We have 438,000 students here. Every school has two vlans - an
"administrative" one (office, etc) and an "instructional" one (classrooms).
There's free access to DCs between them as well as some servers. I'm not
saying it's bad to lock down access to different hosts between the vlans.
That's fine and one of the reasons to create them. Locking down DC access
doesn't really make sense. What data are you storing on your DCs that
shouldn't be accessible to students? They should just have your domain &
sysvol on them...

If one of the GCs goes down some Outlook clients may have issues until it
returns. Clients will not have issues accessing resources. They will not be
able to logon if at least one GC is not available. We still haven't
established why all your DCs aren't GCs as well. 

--brian
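A quick way to check the points raised in this thread (which DCs are GCs, whether every GC is advertised in DNS, whether the VLAN filters leave the GC port reachable, and where the infrastructure master sits). This is an added PowerShell example, not from anyone on the list; it assumes a domain-joined admin workstation with the ActiveDirectory and DnsClient modules and a single-domain forest.

```powershell
# Added example, not code from anyone in the thread. Assumes a domain-joined
# admin workstation with the ActiveDirectory and DnsClient modules, and a
# single-domain forest (the case discussed above).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. In a single-domain forest every DC should also be a GC; list the ones that are not.
$dcs   = Get-ADDomainController -Filter * |
         Select-Object HostName, IPv4Address, Site, IsGlobalCatalog
$notGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($notGc.Count -gt 0) {
    Write-Warning ("DCs that are not GCs: " + ($notGc.HostName -join ', '))
}

# 2. Clients and Exchange locate GCs through the forest-wide _gc._tcp SRV record,
#    so a GC missing from DNS is invisible even though the checkbox is ticked.
$srvName    = "_gc._tcp.$($forest.RootDomain)"
$advertised = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' } |
              ForEach-Object { $_.NameTarget.TrimEnd('.') }
foreach ($dc in ($dcs | Where-Object { $_.IsGlobalCatalog })) {
    if ($advertised -notcontains $dc.HostName) {
        Write-Warning "$($dc.HostName) is a GC but has no $srvName SRV record"
    }
}

# 3. A GC that DNS hands out but that an ACL between VLANs blocks on the GC
#    LDAP port (3268) looks 'down' from that VLAN. Run this from each client VLAN.
$results = foreach ($gc in $forest.GlobalCatalogs) {
    $t = Test-NetConnection -ComputerName $gc -Port 3268 -WarningAction SilentlyContinue
    [pscustomobject]@{ GlobalCatalog = $gc; Port3268Reachable = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# 4. The infrastructure master only matters while some DCs are not GCs.
"Infrastructure master: $($domain.InfrastructureMaster)"
if ($notGc.Count -eq 0) {
    "All DCs are GCs, so infrastructure master placement is no longer a concern."
}
```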
 
 
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Wednesday, July 06, 2005 1:59 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GC

Ok, I have 15 VLANs and filtering traffic between them because we have
IT students who like to test if they can access their exams ahead of
the exam time by trying to hack their teacher's PCs, and students
who try to mess with their grading system, etc....
If you have students, then each student is a potential hacker,
especially if they are highly motivated and study computing!
 
I filter all kinds of traffic (ICMP, TCP, UDP) from student networks to
faculty networks, also traffic to the financial network or student
information system network, etc....

I have almost a DC for each category of users who are accessing the
same category of PCs and having the same ranges of IPs. The DC itself
contains data that shouldn't be accessible to students, for example. I
of course have access controls in place, physical control, and almost
all levels of security, but still I don't want a student to be able to
ping a machine that she shouldn't know exists. You can call
me paranoid, it's ok, I am here to make sure my network is secure and
everyone is accessing only what they should be accessing.

So back to the original subject, you are saying that the only problem
if one of the GCs went down is Outlook, which will be fixed upon
restarting it? But the client shouldn't have problems accessing other
network services (their network share, DNS, DHCP, etc..)


r.c.


On 7/6/05, Brian Desmond <[EMAIL PROTECTED]> wrote:
> Well, he can leave the filters in place between the vlans on the routers.
> They're there for a good reason maybe. But add exceptions to these ACLs to
> allow traffic from the clients to any DC. We have three DCs servicing I
> don't know how many vlans in one building at the CO, I'd guess in the 500+
> range. Works like a charm.
> 
> How many clients, outlook clients, exchange servers, etc in this
> environment? 7 DCs in one place is a damn big number of DCs. Must be a
> pretty big building. Then they should all be GCs too if it's one domain. But
> 7 DCs/GCs is a lot of them in one place. You'd usually have a maintenance
> window which for one building is a lot easier than for four continents. This
> way even if what you're doing affects clients, most of your users aren't on
> Outlook at 11PM at night anyway, and if it's a scheduled window, well they
> can deal.
> 
> --brian
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, July 05, 2005 8:44 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] GC
> 
> This configuration kind of scares me. The question that keeps bubbling to
> the surface is why why why why?
> 
> Sites are used to define well connected networks. This is both for
> replication and for resource location services by clients looking for
> resources. It sounds like you have a case where all DCs would be considered
> equal to all clients but you are forcing them to only be able to use certain
> DCs because they can only reach those. I would expect that the clients get
> confused every now and then and work less than optimally. I expect
> watching network traces on your network for a while would be quite
> entertaining.
> 
> Personally I would tend to say, rip out the filters, if you have high
> connectivity between all of these DCs then they should be in one site and
> there should be no network filters in place. However before I would
> recommend that to a customer, I would really need to understand why they are
> doing what they are doing and what they think they are getting out of it.
> You might have an amazingly good reason for doing this that isn't
> immediately apparent.
> 
> 
> On the Exchange topic, I think this is secondary to getting your network
> topology straightened out. However, I dislike the idea of hard coding which
> GCs Exchange uses, it can bite you as people often forget it is being done.
> If someone wants to do that, I tend to recommend that they create an
> Exchange specific site and throw the Exchange servers and the Exchange GCs
> into that site. Exchange can and will reach out of that site, but it will
> tend to stay within it. It just makes the overall architecture more clear in
> my opinion without having to dig into specifics. If you stop doing the VLAN
> filtering I would then enable all DCs to be GCs. Then if you still have
> Exchange issues, start working them individually and possibly find more
> unusual design decisions.
> 
> As previously mentioned, a lot of Exchange failover is actually Outlook
> failover which varies radically based on the client rev. Some versions of
> outlook never fail over and you have to stop the client and restart it so it
> will reask the Exchange server for a GC. Some will failover once it detects
> a GC is unavailable. Exchange itself can be a little hokey, I have seen
> cases where it gets confused (E2K) and won't start failing over properly for
> 30 minutes. This is why it is critical to keep Exchange GCs generally
> running well.
> 
> 
> With WINS there was a subnet affinity built into the name resolution
> process, a client would choose the IP address that was in the same subnet as
> the client for any names it resolved that had multiple IP addresses. DNS is
> not like this. It takes the first IP address returned and uses it unless it
> can't reach it and then it uses the next and next, etc. It is up to the
> server to return the addresses in some specific order. I haven't done a lot
> of traces of Windows DNS servers but the general Bind/QIP configuration I
> have seen is to round robin the addresses returned.
> 
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> Sent: Tuesday, July 05, 2005 6:14 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] GC
> 
> As I understand it, sites are used if you have a remote site and you want to
> replicate AD traffic; this is not my case and so I have 1 site.
> I have backbone main switches which I create the VLANs on and set up
> filters on these VLANs so which IP ranges can access which servers and
> resources. I have 15 IP ranges and different DHCPs; I have DHCP relay agents
> on all my edge switches so the IP address setup and distribution is being
> taken care of properly.
> 
> How to prevent users? Through filtering all traffic from passing from one
> subnet to other subnets. Easy, but I don't think it can be done depending on
> AD and windows, I guess I can create child domains and prevent users from
> logging in except for specific domains, but I didn't try that yet since my
> solution is working fine for me currently.
> 
> Why is that odd? :)
> 
> 
> On 7/5/05, Ruston, Neil <[EMAIL PROTECTED]> wrote:
> > I don't understand how this can work in one site :)
> >
> > If all DC/GCs are defined in the same site, then clients may be 'offered'
> > any of these DCs from a DNS perspective, since they are all 'equal'.
> >
> > You appear to have several odd environmental issues which need to be addressed
> > before attacking the Outlook related issues.
> >
> > neil
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > Sent: 05 July 2005 10:22
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] GC
> >
> >
> > seems very good but I have 1 domain but I have 15 VLANs, not all domain
> > controllers are accessible by all VLANs, if I set all the domain controllers to
> > GC will that cause a problem? the 2 that I chose to set as GCs are
> > accessible from all VLANs.
> >
> > thanks.
> > r.c.
> >
> >
> > On 7/5/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
> > > I also don't agree with what you are saying concerning the
> > > maintenance of the GCs.
> > >
> > > If you only have 1 domain in the forest there is NO OVERHEAD in
> > > making all DCs GCs. The size of your DIT will not grow in size
> > > because there are no other domains. For its own and single domain
> > > the GCs will use pointers to the domain data.
> > >
> > > So if you have 1 domain, make all DCs GCs.
> > >
> > > Even if you have multiple domains there are fewer issues in W2K3
> > > compared to W2K because W2K3 DCs/GCs use Linked Value Replication
> > > (only in FFL w2k3) and for the partial attribute set it only replicates the deltas.
> > > So even for a multiple domain forest I would consider making all DCs
> > > GCs.
> > >
> > > Concerning exchange I would not manually define the DCs and GCs it
> > > uses. Let exchange itself figure that out. What are the reasons to
> > > manually define the DCs/GCs it uses?
> > >
> > > Cheers,
> > > #JORGE#
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > > Sent: dinsdag 5 juli 2005 10:51
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] GC
> > >
> > > One site and all servers in that one site.
> > >
> > >
> > > On 7/5/05, Rops, Arjan <[EMAIL PROTECTED]> wrote:
> > > > How many sites do you have configured in your AD?
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > > > Sent: dinsdag 5 juli 2005 10:34
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: Re: [ActiveDir] GC
> > > >
> > > > Suffering = users lose connectivity to their mailbox (the Outlook
> > > > shows a message saying Trying to connect to your exchange server),
> > > > users can't use their home directories on the servers, users not
> > > > being able to print, basically users go offline, waiting for the
> > > > GC to be online, now this I understand if there was only one GC,
> > > > but if 2, then this shouldn't happen,
> > > >
> > > > i.e. the network appears to be seeing each GC as the only one.
> > > >
> > > > Is there anything else other than checking the Global Catalogue
> > > > check box to make a server GC? (and add it in the system manager
> > > > in the exchange server as a GC too) ?
> > > >
> > > > Thanks,
> > > > r.c.
> > > >
> > > > On 7/5/05, Ruston, Neil <[EMAIL PROTECTED]> wrote:
> > > > > I don't agree with the below at all, to be candid. I would rather have
> > > > > 7 servers, knowing I can lose 1 or 2 without issue, rather than working
> > > > > round the clock to keep 2 servers up all the time. To me, that's
> > > > > the beauty of systems like AD, where the system is distributed and
> > > > > self resilient. You however, have removed some of that resilience
> > > > > from the system and have thus moved the maintenance effort from
> > > > > the system onto your own lap.
> > > > >
> > > > > Anyway, now that's off my chest - I think you need to explain what
> > > > > 'the network suffers' means. What symptoms do you see when a GC
> > > > > goes offline? I'd also like to know why your GCs are going offline.
> > > > >
> > > > > We have 100+ GCs here and we probably have 4-5 issues per year. When
> > > > > we do have an issue, the net effect on the end user is negligible due to
> > > > > the self healing and resilient nature of AD/GCs themselves.
> > > > >
> > > > > neil
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > > > > Sent: 05 July 2005 08:48
> > > > > To: ActiveDir@mail.activedir.org
> > > > > Subject: Re: [ActiveDir] GC
> > > > >
> > > > >
> > > > > Thanks for the reply :)
> > > > >
> > > > > I will tell you, because now I have to maintain 2 servers (the GCs)
> > > > > online 24/7 I can't take one offline for maintenance for a second
> > > > > cause the network goes down, imagine if I upgrade the other 5,
> > > > > then I will have to keep 7 servers alive 24/7!!!!!!!
> > > > >
> > > > > I configure the exchange to use multiple GC, but why does the network
> > > > > suffer if one of them goes offline? I don't know, is it by design?
> > > > > or am I missing something
> > > > >
> > > > > thanks,
> > > > > r.c.
> > > > >
> > > > >
> > > > > On 7/5/05, Ruston, Neil <[EMAIL PROTECTED]> wrote:
> > > > > > "rough and ready" response :)
> > > > > >
> > > > > > 1. Client logons, Exchange GAL lookups and various other components
> > > > > > require a GC to be available, ideally in the same site.
> > > > > > 2. Why are only 2 of the 7 DCs also GCs?
> > > > > >
> > > > > > Given that you are experiencing issues, I'd be inclined to 'upgrade'
> > > > > > the remaining 5 DCs to GC status and ensure that your Exchange servers
> > > > > > are configured to use multiple GCs.
> > > > > >
> > > > > > When all DCs are GCs, the infra master FSMO becomes redundant too, so
> > > > > > that's one less FSMO to worry about catering for :)
> > > > > >
> > > > > > neil
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: [EMAIL PROTECTED]
> > > > > > [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> > > > > > Sent: 05 July 2005 08:16
> > > > > > To: ActiveDir@mail.activedir.org
> > > > > > Subject: [ActiveDir] GC
> > > > > >
> > > > > >
> > > > > > Hi,
> > > > > > I have 2 GC and 7 domain controllers, I made 2 GC so that if I had to
> > > > > > take any one of them offline the other will be functional and
> > > > > > the network will be ok, what happens is that if any of them goes offline,
> > > > > > the network goes down, (including email service exchange). Anything
> > > > > > I should have done ?
> > > > > >
> > > > > > Thanks,
> > > > > > r.c.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
