[gptalk] Re: Temporarily running without a GC ...how to prepare for it.

  • From: "Mills, Mark" <Mark.Mills@xxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 21 Sep 2006 17:10:00 -0500

Thanks for the info Omar - you have a substantial amount of information
there which obviously shows your expertise in the matter.  From what I
gather when the clients can't find a local GC, DC, or ISTG server in
their site, they will then look outside their site for information. I
guess that means that they may still use a GC from another site as long
as the link between sites is up.  Obviously if the Exchange server is
not in the same site and the site link is down, then the users are
pretty well hosed for sending email, but if they were in cached mode
they would still have their contact list, calendar and a copy of all
email prior to the disaster. 


I guess as an admin you do what you can (within budget) and make sure
you have analyzed possible disaster scenarios before they happen.
Thanks again for all your help. 


Mark Mills 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Omar Droubi
Sent: Thursday, September 21, 2006 4:59 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Temporarily running without a GC ...how to prepare
for it.




Universal group caching helps out with logons in remote sites that do
not have a GC local.


Your Exchange server does also require a GC and if there is no GC in the
AD site that Exchange is located in, you will have many issues.


For your users with O2k3 in Cached mode: if they do not have a local GC,
the Exchange server will prompt them for logon and validate that against
the DC Exchange is using (check Exchange System Manager, server
properties, Directory Access tab). If the Exchange server does not have a
DC in the local AD site for the particular domain your user's AD account
is located in, it will do a DNS lookup for a DC in the particular domain
and pass the authentication check to that DC.


So in short, as long as the DCs and GCs are functioning in the same AD
site as the E2k3 server, the worst thing that will happen to your Outlook
2003 cached users is that they may be prompted for user ID and
password. This of course assumes that DNS resolution and probably DHCP
is still functional. Please remember that if there is no local DC, the
client will attempt to connect to a remote DC if the DNS server that
this client is using is still functional.


Most O2k3 cached mode operations involve the local machine and the
Exchange server. If for some reason your user wished to browse the
address book and he/she chooses an address book other than the GAL or
the Outlook Address Book, then the request will go to the GC that
Exchange server has in its directory access list.


Now on a separate note: the GP setting that you are referencing (cached
logon) I think is misleading, unless I have it mixed up. I believe that
setting is used to set the number of different users that are allowed to
log on to that particular machine using cached credentials if there is no
available DC to authenticate them. This has nothing to do with the
registry setting for the universal group caching.


I would be hesitant to add that key if your organization uses any
Universal Security groups (which may be used for resource access to
Exchange Public folders, etc.).


Hope that is helpful and makes sense.





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mills, Mark
Sent: Thursday, September 21, 2006 2:39 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Temporarily running without a GC ...how to prepare for

Just curious, I just read the following article:


How to disable the requirement that a global catalog server be available
to validate user logons

http://support.microsoft.com/kb/241789

I've been told this method is called running with Universal Group
caching and works best with sites of less than 100 users.


Does this mean that if for some reason your GC goes down (or maybe just
the link to them) your users can continue to work as normal, providing
that their Outlook is in "Exchange Cached Mode", or do you still need to
make sure that the Group Policy for cached logons is greater than the
default "10" in a PC's local security policy?

That default "10" cached logon is found at Computer Configuration ->
Windows Settings -> Security Settings -> Local Policies -> Security
Options -> Interactive Logons

So if I had to run without a GC (temporarily) and users were using
Universal Group Caching, and the users had their Outlook set to run in
"Exchange Cache Mode", would the downed GC have any effect on them?


I'm always trying to stay abreast of what I would do if the unthinkable
happens.  I have multiple GC's in each site so this should never be a
problem - however if it did happen, I would like to know what to do to
keep the users up and running (without down time) while I would be
repairing the GC's (or link to them) 


Mark Mills 

