Title: Message
Generally speaking, all DCs need to be able to contact the RID master periodically to get a RID allocation. I have some thoughts about how to work around the problem, but I've never tried them, so you get to be the test pilot on your first flight :)
 
1. You can change the size of the RID block allocated to the DC so that it gets "enough" RIDs to last a really long time. There's a reg setting defined in KB316201. There are some caveats when setting the value to a really large number.
 
2. Point whatever processes are creating security principals (users, computers, groups) to a DC not in the DMZ. That way the DC in the DMZ won't have to allocate any RIDs.
 
HTH,
 
-gil

Gil Kirkpatrick
CTO, NetPro

-----Original Message-----
From: Abbiss, Mark [mailto:[EMAIL PROTECTED]
Sent: Friday, October 17, 2003 4:27 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Connectivity with FSMO role machines

Probably a dumb question but here goes.
 
We have recently installed a new DC into our domain to manage an increasing number of machines located in a DMZ. The domain itself is spread across two locations, Germany and France. The new DC has open connectivity to the DCs that are located in Germany; however, thanks to various political and bureaucratic idiocies, there is not open connectivity between the DMZ and the FSMO-holding DCs in the French location.
 
This means that the new server is currently unable to create new users or other objects as it is unable to connect with the RID master.
 
My question: Is there a way around this problem apart from opening up the connectivity from the DMZ to France (which will never be allowed) or, secondly, moving the RID master to a DC in Germany (which will be a nightmare of discussions and arguments)?
 
Many thanks
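
Added example, not part of the original thread: a way to size workaround 1 from the reply by estimating how long an isolated DC can keep creating principals, and how many blocks of a chosen size the domain-wide pool can still hand out. It assumes the usual layout of the RID attributes (low 32 bits = start, high 32 bits = end of a range, on the DC's RID Set object and on the domain's rIDAvailablePool) and that rIDNextRID is the last RID issued; all sample values are constructed.

```python
from dataclasses import dataclass

def split_large_int(value: int) -> tuple[int, int]:
    """Split an AD 64-bit large integer into (low 32 bits, high 32 bits)."""
    if not 0 <= value < 1 << 64:
        raise ValueError("expected an unsigned 64-bit value")
    return value & 0xFFFFFFFF, value >> 32

@dataclass
class RidSet:
    """Values read from a DC's RID Set object (semantics assumed, see lead-in)."""
    previous_pool: int    # rIDPreviousAllocationPool: block currently in use
    allocation_pool: int  # rIDAllocationPool: newest block granted by the RID master
    next_rid: int         # rIDNextRID: last RID handed out from the block in use

def local_rids_left(rs: RidSet) -> int:
    """RIDs this DC can still issue with no contact to the RID master."""
    cur_lo, cur_hi = split_large_int(rs.previous_pool)
    new_lo, new_hi = split_large_int(rs.allocation_pool)
    left = max(cur_hi - max(rs.next_rid, cur_lo - 1), 0)
    if (new_lo, new_hi) != (cur_lo, cur_hi):  # a reserve block is already held
        left += new_hi - new_lo + 1
    return left

def days_of_headroom(rs: RidSet, principals_per_day: int) -> int:
    """Whole days of object creation the DC can sustain at the given rate."""
    if principals_per_day <= 0:
        raise ValueError("creation rate must be positive")
    return local_rids_left(rs) // principals_per_day

def domain_blocks_left(available_pool: int, block_size: int) -> int:
    """Blocks of block_size the domain-wide pool (rIDAvailablePool) can still supply."""
    if block_size <= 0:
        raise ValueError("block size must be positive")
    first_free, ceiling = split_large_int(available_pool)
    return max(ceiling - first_free + 1, 0) // block_size

def pack(lo: int, hi: int) -> int:
    """Build a large integer from a (start, end) range; used for the samples."""
    return (hi << 32) | lo

# Constructed sample values, not taken from the thread.
SAMPLE_DC = RidSet(pack(1100, 1599), pack(1600, 2099), next_rid=1450)
SAMPLE_DOMAIN_POOL = pack(2603, 1073741823)

if __name__ == "__main__":
    print("RIDs left on DC:", local_rids_left(SAMPLE_DC))
    print("Days at 20/day:", days_of_headroom(SAMPLE_DC, 20))
    for size in (500, 100000):
        print(f"Blocks of {size} left in domain:", domain_blocks_left(SAMPLE_DOMAIN_POOL, size))
```

Comparing the block counts for a small and a very large block size shows how quickly oversized blocks draw down the domain's finite RID space.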
 
