Try not to use Domain Local Groups to grant READ access to data in any partition that can replicate to domain controllers outside of the Domain Local Group’s scope. This can cause a very inconsistent experience and absolute chaos for anyone affected by that permissioning.
Examples include data that can go into the PAS of a Global Catalog, or anything that lives in the Configuration NC or in App NCs that span domain controllers for multiple domains (like DNS App NCs).
ABSOLUTELY DO NOT USE Domain Local Groups to grant WRITE access to data in any partition that is writeable on domain controllers outside of the Domain Local Group’s scope.
Examples include data that lives in the Configuration NC or in App NCs that span domain controllers for multiple domains (like DNS App NCs).
joe
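
One way to check an existing forest against the advice above, as an added example that is not part of the original post: a read-only PowerShell audit that lists explicit ACEs in the Configuration NC whose trustee is a Domain Local group. It assumes the RSAT ActiveDirectory module and a Global Catalog reachable under the forest root domain name; the function name `Get-DomainLocalGroupDn` is hypothetical.

```powershell
# Added example: report explicit ACEs in the Configuration NC that are granted
# to Domain Local groups. Read-only; changes nothing in the directory.
Import-Module ActiveDirectory

$configNC       = (Get-ADRootDSE).configurationNamingContext
$gc             = "$((Get-ADForest).RootDomain):3268"  # assumption: a GC answers on this name
$domainLocalBit = 0x4                                  # ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
$sidType        = [System.Security.Principal.SecurityIdentifier]
# Atomic rights that modify data (GenericAll and GenericWrite contain these bits).
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, WriteDacl, WriteOwner'
$dnCache   = @{}

function Get-DomainLocalGroupDn {
    # Returns the group's DN if the SID belongs to a Domain Local group, else $null.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Well-known and BUILTIN SIDs have no domain part and are not resolved here.
    if (-not $Sid.AccountDomainSid) { return $null }
    if (-not $dnCache.ContainsKey($Sid.Value)) {
        # groupType is available from the GC, so one lookup covers every domain.
        $grp = Get-ADObject -Server $gc -SearchBase '' `
                   -Filter "objectSid -eq '$($Sid.Value)'" -Properties groupType
        $dnCache[$Sid.Value] =
            if ($grp -and ($grp.groupType -band $domainLocalBit)) { $grp.DistinguishedName }
            else { $null }
    }
    $dnCache[$Sid.Value]
}

Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=*)' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $obj = $_
        if (-not $obj.nTSecurityDescriptor) { return }   # DACL not readable by the caller
        # Explicit ACEs only ($true, $false); inherited copies would repeat each finding.
        foreach ($ace in $obj.nTSecurityDescriptor.GetAccessRules($true, $false, $sidType)) {
            $groupDn = Get-DomainLocalGroupDn $ace.IdentityReference
            if ($groupDn) {
                $isWrite = ([int]$ace.ActiveDirectoryRights -band $writeMask) -ne 0
                [pscustomobject]@{
                    Object = $obj.DistinguishedName
                    Group  = $groupDn
                    Type   = $ace.AccessControlType
                    Access = if ($isWrite) { 'WRITE' } else { 'READ' }
                    Rights = $ace.ActiveDirectoryRights
                }
            }
        }
    }
```

Rows marked WRITE correspond to the case the post says to avoid absolutely; the same loop can be pointed at an App NC by changing `-SearchBase`.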