Tuesday, March 6, 2012

The Global Catalog Server in Windows 2003


An Overview on Global Catalog Servers

The Global Catalog (GC) is an important component of Active Directory because it serves as the central information store for the Active Directory objects located in the domains of a forest. The GC maintains a list of the Active Directory objects in all domains and forests without including all of the information on each object, and it is used when users search for Active Directory objects or for specific attributes of an object. In this way the GC improves network performance and provides maximum accessibility to Active Directory objects.
The Global Catalog server is the domain controller that stores a full copy of all objects in its host domain. It also stores a partial copy of all objects in all other domains within the forest. The partial copy holds the list of objects most frequently searched for. The first domain controller that is created in the first domain in a forest is by default the Global Catalog server. If a domain only has one domain controller, that particular domain controller and the GC server are the same server. If you add an additional domain controller to the domain, you can configure that domain controller as the GC server. You can also assign additional domain controllers to serve as GC servers for a domain. This is usually done to improve response time for user logon requests and search requests.
In order for Global Catalog servers to store a full copy of all objects in its host domain, and a partial copy of all objects in all other domains within the forest, GC replication has to occur between those domain controllers that are configured as GC servers. GC replication does not occur between domain controllers that are not GC servers.
The functions performed by the GC server can be summarized as follows:
  • GC servers are crucial for Active Directory's user principal name (UPN) functionality: they resolve UPNs when the domain controller handling an authentication request cannot authenticate the user account because the account exists in another domain. The authenticating domain controller has no knowledge of that user account, so the GC server locates it and the authenticating domain controller can then proceed with the user's logon request.
  • The GC server deals with all search requests of users searching for information in Active Directory. It can find all Active Directory data irrespective of the domain in which the data is held. The GC server deals with requests for the entire forest.
  • The GC also provides Universal Group membership information to the domain controller that processes a user's network logon request.
Universal Groups are available when the domain functional level is raised or set to at least Windows 2000 native. Universal Groups can contain members that belong to different domains within the forest, and their Universal Group membership information is only stored in the GC. What this means is that only those domain controllers configured as GC servers would contain Universal Group membership information. The remainder of the domain controllers would not hold Universal Group membership information.
The universal group membership caching feature, introduced in Windows Server 2003 Active Directory, enables a site that has no GC server to cache universal group membership information for users who log on to domain controllers within the site. In this manner, a domain controller can serve logon requests for directory information when a GC server is unavailable. The settings of the Active Directory replication schedule determine how often the cache is refreshed.

Planning the Location of Global Catalog servers

If you have a relatively small network that only has one physical location, the first domain controller installed for the domain would become the GC server. As additional domain controllers are added to the domain, you can move the GC server role to a different domain controller. Placing the GC server in such an Active Directory environment is a fairly straightforward process.
The majority of larger networks, however, have many physical locations. Having high-speed, reliable links that connect branch offices would be the ideal situation. Since most links use limited bandwidth, and some links are also unreliable, the need to create sites and site links to control replication traffic becomes essential.
You should configure at least one domain controller as the GC server in each site. Ensure that the domain controller is robust enough to deal with all Global Catalog queries and GC replication traffic. This in turn ensures the best possible network response time.
When Microsoft Exchange 2000 Server is being used, it is also recommended to configure a GC server for each site that has an Exchange server.
If you have multiple sites, you might want to deploy additional GC servers for a site if the following conditions are true:
  • A slow WAN link or unreliable WAN link is used to connect to the other sites.
  • A frequently used application uses port 3268 for GC queries.
  • The users in the site are members of a Windows 2000 domain or a Windows Server 2003 domain operating in Windows 2000 native mode.
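Before deciding where additional GC servers are needed, it helps to see what each site already has. The following PowerShell script is an added example and is not part of the original post: it walks the Sites container of the Configuration partition, lists every domain controller per site, reads the GC flag from each DC's NTDS Settings object (the same flag the Global Catalog checkbox sets) and the universal group membership caching flag from the site's NTDS Site Settings object, and warns about sites that have neither. It is read-only, assumes a domain-joined machine, and needs no special rights because any authenticated user can read the Configuration partition. The bit values are the documented `options` flags; everything else is constructed for this example.

```powershell
# Added example (not part of the original post): inventory sites, their DCs,
# which DCs are GC servers, and whether universal group membership caching
# (UGMC) is on for the site. Read-only; run on any domain-joined machine.

# Bit flags of the "options" attribute (values from the AD schema reference)
$NTDSDSA_OPT_IS_GC                         = 0x01  # on a DC's NTDS Settings (nTDSDSA) object
$NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = 0x20  # on a site's NTDS Site Settings object

function Get-OptionsValue($entry) {
    # "options" is absent until something has been set on the object; treat absent as 0
    $v = $entry.Properties['options'].Value
    if ($null -eq $v) { 0 } else { [int]$v }
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
$sites    = [ADSI]"LDAP://CN=Sites,$configNc"

$report = @()
foreach ($site in $sites.Children) {
    if ($site.SchemaClassName -ne 'site') { continue }   # skip Inter-Site Transports, Subnets
    $siteName = [string]$site.Properties['name'].Value
    $siteDn   = [string]$site.Properties['distinguishedName'].Value

    $siteSettings = [ADSI]"LDAP://CN=NTDS Site Settings,$siteDn"
    $ugmc = ((Get-OptionsValue $siteSettings) -band $NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) -ne 0

    $dcsInSite = 0
    foreach ($server in ([ADSI]"LDAP://CN=Servers,$siteDn").Children) {
        if ($server.SchemaClassName -ne 'server') { continue }
        $serverDn = [string]$server.Properties['distinguishedName'].Value
        # A server object represents a DC only if it has an NTDS Settings child
        $ntdsPath = "LDAP://CN=NTDS Settings,$serverDn"
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists($ntdsPath)) { continue }
        $dcsInSite++
        $isGc = ((Get-OptionsValue ([ADSI]$ntdsPath)) -band $NTDSDSA_OPT_IS_GC) -ne 0
        $report += New-Object PSObject -Property @{
            Site   = $siteName
            Server = [string]$server.Properties['dNSHostName'].Value
            IsGC   = $isGc
            UGMC   = $ugmc
        }
    }
    if ($dcsInSite -eq 0) {
        # Keep sites without any DC visible in the report
        $report += New-Object PSObject -Property @{ Site = $siteName; Server = '(no DC)'; IsGC = $false; UGMC = $ugmc }
    }
}

$report | Sort-Object Site, Server | Format-Table Site, Server, IsGC, UGMC -AutoSize

# A site with no GC and no caching sends every logon's universal group lookup over the WAN link
foreach ($g in ($report | Group-Object Site)) {
    $hasGc = @($g.Group | Where-Object { $_.IsGC }).Count -gt 0
    if (-not $hasGc -and -not $g.Group[0].UGMC) {
        Write-Warning "Site '$($g.Name)' has no GC server and universal group membership caching is off"
    }
}
```

The warning at the end is the check a practitioner wants from the planning guidance above: a site that has neither a GC server nor universal group membership caching depends on a remote GC for every logon that involves universal groups, which is exactly the situation the slow or unreliable WAN link condition describes.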

How to create additional GC servers

When you create the first domain controller for a new domain, that particular domain controller is designated as the GC server. Depending on your network, you might need to add one or more additional GC servers. The Active Directory Sites and Services console is the tool used to add an additional GC server. You must be a member of the Domain Admins or Enterprise Admins group to create additional GC servers.
To create an additional GC server:
  1. Click Start, Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console tree, expand Sites, and then expand the site that contains the domain controller which you want to configure as a GC server.
  3. Expand the Servers folder, and locate and then click the domain controller that you want to designate as a GC server.
  4. In the details pane, right-click NTDS Settings and click Properties on the shortcut menu.
  5. The NTDS Settings Properties dialog box opens.
  6. The General tab is where you specify the domain controller as a GC server.
  7. Enable the Global Catalog checkbox.
  8. Click OK.
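Ticking the Global Catalog checkbox only sets a flag on the domain controller's NTDS Settings object; the domain controller starts advertising itself as a GC once the partial replicas of the other domains in the forest have replicated to it. The PowerShell function below is an added example, not part of the original post, that checks each stage for a domain controller you have just configured: the flag itself, the `isGlobalCatalogReady` value the domain controller reports in its rootDSE, whether TCP port 3268 accepts connections, whether the domain controller locator hands the server out as a GC, and a forest-wide query over port 3268 that should see every domain in the forest. The name `dc01.corp.example` is a placeholder to replace with your own domain controller; the function name is chosen for this example.

```powershell
# Added example (not part of the original post): verify that a DC configured
# as a GC server has actually become one. Replace the placeholder DC name.

function Test-GlobalCatalog {
    param([string]$DcName)   # DNS name of the DC to check, e.g. 'dc01.corp.example' (placeholder)

    $result = New-Object PSObject -Property @{
        DC = $DcName; FlagSet = $false; Ready = $false; Port3268 = $false; Advertised = $false; DomainsSeen = 0
    }

    # 1. Is the GC flag set on the DC's own NTDS Settings object? (this is what the checkbox does)
    $rootDse = [ADSI]"LDAP://$DcName/RootDSE"
    $ntdsDn  = [string]$rootDse.Properties['dsServiceName'].Value   # DN of this DC's NTDS Settings
    $ntds    = [ADSI]"LDAP://$DcName/$ntdsDn"
    $opt     = $ntds.Properties['options'].Value
    if ($null -eq $opt) { $opt = 0 }
    $result.FlagSet = (([int]$opt -band 0x1) -ne 0)                # NTDSDSA_OPT_IS_GC

    # 2. Has the DC finished building its partial replicas? rootDSE reports TRUE or FALSE
    $result.Ready = ([string]$rootDse.Properties['isGlobalCatalogReady'].Value -eq 'TRUE')

    # 3. Is the GC LDAP port (3268) accepting connections?
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($DcName, 3268); $result.Port3268 = $true }
    catch   { $result.Port3268 = $false }
    finally { $tcp.Close() }

    # 4. Does the DC locator hand this server out as a GC?
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcNames = $forest.FindAllGlobalCatalogs() | ForEach-Object { $_.Name.ToLower() }
    $result.Advertised = ($gcNames -contains $DcName.ToLower())

    # 5. Forest-wide query over port 3268: every domain head object should be visible
    if ($result.Port3268) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"GC://$DcName")
        $searcher.Filter = '(objectClass=domainDNS)'
        $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
        $result.DomainsSeen = $searcher.FindAll().Count
    }

    # Compare against the number of domains the forest actually has
    $result | Add-Member NoteProperty DomainsInForest $forest.Domains.Count -PassThru
}

Test-GlobalCatalog -DcName 'dc01.corp.example' | Format-List
```

A result with FlagSet true but Ready false is normal immediately after enabling the checkbox on a multi-domain forest: the partial replicas are still replicating in, and the domain controller will neither listen on port 3268 nor be returned by the locator until that completes. DomainsSeen lower than DomainsInForest after the server reports Ready points at a GC replication problem for the missing domain.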

How to enable the Universal Group Membership caching feature

  1. Click Start, Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console tree, click the particular site that you want to enable universal group membership caching for.
  3. In the details pane, right-click NTDS Settings and click Properties on the shortcut menu.
  4. The NTDS Settings Properties dialog box opens.
  5. Check the Enable Universal Group Membership Caching checkbox.
  6. Click OK.

How to remove the GC server role from a domain controller

  1. Open the Active Directory Sites and Services console.
  2. In the console tree, locate and click the domain controller currently configured as the GC server.
  3. Right-click NTDS Settings and click Properties on the shortcut menu to open the NTDS Settings Properties dialog box.
  4. Clear the Global Catalog checkbox.
  5. Click OK.

How to disable the Universal Group Membership caching feature

  1. Open the Active Directory Sites and Services console.
  2. In the console tree, locate and click the site for which you want to disable the Universal Group Membership caching feature.
  3. Right-click NTDS Settings and click Properties on the shortcut menu to open the NTDS Settings Properties dialog box.
  4. Clear the Enable Universal Group Membership Caching checkbox.
  5. Click OK.

How to include additional attributes in the GC

The number of attributes in the GC affects GC replication. The more attributes your GC servers have to replicate, the more network traffic GC replication creates. Default attributes are included in the GC when Active Directory is first deployed. You can use the Active Directory Schema snap-in to add any additional attribute to the GC. Because the snap-in is by default not included in the Administrative Tools menu, you first have to add it to the MMC before you can use it to customize the GC.
To add the Active Directory Schema snap-in in the MMC:
  1. Click Start, Run, and enter cmd in the Run dialog box. Press Enter.
  2. Enter the following at the command prompt: regsvr32 schmmgmt.dll.
  3. Click OK to acknowledge that the dll was successfully registered.
  4. Click Start, Run, and enter mmc in the Run dialog box.
  5. When the MMC opens, select Add/Remove Snap-in from the File menu.
  6. In the Add/Remove Snap-in dialog box, click Add, and then add the Active Directory Schema snap-in from the Add Standalone Snap-in dialog box.
  7. Close all open dialog boxes.
To include additional attributes in the GC:
  1. Open the Active Directory Schema snap-in.
  2. In the console tree, expand the Attributes container, right-click an attribute and click Properties from the shortcut menu.
  3. Additional attributes are added on the General tab.
  4. Ensure that the Replicate this attribute to the Global Catalog checkbox is enabled.
  5. Click OK.
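The "Replicate this attribute to the Global Catalog" checkbox sets the `isMemberOfPartialAttributeSet` attribute to TRUE on the attribute's `attributeSchema` object; the set of attributes with that flag is the partial attribute set the text above refers to. The following PowerShell is an added example, not part of the original post, that lists the current partial attribute set and checks whether a named attribute is in it, also noting attributes whose `systemFlags` mark them as never replicated, since those cannot be added to the GC at all. It only reads the schema; writing the flag through the snap-in requires membership in Schema Admins, not just Domain Admins. The function names and the attribute names in the calls at the bottom are chosen for this example.

```powershell
# Added example (not part of the original post): inspect the GC partial
# attribute set in the schema. Read-only; run on any domain-joined machine.

$FLAG_ATTR_NOT_REPLICATED = 0x1   # systemFlags bit: attribute never replicates, so it cannot be in the GC

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value

function Get-PartialAttributeSet {
    # Every attributeSchema object flagged for GC replication, by LDAP display name
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
    $s.Filter   = '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))'
    $s.PageSize = 500                               # the schema holds more than the 1000-entry server limit
    $s.PropertiesToLoad.Add('lDAPDisplayName') | Out-Null
    $s.FindAll() | ForEach-Object { $_.Properties['ldapdisplayname'][0] } | Sort-Object
}

function Test-InPartialAttributeSet {
    param([string]$LdapDisplayName)
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
    $s.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $s.PropertiesToLoad.AddRange(@('isMemberOfPartialAttributeSet', 'systemFlags'))
    $r = $s.FindOne()
    if ($r -eq $null) { return "$LdapDisplayName : not found in the schema" }

    # SearchResult property names come back lower-cased; a missing flag means FALSE
    $inGc = $r.Properties.Contains('ismemberofpartialattributeset') -and
            ([string]$r.Properties['ismemberofpartialattributeset'][0] -eq 'True')
    $sysFlags = 0
    if ($r.Properties.Contains('systemflags')) { $sysFlags = [int]$r.Properties['systemflags'][0] }
    $replicated = ($sysFlags -band $FLAG_ATTR_NOT_REPLICATED) -eq 0

    if ($inGc)                { "$LdapDisplayName : in the GC" }
    elseif (-not $replicated) { "$LdapDisplayName : non-replicated attribute, cannot be added to the GC" }
    else                      { "$LdapDisplayName : not in the GC (can be added with the schema snap-in)" }
}

$pas = Get-PartialAttributeSet
"Partial attribute set contains $($pas.Count) attributes"
$pas

# Example checks on ordinary schema attributes (names chosen for this example)
Test-InPartialAttributeSet 'userPrincipalName'
Test-InPartialAttributeSet 'employeeID'
Test-InPartialAttributeSet 'lastLogon'
```

Run `Get-PartialAttributeSet` before and after a schema change to record exactly which attributes were added. One caveat worth knowing before extending the set: on Windows 2000 GC servers, adding an attribute to the partial attribute set triggered a full synchronization of every GC partial replica, while Windows Server 2003 GC servers replicate only the added attribute, so the replication cost described in the text above is considerably lower on a 2003 forest.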

Troubleshooting GC Servers

A few common problems experienced with GC servers are listed below:
  • Slow query response time: Adding an additional GC server to the location with the slow query response time can improve query response time. Users would be able to use the local GC server instead of using the slow WAN link.
  • Replication latency problems between GC servers: You can add sites to assist with replication traffic.
  • High load: Where your GC servers are experiencing an excessive load, adding more GC servers to handle the load could assist with the problem. Remember though that adding additional GC servers increases GC replication traffic.
