Section 11.2. Planning and Implementing a Strategy for Placing Global Catalog Servers

11.2. Planning and Implementing a Strategy for Placing Global Catalog Servers

Domain controllers designated as global catalogs contain additional data stores called global catalogs. A global catalog contains a full copy of all objects in the directory for its host domain and a partial, read-only replica of objects in all other domains in the Active Directory forest. This configuration enables the global catalog to be used for efficient searching and faster logon.

11.2.1. Placing Global Catalog Servers

The global catalog:

• Enables a user to log on to a network by providing universal group membership information to a requesting domain controller during logon.

• Enables finding directory information throughout the forest.

• Helps to resolve User Principal Names for domains outside a domain controller's current domain.

If a global catalog isn't available when a user in a universal security group logs on to a domain, the logon computer may be able to use cached credentials if the user has logged on previously and the logon domain controller is running Windows Server 2003. If the user has not logged on to the domain previously, the user can log on only to the local computer.

By default, the first domain controller installed in a domain is automatically designated as a global catalog server. You can move the global catalog to another domain controller and designate additional domain controllers to be global catalog servers as well. To designate a domain controller as a global catalog, follow these steps:

1. Start Active Directory Sites And Services from the Administrative Tools menu.

2. Expand the site you want to work with, such as Default-First-Site-Name.

3. Expand the Servers node, and then select the server you want to designate as a global catalog.

4. In the right-pane, right-click NTDS Settings and then select Properties.

5. To designate the domain controller to be a global catalog, select the Global Catalog option as shown in Figure 11-6.

   Figure 11-6. Designating global catalog servers.

   

6. To remove the global catalog from a domain controller, clear the Global Catalog option.

7. Click OK.

Queries to global catalog servers are done over TCP port 3268 for standard communications and TCP port 3269 for secure communications. When considering where to place global catalog servers, you should examine the network's site topology. Each site should have at least one global catalog to ensure availability and optimal response time. When each site has at least one global catalog, user logon requests and queries can be resolved locally without having to go across WAN connections. To determine which domain controllers to designate as global catalogs, consider the server's ability to handle replication and query traffic. The global catalog requires more network resources than normal directory replication traffic.

Having one global catalog in each site is especially important when:

• Slow or unreliable WAN connections are used to connect to other sites.

• Users in the site belong to a domain running in Windows 2000 native mode.

• Other applications in the site use port 3268 or 3269 to resolve global catalog queries.

11.2.2. Designating Replication Attributes

Each object class, such as User, Group, or Computer, has a set of attributes that are designated for replication. Global catalog servers use the replication details to create the partial replica of objects from other domains.

Schema administrators can designate additional attributes to be replicated. If users routinely search for an attribute that isn't replicated, you might want to add attributes to the list of replicated attributes. You shouldn't stop replication attributes that are replicated by default, however.

Members of the Schema Admins group can manage the attributes that are replicated using the Active Directory Schema snap-in. This snap-in is not available by default. You must install the Administration Tools (ADMINPAK.MSI). Then you must register the snap-in for use on your computer by typing the following at a command prompt:

 regsvr32 schmmgmt.dll 

Once you install the Administrative Tools, you can add the Active Directory Schema snap-in to a custom console by completing these steps:

1. Type mmc at a command prompt.

2. Click File Add/Remove Snap-in.

3. Click Close, and then click OK.

You can edit the schema for an object whose attribute you want to replicate using the following steps:

1. In Active Directory Schema, expand the Active Directory Schema node, and then select the Attributes node.

2. A list of the attributes for all objects in the directory is then displayed in the right pane (see Figure 11-7).

   Figure 11-7. Displaying available schema attributes.

   

3. Double-click the attribute to replicate to the global catalog.

4. In the attribute's properties dialog box, select the Replicate This Attribute To The Global Catalog checkbox (see Figure 11-8).

   Figure 11-8. Replicate and index attributes as necessary.

   

5. If you want the attribute to be indexed in Active Directory for faster search and retrieval, select Index This Attribute In The Active Directory. This increases the size of the Active Directory database.

6. Click OK.

11.2.3. Evaluating the Need to Enable Universal Group Caching

On a domain with domain controllers running Windows Server 2003, universal group membership caching can be enabled. Once caching is enabled, domain controllers store universal group membership information in a cache and use the cache for the next time the user logs on to the domain. The cache is maintained indefinitely and updated every eight hours by default to ensure its consistency. Up to 500 universal group memberships can be updated at once.

Universal group caching has the following benefits:

• Faster logon because domain controllers no longer need to access global catalogs to obtain universal group membership details.

• Reduced bandwidth usage because you can deploy fewer global catalogs and in this way reduce replication traffic.

• Reduced resource usage and possibly the requirement to update server hardware to handle the additional load of maintaining a global catalog.

Universal group caching may change the way you deploy global catalogs within your organization. With universal group caching enabled, remote sites running Windows Server 2003 domain controllers don't have to have global catalogs configured as well. While this gives you additional configuration options, you should still consider whether sites are connected over slow or unreliable WAN connections, whether users in the site belong to a domain running in Windows 2000 native mode, and whether other applications in the site use port 3268 or 3269 to resolve global catalog queries.

On a domain with controllers running Windows Server 2003, you enable universal group membership caching on a-per site basis. To enable caching, follow these steps:

1. Start Active Directory Sites And Services from the Administrative Tools menu.

2. Expand the site you want to work with, such as Default-First-Site-Name.

3. In the right-pane, right-click NTDS Site Settings and then select Properties.

4. As shown in Figure 11-9, select Enable Universal Group Membership Caching.

5. Click OK.

   Figure 11-9. Enabling universal group membership caching for a site.