I've had that experience where the DC/GC crashed with other DCs available. And even though it looked like users could log on normally, after a few hours of joy and happiness the complaints started to roll in. We transferred the roles just before the servers crashed and thought we were on safe ground, but somehow the first installed server has some hidden special tasks that you can't transfer....

If the first server dies, all dies.....

We did a complete reinstall of the domain, a new domain.... quickest solution for them...

With kind regards

Rob Beekmans
Technical Consultant
A-Tree Automatisering
Business Phone: +31 24 6452000
Business Fax: +31 24 6450463
Business website: http://www.a-tree.nl
Business E-mail: R.Beekmans@xxxxxxxxx
Private E-mail: RobBeekmans@xxxxxxxxxxxxx
Private website: http://joulupukki.nl

-----Original message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On behalf of Corné Bogaarts
Sent: Saturday 13 March 2004 18:11
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: slightly OT: ActiveDirectory resilience

Assume the DC holding the GC-role crashed. As the remaining DC cannot verify whether the user-account is member of a Universal group in another Domain, logon should be impossible in this case. This is by design.

(Attempt at an) explanation: an administrator can put 'deny'-permissions on resources for a Universal group. Assume some user is a member of such a Universal group and knows about this configuration. He/She might BSOD the GC. Assume logon in that case would still be possible. Then the user would be able to gain access to the resource that (s)he had been specifically denied.

11-3-2004 11:25:19, Brian Lilley <Brian.Lilley@xxxxxxxxxxxxx> wrote:

>"A termite walks into a bar and says s'the bar tender here?"
>
>My customer has a two domain controller win2k AD based forest hosting a
>citrix fr3 farm. For reasons best known to the customer, they have a
>totally separate win2k AD forest which hosts an NT4 workstation base.
>
>Some bloke in the pub told them that if their first dc which held all
>five operational master roles plus the global catalogue function
>failed, then users would be unable to logon?? I disagree with this
>comment because the failure of the three forest wide master roles plus
>the GC should not prevent user logon. It may prevent, in some
>circumstances, problems adding objects?? Other than that, I imagine
>that the domain would continue normally.
>
>As far as I am concerned, the GC simply holds a subset of the 'domain
>partition' bit of the active directory databases from other domains
>within the same forest and would have no bearing on logon??
>
>Please tell me I am right....
>
>
>Brianos McChips
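
Added example, not part of the original thread: a simplified Python model of the deny-permission argument in Corné Bogaarts's message above, comparing a logon that is refused when no GC is reachable with a hypothetical one that proceeds without universal groups. The user names, group names, ACL and the `fail_open` switch are constructed for illustration; real Windows token building and access checks are more involved.

```python
from dataclasses import dataclass


class GCUnavailable(Exception):
    """No global catalog could be reached to expand universal groups."""


@dataclass(frozen=True)
class Ace:
    kind: str  # "deny" or "allow"
    sid: str   # group or user the entry applies to


# Constructed directory data (assumption, not from the thread).
DOMAIN_GROUPS = {"alice": {"Domain Users"}, "bob": {"Domain Users"}}
# Universal group membership: only the GC can answer this for the forest.
UNIVERSAL_GROUPS = {"alice": {"U-NoPayroll"}, "bob": set()}

# Deny entry for the universal group listed ahead of the broad allow.
PAYROLL_DACL = [Ace("deny", "U-NoPayroll"), Ace("allow", "Domain Users")]


def build_token(user, gc_online, fail_open=False):
    """Return the set of identities placed in the user's logon token."""
    sids = {user} | DOMAIN_GROUPS[user]
    if gc_online:
        return sids | UNIVERSAL_GROUPS[user]
    if fail_open:
        # Hypothetical behaviour: log on anyway, universal groups missing.
        return sids
    # Behaviour described in the thread: refuse the logon.
    raise GCUnavailable(user)


def access_check(token, dacl):
    """Walk the entries in order; the first one matching the token decides."""
    for ace in dacl:
        if ace.sid in token:
            return ace.kind == "allow"
    return False  # no matching entry: implicit deny


def can_read_payroll(user, gc_online, fail_open=False):
    try:
        token = build_token(user, gc_online, fail_open)
    except GCUnavailable:
        return False  # no token, so no session and no access
    return access_check(token, PAYROLL_DACL)
```

With the GC down, the fail-open variant gives alice a token that no longer matches the deny entry, so the allow for Domain Users applies; refusing the logon keeps the deny effective at the cost of locking out bob as well.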