Global Catalog Server needed?

Discussion in 'Active Directory' started by Jim, Sep 28, 2009.

  1. Jim

    Jim Guest

    Hello, I'm trying to get my head around the need for a GC server.

    I've read many documents dating back to 2003 and need some clarity.

    I've read that, in the case of a single domain, the GC server has nothing to
    do and thus unnecessary? I've read other documents stating that in a single
    domain network, every DC should be a GC server. I've also read that you
    should never put a GC on a PDC master DC. I've read that exchange uses GC
    servers so you better have one.

    I have a single domain network and currently two global catalog servers out
    of 5 DC's.

    The problem I'm having, is that if one DC goes down, users can not log onto
    the domain as they get no domain controllers can be found. I've run the
    DCDIAG tests and everything checks out fine. No errors, no warnings,

    I thought it might have something to do with GC's but I'm unsure.

    Any thoughts?

    Jim, Sep 28, 2009
    1. Advertisements

  2. In one domain, all DCs should be a GC.

    You may have read about the INfrastructure Master role. In a single domain,
    it has nothing to do, but as for the GC, it has a lot to do!

    As for two DC/GCs, and querying one then the other, it depends on the client
    side resolver service if it queried the first one and it were to be down,
    before it can query the second one in the DNS entries. THere is a time

    However, if you just make them all GCs, you should be good to go. After all,
    how often do expect your DC to go down?

    Basically the following link should explain it. I have more links down below
    for more corraborative info.

    Global Catalog vs. Infrastructure Master
    "If a single domain forest, you can have all DCs a GC. If multiple domains,
    it is recommended for a GC to not be on the FSMO IM Role, unless you make
    all DCs GCs"

    Here is more info on the IM role and the GC service:

    More info on the Infrastructure Master and Global Catalog relationship:

    As a whole, the IM updates references from other domains. What it basically
    does is updates "phantoms" in its own domain for the objects. The phantoms
    are actually "pointers" or references to the objects in the other domains.
    The phantoms are based on the following identities of the other domain's
    objects of members in another domain's objects. The reason why it doesn't
    pull in attributes such as the MemberOf or MemberIs, is because it's added
    work on the local domain's DC. Therefore it uses the phantoms as a pointer
    to query a DC in the other domain during activity when you request the
    object from the other domain, such as when adding a user or group to a local
    group in the domain in question.

    Distinguished name of the object
    Object GUID
    Object SID
    So they are basically the values that 'point' to the reference, and not
    necessarily using a MemberOf or MemberIs attribute.

    An example:
    1) User1 (DomainA) is a member of Group1 (DomainB)
    This means that when viewing membership of Group1, you should be able to see
    User1 there.

    2) User1 in DomainA gets renamed to User2

    3) this change gets replicated to all GCs across the forest

    4) IM in DomainB detects that its phantom for User1 is out of date, updates
    it, and replicates the update to all other DCs in DomainB. This means that
    when viewing membership of Group1, you should be able to see User2. Without
    IM, Group1 would still list User1 as its member


    In the meantime, please read the following links for more info. The first
    link explains what I summarized in more detail, which hopefully will give
    you a better understanding.

    Phantoms, tombstones and the infrastructure master role conflict with a
    global catalog

    Infrastructure Education:

    Global Catalog vs. Infrastructure Master
    "If a single domain forest, you can have all DCs a GC. If multiple domains,
    it is recommended for a GC to not be on the FSMO IM Role, unless you make
    all DCs GCs"

    FSMO placement and optimization on Active Directory domain controllers:

    Global Catalog vs. Infrastructure Master
    "If a single domain forest, you can have all DCs a GC. If multiple domains,
    it is recommended for a GC to not be on the

    FSMO IM Role, unless you make all DCs GCs"

    Infrastructure Master Education:
    "Global catalog and infrastructure master role conflicts only when there are
    more than one Domain in the Frost. We don’t need to worry about single
    Domain situation." - Mervyn Zhang, MSFT

    Windows 2000 Active Directory FSMO roles (Similar to 2003 & 2008):

    Also with the multiple locations, I suggest to create AD sites that
    correspond to each subnet. To do that, follow this article's steps:

    Step-by-Step Guide to Active Directory Sites and Services

    [DOC] Step-by-Step Guide to Active Directory Sites and ServicesFile Format:
    Microsoft Word - View as HTML
    Creating a site link between two or more sites is a way to influence
    replication topology. By creating a site link, you provide Active Directory
    with ...

