Putting the root GC in a dedicated site would work great,
except that I'd have to get the networking folks to give me a dedicated IP
subnet, which they aren't going to want to do.
Also, not all of our sites have a local DC/GC. Wouldn't
these users connect to the root GC in the dedicated site at random
times?
It's true that Outlook's normal operation is very painful
across the WAN, but I can't do anything about that (well, we are deploying
Outlook 2003 using cached mode - that helps). The fact is that having Outlook
hit the local GC improves user experience a small, but non-trivial amount, so
that's what management wants.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 20, 2005 7:49 PM
To: [email protected]
Subject: RE: [ActiveDir] Does a domain require a GC?

Well I helped. From what I heard another large organization
joined the fray on that battle too.
The thing is though, my understanding of the fix, when/if
it gets fixed will be targeted towards fixing the issue with updating the user's
own attributes. If the groups happen to be in the same domain as the users, that
will fix that as well, but if the groups are in another domain, the issue will
still exist. They have no way of fixing that with the current architecture
without doing two major things
1. Changing the GCs so that they will look at an NSPI
request and redirect as necessary.
2. Make all NSPI requests go through the Exchange servers
like what happens with older Outlook clients and have the DsProxy logic figure
out on the fly what DCs requests should go to.
I am surprised that cross WAN GAL lookups would be an issue
but cross WAN RPC used by outlook isn't. Outlook/Exchange RPC is very chatty and
usually, I believe, the thing that kills you.
I would say throw your root GCs into special site(s) that
don't house any Exchange servers or clients and be done with
it.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 18, 2005 2:29 PM
To: [email protected]
Subject: RE: [ActiveDir] Does a domain require a GC?

The why is that I want all GCs in all sites to be in the
resource domain. Why? Exchange 2K and 2003 have a, um, "design issue" (actually,
I think joe has beaten MS into submission on this issue and they now admit it
is a bug) whereby Outlook attempts to maintain DL membership by
asking GCs to modify the group. Since GCs have only a read-only copy of objects
from domains other than their own, these updates fail unless the GC is in the
same domain as the distribution list.
Joe's solution was attempted and rejected here early on
because forcing remote users to go across the WAN for GAL lookups made for
something less than a wonderful user experience. However, all that
testing was done with Outlook 2002. We now have Outlook XP fully deployed, and
running in cached mode. That may make enough of a difference to go back to a
small number of GCs in a site that contains the Exchange
servers.
However, I'm still thinking that my proposed solution is a
fairly elegant way to fix the problem. I don't need any of the root DCs to be
GCs, since there are several other GCs in those
sites.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, July 18, 2005 1:03 PM
To: [email protected]
Subject: RE: [ActiveDir] Does a domain require a GC?

True.
Then let me clarify – ability to CONTACT a GC is mandatory. Having it in
the site of the authenticating object is not. So – now
that I think about it for a minute, there are really two considerations to the
question of removing GCs from the root domain. Feasible and
reasonable. Though it might be feasible to do so, I’m not so sure that I
understand the reasonable nature of removing all GCs from a domain. Point
and purpose of doing it doesn’t seem to fit any real justification to
me. It would
also be much less efficient, given the domain’s ability to do required lookups
on a GC. So, ultimately the question is –
why?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I wouldn't call the GC
per site a requirement as much as I would call it a best practice. Environments
can and do function fine without GCs (or even DCs) in every site. You can run
into issues when network connectivity breaks, but it would be assumed you are
thinking of this when you designed the topology. If the OP's Exchange
servers are all in a centralized location, then set up a special site for
Exchange and only have GCs in that site from the domain with all of the groups
and users. Then DSACCESS/DSPROXY will pick out and give those GCs to clients to
use so that outlook doesn't have to be overridden from its default behavior on
what it wants to do.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan

Kevin,
As I recall, the
requirement is on a PER SITE for GCs – I don’t remember seeing a PER DOMAIN
requirement. Given that the GC is a forest-wide element, the domain
function really doesn’t seem to make sense. However, the site requirement
for the GC is an obvious one – groups and specifically Universal
groups. Given that sites can
span domains – I can’t think of a dependency that would require a GC in each
domain, as long as site requirements are met.
Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet

We have two domains in our forest.
The "empty" root domain, and a resource domain where everything else lives. The
root domain has two DCs - one each in two different
sites. Our main domain has several DCs, and
most of those are GCs as well. The sites containing the root DCs each also
have at least one resource domain DC, and at least one of these DCs is a GC. In
other words, all sites have at least one resource domain DC and at least
one of those is a GC as well. My question is: can I remove GC
function from the two root DCs? I seem to recall reading that at least one
DC in a domain had to be a GC, but I can't find that requirement
now. All DCs are Server 2003. The forest
is 2000 native mode.
Why do I want to do this? We
configure Outlook to use the "closest" GC. We want to ensure that Outlook
can manage distribution lists (universal groups), and Outlook can only do
that if the GC is in the same domain as the group. We are currently using a
home-grown application to manage DL membership, but we'd like to switch back to
Outlook.
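As an added example (not from any post in this thread), a small offline model of the reasoning the thread turns on: a GC is writable only for its own domain's naming context, so an Outlook client that is handed a root-domain "closest" GC cannot update a distribution list that lives in the resource domain. The two-domain topology, site names and DNs are constructed; the last function models joe's alternative of parking the root GCs in a client-free site.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainController:
    name: str
    domain_nc: str   # naming context this DC is writable for, e.g. "DC=corp,DC=example,DC=com"
    site: str
    is_gc: bool

def domain_nc_of(dn: str) -> str:
    """Domain NC of a DN: its DC= components (simplified: assumes no escaped commas)."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(p for p in parts if p.upper().startswith("DC="))

def gc_can_modify(dc: DomainController, group_dn: str) -> bool:
    """A GC can write a group only if the group lives in the GC's own domain;
    every other domain is a read-only partial replica on that GC."""
    return dc.is_gc and dc.domain_nc.lower() == domain_nc_of(group_dn).lower()

def sites_at_risk(dcs, group_dn: str) -> dict:
    """Per site with at least one GC: the GCs a 'closest GC' client could be
    handed that would fail a DL membership update. Empty list = site is safe."""
    risk = {}
    for dc in dcs:
        if not dc.is_gc:
            continue
        risk.setdefault(dc.site, [])
        if not gc_can_modify(dc, group_dn):
            risk[dc.site].append(dc.name)
    return risk

# Constructed topology mirroring the thread: an "empty" root domain with two
# DCs (both GCs) in SiteA and SiteB, and a resource domain with GCs everywhere.
ROOT_NC = "DC=example,DC=com"
RES_NC = "DC=corp,DC=example,DC=com"
TOPOLOGY = [
    DomainController("root-dc1", ROOT_NC, "SiteA", True),
    DomainController("root-dc2", ROOT_NC, "SiteB", True),
    DomainController("res-dc1", RES_NC, "SiteA", True),
    DomainController("res-dc2", RES_NC, "SiteB", True),
    DomainController("res-dc3", RES_NC, "SiteC", True),
    DomainController("res-dc4", RES_NC, "SiteC", False),
]
DL_DN = "CN=AllStaff,OU=Groups," + RES_NC   # constructed universal distribution list

def with_root_gcs_moved(dcs, new_site="RootGC-Only"):
    """joe's alternative: keep the root GCs but park them in a site with no clients."""
    return [DomainController(d.name, d.domain_nc, new_site, d.is_gc)
            if d.domain_nc == ROOT_NC else d for d in dcs]
```

Run `sites_at_risk(TOPOLOGY, DL_DN)` to see SiteA and SiteB flagged because of the root GCs, then `sites_at_risk(with_root_gcs_moved(TOPOLOGY), DL_DN)` to see the risk confined to the client-free site.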
