All servers that are DCs are assigned a RID pool, and for a good length of time users can continue to change passwords, add workstations, etc. The key, like you say, is the GC. I have been involved in a situation where we cut off ALL FSMO roles. We created a second domain just by putting up a firewall and not allowing the domain controllers on one side of the firewall to talk to the domain controllers on the other side of the firewall. We waited a couple of weeks to make sure there were no problems and we then seized all roles in the second domain. I wouldn't recommend this, but there was never a loss of anything. Users never even realized what happened even though we split the company off. It was fast, cheap (time wise) and effective.

Thanks

Paul

-----Original Message-----
From: Corné Bogaarts [mailto:c.bogaarts@xxxxxxxxx]
Sent: Tuesday, March 16, 2004 5:21 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: slightly OT: ActiveDirectory resilience

For a Windows 2000 Domain:
http://support.microsoft.com/default.aspx?scid=kb;en-us;255690

For a Windows 2003 Domain:
http://support.microsoft.com/default.aspx?scid=kb;en-us;324801

13-3-2004 18:23:05, "Rob Beekmans" <RobBeekmans@xxxxxxxxxxxxx> wrote:
>I've had that experience where the DC/GC crashed with other DCs available.
>And even though it looked like users could log on normally, after a few
>hours of joy and happiness the complaints started to roll in. We transferred
>the roles just before the servers crashed and thought we were on safe ground,
>but somehow the first installed server has some hidden special tasks that
>you can't transfer....
>
>If the first server dies, all dies.....
>We did a complete reinstall of the domain, a new domain....quickest solution
>for them...
>
>
>
>Met vriendelijke groeten / With kind regards
>
>Rob Beekmans
>Technical Consultant
>A-Tree Automatisering
>
>Business Phone: +31 24 6452000
>Business Fax: +31 24 6450463
>Business website: http://www.a-tree.nl
>Business E-mail: R.Beekmans@xxxxxxxxx
>
>Private E-mail: RobBeekmans@xxxxxxxxxxxxx
>Private website: http://joulupukki.nl
>
>
>
>-----Original Message-----
>From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On behalf of Corné Bogaarts
>Sent: Saturday, 13 March 2004 18:11
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Re: slightly OT: ActiveDirectory resilience
>
>
>Assume the DC holding the GC role crashed. As the remaining DC cannot verify
>whether the user account is a member of a Universal group in another domain,
>logon should be impossible in this case. This is by design.
>
>(Attempt at an) explanation: an administrator can put 'deny' permissions on
>resources for a Universal group. Assume some user is a member of such a Universal
>group and knows about this configuration. He/she might BSOD the GC. Assume
>logon in that case would still be possible. Then the user would be able to
>gain access to the resource that (s)he had been specifically denied.
>
>
>11-3-2004 11:25:19, Brian Lilley <Brian.Lilley@xxxxxxxxxxxxx> wrote:
>
>>"A termite walks into a bar and says s'the bar tender here?"
>>
>>My customer has a two domain controller Win2k AD based forest hosting a
>>Citrix FR3 farm. For reasons best known to the customer, they have a
>>totally separate Win2k AD forest which hosts an NT4 workstation base.
>>
>>Some bloke in the pub told them that if their first DC, which held all
>>five operational master roles plus the global catalogue function,
>>failed, then users would be unable to logon?? I disagree with this
>>comment because the failure of the three forest wide master roles plus
>>the GC should not prevent user logon.
>>It may prevent, in some circumstances, problems adding objects?? Other than that, I imagine
>>that the domain would continue normally.
>>
>>As far as I am concerned, the GC simply holds a subset of the 'domain
>>partition' bit of the Active Directory databases from other domains
>>within the same forest and would have no bearing on logon??
>>
>>Please tell me I am right....
>>
>>
>>Brianos McChips
>>
>>
>
>********************************************************
>This week's sponsor Emergent Online.
>Emergent OnLine is the leading server-based computing consulting integration firm in the nation. Emergent OnLine delivers expert
>consulting services you can depend on.
>http://www.go-eol.com
>**********************************************************
>Useful Thin Client Computing Links are available at:
>http://thin.net/links.cfm
>***********************************************************
>For Archives, to Unsubscribe, Subscribe or
>set Digest or Vacation mode use the below link:
>http://thin.net/citrixlist.cfm
>
>
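Added example, not part of the thread and not anyone's posted code: a small Python model of the logon-token and access-check logic behind Corné's deny-on-a-Universal-group argument. Group scopes (global and domain-local membership is stored in the user's own domain; Universal membership is only resolvable through the GC) and the ACE evaluation order follow Windows in simplified form. The user, groups, SIDs and ACL are constructed for the example, and `require_gc` is an assumed switch that models the two behaviours the thread contrasts: refusing the logon when no GC answers, versus issuing a token with the Universal groups missing. It goes one step beyond the thread by showing all three outcomes side by side: GC online, GC down with the logon refused, and GC down with the deny ACE silently bypassed.

```python
from dataclasses import dataclass


class GcUnavailable(Exception):
    """Raised when Universal group membership cannot be resolved (no GC reachable)."""


@dataclass(frozen=True)
class Group:
    sid: str
    scope: str          # "global", "domainlocal" or "universal"
    domain: str         # domain that hosts the group object
    members: frozenset  # member SIDs


@dataclass(frozen=True)
class Ace:
    ace_type: str       # "allow" or "deny"
    sid: str
    rights: frozenset


class Forest:
    """Toy forest: a flat list of groups plus a flag for whether a GC is reachable."""

    def __init__(self, groups, gc_online=True):
        self.groups = list(groups)
        self.gc_online = gc_online

    def domain_memberships(self, user_sid, domain):
        # Global and domain-local groups live in the user's own domain partition,
        # so any DC of that domain can enumerate them without help.
        return {g.sid for g in self.groups
                if g.domain == domain and g.scope != "universal" and user_sid in g.members}

    def universal_memberships(self, user_sid):
        # Universal group membership is only resolvable through the GC partial
        # replica of every domain; without a GC a plain DC cannot answer this.
        if not self.gc_online:
            raise GcUnavailable("no Global Catalog reachable")
        return {g.sid for g in self.groups if g.scope == "universal" and user_sid in g.members}


def build_token(forest, user_sid, domain, require_gc=True):
    """Return the SID set a DC would place in the user's logon token.

    require_gc=True (assumed default) models refusing the logon when Universal
    membership cannot be resolved. require_gc=False models the unsafe alternative
    the thread argues against: issue an incomplete token and carry on.
    """
    sids = {user_sid} | forest.domain_memberships(user_sid, domain)
    try:
        sids |= forest.universal_memberships(user_sid)
    except GcUnavailable:
        if require_gc:
            raise
    return frozenset(sids)


def access_check(acl, token, requested):
    """Simplified Windows-style DACL evaluation: ACEs in order, a matching deny
    on any requested right wins, allows accumulate until everything is granted."""
    granted = set()
    for ace in acl:
        if ace.sid not in token:
            continue
        if ace.ace_type == "deny" and ace.rights & requested:
            return False
        if ace.ace_type == "allow":
            granted |= ace.rights
            if requested <= granted:
                return True
    return requested <= granted


# Constructed sample data (assumed for the example, not from the thread).
ALICE = "S-1-5-21-100-1001"
STAFF = Group("S-1-5-21-100-2001", "global", "corp.example", frozenset({ALICE}))
# A Universal group hosted in another domain of the forest, used only to deny.
NO_FINANCE = Group("S-1-5-21-200-3001", "universal", "eu.corp.example", frozenset({ALICE}))
FINANCE_SHARE_ACL = [
    Ace("deny", NO_FINANCE.sid, frozenset({"read"})),   # deny ACEs first (canonical order)
    Ace("allow", STAFF.sid, frozenset({"read"})),
]


def check_finance_access(gc_online, require_gc=True):
    """Log Alice on and try to read the share; returns 'denied', 'granted' or 'logon refused'."""
    forest = Forest([STAFF, NO_FINANCE], gc_online=gc_online)
    try:
        token = build_token(forest, ALICE, "corp.example", require_gc)
    except GcUnavailable:
        return "logon refused"
    return "granted" if access_check(FINANCE_SHARE_ACL, token, {"read"}) else "denied"


if __name__ == "__main__":
    print("GC online:               ", check_finance_access(True))          # denied
    print("GC offline, GC required: ", check_finance_access(False))         # logon refused
    print("GC offline, GC ignored:  ", check_finance_access(False, False))  # granted (deny bypassed)
```

The third line of output is the case Corné describes: with the GC gone and the DC still willing to issue a token, the Universal group SID is simply absent, so the deny ACE never matches and the allow on the global group carries the day. Refusing the logon is the conservative choice precisely because a token built without the GC cannot be trusted to be complete.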