Another solution to this problem (one I have not seen mentioned) might be the use 
of DNS priorities or, as I like to call them, DNS costs. By default each SRV 
record is set to 0. With a higher value (also possible to configure through GPOs) 
the DC/GC would always be the last on the list for domain-wide or 
site-wide service questions. When DC/GCs have the same value the order is random.
 
Cheers,
#JORGE#
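
SRV priority ordering as defined in RFC 2782 (lowest priority value tried first, weighted-random choice among equal priorities), simulated as an added example that is not part of the original message. The host names, the weight of 100 and the raised priority value of 10 are constructed for illustration.

```python
import random
from collections import namedtuple

# Constructed sample: _gc._tcp SRV records for a hypothetical forest.
Srv = namedtuple("Srv", "priority weight port target")

RECORDS = [
    Srv(0, 100, 3268, "child-gc1.child.example.test"),
    Srv(0, 100, 3268, "child-gc2.child.example.test"),
    Srv(10, 100, 3268, "root-gc1.example.test"),  # raised priority value
]

def srv_order(records, rng=random):
    """Return records in the order an RFC 2782 client would try them."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            # Weight-0 records are placed first, as the RFC prescribes.
            group.sort(key=lambda r: r.weight != 0)
            threshold = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for rec in group:
                running += rec.weight
                if running >= threshold:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered

def first_reachable(records, reachable, rng=random):
    """Target a client ends up using, given the set of hosts that answer."""
    for rec in srv_order(records, rng):
        if rec.target in reachable:
            return rec.target
    return None

def simulate(trials=2000, seed=1):
    """Count which GC is chosen when every host is reachable."""
    rng = random.Random(seed)
    all_up = {r.target for r in RECORDS}
    counts = {t: 0 for t in all_up}
    for _ in range(trials):
        counts[first_reachable(RECORDS, all_up, rng)] += 1
    return counts
```

The higher-priority-value GC is still returned when it is the only host that answers, so this ordering reduces its load rather than removing it from service location.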

________________________________

From: [EMAIL PROTECTED] on behalf of Sakari Kouti
Sent: Fri 7/22/2005 12:57 AM
To: [email protected]
Subject: RE: [ActiveDir] Does a domain require a GC?


Hi Ken,
 
A short explanation of the sentence "with such a replication topology, that a 
child domain GC is always closer to any client than a root domain GC?" that was 
in my original suggestion:
 
Attach your new "isolation site" to the others with a new site link as the 
following:
 
ISOLATION_SITE <=> NEW_SITE_LINK <=> TRADITIONAL_MAIN_SITE <=> everything else
 
Now, if your TRADITIONAL_MAIN_SITE has GCs, they are always nearer to clients 
(in terms of metrics) than the GCs in the ISOLATION_SITE. Therefore, the 
"isolation" GCs should never need to answer (as long as the clients know their 
site, which joe covered quite well in his message).
 
Yours, Sakari
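
The cost arithmetic behind this layout, as an added example that is not part of the original message: every path to ISOLATION_SITE passes through TRADITIONAL_MAIN_SITE, so its cost is the cost to the main site plus the new link's cost. BRANCH_A, BRANCH_B and all link costs are constructed, and "nearest in terms of metrics" is modelled here as the lowest summed site-link cost.

```python
import heapq

# Constructed topology following the layout in the message above.
SITE_LINKS = [
    ("ISOLATION_SITE", "TRADITIONAL_MAIN_SITE", 100),  # NEW_SITE_LINK
    ("TRADITIONAL_MAIN_SITE", "BRANCH_A", 200),
    ("TRADITIONAL_MAIN_SITE", "BRANCH_B", 300),
    ("BRANCH_A", "BRANCH_B", 100),
]
GC_SITES = {"ISOLATION_SITE", "TRADITIONAL_MAIN_SITE"}

def costs_from(start, links):
    """Lowest summed link cost from start to every site (Dijkstra)."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best = {start: 0}
    heap = [(0, start)]
    while heap:
        dist, site = heapq.heappop(heap)
        if dist > best.get(site, float("inf")):
            continue  # stale queue entry
        for nxt, cost in graph.get(site, []):
            nd = dist + cost
            if nd < best.get(nxt, float("inf")):
                best[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return best

def nearest_gc_site(client_site, links=SITE_LINKS, gc_sites=GC_SITES):
    """Return (cost, site) of the cheapest GC-holding site for a client site."""
    costs = costs_from(client_site, links)
    return min((costs[s], s) for s in gc_sites if s in costs)

def isolation_never_nearest(links=SITE_LINKS):
    """True if no site other than ISOLATION_SITE itself resolves to it."""
    sites = {s for a, b, _ in links for s in (a, b)} - {"ISOLATION_SITE"}
    return all(nearest_gc_site(s, links)[1] != "ISOLATION_SITE" for s in sites)
```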
 


________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken 
Cornetet
        Sent: Thursday, July 21, 2005 8:02 PM
        To: [email protected]
        Subject: RE: [ActiveDir] Does a domain require a GC?
        
        
        But won't I still have the problem that clients in sites without a 
local DC/GC will randomly connect to this "isolated" root GC?

________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, 
Neil
        Sent: Thursday, July 21, 2005 11:54 AM
        To: '[email protected]'
        Subject: RE: [ActiveDir] Does a domain require a GC?
        
        
        Why not create a new site and [logically] move the DC to that site? 
Restart netlogon to update DNS records and voilà, the DC is now a member of the 
new site. I have seen this done for the PDCe so it receives less load than 
other DCs in the same location.
         
        neil
        

                -----Original Message-----
                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Steve Linehan
                Sent: 21 July 2005 17:36
                To: [email protected]
                Subject: RE: [ActiveDir] Does a domain require a GC?
                
                
                No it works just fine and is often used to isolate GC/DCs.
                 
                Thanks,
                 
                -Steve

________________________________

                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Ken Cornetet
                Sent: Thursday, July 21, 2005 11:21 AM
                To: [email protected]
                Subject: RE: [ActiveDir] Does a domain require a GC?
                
                
                I can define a site using a 32 bit subnet mask? That's a 
possibility I hadn't considered! I'd have been afraid that would confuse the 
heck out of the kcc!

________________________________

                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
joe
                Sent: Wednesday, July 20, 2005 7:53 PM
                To: [email protected]
                Subject: RE: [ActiveDir] Does a domain require a GC?
                
                
                Dean killed the first question pretty well I think. The second 
question or implied question that I got was "don't I have to set up a special 
IP subnet to do this?" and the answer is no. You do not need a physical network 
breakup to define a logical site in AD and assign subnets. I did this in 
DataCenters quite often. A single data center with tons of subnets would have 
different pieces carved out and added to various sites depending on what DCs 
they needed to be with. This was sometimes a pain but network didn't always 
want to work with us in terms of giving us whole ranges of physical subnets to 
work with. There was more than one single IP subnet (32 bit mask) defined in 
that directory. 
                 

________________________________

                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Ken Cornetet
                Sent: Tuesday, July 19, 2005 12:31 PM
                To: [email protected]
                Subject: RE: [ActiveDir] Does a domain require a GC?
                
                
                I don't understand your comment about converting universal 
groups to local groups. Can you explain what you mean here?
                 
                Your suggestion about moving the root DCs to a separate site 
would work, but it would require me to set up a dedicated IP subnet at the two 
different locations where the DCs are located. The networking folks would not 
want to do that. 

________________________________

                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Sakari Kouti
                Sent: Monday, July 18, 2005 6:09 PM
                To: [email protected]
                Subject: RE: [ActiveDir] Does a domain require a GC?
                
                
                Hi Ken,
                 
                There is (at least) one requirement for a GC in every domain. 
If you don't have a GC in a domain, you cannot convert universal groups in that 
domain to local groups. However, this is probably not a big concern for your 
empty root domain...
                 
                Also a couple of suggestions:
                 
                - Why not have all the DCs of the child domain as GCs? This 
wouldn't add practically any replication, or the size of the NTDS.DIT on those 
new GCs.
                 
                - Instead of removing GCs from the root domain (because of the 
Outlook issue), how about putting the root domain DCs (which would be GCs) on a 
site with no clients, and with such a replication topology, that a child domain 
GC is always closer to any client than a root domain GC?
                 
                Yours, Sakari
                 
                 


________________________________

                        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of Ken Cornetet
                        Sent: Monday, July 18, 2005 7:19 PM
                        To: [email protected]; Exchange Discussions
                        Subject: [ActiveDir] Does a domain require a GC?
                        
                        
                        We have two domains in our forest. The "empty" root 
domain, and a resource domain where everything else lives. The root domain has 
two DCs - one each in two different sites.
                         
                        Our main domain has several DCs, and most of those are 
GCs as well. The sites containing the root DCs each also have at least one 
resource domain DC, and at least one of these DCs is a GC. In other words, all 
sites have at least one resource domain DC and at least one of those is a GC as 
well.
                         
                        My question is: can I remove GC function from the two 
root DCs? I seem to recall reading that at least one DC in a domain had to be a 
GC, but I can't find that requirement now.
                         
                        All DCs are server 2003. The forest is 2000 native mode.
                         
                        Why do I want to do this? We configure Outlook to use 
the "closest" GC. We want to ensure that Outlook can manage distribution lists 
(universal groups), and Outlook can only do that if the GC is in the same 
domain as the group. We are currently using a home-grown application to manage 
DL membership, but we'd like to switch back to Outlook. 
                         
                         

        
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
