We have a single 2003 forest/domain env't.
We'll have 2 sites (currently only 1).
The HQ site has a few DCs (also a GC) and an Exchange mail server.
The remote site will have a dedicated DC for the users there to authenticate
against (configured in ADSS for their subnet).
Does this DC at this remote site need to be a GC as well to handle user
authentication in case they lose a connection to the HQ in a single
forest/domain env't?
Thanks
Utf
4/12/2010 11:43:01 PM
Hello ad2009,
In a single forest domain like domain.com, make all DCs Global Catalogs. A GC
is needed during logon only if you use UPN logon or universal groups are
in use. Make the remote DC also a DNS server, and don't forget to configure
AD Sites and Services according to the physical topology, with the subnets
and sites where the DC is moved to.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> We have a single 2003 forest/domain env't.
> We'll have 2 sites (currently only 1).
> The HQ site has a few DCs (also a GC) and an Exchange mail server.
> The remote site will have a dedicated DC for the users there to
> authenticate
> against (configured in ADSS for their subnet).
> Does this DC at this remote site need to be a GC as well to handle
> user
> authentication in case they lose a connection to the HQ in a single
> forest/domain env't?
> Thanks
>
Meinolf
4/13/2010 5:18:18 AM
"ad2009" <ad2009@discussions.microsoft.com> wrote in message
news:E43DA49E-3DE4-43C8-9B2D-EA7196AAB4CB@microsoft.com...
>
> We have a single 2003 forest/domain env't.
> We'll have 2 sites (currently only 1).
> The HQ site has a few DCs (also a GC) and an Exchange mail server.
> The remote site will have a dedicated DC for the users there to authenticate
> against (configured in ADSS for their subnet).
> Does this DC at this remote site need to be a GC as well to handle user
> authentication in case they lose a connection to the HQ in a single
> forest/domain env't?
>
> Thanks
In addition to what Meinolf mentioned, any time you create an AD Site, a
DC must exist in the site. Sites are designed to control replication
traffic and logon/authentication traffic. Therefore, it is advisable to
have a GC. In a single domain forest scenario, as Meinolf mentioned, all
DCs should be GCs, so that answers your question about the DC in
the other site being a GC. In a multi-domain forest, you would have to
pick a DC that doesn't hold the IM FSMO Role to become a GC, but since
you only have one domain in the forest, you need not worry about this
rule.
I hope that helps!
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
If you feel this is an urgent issue and require immediate assistance,
please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Ace
4/13/2010 5:47:16 AM
Ace,
Not sure if you realize, but you can make all DCs GCs in a forest and the
IM role is still unneeded and can reside on a GC since there is no need for
the role.
--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the Newsgroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:ukufHzs2KHA.5880@TK2MSFTNGP02.phx.gbl...
"ad2009" <ad2009@discussions.microsoft.com> wrote in message
news:E43DA49E-3DE4-43C8-9B2D-EA7196AAB4CB@microsoft.com...
>
> We have a single 2003 forest/domain env't.
> We'll have 2 sites (currently only 1).
> The HQ site has a few DCs (also a GC) and an Exchange mail server.
> The remote site will have a dedicated DC for the users there to
> authenticate
> against (configured in ADSS for their subnet).
> Does this DC at this remote site need to be a GC as well to handle user
> authentication in case they lose a connection to the HQ in a single
> forest/domain env't?
>
> Thanks
In addition to what Meinolf mentioned, any time you create an AD Site, a DC
must exist in the site. Sites are designed to control replication traffic
and logon/authentication traffic. Therefore, it is advisable to have a GC.
In a single domain forest scenario, as Meinolf mentioned, all DCs should be
GCs, so that answers your question about the DC in the other site being a GC.
In a multi-domain forest, you would have to pick a DC that doesn't hold the
IM FSMO Role to become a GC, but since you only have one domain in the
forest, you need not worry about this rule.
I hope that helps!
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
Paul
4/13/2010 12:15:02 PM
"Paul Bergson [MVP-DS]" <pbbergs@no-spam.msn.com> wrote in message
news:uIwEzLw2KHA.5004@TK2MSFTNGP04.phx.gbl...
> Ace,
> Not sure if you realize, but you can make all dc's gc's in a forest and the
> IM role is still unneeded and can reside on a GC since there is no need for
> the role.
>
Are you referring to a single domain or multi-domain forest? Single
domain, yes, I mentioned that. But I don't really agree with that in a
multi-domain scenario. Let me rephrase that - you can get away with it,
but I would rather follow the base rules and let the IM handle the
phantom objects from other domains. Is that what you meant?
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
If you feel this is an urgent issue and require immediate assistance,
please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Ace
4/13/2010 2:22:11 PM
We might set up the remote site as a child domain instead and set up 2 DCs
there.
The bandwidth between us and the remote site is a T-1.
Should I make only 1 of them a GC (non IM)?
What happens if that 1 DC that's also a GC goes down in the child domain?
Would the clients in the child domain contact the parent domain's GC?
"Ace Fekay [MVP-DS, MCT]" wrote:
> "ad2009" <ad2009@discussions.microsoft.com> wrote in message news:E43DA49E-3DE4-43C8-9B2D-EA7196AAB4CB@microsoft.com...
> >
> > We have a single 2003 forest/domain env't.
> > We'll have 2 sites (currently only 1).
> > The HQ site has a few DCs (also a GC) and an Exchange mail server.
> > The remote site will have a dedicated DC for the users there to authenticate
> > against (configured in ADSS for their subnet).
> > Does this DC at this remote site need to be a GC as well to handle user
> > authentication in case they lose a connection to the HQ in a single
> > forest/domain env't?
> >
> > Thanks
>
>
> In addition to what Meinolf mentioned, any time you create an AD Site, a DC must exist in the site. Sites are designed to control replication traffic and logon/authentication traffic. Therefore, it is advisable to have a GC. In a single domain forest scenario, as Meinolf mentioned, all DCs should be GCs, so that answers your question about the DC in the other site being a GC. In a multi-domain forest, you would have to pick a DC that doesn't hold the IM FSMO Role to become a GC, but since you only have one domain in the forest, you need not worry about this rule.
>
> I hope that helps!
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
> .
>
Utf
4/13/2010 5:43:01 PM
Howdie!
On 13.04.2010 19:43, ad2009 wrote:
> We might set up the remote site as a child domain instead and set up 2 DCs
> there.
Are there specific reasons why you want to do that? Make it a child
domain? Is there a good reason other than "it's a site and not in the
headquarters"? You save yourself a lot of headache and management
overhead (even hardware and licensing cost!) if you're just staying in
one domain and deploy a DC (maybe an RODC?) to that other AD site.
> The bandwidth between us and the remote site is a T-1.
> Should I make only 1 of them a GC (non IM)?
If you go down that road, make both of them GC.
> What happens if that 1 DC that's also a GC goes down in the child domain?
Authentication can be affected by that, as the online DC needs to check
with a GC whether a logging-in user is a member of universal groups and
where they are located.
> Would the clients in the child domain contact the parent domain's GC?
Yeah, that could happen.
Cheers,
Florian
Florian
4/13/2010 5:52:43 PM
"ad2009" <ad2009@discussions.microsoft.com> wrote in message
news:777F0150-D74A-45B9-A744-79DCD154D9BE@microsoft.com...
> We might set up the remote site as a child domain instead and set up 2 DCs
> there.
> The bandwidth between us and the remote site is a T-1.
> Should I make only 1 of them a GC (non IM)?
> What happens if that 1 DC that's also a GC goes down in the child domain?
> Would the clients in the child domain contact the parent domain's GC?
>
As Florian and Meinolf stated, I wouldn't suggest creating a child
domain. It's administrative overhead, and you need at least two more DCs.
Each domain is recommended to have at least two DCs, with the only
exception being SBS.
Anytime a DC, especially if it is a GC, goes down, authentication issues
will occur. It is recommended to have a DR plan in place for when this
occurs. An authenticating client will look for a GC in another domain,
as Florian mentioned, which is the default redundancy that the client
side GetDcList function runs when it is trying to logon or authenticate
to a resource when the GC in its own Site cannot be contacted. Of course
this also requires the WAN link to be up. A client will still be able to
logon with cached credentials, but if it is part of any Universal
groups, it will deny logon, as Florian also mentioned, because a user
*may* be part of a Universal group that could have been denied to a
resource during the time the user was not logged on, and all Universal
groups are enumerated at logon.
The bandwidth is more than plenty to have one domain. Remember, AD Sites
control replication traffic, too, which I mentioned, but I did forget to
mention that replication traffic between DCs in different AD Sites will
be compressed down to around 15% (IIRC). So the T1 is more than
sufficient.
And as was stated, it is recommended to have all DCs be a GC in a single
domain forest, whether you have one AD Site or many AD Sites. Each Site
requires a GC anyway to take advantage of what an AD Site was meant for.
The rule with the GC and the IM role is ONLY used when there is more
than one domain, so in your case, if you do not create a child domain,
*simply* make all your DCs GCs.
IMHO, the scenario you have with one domain and two DCs is a rather
common scenario that many companies have been running for many a
multitude of years without problems. I'm not sure why there appears to
be hesitancy in your decision based on the advice already given. Are you
seeing any problems, or have you heard of others that have had problems
in such a scenario? If so, please relate them to us, and we can evaluate
or comment on what may have occurred to cause them.
Ace
Ace
4/14/2010 4:07:16 AM
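An added audit script, not from anyone in this thread, that checks the placement rules Meinolf and Ace give above: every DC a GC in a single-domain forest, the IM-versus-GC rule only when there is more than one domain, a GC in every site that has DCs, every subnet mapped to a site, and how many universal groups exist (the thing that makes a reachable GC mandatory at logon). It assumes the RSAT ActiveDirectory PowerShell module on the host it runs from and an account that can read the domain and configuration partitions; `Get-ADDomainController -Filter *` only lists the current domain's DCs.

```powershell
# Added example: audit GC placement against the rules discussed in the thread.
# Assumes the RSAT ActiveDirectory module; all names come from the queried forest.
Import-Module ActiveDirectory

function Test-GcPlacement {
    $findings = New-Object System.Collections.Generic.List[string]
    $forest   = Get-ADForest
    $single   = ($forest.Domains.Count -eq 1)
    $dcs      = @(Get-ADDomainController -Filter *)          # DCs of the current domain
    $nonGc    = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    foreach ($dc in $dcs) {
        $holdsIM = $dc.OperationMasterRoles -contains 'InfrastructureMaster'
        if ($single -and -not $dc.IsGlobalCatalog) {
            # Single-domain forest: every DC should be a GC (Meinolf, Ace).
            $findings.Add("$($dc.Name) (site $($dc.Site)) is not a GC; make every DC a GC")
        } elseif (-not $single -and $holdsIM -and $dc.IsGlobalCatalog -and $nonGc.Count -gt 0) {
            # Multi-domain forest: IM on a GC is only safe when all DCs are GCs (Paul's point).
            $findings.Add("$($dc.Name) holds the IM role and is a GC while $($nonGc.Count) DC(s) are not")
        }
    }

    # A site with DCs but no GC still depends on the WAN for universal-group / UPN logons.
    foreach ($group in ($dcs | Group-Object Site)) {
        if (-not ($group.Group | Where-Object { $_.IsGlobalCatalog })) {
            $findings.Add("site $($group.Name) has DCs but no GC")
        }
    }
    # Ace's rule: any site you create should contain a DC.
    foreach ($site in Get-ADReplicationSite -Filter *) {
        if ($site.Name -notin $dcs.Site) { $findings.Add("site $($site.Name) has no DC in this domain") }
    }

    # A subnet with no site leaves clients picking any DC, often across the WAN.
    foreach ($subnet in Get-ADReplicationSubnet -Filter *) {
        if (-not $subnet.Site) { $findings.Add("subnet $($subnet.Name) is not assigned to a site") }
    }

    # Universal groups are enumerated at logon, so their presence makes GC reachability matter.
    $universal = @(Get-ADGroup -Filter 'GroupScope -eq "Universal"')
    $findings.Add("info: $($universal.Count) universal group(s) in the domain; GC availability affects logon")

    return $findings
}

Test-GcPlacement | ForEach-Object { Write-Output $_ }
```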
Yeah, multidomain forest. If all DCs are GCs in your forest, it runs into
the same scenario as a single domain: once a GC knows about all the other
objects in the forest, it has no need for an IM.
--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the Newsgroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:%23FMx2Sx2KHA.1624@TK2MSFTNGP06.phx.gbl...
"Paul Bergson [MVP-DS]" <pbbergs@no-spam.msn.com> wrote in message
news:uIwEzLw2KHA.5004@TK2MSFTNGP04.phx.gbl...
> Ace,
> Not sure if you realize, but you can make all dc's gc's in a forest and
> the
> IM role is still unneeded and can reside on a GC since there is no need
> for
> the role.
>
Are you referring to a single domain or multi-domain forest? Single domain,
yes, I mentioned that. But I don't really agree with that in a multi-domain
scenario. Let me rephrase that - you can get away with it, but I would
rather follow the base rules and let the IM handle the phantom objects
from other domains. Is that what you meant?
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
Paul
4/14/2010 12:26:49 PM
"Paul Bergson [MVP-DS]" <pbbergs@no-spam.msn.com> wrote in message
news:e0bCC382KHA.4716@TK2MSFTNGP06.phx.gbl...
> Yeah, multidomain forest. If all DC's are GC's in your forest it runs into
> the same scenario as a single domain once a GC knows about all the other
> objects in the forest it has no need for an IM.
Ok. I've never tried it that way and have always followed the IM/GC
rules in this scenario. It would make sense, but the only caveat I see
is there are no phantoms for other objects that may not be cached by a
GC. I don't have the ability to test this, but it's the only caveat that
comes to mind.
Ace
Ace
4/15/2010 2:42:45 PM
Haven't tested it either, but got this from other big dog MVPs.
--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the Newsgroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:Oe%23SqnK3KHA.556@TK2MSFTNGP04.phx.gbl...
"Paul Bergson [MVP-DS]" <pbbergs@no-spam.msn.com> wrote in message
news:e0bCC382KHA.4716@TK2MSFTNGP06.phx.gbl...
> Yeah, multidomain forest. If all DC's are GC's in your forest it runs
> into
> the same scenario as a single domain once a GC knows about all the other
> objects in the forest it has no need for an IM.
Ok. I've never tried it that way and have always followed the IM/GC rules in
this scenario. It would make sense, but the only caveat I see is there are
no phantoms for other objects that may not be cached by a GC. I don't have
the ability to test this, but it's the only caveat that comes to mind.
Ace
Paul
4/15/2010 9:23:41 PM
"Paul Bergson [MVP-DS]" <pbbergs@no-spam.msn.com> wrote in message
news:e3xAtHO3KHA.5820@TK2MSFTNGP06.phx.gbl...
> haven't tested either, but gotten this from other big dog MVP's.
>
> --
Then I assume they've tested it? I think I know the guys you are
referring to, from the RSS feed. I've been reading through a lot of it,
but I haven't responded. I remember seeing something on this a while
back.
Either way, I still may follow the basic rules... :-)
Ace
Ace
4/16/2010 4:10:34 AM
11 Replies
147 Views