Best of Q&A from our TechNet Webcast: Successfully Implementing a Complex Active Directory Design (Level 200)

Planning a BIG Forest... Earlier today I delivered a webcast (content number ADD-03) on considerations for planning a complex AD design. I thought I’d post some of the Q&A here, and maybe expand on some of the answers as well.

Thanks again to Blain Barton, Chris Avis, and Rob Westover, for helping out in a pinch to handle Q&A for all of us. 

Also, if you’re interested, here is the Resource Document I put together for this webcast. 

“Cross-forest GPOs: can I use local resources in forest #2 with a forest #1 GPO? Should the users from forest #1 have ACL & share permissions so they can access the resources there, instead of having them access the resources back in forest #1 across a WAN connection? Looking for some advice.”

Re: GPOs working cross-forest… this is not possible. Group Policy objects are defined in a domain and apply to that domain’s member machines and users at the site, domain, OU, or sub-OU level. If you want Group Policy objects to exist or be applied in other forests, back them up from the domain where they were created and then IMPORT them into pre-existing or newly created Group Policy objects in the other forest.
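As an added example (not part of the webcast or this post), the following PowerShell performs the back-up-then-import step described above with the GroupPolicy module’s Backup-GPO and Import-GPO cmdlets; the domain, server, GPO and path names are placeholders, and the migration table is assumed to have been built beforehand in GPMC.

```powershell
# Added example: copy a GPO from forest 1 to forest 2 by backup + import.
# Assumes the GroupPolicy module (RSAT/GPMC) is installed and that every
# name below is a placeholder for your own environment.
Import-Module GroupPolicy

$SourceDomain = 'corp.forest1.example'        # assumed source domain (forest 1)
$SourceDC     = 'dc01.corp.forest1.example'   # assumed DC to read from
$TargetDomain = 'corp.forest2.example'        # assumed target domain (forest 2)
$TargetDC     = 'dc01.corp.forest2.example'   # assumed DC to write to
$GpoName      = 'Workstation Baseline'        # assumed GPO name
$BackupPath   = 'C:\GPOBackups'               # assumed backup folder
$MigTable     = "$BackupPath\forest1-to-forest2.migtable"  # assumed, built in GPMC

New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# 1. Back up the GPO in the domain where it was created (forest 1).
$backup = Backup-GPO -Name $GpoName -Path $BackupPath `
            -Domain $SourceDomain -Server $SourceDC `
            -Comment "Export for import into $TargetDomain"

# 2. Import the backed-up settings into a GPO in forest 2. Security principals
#    and UNC paths embedded in the settings belong to forest 1; the migration
#    table maps them to forest 2 equivalents so the imported policy does not
#    carry SIDs or paths that do not exist in the target forest.
$params = @{
    BackupId       = $backup.Id
    Path           = $BackupPath
    TargetName     = $GpoName
    Domain         = $TargetDomain
    Server         = $TargetDC
    CreateIfNeeded = $true
}
if (Test-Path $MigTable) { $params['MigrationTable'] = $MigTable }
$imported = Import-GPO @params

# 3. Verify: the two GPOs are separate objects with different GUIDs, because
#    an import produces a copy in forest 2, not a cross-forest link.
$source = Get-GPO -Name $GpoName -Domain $SourceDomain -Server $SourceDC
'Source GPO {0} ({1}) -> target GPO {2} ({3})' -f $source.DisplayName, $source.Id,
    $imported.DisplayName, $imported.Id
```

If the migration table is missing, Import-GPO still succeeds but copies forest 1 principals verbatim, so check the imported GPO’s security settings before linking it.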

As for your ACL question… well, that’s the beauty of forest trusts. As long as Forest 2 trusts Forest 1, your users in Forest 1 can be granted access to resources in Forest 2.

I am not sure if that answers all of your question.  If you have more, please contact me here or email me.

“I have a site without a DC. How can I force a client at that site to logon through a particular DC?”

If you have defined your site links properly, then the user should log on using the path to the nearest (least-cost path) DC. However, as one of my Q&A helpers pointed out, there are situations where you can, for example, tell Outlook to contact a particular GC:

“In some situations, you may notice excessive network traffic when Microsoft Outlook attempts to contact the global catalog server. This article describes how to configure Outlook to a specific global catalog server or to the closest global catalog server. Note: If the global catalog server and the Exchange Server computer are in the same site as the Outlook client, you do not need to make this registry setting. The normal referral mechanism provides the best performance.” Check out: https://support.microsoft.com/default.aspx?scid=kb;en-us;319206

“Do you recommend creating a site corresponding to a VLAN where there is no DC at the remote site for a group of 20 users (the 20 users have a different VLAN or network ID)?”

You should at least apply Global Catalog caching, but I would make every attempt to have a DC in each site, purely for authentication reasons. The latency caused by authentication traffic just becomes too burdensome.

“Is there a source for these numbers being presented?”

Check this blog entry for the resources supporting the numbers presented.

“Can you briefly explain what a schema master is? We have not run into any usage of that particular term. We run a single domain.”

The domain controller that holds the schema master role is the only domain controller that can perform write operations to the directory schema. Schema updates are replicated from the schema master to all other domain controllers in the forest.

“What happens when the needed bandwidth grows to exceed the allotted bandwidth?”

Traffic slows to levels below the desired targets.

“Which Performance monitors should I use to analyze AD replication traffic?”

Start Here --> https://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd02.mspx