    Now for DNS registration. On the child DC, delete the
    system32\config\netlogon.dns and netlogon.bak files. Then run:
    ipconfig /flushdns
    ipconfig /registerdns
    net stop netlogon
    net start netlogon

    Make sure the DC's A record, the LdapIpAddress record, which is the "same as
    parent" record that should show the child DC's IP, and the SRV data is
    showing up in the nl.linakorg.local zone. Check the Sites configuration to
    make sure the respective DCs in the child domain show up correctly. Check in
    the _gc._msdc.linakorg.local zone that the respective IPs of the DCs that
    you made GCs show up.

    Planning Domain Controller Capacity


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check for regional support phone numbers.
    Ace Fekay [MCT], Sep 29, 2009
    1. Advertisements

  3. Hello Jim,

    See inline.

    Best regards

    Meinolf Weber

    A GC is not unnecessary, the Infrastrucuter master has nothing to do. See
    here about more details:

    Exchange must have access to a GC server.
    It is ok with 2, but in a single forest domain make all DCs GC.
    This belongs to the DNS client side resolving, GC is not used for logon itself,
    except you use Universal groups.

    See "Global Catalog Processes and Interactions" in:
    Meinolf Weber [MVP-DS], Sep 29, 2009
  4. Jim

    Joe Dunn Guest

    A GC contains a subset of information from all the domains in a forest. A
    GC must be available for at login.

    So when planning GC placement you have to weigh up the extra network traffic
    that is required to replicate the extra information against ensuring high
    availability of GCs.

    In a single domain forest however the GC holds no extra information (there
    are no other domains in the forest for it to hold information about) so there
    is no extra replication. As there is no extra load on the server and GCs
    must be highly available you should just make them all GCs.

    Best Regards
    Joe Dunn
    Joe Dunn, Sep 29, 2009
  5. Jim

    Jim Guest

    Thanks Ace, I'm making all DC's a GC and will let you know what happens.
    Thanks for all the data.

    Jim, Sep 29, 2009

  6. You are welcome!

    Ace Fekay [MCT], Sep 29, 2009
  7. Jim

    Jim Guest

    The first quick test shows making them all GC's resolved the problem.

    Thanks for the info!
    Jim, Sep 29, 2009
  8. Jim

    Jim Guest

    Joe, you all had the same good advice.

    It seems to have made all the difference.

    Thanks for the quick help!
    Jim, Sep 29, 2009
  9. Jim

    Jim Guest

    You guys are bloody geniuses!
    That seems to have done the trick.

    Thanks for the help!

    Jim, Sep 29, 2009
  10. No problem, and no, not geniuses. Slept at a Holiday Inn last night...
    (reference to Holiday Inn's TV commercials).

    Wyle E. Coyote... :)

    Ace Fekay [MCT], Sep 29, 2009
  11. Jim

    Dave Warren Guest

    In message <#> "Ace Fekay [MCT]"
    My condolences -- I hope you didn't eat any of the pasty egg flavoured
    jello in the breakfast bar?
    Dave Warren, Sep 30, 2009

  12. No, I went to a Dunkin Donuts! ;-)
    Ace Fekay [MCT], Sep 30, 2009
  13. Jim

    Dave Warren Guest

    In message <> "Ace Fekay [MCT]"
    Now THAT is staying smart at a Holiday Inn Express: Leaving.
    Dave Warren, Oct 2, 2009

  14. LOL!! :)
    Ace Fekay [MCT], Oct 2, 2009
  15. make all DCs a GC (especially in a single domain environment)



    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!

    __________ Information from ESET Smart Security, version of virus signature database 4507 (20091014) __________

    The message was checked by ESET Smart Security.
    Jorge de Almeida Pinto [MVP - DS], Oct 14, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.