[THIN] Re: slightly OT: ActiveDirectory resilience

  • From: "Rob Beekmans" <RobBeekmans@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Sat, 13 Mar 2004 18:23:05 +0100

I've had that experience where the DC/GC crashed with other DCs available.
And even though it looked like users could log on normally, after a few
hours of joy and happiness the complaints started to roll in. We transferred
the roles just before the servers crashed and thought we were on safe ground
but somehow the first installed server has some hidden special tasks that
you can't transfer....

If the first server dies, all dies.....
We did a complete reinstall of the domain, a new domain....quickest solution
for them...



With kind regards

Rob Beekmans
Technical Consultant
A-Tree Automatisering

Business Phone: +31 24 6452000
Business Fax: +31 24 6450463
Business website: http://www.a-tree.nl
Business E-mail: R.Beekmans@xxxxxxxxx

Private E-mail: RobBeekmans@xxxxxxxxxxxxx
Private website: http://joulupukki.nl



-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On behalf of
Corné Bogaarts
Sent: Saturday, 13 March 2004 18:11
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: slightly OT: ActiveDirectory resilience


Assume the DC holding the GC-role crashed. As the remaining DC cannot verify
whether the user-account is a member of a Universal group in another Domain,
logon should be impossible in this case. This is by design.

(Attempt at an) explanation: an administrator can put 'deny'-permissions on
resources for a Universal group. Assume some user is a member of such a
Universal group and knows about this configuration. He/She might BSOD the GC.
Assume logon in that case would still be possible. Then the user would be able
to gain access to the resource that (s)he had been specifically denied.


11-3-2004 11:25:19, Brian Lilley <Brian.Lilley@xxxxxxxxxxxxx> wrote:

>"A termite walks into a bar and says s'the bar tender here?"
>
>My customer has a two domain controller win2k AD based forest hosting a
>citrix fr3 farm.  For reasons best known to the customer, they have a
>totally separate win2k AD forest which hosts an NT4 workstation base.
>
>Some bloke in the pub told them that if their first dc which held all
>five operational master roles plus the global catalogue function
>failed, then users would be unable to logon??  I disagree with this
>comment because the failure of the three forest wide master roles plus
>the GC should not prevent user logon.  It may prevent, in some
>circumstances, problems adding objects??  Other than that, I imagine
>that the domain would continue normally.
>
>As far as I am concerned, the GC simply holds a subset of the 'domain
>partition' bit of the active directory databases from other domains
>within the same forest and would have no bearing on logon??
>
>Please tell me I am right....
>
>
>Brianos McChips
>
>
