Sites without a local DC/GC should still be covered by at least one DC in every domain from a site with the best metric score to get to that site. The times you should hit the random knocks on the door of your segregation site should be when all DCs registered for a given site are unavailable, whether those DCs reside in that site or are simply covering it.
 
You can quickly ascertain what DCs are covering a specific site with a simple DNS query. From within NSLOOKUP do something like
 
_ldap._tcp.<SITE>._sites.<DOMAIN>.
 
or for GCs
 
_gc._tcp.<SITE>._sites.<ROOT DOMAIN>.
 
Oh, make sure you have it set to see SRV records (set type=srv).
 
On the 32 bit subnet mask, Steve is absolutely correct and doesn't need me to say so. :o)  We did this for several machines and I have also used it for troubleshooting at different times when I wanted a WAN site to not use the local DC but I wanted that DC up and running. You also have the option of hard coding specific sites as well. The 32 bit mask thing seems to always be a surprise to people. In refreshing the O'Reilly Active Directory book for 3E I noticed that it also specifically said a mask of up to 31 bits could be used, I changed that to 32 just a few days ago when reviewing that chapter for updates.
 
Overall, you can configure your subnets that are defined in AD from least specific to most specific, and the most specific for any given machine will apply. This is often seen by large companies who have new subnets being spun up all the time without the knowledge of AD Admins. I don't know if I ever saw this documented anywhere but just assumed it worked way back in the very earliest days of AD and configured it because we had the new-subnets-all-of-the-time issue cropping up and too many people complaining about authenticating slowly. Anyway, you set up say an 8 bit mask (or multiple if you have multiple class A address ranges) entry for your top level IP range. Then you spin up more specific class Cs, or in our case it was 23 bit masks, as needed. You can also further break them up into 30 bit or whatever bit masks, including 32 bit masks. You assign the subnets to the most specific sites you can. For instance the 8 bit masks would be assigned to the corporate hub data centers. Maybe 16 bit masks could be assigned to regional data centers, all the way down to specific sites or clusters of IPs within a site. If a client spins up in an undefined subnet, it will at the very least know to use a hub data center DC instead of picking randomly from all of the DCs and, due to Murphy's law, getting the slowest, oldest, nastiest DC which you have hidden under a desk in Kokomo, Indiana.
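The two mechanics described above, the most-specific-subnet rule (down to a 32 bit mask) and the SRV names a client resolves for its site, as an added worked example; this is not code from the thread, and the subnet table, site names and domain names are constructed.

```python
import ipaddress

# Constructed AD subnet-to-site table, least to most specific (not from the thread).
# A /8 catch-all sends clients on undefined subnets to the hub; a /32 carves a
# single host (for example an isolated root DC) into its own site.
SITE_SUBNETS = {
    "10.0.0.0/8": "Corp-Hub",
    "10.20.0.0/16": "Regional-East",
    "10.20.4.0/23": "Kokomo",
    "10.20.4.17/32": "RootDC-Isolated",
}


def build_subnet_table(mapping):
    """Parse the CIDR strings once so matching is cheap."""
    return [(ipaddress.ip_network(cidr), site) for cidr, site in mapping.items()]


def site_for_client(ip, table):
    """Return the site of the most specific (longest prefix) defined subnet
    containing ip, or None when no defined subnet covers it at all."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, site in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def srv_names(site, domain, root_domain):
    """The DNS names (query type SRV) that list DCs and GCs registered for a
    site, whether they live in the site or merely cover it."""
    return {
        "dc": f"_ldap._tcp.{site}._sites.{domain}.",
        "gc": f"_gc._tcp.{site}._sites.{root_domain}.",
    }


if __name__ == "__main__":
    table = build_subnet_table(SITE_SUBNETS)
    for client in ("10.20.4.17", "10.20.4.18", "10.20.9.1", "10.99.1.1", "192.168.1.1"):
        site = site_for_client(client, table)
        print(client, "->", site)
        if site:
            print("  ", srv_names(site, "corp.example", "example"))
```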
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, July 21, 2005 1:02 PM
To: [email protected]
Subject: RE: [ActiveDir] Does a domain require a GC?

But won't I still have the problem that clients in sites without a local DC/GC will randomly connect to this "isolated" root GC?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, July 21, 2005 11:54 AM
To: '[email protected]'
Subject: RE: [ActiveDir] Does a domain require a GC?

Why not create a new site and [logically] move the DC to that site. Restart netlogon to update DNS records and voila, the DC is now a member of the new site. I have seen this done for the PDCe so it receives less load than other DCs in the same location.
 
neil
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 21 July 2005 17:36
To: [email protected]
Subject: RE: [ActiveDir] Does a domain require a GC?

No it works just fine and is often used to isolate GC/DCs.
 
Thanks,
 
-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, July 21, 2005 11:21 AM
To: [email protected]
Subject: RE: [ActiveDir] Does a domain require a GC?

I can define a site using a 32 bit subnet mask? That's a possibility I hadn't considered! I'd have been afraid that would confuse the heck out of the KCC!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 20, 2005 7:53 PM
To: [email protected]
Subject: RE: [ActiveDir] Does a domain require a GC?

Dean killed the first question pretty well I think. The second question, or implied question that I got, was "don't I have to set up a special IP subnet to do this?" and the answer is no. You do not need a physical network breakup to define a logical site in AD and assign subnets. I did this in data centers quite often. A single data center with tons of subnets would have different pieces carved out and added to various sites depending on what DCs they needed to be with. This was sometimes a pain, but network didn't always want to work with us in terms of giving us whole ranges of physical subnets to work with. There was more than one single-IP subnet (32 bit mask) defined in that directory.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, July 19, 2005 12:31 PM
To: [email protected]
Subject: RE: [ActiveDir] Does a domain require a GC?

I don't understand your comment about converting universal groups to local groups. Can you explain what you mean here?
 
Your suggestion about moving the root DCs to a separate site would work, but it would require me to set up a dedicated IP subnet at the two different locations where the DCs are located. The networking folks would not want to do that. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 6:09 PM
To: [email protected]
Subject: RE: [ActiveDir] Does a domain require a GC?

Hi Ken,
 
There is (at least) one requirement for a GC in every domain. If you don't have a GC in a domain, you cannot convert universal groups in that domain to local groups. However, this is probably not a big concern for your empty root domain...
 
Also a couple of suggestions:
 
- Why not have all the DCs of the child domain as GCs? This wouldn't add practically any replication, or to the size of the NTDS.DIT on those new GCs.
 
- Instead of removing GCs from the root domain (because of the Outlook issue), how about putting the root domain DCs (which would be GCs) on a site with no clients, and with such a replication topology, that a child domain GC is always closer to any client than a root domain GC?
 
Yours, Sakari
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 18, 2005 7:19 PM
To: [email protected]; Exchange Discussions
Subject: [ActiveDir] Does a domain require a GC?

We have two domains in our forest. The "empty" root domain, and a resource domain where everything else lives. The root domain has two DCs - one each in two different sites.
 
Our main domain has several DCs, and most of those are GCs as well. The sites containing the root DCs each also have at least one resource domain DC, and at least one of these DCs is a GC. In other words, all sites have at least one resource domain DC and at least one of those is a GC as well.
 
My question is: can I remove GC function from the two root DCs? I seem to recall reading that at least one DC in a domain had to be a GC, but I can't find that requirement now.
 
All DCs are server 2003. The forest is 2000 native mode.
 
Why do I want to do this? We configure Outlook to use the "closest" GC. We want to ensure that Outlook can manage distribution lists (universal groups), and Outlook can only do that if the GC is in the same domain as the group. We are currently using a home-grown application to manage DL membership, but we'd like to switch back to Outlook.
 
 
