It's a nonissue because all your DCs are GCs.

I don't remember whether they still contact the DC on 3268 or not.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

From: Christopher Bodnar [mailto:[email protected]]
Sent: Friday, February 06, 2009 11:36 AM
To: NT System Admin Issues
Subject: RE: AD design question

Right now I just wanted to focus on the user logon aspect of this issue. I am 
aware of application issues that require GC access such as Exchange.

Specifically in a single domain forest do users need access to a GC for logon 
requests? From what I have read so far I don't think it is necessary. As long 
as they can hit a DC they should be authenticated.




Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003

________________________________
From: [email protected] [mailto:[email protected]]
Sent: Friday, February 06, 2009 12:14 PM
To: NT System Admin Issues
Subject: RE: AD design question

Hi Chris-

I don't particularly like that choice of words, but...

In a single domain forest you need to mark all your DCs as GCs so that they 
listen on 3268. You still need GCs to exist, simply if you query a GC it will 
always return the exact same results as if you query a DC.

You definitely don't need UGC and in general I don't expect hardly anyone needs 
it in a multidomain forest.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

From: Christopher Bodnar [mailto:[email protected]]
Sent: Friday, February 06, 2009 9:52 AM
To: NT System Admin Issues
Subject: AD design question

Working on a design for a Windows 2008 domain. My question is in regards to 
DC/GC placement and use. Specifically if we decide to go with a single domain 
model, it's my understanding that all DCs can authenticate logon requests, GCs 
are not required for logon:


In a single-domain forest, all domain controllers act as "virtual global 
catalog servers" in that they can all respond to any authentication or service 
request.

http://technet.microsoft.com/en-us/library/cc737269.aspx

If this is correct, I would assume that Universal Group Membership caching 
would not be needed either. Can anyone confirm/deny/elaborate on this?

Thank you,




Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003







________________________________

This message, and any attachments to it, may contain information that is 
privileged, confidential, and exempt from disclosure under applicable law. If 
the reader of this message is not the intended recipient, you are notified that 
any use, dissemination, distribution, copying, or communication of this message 
is strictly prohibited. If you have received this message in error, please 
notify the sender immediately by return e-mail and delete the message and any 
attachments. Thank you.
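
As an added example (not written by anyone in the thread), a PowerShell check that every domain controller is flagged as a global catalog and accepts connections on 3268, which is what the reply above recommends for a single-domain forest. It assumes the ActiveDirectory module (RSAT) is installed; `Test-TcpPort` and `Get-GcCoverage` are hypothetical helper names.

```powershell
# Added example: audit GC coverage across all DCs in the current domain.
# Assumption: the ActiveDirectory module (RSAT) is available on this host.
Import-Module ActiveDirectory

# Hypothetical helper: TCP connect test with a timeout, so a filtered port
# does not stall the whole audit.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Hypothetical helper: one result row per DC, with a status that separates
# "GC flag not set" from "flag set but 3268 unreachable".
function Get-GcCoverage {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $listening = Test-TcpPort -ComputerName $dc.HostName -Port 3268
        if (-not $dc.IsGlobalCatalog) {
            $status = 'DC is not marked as a GC'
        } elseif (-not $listening) {
            $status = 'GC flag set but 3268 unreachable'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            IsGlobalCatalog  = $dc.IsGlobalCatalog
            Port3268Open     = $listening
            Status           = $status
        }
    }
}

Get-GcCoverage | Sort-Object Status, DomainController | Format-Table -AutoSize
```

A DC reported as "GC flag set but 3268 unreachable" may still be building its catalog or may sit behind a firewall rule that blocks the port from the host running the check.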










