You need GCs for determining universal group memberships. You can either enable 
universal group membership caching on your non-GC DCs (but users will need to 
have logged on so that the group memberships can be cached), or make the DCs 
GCs.

I would make all the DCs GCs, or remember that you need to put your 
Infrastructure Master FSMO role holder on a non-GC domain controller.

Cheers
Ken

From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: Thursday, 9 October 2008 7:38 AM
To: NT System Admin Issues
Subject: AD Sites Question

Hi - Windows 2003 Native Mode AD, one forest, one domain (where user objects 
are contained) and one child domain. We've got a unique environment in that we 
have floating LANs aboard our vessels. Each vessel is equipped with a radio 
that talks to receivers on islands but while they're sailing, they are in and 
out of communication with our network. Each vessel has 3-5 servers, including a 
DC. These vessels also have anywhere from 3-7 POS stations as well as 2-10 PCs 
for staff. The people here (before I joined) have set up a site for each ship. 
Each DC on the ship is a GC and a DNS server. There are 36 of these vessels 
floating around in and out of connectivity so the replication isn't all that 
great. I know best practices state that if you have a DC in a site, the DC 
should also be a GC. On a couple of ships, we tested removing the GC service 
from the DC and the users could not log on. This would happen when vessels were 
out of range. If they were in range, they could since they were able to reach a 
GC in the data center. Is this working as designed?

Thanks,
Tony


Tony Woods | Team Lead, Windows Data Center Operations | British Columbia Ferry 
Services Inc. | Tel:  (250) 978-1507 | Fax: (250) 405-3533 | [EMAIL PROTECTED] 
| www.bcferries.com
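
An added example, not part of either message in this thread: a PowerShell audit of the two options in the reply at the top (a local GC, or universal group membership caching on the site), plus the Infrastructure Master placement it mentions. It assumes the ActiveDirectory module (RSAT) and a reachable DC running AD Web Services, which is newer tooling than the Windows 2003 environment described; the status wording is my own.

```powershell
# Added example: per-site check for "can users log on while the WAN link is down?"
# Assumption: ActiveDirectory module (RSAT) installed, run as a domain user.
Import-Module ActiveDirectory

# Domain controllers of the current domain only, with site name and GC flag.
$dcs = @(Get-ADDomainController -Filter *)

# Site objects carry the universal group membership caching (UGMC) setting.
$sites = Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled

$report = foreach ($site in $sites) {
    $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
    if ($siteDcs.Count -eq 0) { continue }   # no DC of this domain in the site

    $gcs  = @($siteDcs | Where-Object { $_.IsGlobalCatalog })
    $ugmc = [bool]$site.UniversalGroupCachingEnabled

    $status = if ($gcs.Count -gt 0) {
        'Local GC present'
    } elseif ($ugmc) {
        'No GC; only users with cached memberships can log on offline'
    } else {
        'No GC and no caching; logons need a remote GC'
    }

    [pscustomobject]@{
        Site   = $site.Name
        DCs    = $siteDcs.Count
        GCs    = $gcs.Count
        UGMC   = $ugmc
        Status = $status
    }
}
$report | Sort-Object Site | Format-Table -AutoSize

# Infrastructure Master placement: a GC may hold the role only if every DC
# in the domain is a GC; otherwise it belongs on a non-GC domain controller.
$im     = $dcs | Where-Object { $_.OperationMasterRoles -contains 'InfrastructureMaster' }
$nonGcs = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($im -and $im.IsGlobalCatalog -and $nonGcs.Count -gt 0) {
    Write-Warning ("Infrastructure Master {0} is a GC, but these DCs are not: {1}" -f
        $im.HostName, ($nonGcs.Name -join ', '))
}
```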
