
The Global Catalog Server


The Global Catalog (GC) is an important component of Active Directory because it serves as a forest-wide index of the objects in every domain. The GC lists every object in the forest but carries only a subset of each object's attributes (the partial attribute set), and clients use it when they search for objects, or for particular attributes of an object, across domains. Because a forest-wide search can be answered by one server instead of being referred to a domain controller in each domain, the GC improves search performance and keeps objects reachable from anywhere in the forest.
The Global Catalog server is a domain controller that stores a full copy of all objects in its host domain and, in addition, a partial copy of all objects in every other domain of the forest. The partial copy holds the attributes most frequently used in searches. The first domain controller created in the first domain of a forest is the Global Catalog server by default. If a domain has only one domain controller, that domain controller and the GC server are the same server. When additional domain controllers are added to the domain, an administrator can configure one or more of them as GC servers as well. This is usually done to improve response time for user logon requests and search requests.
In order for Global Catalog servers to store a full copy of all objects in its host domain and a partial copy of all objects in all other domains within the forest, GC replication has to occur between those domain controllers that are configured as GC servers. GC replication does not occur between domain controllers that are not GC servers.
The GC server functions can be summarized as follows:
  • GC servers are essential for user principal name (UPN) logons. When a user logs on with a UPN and the domain controller handling the request cannot find the account because it exists in another domain, that domain controller has no knowledge of the account; it queries a GC server, which locates the account's domain so the logon can proceed.
  • The GC server answers forest-wide searches (LDAP queries on port 3268): it can locate any object in the forest regardless of the domain that holds it, returning the attributes in the partial attribute set.
  • The GC server supplies a user's universal group membership to the authenticating domain controller during a network logon, so that universal groups are included in the user's access token.
Universal groups are available once the domain functional level is at least Windows 2000 native. A universal group can contain members from any domain in the forest, and its membership is replicated to the GC, so a domain controller in one domain can learn a user's universal group memberships from other domains only by asking a GC server (global and domain local group memberships are not replicated to the GC). Domain controllers that are not GC servers hold universal group membership only for groups defined in their own domain.
The universal group membership caching feature introduced in Windows Server 2003 lets a site with no GC server cache universal group membership for users who log on to domain controllers in that site. After the first logon, which still needs a GC, a domain controller can serve later logon requests from the cache when a GC server is unavailable. The cache is refreshed periodically from a GC (every 8 hours by default), using the site chosen in the site's NTDS Site Settings or one selected by the DC locator.
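As an added example (not part of the original post), the following PowerShell script performs the UPN lookup described above the way an authenticating domain controller would: it binds to the GC on port 3268 and searches the whole forest for one userPrincipalName. It uses System.DirectoryServices, so it runs on any domain-joined Windows host without RSAT. The optional -GcHost parameter, and the sample UPN in the usage line, are assumptions; the comments on memberOf describe what a GC's partial replica contains.

```powershell
# Added example, not from the original post: resolve a UPN forest-wide via the Global
# Catalog on port 3268, as an authenticating DC must when the account lives in another domain.
# Assumptions: run on a domain-joined Windows host as a user with read access to the GC;
# -GcHost (hypothetical) pins the query to one GC, otherwise the DC locator picks one.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $GcHost
)

Add-Type -AssemblyName System.DirectoryServices

# GC:// binds to the Global Catalog (LDAP on 3268). Without a host, the locator picks a GC
# in the current site, which is exactly what the logon path does.
$gcPath = if ($GcHost) { "GC://$GcHost" } else { "GC://" }
$gcRoot = [System.DirectoryServices.DirectoryEntry]::new($gcPath)
# The GC:// root exposes a single child: the forest root naming context as seen by the GC.
$forestRoot = $gcRoot.Children | Select-Object -First 1

$searcher = [System.DirectoryServices.DirectorySearcher]::new($forestRoot)
# Escape the UPN for an LDAP filter (RFC 4515) so a crafted value cannot alter the query.
$escaped = $UserPrincipalName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$escaped))"
$searcher.SearchScope = 'Subtree'
# A GC only returns attributes in the partial attribute set; distinguishedName tells us
# which domain actually holds the account.
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName', 'memberOf'))

$result = $searcher.FindOne()
if (-not $result) {
    Write-Warning "UPN '$UserPrincipalName' not found in the GC: no such account in this forest, or the GC has not replicated it yet."
    return
}

$dn = [string]$result.Properties['distinguishedname'][0]
# The account's home domain is the DC= components of its DN.
$domain = (($dn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'

[pscustomobject]@{
    UserPrincipalName = $UserPrincipalName
    SamAccountName    = [string]$result.Properties['samaccountname'][0]
    HomeDomain        = $domain
    DistinguishedName = $dn
    # From a partial replica, memberOf reflects only universal groups (global and domain
    # local membership is not replicated to the GC). If this GC is also a DC of the account's
    # home domain, its full replica adds that domain's global and domain local groups too.
    GroupDNs          = @($result.Properties['memberof'])
}

# Usage (hypothetical UPN):  .\Resolve-UpnViaGc.ps1 -UserPrincipalName 'jdoe@child.corp.example'
```

Run it from a domain whose domain controllers do not hold the account: the DN that comes back shows the other domain, which is the information the authenticating domain controller needs before it can refer the logon onward.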

Planning the Location of Global Catalog Servers

In a relatively small network with a single physical location, the first domain controller installed for the forest becomes the GC server. As additional domain controllers are added, the role can stay where it is, be moved to another domain controller, or be given to more than one. Placing the GC server in such an environment is a straightforward decision.
Most larger networks, however, have many physical locations. Having high-speed reliable links that connect branch offices would be the ideal situation. Since most links use limited bandwidth and some links are also unreliable, creating sites and site links to control replication traffic becomes essential.
Configure at least one domain controller as the GC server in each site. Ensure that the domain controller is robust enough to deal with all Global Catalog queries and GC replication traffic. This in turn ensures the best possible network response time. When Microsoft Exchange 2000 Server is being used, it is recommended to configure a GC server for each site that has an Exchange server.
In a network with multiple sites, deploy an additional GC server in a site when any of the following is true:
  • The site reaches the other sites over a slow or unreliable WAN link.
  • A frequently used application queries the GC directly (LDAP on port 3268, or 3269 for LDAP over SSL), so every query would otherwise cross the WAN.
  • The site's users log on to a Windows 2000 domain, or to a Windows Server 2003 domain at the Windows 2000 native functional level, where the logon process needs a GC to enumerate universal group membership and cannot complete a normal user logon when none is reachable.
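To turn the site rules above into a check you can run, here is an added PowerShell example (not from the original post) that reports, per site, how many domain controllers and GC servers it contains and flags sites that have domain controllers but no GC. It assumes the RSAT ActiveDirectory module (Get-ADReplicationSite needs the Windows Server 2012 or later version) and read access to every domain in the forest.

```powershell
# Added example, not from the original post: find sites that have domain controllers but no
# Global Catalog. Assumes the RSAT ActiveDirectory module and read access to the forest.
Import-Module ActiveDirectory

function Get-SiteGcCoverage {
    [CmdletBinding()]
    param(
        # Forest to inspect; defaults to the forest of the current user.
        [string] $Forest = (Get-ADForest).Name
    )
    $forestObj = Get-ADForest -Identity $Forest

    # Get-ADDomainController is per-domain, so walk every domain in the forest.
    $dcs = foreach ($domain in $forestObj.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    foreach ($site in (Get-ADReplicationSite -Filter * -Server $forestObj.Name)) {
        $siteDcs = @($dcs | Where-Object Site -eq $site.Name)
        $siteGcs = @($siteDcs | Where-Object IsGlobalCatalog)
        [pscustomobject]@{
            Site              = $site.Name
            DomainControllers = $siteDcs.Count
            GlobalCatalogs    = $siteGcs.Count
            GcHosts           = ($siteGcs.HostName -join ', ')
            # A site with DCs but no GC sends every UPN logon and forest-wide search across
            # a WAN link unless universal group membership caching is enabled for it.
            NeedsAttention    = ($siteDcs.Count -gt 0 -and $siteGcs.Count -eq 0)
        }
    }
}

Get-SiteGcCoverage | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```

Sites with NeedsAttention set are the candidates for either an additional GC server or universal group membership caching; sites with no domain controllers at all are not flagged, because their clients already use another site's servers.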

How to Create Additional GC Servers

When the first domain controller is created for a new forest, it is designated as the GC server. Depending on the network, additional GC servers may be needed. The Active Directory Sites and Services console is the tool used to add a GC server; membership in Domain Admins (for that domain) or Enterprise Admins is required.
To create an additional GC server:
  1. Click Start, Administrative Tools, and Active Directory Sites and Services.
  2. In the console tree, expand Sites then expand the site that contains the domain controller that will be configured as a GC server.
  3. Expand the Servers folder and locate and click the domain controller to be designated as a GC server.
  4. In the details pane, right click NTDS Settings and click Properties on the shortcut menu.
  5. On the General tab of the NTDS Settings Properties dialog box, select the Global Catalog checkbox.
  6. Click OK. The domain controller then starts building its partial replicas and does not advertise itself as a GC until that completes.

How to Enable the Universal Group Membership Caching Feature

  1. Click Start, Administrative Tools, and Active Directory Sites and Services.
  2. In the console tree, click the particular site that universal group membership caching will be enabled for.
  3. In the details pane, right click NTDS Site Settings and click Properties on the shortcut menu.
  4. The NTDS Site Settings Properties dialog box opens.
  5. Check the Enable Universal Group Membership Caching checkbox.
  6. Click OK.

How to Remove the GC Server Role from a Domain Controller

  1. Open the Active Directory Sites and Services console.
  2. In the console tree, locate and click the domain controller currently configured as the GC server.
  3. Right click NTDS Settings and click Properties on the shortcut menu to open the NTDS Settings Properties dialog box.
  4. Clear the Global Catalog checkbox.
  5. Click OK.
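The two procedures above (adding the GC role to a domain controller, and removing it) both toggle one bit of the options attribute on the domain controller's NTDS Settings object. As an added PowerShell example (not from the original post), the following does the same from the command line and then checks whether the domain controller is actually advertising as a GC. It assumes the RSAT ActiveDirectory module, Domain Admins or Enterprise Admins rights, and a domain controller named DC02, which is hypothetical.

```powershell
# Added example, not from the original post: set or clear the GC role by toggling the IS_GC
# bit (0x1) of the options attribute on a DC's NTDS Settings object, then confirm the DC is
# serving as a GC. Assumes the RSAT ActiveDirectory module and Domain/Enterprise Admins rights;
# the DC name DC02 is hypothetical.
Import-Module ActiveDirectory

function Set-GlobalCatalogRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    $IS_GC = 0x1   # NTDSDSA_OPT_IS_GC; the other bits control replication, so preserve them
    $dc   = Get-ADDomainController -Identity $DomainController
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int]($ntds.options | Select-Object -First 1)   # attribute may be unset (0)
    $new = if ($Enabled) { $current -bor $IS_GC } else { $current -band (-bnot $IS_GC) }
    if ($new -eq $current) {
        Write-Verbose "$DomainController already has GC=$Enabled; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess($dc.NTDSSettingsObjectDN, "set options $current -> $new")) {
        # Write to the DC being changed so it acts on the change without waiting for replication.
        Set-ADObject -Identity $ntds -Replace @{ options = $new } -Server $dc.HostName
    }
}

function Test-GlobalCatalogReady {
    param([Parameter(Mandatory)] [string] $DomainController)
    # Setting the bit only starts the partial-replica build; the DC advertises as a GC once
    # isGlobalCatalogReady on its RootDSE is TRUE (Directory Service event 1119 is logged).
    $rootDse = Get-ADRootDSE -Server $DomainController
    [pscustomobject]@{
        DomainController     = $DomainController
        IsGlobalCatalogReady = [bool]::Parse($rootDse.isGlobalCatalogReady)
        AdvertisedAsGc       = (Get-ADDomainController -Identity $DomainController).IsGlobalCatalog
    }
}

Set-GlobalCatalogRole -DomainController 'DC02' -Enabled $true -Verbose
Test-GlobalCatalogReady -DomainController 'DC02'

# Removing the role is the mirror image. Do not do this on the last GC reachable from a site
# that hosts Exchange or that serves Windows 2000 native logons without membership caching:
# Set-GlobalCatalogRole -DomainController 'DC02' -Enabled $false
```

Run Test-GlobalCatalogReady again after a few minutes on a large forest; IsGlobalCatalogReady stays FALSE until every other domain's partial replica has been sourced, and the DC does not register GC SRV records in DNS before then.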

How to Disable the Universal Group Membership Caching Feature

  1. Open the Active Directory Sites and Services console.
  2. In the console tree, locate and click the site that the Universal Group Membership caching feature will be disabled for.
  3. Right click NTDS Site Settings and click Properties on the shortcut menu to open the NTDS Site Settings Properties dialog box.
  4. Clear the Enable Universal Group Membership Caching checkbox.
  5. Click OK.
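Enabling and disabling universal group membership caching (the two procedures above) are both exposed by the ActiveDirectory module's Set-ADReplicationSite cmdlet. Here is an added PowerShell example (not from the original post) that wraps it, including the choice of which site's GC servers the cache is refreshed from, and reads the setting back. It assumes RSAT, Enterprise Admins rights (site settings live in the Configuration partition), and the hypothetical site names Branch-Office and Hub.

```powershell
# Added example, not from the original post: enable or disable universal group membership
# caching on a site and read the setting back. Assumes the RSAT ActiveDirectory module and
# Enterprise Admins rights; the site names Branch-Office and Hub are hypothetical.
Import-Module ActiveDirectory

function Set-UgmcForSite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Site,
        [Parameter(Mandatory)] [bool]   $Enabled,
        # Site whose GC servers the DCs refresh the cache from. Leave empty to let each DC
        # pick a GC through the DC locator (the "Default" choice in the GUI).
        [string] $RefreshFromSite
    )
    $params = @{ Identity = $Site; UniversalGroupMembershipCachingEnabled = $Enabled }
    if ($Enabled -and $RefreshFromSite) {
        $params['UniversalGroupMembershipCachingRefreshSite'] = $RefreshFromSite
    }
    Set-ADReplicationSite @params
}

function Get-UgmcForSite {
    param([Parameter(Mandatory)] [string] $Site)
    Get-ADReplicationSite -Identity $Site -Properties UniversalGroupMembershipCachingEnabled, UniversalGroupMembershipCachingRefreshSite |
        Select-Object Name, UniversalGroupMembershipCachingEnabled, UniversalGroupMembershipCachingRefreshSite
}

# Enable caching for a site that has no GC, refreshing from the hub site's GC servers.
Set-UgmcForSite -Site 'Branch-Office' -Enabled $true -RefreshFromSite 'Hub'
Get-UgmcForSite -Site 'Branch-Office'

# Disable it again once the site gets its own GC server, at which point the cache is redundant:
# Set-UgmcForSite -Site 'Branch-Office' -Enabled $false
```

Pick a refresh site that the branch reaches over a link you trust; the cached memberships are what the branch's domain controllers put into access tokens when no GC is reachable, so a stale cache means a user keeps (or lacks) universal group access until the next refresh.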

How to Include Additional Attributes in the GC

The number of attributes in the GC affects GC replication: the more attributes the GC servers have to replicate, the more network traffic GC replication creates. A default set of attributes (the partial attribute set) is included in the GC when Active Directory is first deployed, and the Active Directory Schema snap-in can be used to add further attributes to it. Because the snap-in is not in the Administrative Tools menu by default, its DLL has to be registered and the snap-in added to an MMC console before it can be used to customize the GC.
To add the Active Directory Schema snap-in in the MMC:
  1. Click Start, Run, and enter cmd in the Run dialog box. Press Enter.
  2. Enter the following at the command prompt: regsvr32 schmmgmt.dll.
  3. Click OK to acknowledge that the dll was successfully registered.
  4. Click Start, Run, and enter mmc in the Run dialog box.
  5. When the MMC opens, select Add/Remove Snap-in from the File menu.
  6. In the Add/Remove Snap-in dialog box, click Add then add the Active Directory Schema snap-in from the Add Standalone Snap-in dialog box.
  7. Close all open dialog boxes.
To include additional attributes in the GC (this is a schema change and requires membership in Schema Admins):
  1. Open the Active Directory Schema snap-in.
  2. In the console tree, expand the Attributes container, right-click the attribute to add, and click Properties on the shortcut menu.
  3. On the General tab, select the Replicate this attribute to the Global Catalog checkbox.
  4. Click OK.
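The checkbox in the procedure above sets the isMemberOfPartialAttributeSet flag on the attribute's attributeSchema object. As an added PowerShell example (not from the original post), the following lists the attributes currently in the partial attribute set and adds one, writing to the schema master as any schema change must. It assumes the RSAT ActiveDirectory module and Schema Admins membership; the attribute employeeNumber is used as a hypothetical target, and the function checks whether it is already in the set before changing anything.

```powershell
# Added example, not from the original post: list the partial attribute set (PAS) and add an
# attribute to it by setting isMemberOfPartialAttributeSet on its attributeSchema object.
# Assumes the RSAT ActiveDirectory module and Schema Admins membership; the target attribute
# employeeNumber is hypothetical.
Import-Module ActiveDirectory

function Get-PartialAttributeSet {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc -Properties lDAPDisplayName `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

function Add-AttributeToGlobalCatalog {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    $schemaNc     = (Get-ADRootDSE).schemaNamingContext
    # Schema writes are only accepted by the schema master; other DCs refuse them.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $attr = Get-ADObject -SearchBase $schemaNc -Server $schemaMaster `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties isMemberOfPartialAttributeSet
    if (-not $attr) { throw "No attributeSchema object with lDAPDisplayName '$LdapDisplayName'." }
    if ($attr.isMemberOfPartialAttributeSet) {
        Write-Verbose "'$LdapDisplayName' is already replicated to the Global Catalog."
        return
    }
    if ($PSCmdlet.ShouldProcess($attr.DistinguishedName, 'add to partial attribute set')) {
        Set-ADObject -Identity $attr -Replace @{ isMemberOfPartialAttributeSet = $true } -Server $schemaMaster
    }
}

"Attributes in the PAS before the change: $((Get-PartialAttributeSet).Count)"
Add-AttributeToGlobalCatalog -LdapDisplayName 'employeeNumber' -Verbose
"Attributes in the PAS after the change:  $((Get-PartialAttributeSet).Count)"
```

Use -WhatIf on the Add call first; on Windows 2000 GC servers an addition to the partial attribute set triggered a full resynchronization of every partial replica, while Windows Server 2003 and later GC servers replicate only the added attribute, so the cost of the change depends on what the forest is running.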

Troubleshooting GC Servers

A few common problems with GC servers, and the usual remedies:
  • Slow query response time: add a GC server in the location with the slow response so that users query a local GC instead of crossing the WAN link.
  • Replication latency between GC servers: GC replication follows the site topology, so adding sites and site links (and tuning their schedules and costs) gives control over when, and over which links, the partial replicas are updated.
  • High load: where GC servers are overloaded, adding more GC servers spreads the query load. Remember, though, that every additional GC server adds GC replication traffic.
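Before adding a GC server for any of the three problems above, it helps to measure which one you actually have. The following is an added PowerShell example (not from the original post) that reports which GC the DC locator hands a client in this site, whether the GC ports answer and how long a GC-scoped query takes, and whether the GC's inbound replication is current for every partition it holds. It assumes the RSAT ActiveDirectory module, Test-NetConnection (Windows 8 / Server 2012 or later), and that the sAMAccountName used as a probe (krbtgt by default, which exists in every domain) is readable.

```powershell
# Added example, not from the original post: first-pass GC health checks for the three
# problems above. Assumes the RSAT ActiveDirectory module and Test-NetConnection; the probe
# account krbtgt exists in every domain, so the GC query always has a hit.
Import-Module ActiveDirectory

function Test-GcHealth {
    [CmdletBinding()]
    param(
        [string] $Domain = (Get-ADDomain).DNSRoot,
        [string] $ProbeSamAccountName = 'krbtgt',
        [int]    $MaxLagMinutes = 60
    )

    # 1. Which GC does the DC locator return for this client, and is it in our site?
    #    A GC in another site means every GC query from here crosses the WAN.
    $gc      = Get-ADDomainController -Discover -Service GlobalCatalog -DomainName $Domain -ForceDiscover
    $gcHost  = [string]$gc.HostName
    $gcSite  = [string]$gc.Site
    $ourSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

    # 2. Are the GC ports reachable, and how long does one GC-scoped query take?
    $ldapOk  = (Test-NetConnection -ComputerName $gcHost -Port 3268 -WarningAction SilentlyContinue).TcpTestSucceeded
    $ldapsOk = (Test-NetConnection -ComputerName $gcHost -Port 3269 -WarningAction SilentlyContinue).TcpTestSucceeded
    $rootDn  = (Get-ADRootDSE).rootDomainNamingContext
    $queryMs = (Measure-Command {
        # host:3268 makes the module talk to the GC; a subtree search from the forest root
        # then spans every domain's partial replica.
        Get-ADObject -Server "${gcHost}:3268" -SearchBase $rootDn -SearchScope Subtree `
            -LDAPFilter "(sAMAccountName=$ProbeSamAccountName)"
    }).TotalMilliseconds

    # 3. Is the GC's inbound replication current for all partitions it holds, including the
    #    read-only partial replicas of the other domains? (0 = last attempt succeeded)
    $stale = Get-ADReplicationPartnerMetadata -Target $gcHost -PartitionFilter All |
        Where-Object { $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt (Get-Date).AddMinutes(-$MaxLagMinutes) } |
        Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult

    [pscustomobject]@{
        ClientSite            = $ourSite
        GlobalCatalog         = $gcHost
        GcSite                = $gcSite
        GcInOurSite           = ($gcSite -eq $ourSite)
        Port3268Open          = $ldapOk
        Port3269Open          = $ldapsOk
        QueryMilliseconds     = [math]::Round($queryMs)
        StaleReplicationLinks = @($stale)
    }
}

Test-GcHealth | Format-List
```

Read the result against the list above: GcInOurSite false with a high QueryMilliseconds is the slow-response case and calls for a local GC; entries in StaleReplicationLinks point at replication latency and at the site links to look at; a local, reachable GC that is still slow to answer is the high-load case.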
