Active Directory confusion

I'd like some guidance in a couple of 70-640 topics that I can't understand by simply reading about. Anyone want to take a crack at this?

Question #1: Global catalog best practices
I understand that a global catalog can generate large amounts of replication traffic. What do you do if you have 20 sites (let's say they are all connected by T1s, so pretty slow). Where do you place your global catalog? Is it best to have multiple global catalogs or just one?

Question #2: What is the difference between a global group and domain local group?
Climb a mountain, tell no one.

Comments

  • Michael.J.Palmer (Member, Posts: 407)
    1. In a situation like this you'll probably have multiple DCs and Global Catalogs at each of the 20 sites (at least one per site) and each will replicate off of each other. It's never a good idea to just have one Global Catalog anyway, even if you're dealing with just one site. Redundancy is the key to ensuring your AD environment stays up; it's never a bad idea to double up on the important things.

    2. Copied the following from the microsoft technet website.

    Group Scope
    Groups can have different scopes—domain local, built-in local, global, and universal. That is, the groups have different areas in which they are valid.
    • Domain local groups Groups that are used to grant permissions within a single domain. Members of domain local groups can include only accounts (both user and computer accounts) and groups from the domain in which they are defined.
    • Built-in local groups Groups that have a special group scope that have domain local permissions and, for simplicity, are often referred to as domain local groups. The difference between built-in local groups and other groups is that built-in local groups can't be created or deleted. You can only modify built-in local groups. References to domain local groups apply to built-in local groups unless otherwise noted.
    • Global groups Groups that are used to grant permissions to objects in any domain in the domain tree or forest. Members of global groups can include only accounts and groups from the domain in which they are defined.
    • Universal groups Groups that are used to grant permissions on a wide scale throughout a domain tree or forest. Members of global groups include accounts and groups from any domain in the domain tree or forest.
    Source: Understanding User and Group Accounts
    -Michael Palmer
    WGU Networks BS in IT - Design & Management (2nd Term)
    Transfer: BAC1,BBC1,CLC1,LAE1,INC1,LAT1,AXV1,TTV1,LUT1,INT1,SSC1,SST1,TNV1,QLT1,ABV1,AHV1,AIV1,BHV1,BIV1
    Required Courses: EWB2, WFV1, BOV1, ORC1, LET1, GAC1, HHT1, TSV1, IWC1, IWT1, MGC1, TPV1, TWA1, CPW3.
    Key: Completed, WIP, Still to come
  • Essendon (Member, Posts: 4,546)
    Sorry man, too lazy to type ;) so here are some links that I have bookmarked:

    For question 1: Planning Global Catalog Server Placement: Active Directory

    For question 2: Active Directory Users, Computers, and Groups
    NSX, NSX, more NSX..

    Blog >> http://virtual10.com
  • ehnde (Member, Posts: 1,103)
    OK, I get the part about the global catalog. Thanks! The only thing I'm left wondering is why the book talks so extensively about global catalog placement if it's that simple. My book made it seem like you should choose wisely where the global catalog is placed.

    I had to read those definitions for domain local and global groups literally 8 times before it sunk in. In my own words, if I'm understanding this correctly:

    Both domain local and global groups can contain only objects from the domain they are defined in. Domain local groups are used to assign permissions inside a domain. Global groups are used to assign permissions to anything in the forest.

    TYVM guys, this helped a lot.
  • Michael.J.Palmer (Member, Posts: 407)
    Yep, you got it regarding the groups. As for global catalog placement, that's always going to differ based on the size of the AD in the first place. Me personally, whenever I was labbing with VirtualBox I'd just make the DC the Global Catalog as well and be done with it... of course I was never using more than four or five running servers at a time, and the others were hosting DHCP, DNS, etc. But you won't need to worry about complete placements of everything like that until you take (or if you are taking) the 642.
    -Michael Palmer
  • spd3432 (Member, Posts: 224)
    ehnde wrote: »
    OK, I get the part about the global catalog. Thanks! The only thing I'm left wondering is why the book talks so extensively about global catalog placement if it's that simple. My book made it seem like you should choose wisely where the global catalog is placed.

    I had to read those definitions for domain local and global groups literally 8 times before it sunk in. In my own words, if I'm understanding this correctly:

    Both domain local and global groups can contain only objects from the domain they are defined in. Domain local groups are used to assign permissions inside a domain. Global groups are used to assign permissions to anything in the forest.

    TYVM guys, this helped a lot.

    Errr -- no.

    Domain local groups can contain objects from any domain but can only be assigned to resources within their own domain. Think of a funnel -- you pour AD objects from it and other domains into the top and the only exit is to the domain in which it's defined.

    Global groups contain objects from within one domain and can be assigned to resources outside its domain. Think of a sprinkler -- you push the AD objects from your domain into one end and it sprays everywhere.

    ===========

    As for global catalog placement, if you have 'site-aware' applications (Exchange, etc.) then you should have a global catalog at any site in which one of the site-aware application servers resides. Exchange services won't start until they can contact a global catalog server, and they constantly query it while running. Some of the older Microsoft documents give a 'magic' number of 100 users. If a site has more than 100 users, then stick a global catalog there (if you haven't already got one) unless it's got a full-time, always-on, high-speed WAN link to a site with a global catalog.

    Keep the FSMO roles in mind. In a multi-domain forest, unless ALL domain controllers are global catalog servers, you need to keep the global catalog role on a separate DC from the infrastructure master.

    Sean
    ----CCNP goal----
    Route [ ] Studying
    Switch [ ] Next
    Tshoot [ ] Eventually
  • Essendon (Member, Posts: 4,546)
    Why shouldn't you put the GC and Infrastructure Master on the same server? Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold. Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:

    Single domain forest:

    In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.


    Multidomain forest where every domain controller in a domain holds the global catalog:

    If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.

    Great answer there by spd.
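The two placement rules the thread arrives at (one GC per site where it matters, and infrastructure master off the GC unless it is a single-domain forest or every DC in the domain is a GC) can be checked from a domain-joined box. This is an added example, not code from anyone in the thread; it assumes the RSAT ActiveDirectory module is installed and the session can query the current domain.

```powershell
# Added example: audit the GC / infrastructure master placement rule and
# list GC coverage per site. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Exception 1: a single-domain forest has no phantoms, so the rule does not apply.
$singleDomain = ($forest.Domains.Count -eq 1)

# DCs of the current domain only; the rule is evaluated per domain.
$dcs = @(Get-ADDomainController -Filter *)
$gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })

# Exception 2: every DC in this domain also holds the global catalog.
$allDcsAreGc = ($gcs.Count -eq $dcs.Count)

# FQDN of the infrastructure master FSMO holder for this domain.
$im     = $domain.InfrastructureMaster
$imIsGc = ($gcs.HostName -contains $im)

if ($singleDomain) {
    "Single-domain forest: infrastructure master placement does not matter."
}
elseif ($allDcsAreGc) {
    "Every DC in $($domain.DNSRoot) is a GC: infrastructure master placement does not matter."
}
elseif ($imIsGc) {
    Write-Warning "Infrastructure master $im is also a GC and not every DC is a GC: cross-domain references will never be updated."
}
else {
    "OK: infrastructure master $im is not a global catalog server."
}

# Question 1 from the thread: which sites have a GC, and how many.
"GC count per site:"
$gcs | Group-Object Site | Select-Object Name, Count | Format-Table -AutoSize

# Sites with DCs but no GC are the ones to look at against the 'site-aware app' and '100 users' rules.
$sitesWithDc   = $dcs | Select-Object -ExpandProperty Site -Unique
$sitesWithGc   = $gcs | Select-Object -ExpandProperty Site -Unique
$sitesWithoutGc = $sitesWithDc | Where-Object { $sitesWithGc -notcontains $_ }
if ($sitesWithoutGc) { "Sites with a DC but no GC: $($sitesWithoutGc -join ', ')" }
```

Run it once per domain in a multi-domain forest, since Get-ADDomainController without -Server only returns the current domain's DCs.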