Global Catalog?

    Question

  • Greetings!

    We have set up a 2008 R2 x64 server in our company.
    -We promoted this server to a DC
    -We added AD roles
    -We have transferred FSMO roles to this server
    -We have added the DNS role on this server

    Question:
    This server is going to be our primary DC, because the old one is eventually going to be shut down completely.
    We must still export and import DHCP to the new server. But the problem/question is about the global catalog.
    We have one forest, 2 domains. In primary domain three DC's (this new server is one of them), and in child domain we have 2 DC's.

    -Is it wrong if the new server holds the GLOBAL CATALOG? I read somewhere about FSMO roles and Global Catalog together, not recommended?
    -Would it be wrong if every DC in our company would be a GLOBAL CATALOG?

    With best regards,

    Bostjan


    bostjanc
    Thursday, February 10, 2011 1:11 PM

Answers

  • You have two domains. You need one Schema Master and one Domain Naming Master in the forest. It is usually recommended that these roles reside on DC's in the root domain, but it is not required. You need one PDC Emulator, RID Master, and Infrastructure Master for each domain. In this case, in both of your domains, either all DC's should be GC's, or the Infrastructure Master should be on a DC that is not a GC.

    In a domain with one DC, of course, all 5 FSMO roles and the GC are on the same DC. When there is more than one DC some like to keep all roles on one DC, others like to have one FSMO role per DC. With 2 DC's (and one domain) I like to have the PDC Emulator, RID Master, and Infrastructure Master on one DC, and I place the Schema Master and Domain Naming Master roles on the other DC. In your child domain, assuming the Schema Master and Domain Naming Master are in the root domain, I think you can split up the remaining 3 roles any way you wish. The most critical role for user impact is the PDC Emulator role, since users may not be able to change passwords if the DC with this role is not available. For latest guidance I know of, see this article:

    http://support.microsoft.com/kb/223346

    Richard Mueller


    MVP ADSI
    Monday, February 14, 2011 3:46 PM
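
The placement rule in the answer above (per domain, either every DC is a GC or the Infrastructure Master sits on a DC that is not a GC) and the question further down about how to see which DCs are GCs can both be checked from PowerShell. This is an added example, not part of the original thread; it assumes the ActiveDirectory module is available (Windows Server 2008 R2 or RSAT), and the function name `Test-InfrastructureMasterPlacement` is hypothetical.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    # $DomainControllers: the DCs of ONE domain, as objects exposing HostName,
    # IsGlobalCatalog and OperationMasterRoles (what Get-ADDomainController returns).
    param([Parameter(Mandatory = $true)] [object[]] $DomainControllers)

    # DCs that are not global catalogs
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    # The DC holding the per-domain Infrastructure Master role
    $im = @($DomainControllers |
              Where-Object { $_.OperationMasterRoles -contains 'InfrastructureMaster' })[0]

    if (-not $im) {
        return 'UNKNOWN: Infrastructure Master not found among the listed DCs'
    }
    if ($nonGc.Count -eq 0) {
        return 'OK: every DC in the domain is a GC'
    }
    if (-not $im.IsGlobalCatalog) {
        return "OK: Infrastructure Master $($im.HostName) is not a GC"
    }
    # Infrastructure Master is a GC while other DCs are not: the combination
    # the warning dialog quoted later in this thread complains about.
    return "CONFLICT: $($im.HostName) is Infrastructure Master and GC, non-GC DCs: " +
           (($nonGc | ForEach-Object { $_.HostName }) -join ', ')
}

# Walk every domain in the forest (root and child), list each DC's GC flag
# and FSMO roles, then apply the rule per domain.
foreach ($domain in (Get-ADForest).Domains) {
    $dcs = @(Get-ADDomainController -Filter * -Server $domain)

    $dcs | Sort-Object HostName |
        Format-Table HostName, Site, IsGlobalCatalog,
            @{ Name = 'FsmoRoles'; Expression = { $_.OperationMasterRoles -join ', ' } } -AutoSize

    '{0}: {1}' -f $domain, (Test-InfrastructureMasterPlacement -DomainControllers $dcs)
}
```

Run it with an account that can read both domains; it only reads directory data and changes nothing.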

All replies

  • Global catalogs are a bit like an index for your AD, having partial data of your objects for quick lookups. It's not wrong to have every DC be a global catalog, but it can cause strain (replication of the GC partition) on your resources in big AD environments. I haven't heard so far that a GC on an FSMO DC isn't recommended; in fact, the first DC you create will hold the FSMO roles and will be a GC.
    Friday, February 11, 2011 9:17 AM
  • How can I easily check which DCs are currently holding the Global Catalog "role" ?
    bostjanc
    Friday, February 11, 2011 10:51 AM
  • In your AD Users and Computers console you have the entry Domain Controllers; select your DC's properties, and there's DC Type, e.g. Global Catalog. On this dialog you have the button NTDS Settings, where you can check if a DC is supposed to be a GC or not (you can also reach the NTDS settings via the Sites and Services console).
    Friday, February 11, 2011 10:56 AM
  • When I try to give this new DC the GC role I receive a warning:

    The AD DC is serving as the infrastructure master role for this domain. The infrastructure master role should not be placed on an AD DC that is also a global catalog server unless all AD DCs in the domain are global catalog servers.

     


    bostjanc
    Friday, February 11, 2011 12:38 PM
  • Hmm, OK, looks like I was wrong. http://support.microsoft.com/kb/248047/en-us describes in the last section a potential conflict between the GC and the infrastructure master.
    Friday, February 11, 2011 1:37 PM
  • Hi FZB!

    I have read the link you have provided. If I understand right, the primary DC should be a GLOBAL catalog and our backup domain controller should hold the FSMO roles. What will happen if any of them would be down for a limited time?


    bostjanc
    Friday, February 11, 2011 1:55 PM
  • The infrastructure master maintains references to objects in other domains. If you have only one domain, the infrastructure master has nothing to do. In a single domain forest it is common to make every DC a GC, including the infrastructure master.

    Richard Mueller


    MVP ADSI
    Monday, February 14, 2011 1:58 AM
  • Thank you for all your replies.

    As I have mentioned in previous posts, we have 1 forest, 1 domain and inside this domain one child domain.

    Child domain has 2 DC's, primary domain has 3 DC's. What would be the most recommended MS settings in other words:

    Which DC's should be GC, and which DC should have FSMO role?

     

    With best regards,


    bostjanc
    Monday, February 14, 2011 7:06 AM