The Global Catalog Server
The Global Catalog (GC) is an important component in Active Directory because it serves as the central information store of the Active Directory objects located in domains and forests. Because the GC maintains a list of the Active Directory objects in domains and forests without actually including all information on the objects and it is used when users search for Active Directory objects or for specific attributes of an object, the GC improves network performance and provides maximum accessibility to Active Directory objects.
The Global Catalog server is the domain controller that stores a full copy of all objects in its host domain. It also stores a partial copy of all objects in all other domains within the forest. The partial copy holds the list of objects most frequently searched for. The first domain controller that is created in the first domain in a forest is by default the Global Catalog server. If a domain only has one domain controller, that particular domain controller and the GC server are the same server. If an additional domain controller is added to the domain, users can configure that domain controller as the GC server. Users can also assign additional domain controllers to serve as GC servers for a domain. This is usually done to improve response time for user logon requests and search requests.
In order for Global Catalog servers to store a full copy of all objects in its host domain and a partial copy of all objects in all other domains within the forest, GC replication has to occur between those domain controllers that are configured as GC servers. GC replication does not occur between domain controllers that are not GC servers.
The GC server functions are discussed in the following section. GC server functions can be summarized as follows:
- GC servers are crucial for Active Directory’s UPN functionality because they resolve user principal names (UPNs) when the domain controller handling the authentication request is unable to authenticate the user account because the user account actually exists in another domain. The authenticating domain controller would have no knowledge of the particular user account. The GC server in this case assists in locating the user account so that the authenticating domain controller can proceed with the user’s logon request.
- The GC server deals with all search requests of users searching for information in Active Directory. It can find all Active Directory data irrespective of the domain in which the data is held. The GC server deals with requests for the entire forest.
- The GC also makes it possible for users to provide Universal Group membership information to the domain controller for network logon requests.
Universal Groups are available when the domain functional level is raised or set to at least Windows 2000 Native. Universal Groups can contain members that belong to different domains within the forest and their Universal Group membership information is only stored in the GC. What this means is that only those domain controllers configured as GC servers would contain Universal Group membership information. The remaining domain controllers would not hold Universal Group membership information.
The universal group membership caching feature introduced in Windows Server 2003 Active Directory enables a site that has no GC server to cache universal group membership information for users who log on to domain controllers within the site. In this manner, a domain controller can serve logon requests for directory information when a GC server is unavailable. The settings of the Active Directory replication schedule determine how often the cache is refreshed.
Planning the Location of Global Catalog Servers
If there is a relatively small network that only has one physical location, the first domain controller installed for the domain would become the GC server. As additional domain controllers are added to the domain, move the GC server role to a different domain controller. Placing the GC server in such an Active Directory environment is a fairly straightforward process.
Most larger networks, however, have many physical locations. Having high-speed reliable links that connect branch offices would be the ideal situation. Since most links use limited bandwidth and some links are also unreliable, creating sites and site links to control replication traffic becomes essential.
Configure at least one domain controller as the GC server in each site. Ensure that the domain controller is robust enough to deal with all Global Catalog queries and GC replication traffic. This in turn ensures the best possible network response time. When Microsoft Exchange 2000 Server is being used, it is recommended to configure a GC server for each site that has an Exchange server.
Someone with multiple sites might want to deploy additional GC servers for a site if the following conditions are true:
- A slow or unreliable WAN link is used to connect to the other sites.
- A frequently used application uses port 3268 for GC queries.
- The users in the site are Windows 2000 domain members or a Windows Server 2003 domain operating in Windows 2000 native mode.
How to Create Additional GC Servers
When someone creates the first domain controller for a new domain, that particular domain controller is designated as the GC server. Depending on theĀ network, users might need to add an additional GC server(s). The Active Directory Sites and Services console is the tool used to add a GC server. Users have to be a member of one of the following groups to create additional GC servers: Domain Admins or Enterprise Admins.
To create an additional GC server:
- Click Start, Administrative Tools, and Active Directory Sites and Services.
- In the console tree, expand Sites then expand the site that contains the domain controller that will be configured as a GC server.
- Expand the Servers folder and locate and click the domain controller to be designated as a GC server.
- In the details pane, right click NTDS Settings and click Properties on the shortcut menu.
- The NTDS Settings Properties dialog box opens.
- The General tab is where users specify the domain controller as a GC server.
- Enable the Global Catalog checkbox.
- Click OK.
How to Enable the Universal Group Membership Caching Feature
- Click Start, Administrative Tools, and Active Directory Sites and Services.
- In the console tree, click the particular site that universal group membership caching will be enabled for.
- In the details pane, right click NTDS Settings and click Properties on the shortcut menu.
- The NTDS Settings Properties dialog box opens.
- Check the Enable Universal Group Membership Caching checkbox.
- Click OK.
How to Remove the GC Server Role from a Domain Controller
- Open the Active Directory Sites and Services console.
- In the console tree, locate and click the domain controller currently configured as the GC server.
- Right click NTDS Settings and click Properties on the shortcut menu to open the NTDS Settings Properties dialog box.
- Clear the Global Catalog checkbox.
- Click OK.
How to Disable the Universal Group Membership Caching Feature
- Open the Active Directory Sites and Services console.
- In the console tree, locate and click the site that the Universal Group Membership caching feature will be disabled for.
- Right click NTDS Settings and click Properties on the shortcut menu to open the NTDS Settings Properties dialog box.
- Clear the Enable Universal Group Membership Caching checkbox.
- Click OK.
How to Include Additional Attributes in the GC
The number of attributes in the GC affects GC replication. The more attributes the GC servers have to replicate, the more network traffic GC replication creates. Default attributes are included in the GC when Active Directory is first deployed. The Active Directory Schema snap-in can be used to add any additional attribute to the GC. Because the snap-in is by default not included in the Administrative Tools Menu, users have to add it to the MMC before it can be used to customize the GC.
To add the Active Directory Schema snap-in in the MMC:
- Click Start, Run, and enter cmd in the Run dialog box. Press Enter.
- Enter the following at the command prompt: regsvr32 schmmgmt.dll.
- Click OK to acknowledge that the dll was successfully registered.
- Click Start, Run, and enter mmc in the Run dialog box.
- When the MMC opens, select Add/Remove Snap-in from the File menu.
- In the Add/Remove Snap-in dialog box, click Add then add the Active Directory Schema snap-in from the Add Standalone Snap-in dialog box.
- Close all open dialog boxes.
To include additional attributes in the GC:
- Open the Active Directory Schema snap-in.
- In the console tree, expand the Attributes container, right-click an attribute, and click Properties from the shortcut menu.
- Additional attributes are added on the General tab.
- Ensure that the Replicate this attribute to the Global Catalog checkbox is enabled.
- Click OK.
Troubleshooting GC Servers
A few common problems that GC server users experience are listed below:
- Slow query response time: Adding a GC server to the location with the slow query response time can improve query response time. Users would be able to use the local GC server instead of using the slow WAN link.
- Replication latency problems between GC servers: Users can add sites to assist with replication traffic.
- High Load: Where GC servers are experiencing an excessive load, adding more GC servers to handle the load could assist with the problem. Remember though that adding more GC servers increases GC replication traffic.
Comments - 2 Responses to “The Global Catalog Server”
Sorry but comments are closed at this time.