GC server failure scenario
Jonoplunk 2004-02-05, 9:15 am

Need some clarification please. I am working through a question.
A forest with 2 native mode domains: domainA.com and domainB.com. There are 3 DCs in each domain. Domain B's Global Catalogue DC server dies. What will the effect be on users that log in at domain B?
The answer says that the members of DomAdmins can log in and users with previously cached logins can log in. This I agree with. Lastly they say that the users can access resources in DomainA.com. This I don't understand, as I thought that the user needed to be authenticated in his own domain before being allowed to access resources in another domain.
Please can someone clarify this? I have been looking at the various websites, yet cannot seem to get a definite answer for this scenario.
Starting to think that this might be a badly worded answer, meaning that the users (being in Domain A) can access the resources in Domain A.
Blubells 2004-02-05, 11:56 am

If you're looking at the same question I am, it states "Authenticated users can access resources on child.domain.com".
Those users would be authenticated on the other DC in the child domain, as the question assumes that "Authenticated Users" means from the domain in question.
It might be badly worded in your version of the question.
Hope that helps
Jonoplunk 2004-02-05, 12:15 pm

Thank you for your response Blubells. DomainB is a child of DomainA, so let's call domainB Sales.DomainA.com instead.
The answer provided then says, "Users can access resources in the domainA.com domain". It doesn't mention that they have been authenticated. If they were the authenticated users I would understand it to be the users with cached credentials.
I still don't understand how users in Sales.domainA.com can access resources in DomainA.com, as the way I have understood this is that the users need to be authenticated in their own domain before they will be allowed access over the trust.
I was thinking that maybe the users are finding the GC server in the DomainA.com domain when their own GC server went offline.
Mind is swirling, please someone help it stop spinning!!!
Blubells 2004-02-05, 12:29 pm

The child domain would have its own DC.
Look at it like this:
Domain.Com
Child.Domain.com
Domain.com's GC dies. Domain Admins can log on there, users with cached credentials can log on there.
Users in child.domain.com can log in there because..... All together now.... It has its own DC.
Any clearer??
Cheers
Jonoplunk 2004-02-05, 12:41 pm

Blubells, I don't think I have explained the question very well, let me try again.
2 domains:
Domain.Com
Child.Domain.com
Each has 3 domain controllers.
Child.Domain.com's Global Catalogue server dies. Domain Admins can log on there, users with cached credentials can log on there. That is all understood.
The question is how users in Child.domain.com can get access to resources in domain.com if their Global Catalogue server is down.
As I have said, the way I have understood this is that you have to be authenticated by a Global Catalogue server in order to use resources on another domain. Is this different if it is on a child domain?
Sorry if I appear dense/stubborn, but I am just looking for a hard and fast rule on this one.
aznluvsmc 2004-02-05, 3:36 pm

I would assume that users will be asked for authentication each time they access a server in domainA.com. When they enter their username and password, the credentials will be forwarded to a DC in domainB for verification that it is correct. Remember that the domains are configured with a two-way transitive trust.
Blubells 2004-02-05, 4:55 pm

Either that, or the child domain also has its own Global Catalogue which would authenticate users.
jeff_j_black 2004-02-05, 7:20 pm

The GC holds a subset of schema data, therefore all GCs hold the same data, regardless of which domain they are in within the forest. A GC is required for first logon, logon by UPN and for searching the directory.
The GC builds the list of universal groups a user is a member of at logon. The GC does not perform authentication; it is only required the first time a user logs on and for logon using a UPN (user@domain.com). Therefore Admins can log on, and users who have logged in previously (cached credentials) could log on and access resources in the parent domain for which they have permission. You still have two DCs to authenticate in the child domain, just not a GC.
Jonoplunk 2004-02-06, 5:40 am

Thanks everybody.
Jeff, would I be right in saying then that in the event of a GC server failure, Domain Admins and users that have logged in before will be able to access resources in both domains? Any other users logging in will get authenticated in the child domain and have access in the child domain, but not in the parent domain? Not until they have their group membership confirmed by a Global Catalogue, or are they able to get this through the GC of the parent domain?
jeff_j_black 2004-02-06, 10:14 am

That is a good question. If it were a single domain and a new user were to attempt to log in, the login would fail. I would think that if a GC for the forest were available at all, anywhere, the login should be okay. I am testing this right now in my virtual lab.
jeff_j_black 2004-02-06, 10:34 am

First off, the first DC that I installed in the child domain is not a GC by default. You would have to manually assign the GC role to it. I created a user in Users within CHILD. No other group memberships were granted. I set the allow log on locally policy on the CHILD DC, refreshed policy, and logged in as the new user. This was under the circumstance of only the GC being available in the parent domain, so there you have it.
Jonoplunk 2004-02-06, 12:11 pm

Thanks Jeff, that answers my question then.
One final deduction from me then. You have shown that a child domain will still be able to use the GC server on the parent domain. Am I right then that if the GC fails on a domain in the forest, you cannot access resources on another domain through group membership if your GC server is down?
Summary is:
Child domain to parent domain will be able to use resources upon GC server failure.
Domain to domain across a trust will not be able to use resources upon GC server failure.
If I am right then this is starting to make sense at last. Thanks Jeff.
jeff_j_black 2004-02-06, 12:35 pm

I think you would be able to, as long as you did not receive access to that resource via a newly assigned universal group membership.
a) No GC available: new users could not log on, nor could you log on via UPN.
b) Say the admin in domaina.com adds the user in child.domaina.com to a universal group to provide access to a resource. If no GC is available at that user's next logon, then the group membership would not be added to his credentials.
c) Otherwise the user would have access based on cached credentials.
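The failure mode discussed in the thread (a domain whose only GC is down, leaving first-time and UPN logons dependent on a GC elsewhere in the forest) is easy to miss until someone cannot log on. The following is an added example, not code from any poster, that walks every domain in the forest and reports how many DCs advertise the GC role and how many actually answer on the GC LDAP port; it assumes the ActiveDirectory RSAT module on a forest-joined machine and a domain name of your own in the final `nltest` line.

```powershell
# Added example: per-domain Global Catalog availability check.
# Assumes the ActiveDirectory RSAT module and a forest-joined workstation.
Import-Module ActiveDirectory

function Get-GcAvailability {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        # All DCs in this domain, and the subset that holds the GC role
        $dcs = @(Get-ADDomainController -Filter * -Server $domain)
        $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })

        # A DC can hold the GC role yet be unreachable; 3268 is the GC LDAP port,
        # so only count GCs that actually answer there.
        $reachable = @()
        foreach ($gc in $gcs) {
            $up = Test-NetConnection -ComputerName $gc.HostName -Port 3268 `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            if ($up) { $reachable += $gc.HostName }
        }

        # Zero reachable GCs in the domain means new-user and UPN logons depend on
        # the DC locator finding a GC in another domain (the case tested in the thread);
        # a single GC means no redundancy for that domain.
        $risk = if ($reachable.Count -eq 0)     { 'No reachable GC in domain' }
                elseif ($reachable.Count -eq 1) { 'Single GC, no redundancy' }
                else                            { 'OK' }

        [pscustomobject]@{
            Domain        = $domain
            DCs           = $dcs.Count
            GCsAdvertised = $gcs.Count
            GCsReachable  = $reachable.Count
            ReachableGCs  = ($reachable -join ', ')
            Risk          = $risk
        }
    }
}

Get-GcAvailability | Format-Table -AutoSize

# Cross-check what the DC locator itself returns when asked for a GC for a given
# domain (substitute your own child domain name; /force bypasses the locator cache):
# nltest /dsgetdc:child.domain.com /gc /force
```

If a domain shows `GCsAdvertised` greater than `GCsReachable`, the difference is the scenario the thread describes, and the `nltest` cross-check shows which GC, if any, clients in that domain will fall back to.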
Rock642 2004-02-06, 8:13 pm

Where did the question come from?