robertomb (Posts: 12) | 07/28/2009 2:40 PM
I've applied the GPO (DC Locator) to my branch office DCs using security filtering, and through "gpresult" I saw it was properly applied. Even though the GPO is being properly loaded, I still get the old result. When I ping my domain name from the central site it still replies with a branch office DC. What could be happening?
Roberto Mascarenhas Braga
Microsoft Student Partner
________________________________
From: Steven Griffiths <servernet1997@hotmail.com>
To: ActiveDir.Org <activedir@mail.activedir.org>
Sent: Wednesday, 22 July 2009 13:22:43
Subject: RE: Res: [ActiveDir] Name resolution in a one-domain forest
Roberto,
I've recently had this discussion with some colleagues following a Microsoft ADRAP.
The Best Practices for Delegating Active Directory Administration white paper (http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en) has the following note on page 58:
<snip>
The lowest level at which you can apply user rights for the Domain Controllers OU is the default OU. The Domain Controllers OU is the default container for all domain controller objects in a domain directory partition, and moving domain controllers out of this OU is not recommended and not supported. The user rights that apply to this OU apply to all domain controllers in the OU, and thus, in the domain. The default policies are applied to the Domain Controllers OU in a manner that prohibits the effective use of child OUs for domain controllers. Unlike other OUs, child OUs of the Domain Controllers OU cannot be used to override the policy that is applied at the Domain Controllers OU parent level. For this reason, creating child OUs and delegating administration for subsets of domain controllers is not supported.
</snip>
I can totally agree that creating child OUs for the purposes of administrative delegation would be a bad idea, but for simply applying policy, such as the DC Locator policy you mention, I can't see it would be a problem. You could accomplish the task using a group or by creating a child OU, so I'd go with whatever feels most comfortable. Having a child OU may draw the eye in ADUC and make a new administrator think there is something special about the DCs contained within, which may be no bad thing.
HTH
Steve G
________________________________
Date: Wed, 22 Jul 2009 06:55:44 -0700
From: redbullbrasil@yahoo.com.br
Subject: Res: [ActiveDir] Name resolution in a one-domain forest
To: activedir@mail.activedir.org
Jorge,
thanks for the posts, they were so helpful! Just a question... How do you recommend applying the DC Locator GPO to branch office DCs? I was thinking of moving those DCs to a child OU under the Domain Controllers OU, but suddenly remembered that this is not recommended. Is it a good idea to apply a site GPO to each site that contains a branch office DC?
Thanks!
Roberto Mascarenhas Braga
Microsoft Student Partner
________________________________
From: Jorge de Almeida Pinto <Jorge.deAlmeidaPinto@oxfordcomputergroup.com>
To: activedir@mail.activedir.org
Sent: Monday, 20 July 2009 16:40:55
Subject: RE: [ActiveDir] Name resolution in a one-domain forest
Check my DC LOCATOR blog posts and see if that can help you
Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto
Senior Technical Consultant, MVP Directory Services | Oxford Computer Group BeNeLux
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Roberto Braga
Sent: Monday, July 20, 2009 20:49
To: activedir@mail.activedir.org
Subject: [ActiveDir] Name resolution in a one-domain forest
Guys,
Here where I work we have a single-domain Forest with twenty-seven 2003 R2 DCs: 24 in remote sites, one per site, and three in the major site. In AD Sites and Services we’ve defined the subnets like this:
10.2.0.0/16 – Major site
10.10.x.0/24 – Remote site #x, x from 1 to 24
Recently we adopted DFS in our environment. It is working fine, except for the fact that sometimes machines in the major site resolve the domain principal name to a remote DC instead of the DFS root name. This causes a noticeable delay in access.
I got a suggestion to make explicit entries for all my subnets in the major site, instead of the generic entry I have now. Does this make sense?
Roberto Mascarenhas Braga
Microsoft Student Partner
http://robertombraga.spaces.live.com
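The two symptoms in this thread (a hub client resolving \\domain.com to a branch DC, and "ping domain.com" still answering with a branch DC after the DC Locator GPO was applied) have the same root: the domain's own A record is the DC Locator record with the mnemonic LdapIpAddress, every DC registers one by default, and the DNS server hands those addresses out round-robin with no site awareness, so subnet definitions in Sites and Services do not influence it. The "DC Locator DNS records not registered by the DCs" policy writes the excluded mnemonics to the Netlogon DnsAvoidRegisterRecords registry value on each DC it hits. The script below is an added check written for this thread, not code from any of the posters: it lists the IPs behind the domain A record, maps each to its DC and site from the directory topology, and reads the registry value on each branch DC to tell "policy never landed" apart from "policy landed but the old record is still in DNS". The site name, the domain name and the remote-registry access are assumptions; the script uses only .NET APIs available in PowerShell 2.0 and later.

```powershell
# Added example (not from the thread). Run on a domain-joined machine as a user who can
# read the DCs' registry remotely (Remote Registry service running on the DCs).
param(
    # Assumption: name of the central site as shown in AD Sites and Services.
    [string]$HubSite = 'Major-Site',
    # Assumption: DNS name of the single domain in the forest.
    [string]$DomainName = $env:USERDNSDOMAIN
)

$netlogonKey = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Build an IP -> DC/site map from the directory topology, not from DNS, so that
#    a DNS record that points at a branch DC is recognised as such.
$dcsByIp = @{}
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($site in $forest.Sites) {
    foreach ($dc in $site.Servers) {
        $dcsByIp[$dc.IPAddress] = New-Object PSObject -Property @{
            Name = $dc.Name
            Site = $site.Name
        }
    }
}

# 2. Read the DnsAvoidRegisterRecords value Netlogon actually consumed on a DC. The GPO
#    "DC Locator DNS records not registered by the DCs" writes its mnemonic list here;
#    gpresult saying "applied" is not the same as this value being present.
function Get-AvoidRegisterRecords([string]$dcName) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dcName)
        $key  = $hklm.OpenSubKey($netlogonKey)
        if ($key -eq $null) { return $null }
        $value = $key.GetValue('DnsAvoidRegisterRecords')
        if ($value -eq $null) { return @() }
        # Stored as space-separated mnemonics (string) or as a multi-string; normalise.
        return @($value) -split '\s+' | Where-Object { $_ }
    } catch {
        return $null   # remote registry unreachable: report as unknown, not as "missing"
    }
}

# 3. The domain's A records: this is what "ping domain.com" and a \\domain.com\ path
#    resolve. Every DC that still registers LdapIpAddress shows up here.
$domainIps = [System.Net.Dns]::GetHostAddresses($DomainName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }

$report = foreach ($ip in $domainIps) {
    $dc = $dcsByIp[$ip]
    if ($dc -eq $null) {
        New-Object PSObject -Property @{
            IP = $ip; DC = '(not a known DC)'; Site = '?'; Excluded = $false
            Note = 'record does not match any DC: stale or foreign, remove it'
        }
        continue
    }
    $avoid    = Get-AvoidRegisterRecords $dc.Name
    $excluded = ($avoid -ne $null) -and ($avoid -contains 'LdapIpAddress')
    $note = if ($dc.Site -eq $HubSite) { 'hub DC: expected' }
            elseif ($avoid -eq $null)  { 'branch DC: could not read registry' }
            elseif ($excluded)         { 'branch DC excludes LdapIpAddress but record still in DNS: stale, delete it' }
            else                       { 'branch DC still registers LdapIpAddress: policy not effective on this DC' }
    New-Object PSObject -Property @{
        IP = $ip; DC = $dc.Name; Site = $dc.Site; Excluded = $excluded; Note = $note
    }
}

$report | Sort-Object Site, DC | Format-Table IP, DC, Site, Excluded, Note -AutoSize
```

Reading the output: a branch DC reported as "policy not effective" means the GPO did not write the value on that DC (check the security filtering and run gpresult /scope computer on the DC itself); a branch DC reported as "stale" has the right setting but the old A record is still in the zone, so delete that record (DNS console, or dnscmd <dnsserver> /RecordDelete <zone> @ A <ip>) and let the hub DCs keep re-registering theirs. The same mnemonic list is where GcIpAddress belongs if the branch DCs are also global catalogs, since the gc._msdcs A record has the identical round-robin behaviour.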