> Hello:
> I've been working with AD for years and I understand what a GC does and
> why AD needs it, but I just ran across a question in a book that got me
> thinking. The question basically implied that a particular domain had no
> GC servers at all. The question stated that there were two domains in one
> forest (all AD 2008). Each domain was in its own site with two sites
> total--Site A for Domain A and Site B for Domain B. The question implied
> that Site B/Domain B did not have a GC.
> I don't have an AD 2008 forest/domain set up right now to test this, but I
> have an AD 2003 forest/domain with one DC and was able to uncheck the GC
> option for it. I found it interesting that AD doesn't actually require a
> GC and that I was able to disable the GC on my only DC. In a single domain
> forest this wouldn't really matter too much, but in a multi-domain forest,
> such as the example in the question, I would think that each domain would
> be required to have a GC. I just wanted to pass this along since I found
> it interesting.
> --
> Mel K.
> MCSA: M, Ex2000
> MCTS: Ex2007

Interesting. Actually, the one GC for the multidomain forest will work. In a
single domain forest, on one subnet (IIRC), you can get away without a GC if
the users log on without a UPN or are not using Universal Groups, but then again,
Exchange, if installed, will fail, since it uses the GC for mail-enabled
object address book lookups, DSAccess and DSProxy referrals for Outlook. So
I would imagine if there are other directory-enabled apps that use port 3268
for lookups (the port that the GC uses).

Also, the following passage was from:

What is a global Catalog?

"In a single-domain forest, a global catalog server stores a full, writable
replica of the domain and does not store any partial replica. A global
catalog server in a single-domain forest functions in the same manner as a
non-global-catalog server except for the processing of forestwide searches."

So in a single domain forest, you can get away without a GC, since it has a
writeable copy, acting like a DC anyway, but then again, it depends on what
apps and services are running that may require a GC.

But not quite with a multi-domain forest.

IIRC, the only user account that can log on without a GC in a multi-domain
forest is the built-in administrator account of all domains.
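
Added example, not part of either post above: one way to check which domains and sites have no global catalog, the situation the book question describes. The function name `Get-GcCoverage`, the DC names and the domain names are assumptions; the inventory is constructed, with property names matching those `Get-ADDomainController` returns.

```powershell
# Added example: report which domains and sites have no global catalog (GC).
# Input objects need Name, Domain, Site and IsGlobalCatalog properties, the
# same property names Get-ADDomainController returns.
function Get-GcCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $DomainController,
        [Parameter(Mandatory)] [ValidateSet('Domain', 'Site')] [string] $By
    )
    $DomainController | Group-Object -Property $By | ForEach-Object {
        # DCs in this domain/site that hold the GC role (listen on 3268)
        $gcs = @($_.Group | Where-Object { $_.IsGlobalCatalog })
        [pscustomobject]@{
            Scope   = $By
            Name    = $_.Name
            DCs     = $_.Count
            GCs     = $gcs.Count
            GCHosts = ($gcs.Name -join ', ')
            NoGC    = ($gcs.Count -eq 0)   # true = no GC in this domain/site
        }
    }
}

# Constructed inventory matching the thread's scenario: two domains, one site
# each, and no GC in Site B / Domain B. All names are hypothetical.
$sample = @(
    [pscustomobject]@{ Name = 'DC-A1'; Domain = 'a.example.test'; Site = 'SiteA'; IsGlobalCatalog = $true }
    [pscustomobject]@{ Name = 'DC-A2'; Domain = 'a.example.test'; Site = 'SiteA'; IsGlobalCatalog = $false }
    [pscustomobject]@{ Name = 'DC-B1'; Domain = 'b.example.test'; Site = 'SiteB'; IsGlobalCatalog = $false }
)

# Against a live forest (ActiveDirectory module), build the inventory with:
#   $sample = (Get-ADForest).Domains |
#       ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

Get-GcCoverage -DomainController $sample -By Domain | Format-Table -AutoSize
Get-GcCoverage -DomainController $sample -By Site   | Format-Table -AutoSize
```

Rows with `NoGC` set to `True` are the domains or sites whose clients must reach a GC elsewhere in the forest for UPN logons, universal group lookups and port 3268 queries.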


