote:

> "ad2009" <> wrote in message news:E43DA49E-3DE4-43C8-9B2D-...
> >
> > We have a single 2003 forest/domain env't.
> > We'll have 2 sites (currently only 1).
> > The HQ site has a few DCs (also a GC) and an Exchange mail server.
> > The remote site will have a dedicated DC for the users there to authenticate
> > against (configured in ADSS for their subnet).
> > Does this DC at this remote site need to be a GC as well to handle user
> > authentication in case they lose a connection to the HQ in a single
> > forest/domain env't?
> >
> > Thanks
>
>
> In addition to what Meinolf mentioned, any time you create an AD Site, a DC must exist in the site. Sites are designed to control replication traffic and logon/authentication traffic. Therefore, it is advisable to have a GC. In a single domain forest sceanrio, as Meinolf mentioned, all DCs should be GCs, so that answers your question about the DC in theother site being a GC. In a multi-domain forest, you would have to pick a DC that doesn't hold the IM FSMO Role to become a GC, but since you only have one domain in the forest, you need not worry about this rule.
>
> I hope that helps!
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
> .
>

Howdie!

Am 13.04.2010 19:43, schrieb ad2009:
> We might set up the remote site as a child domain instead and set up 2 DCs
> there.

Are there specific reasons why you want to do that? Make it a child
domain? Is there a good reason other than "it's a site and not in the
head quarter"? You save yourself a lot of headache and management
overhead (even hardware and licencing cost!) if you're just staying in
one domain and deploy a DC (maybe a RODC?) to that other AD-site.

> The bandwidth between us and the remote site is a T-1.
> Should I make only 1 of them a GC (non IM)?

If you go down that road, make both of them GC.

> What happens if that 1 DC that's also a GC goes down in the child domain?

Authentication can be affected by that as the online-DC needs to check
with a GC whether a logging-in user is member of universal groups and
where they are located.

> Would the clients in the child domain contact the parent domain's GC?

Yeah, that could happen.

Cheers,
Florian

Hello ad2009,

What advantages do you see with a child domain? I can see only more administrative
work, additional failure points and management for example.

The IM comes only into play when using multiple domain forest, then the IM
shouldn't be GC. For details see:
http://support.microsoft.com/kb/223346/en-us

http://msmvps.com/blogs/ulfbsimonwei.../08/37975.aspx

At the moment when the GC goes down nothing happens, except the DC is also
DNS server or you use UPN logon or universal groups. UPN/Universal groups
need a GC for authentication. For logon a DNS server must be reachable for
the domain and also configured on the client machines.

Clients are able to contact the parent domain.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> We might set up the remote site as a child domain instead and set up 2
> DCs
> there.
> The bandwidth between us and the remote site is a T-1.
> Should I make only 1 of them a GC (non IM)?
> What happens if that 1 DC that's also a GC goes down in the child
> domain?
> Would the clients in the child domain contact the parent domain's GC?
> "Ace Fekay [MVP-DS, MCT]" wrote:
>
>> "ad2009" <> wrote in message
>> news:E43DA49E-3DE4-43C8-9B2D-...
>>
>>> We have a single 2003 forest/domain env't.
>>> We'll have 2 sites (currently only 1).
>>> The HQ site has a few DCs (also a GC) and an Exchange mail server.
>>> The remote site will have a dedicated DC for the users there to
>>> authenticate
>>> against (configured in ADSS for their subnet).
>>> Does this DC at this remote site need to be a GC as well to handle
>>> user
>>> authentication in case they lose a connection to the HQ in a single
>>> forest/domain env't?
>>> Thanks
>>>
>> In addition to what Meinolf mentioned, any time you create an AD
>> Site, a DC must exist in the site. Sites are designed to control
>> replication traffic and logon/authentication traffic. Therefore, it
>> is advisable to have a GC. In a single domain forest sceanrio, as
>> Meinolf mentioned, all DCs should be GCs, so that answers your
>> question about the DC in theother site being a GC. In a multi-domain
>> forest, you would have to pick a DC that doesn't hold the IM FSMO
>> Role to become a GC, but since you only have one domain in the
>> forest, you need not worry about this rule.
>>
>> I hope that helps!
>>
>> -- Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Please reply back to the newsgroup or forum for collaboration benefit
>> among responding engineers, and to help others benefit from your
>> resolution.
>>
>> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007,
>> MCSE & MCSA 2003/2000, MCSA Messaging 2003
>>
>> Microsoft Certified Trainer
>>
>> Microsoft MVP - Directory Services
>>
>> If you feel this is an urgent issue and require immediate assistance,
>> please contact Microsoft PSS directly. Please check
>> http://support.microsoft.com for regional support phone numbers.
>>
>> .
>>

"ad2009" <> wrote in message news:777F0150-D74A-45B9-A744-...
> We might set up the remote site as a child domain instead and set up 2 DCs
> there.
> The bandwidth between us and the remote site is a T-1.
> Should I make only 1 of them a GC (non IM)?
> What happens if that 1 DC that's also a GC goes down in the child domain?
> Would the clients in the child domain contact the parent domain's GC?
>


As Florian and Meinolf stated, I wouldn't suggest creating a child domain. It's adminstrative overhead, and you need at least two more DCs. Each domain is recommened to have at least two DCs, with the only exception being SBS.

Anytime a DC, especially if it is a GC, goes down, authentication issues will occur. It is recommended to have a DR plan in place for when this occurs. An authenticating client will look for a GC in another domain, as Florian mentioned, which is the default redundancy that the client side GetDcList function runs when it is trying to logon or authenticate to a resource when the GC in its own Site cannot be contacted. Of course this also requires the WAN link to be up. A client will still be able to logon with cached credentials, but if it is part of any Universal groups, it will deny logon, as also Florian mentioned, because a user *may* be part of a Universal group that could have been denied to a resource during the time the user was not logged on, and all Universal groups are enumerated at logon.

The bandwidth is more than plenty to have one domain. Remember, AD Sites control replication traffic, too, which I mentioned, but I did forget to mention that replication traffic between DCs in different AD Sites will be compressed down to around 15% (IIRC). So the T1 is more than sufficient.

And as was stated, it is recommened to have all DCs be a GC in a single domain forest, whether you have one AD Site or many AD Sites. Each Site requires a GC anyway to take advantage of what an AD Site was meant for. The rule with the GC and the IM role is ONLY used when there are more than one domain, so in your case, if you do not create a child domain, *simply* make all your DCs GCs.

IMHO, the scenario you have with one domain and two DCs, is a rather common scenario that many companies have been running for many a multitude of years without problems. I'm not sure why there appears to be hesitancy in your decision based on the advise already given. Are you seeing any problems, or have you heard of others that have had problems in such a scenario? If so, please relate them to us, and we can evaluate or comment on what may have occured to cause them.

Ace

Yeah, multidomain forest. If all DC's are GC's in your forest it runs into
the same scenario as a single domain once a GC knows about all the other
objects in the forest it has no need for an IM.

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewGroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"Ace Fekay [MVP-DS, MCT]" <> wrote in message
news:%...
"Paul Bergson [MVP-DS]" <> wrote in message
news:...
> Ace,
> Not sure if you realize, but you can make all dc's gc's in a forest and
> the
> IM role is still unneeded and can reside on a GC since there is no need
> for
> the role.
>

Are you referring to a single domain or multi-domain forest? Single domain,
yes, I mentioned that. But I don't really agree with that in a multi-domain
scenario. Let me rephrase that - you can get away with it, but I would
rather follow the base rules and let the IM to handle the phantom objects
from other domains. Is that what you meant?



--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.