A Nice Domain\Forest Question

BF2Mad Member Posts: 171

Not totally Cert related but I need some help with this question.

If I have two domains in the same forest, with 1 domain controller for each domain I understand that the Global Catalogue gets replicated to all domain controllers in a forest (correct me if I am wrong)

My question is, with the above set-up, as the same global catalogue sits on both Domain Controllers, will either domain controller be able to deal with requests for both domains?

So if one of the domain controllers goes down, will both domains still function?

Obviously in a production environment you would have more than one domain controller for each domain

Phil


  • strauchr Member Posts: 528
    The Global Catalogue is only replicated to Domain Controllers marked as a Global Catalogue Server (set in AD Sites and Services)

    You need at least one GC in each domain which is by default the first Domain Controller in a domain. In your setup all DCs will be a GC.

    While the Global catalogue holds information for the entire forest users will not be able to authenticate to a domain that has no Domain Controllers running (in theory).

    If you have the opportunity this would be a good experiment to try and run to see what happens but officially the domain without a DC should not function, regardless of a GC.
  • BF2Mad Member Posts: 171
    Thanks for the reply.

    I think you are right, the only way to make sure is to give it a test.

    I will try this out and let you know.

    Does anyone else have anything to add?
  • BF2Mad Member Posts: 171
    What if there was a two-way trust between the domains? Do you think that would make a difference?
  • sprkymrk Member Posts: 4,884
    In AD all domains in the same forest have an automatic transitive trust (2-way). Someone please correct me if I am wrong...
    All things are possible, only believe.
  • TeKniques OSCE, OSCP, CISSP, CISA, SSCP, MCSE (03), Security+, Network+, A+, Project+ Member Posts: 1,262
    Just thought I would suggest here that it is best to have at least 2 DC's in each site.
    sprkymrk wrote:
    In AD all domains in the same forest have an automatic transitive trust (2-way). Someone please correct me if I am wrong

    That is correct. Two-way transitive trust I believe.
  • Lee H Member Posts: 1,135

    some info on what exam I would be studying to gain all knowledge surrounding this question, I only have a very basic understanding of multi-domain transitive trusts

    Lee H
  • BF2Mad Member Posts: 171
    I have not got that far yet but I would guess 70-297 (MCSE) would cover this subject

    MCSE guys is that correct?
  • eurotrash Member Posts: 817
    Or the 294.
    witty comment
  • evanderburg Member Posts: 229
    The GC alone would not be enough to authenticate for another domain. It contains forest information but not at the level that a domain does. It contains more sparse information.
    "You can never know everything and part of what you know is always wrong. Perhaps even the most important part. A portion of wisdom lies in knowing that. A portion of courage lies in going on anyway. " - Lan, Winter's Heart by Robert Jordan
  • BF2Mad Member Posts: 171

    Thanks Guys!!

    I have since tested (and read everything) and found the same: while the Global Catalogue is replicated to all DCs in a forest, it does not contain enough information.

    At least one active DC is required per domain for users to be authenticated to that domain.

    2 way trusts are auto setup between domains in the same forest.

    How about this then.

    Can DHCP servers load balance? I know with 2003 Advanced Server you can cluster a couple of servers, but is there another way to add redundancy if you have 2 DHCP servers and one goes down?

    I have read about the 80/20 rule but cannot get my head around it and how that would add redundancy or load balancing. Can anyone explain???
  • sprkymrk Member Posts: 4,884
    In the NT4 days the rule was something like 70/30 or 60/40. In other words, set up your scope on a primary DHCP server and include 60-70% of your addresses on this server, which is hopefully almost enough to cover the whole network. Then you set up a second DHCP server with the remaining 30-40% of your addresses. The theory was that if either one failed, the other server would have enough addresses to assign any expired leases until you could get the primary server back up and running.
    All things are possible, only believe.
  • BF2Mad Member Posts: 171

    From what I have read, both DHCP servers have the same scope but with IP addresses excluded from the scope, e.g.

    DHCP Server 1
    Scope: to
    Exclude: to

    DHCP Server 2
    Scope: to
    Exclude: to

    The ratio is wrong but is that the idea?

    If DHCP Server 1 falls over, how does DHCP Server 2 take over DHCP Server 1's IPs? Is it automatic or a manual thing?

    (full of questions today)

    Thanks again
  • BF2Mad Member Posts: 171

    It has just clicked, I get it now.
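
The split-scope arrangement discussed in the last few posts, worked through as an added example (not posted by anyone in the thread): both servers define the same scope and each excludes the share the other serves. The address range and the names `split_scope`, `leasable` and `check` are constructed for illustration.

```python
import ipaddress

def split_scope(first, last, primary_share=0.8):
    """Plan a split scope: same scope on both servers, complementary exclusions."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    total = hi - lo + 1
    if total < 2:
        raise ValueError("scope needs at least two addresses to split")
    # Clamp so each server keeps at least one address even at extreme ratios.
    n_primary = max(1, min(total - 1, round(total * primary_share)))
    cut = lo + n_primary          # first address handed out by server 2
    ip = lambda n: str(ipaddress.IPv4Address(n))
    return {
        "scope": (ip(lo), ip(hi)),
        "server1": {"excludes": (ip(cut), ip(hi))},      # leases lo .. cut-1
        "server2": {"excludes": (ip(lo), ip(cut - 1))},  # leases cut .. hi
    }

def leasable(plan, server):
    """Addresses a server may lease: the scope minus its own exclusion range."""
    s_lo, s_hi = (int(ipaddress.IPv4Address(a)) for a in plan["scope"])
    e_lo, e_hi = (int(ipaddress.IPv4Address(a)) for a in plan[server]["excludes"])
    return {n for n in range(s_lo, s_hi + 1) if not e_lo <= n <= e_hi}

def check(plan):
    """Verify no address is offered twice and none is left unserved."""
    a, b = leasable(plan, "server1"), leasable(plan, "server2")
    s_lo, s_hi = (int(ipaddress.IPv4Address(x)) for x in plan["scope"])
    return {
        "overlap": len(a & b),   # must be 0, or two servers lease the same IP
        "unserved": (s_hi - s_lo + 1) - len(a | b),
        # A surviving server leases only from its own share; nothing moves
        # the failed server's addresses across to it.
        "left_if_server1_down": len(b),
        "left_if_server2_down": len(a),
    }

if __name__ == "__main__":
    plan = split_scope("192.168.1.10", "192.168.1.209")  # constructed range
    print(plan)
    print(check(plan))
```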
