A global catalog server is a domain controller that contains a copy of every Active Directory object in a forest. By default, the first domain controller installed in a forest is a global catalog server. The global catalog contains a full copy of every Active Directory object in its host domain, and a partial copy of every object in the other domains in the forest. The partial copies include the most commonly queried attributes of objects. The attribute set that global catalogs store is defined in the Active Directory schema, which can be modified if needed. The role of the global catalog server is to perform the following primary tasks:
Windows Server 2003 has new features in how global catalog information is stored that affect decisions about where to place a global catalog server in a distributed organization. The next section provides best practices for global catalog placement and customization based on the new features in Windows Server 2003.

Global Catalog Placement

Conceivably, every domain controller can contain a copy of the global catalog. Because global catalog information must be replicated to every global catalog server in the forest, making every domain controller a global catalog server can significantly affect network performance. On the other hand, having too few GCs available to users can affect user logons and access tokens.

Uses More Network Resources

Network traffic related to global catalog queries generally uses more network resources than normal directory replication traffic.

For a single-site environment, a single global catalog is sufficient. It is a best practice to have at least a second GC in a single site for fault tolerance. It is also a best practice to place a GC in a remote site connected by an unreliable or slow connection. In this scenario, fault tolerance for user authentication is achieved at the price of a network performance hit. If users at the remote site are members of a Windows 2000 native mode domain, they get their universal group membership information from a global catalog server. If no GC is located in the same site, logon requests have to be routed over the WAN to find one. Windows Server 2003 domain controllers can alleviate this problem with universal group caching.

Universal Group Caching

Because of the network performance issues related to locating GCs at remote sites, Microsoft added a feature in Windows Server 2003 that enables domain controllers to cache and store universal group membership without containing (and replicating) a global catalog.
When enabled, the domain controller queries a global catalog for universal group membership the first time a user logs on, and then caches that information indefinitely. The next time that user logs on, the domain controller refers to its local cache instead of querying the global catalog server. The cached universal group membership information is periodically refreshed (by default, every eight hours). The benefits of universal group caching can be summarized as follows:
Enabling universal group caching on a domain controller is accomplished by using Active Directory Sites and Services. To enable universal group caching, perform the following steps:
Customizing the Global Catalog

As was indicated earlier, the global catalog contains only a partial list of attributes for objects that are not in the host domain. Although the attributes that are included represent the items queried for most of the time (for example, a user's first name, last name, and e-mail address), there might be occasions for adding attributes to be replicated and made available for users or applications to query against. Adding attributes to the global catalog can improve query performance. When considering whether to add attributes to the global catalog, keep the following in mind:
To add attributes to the global catalog, you must use the Active Directory Schema snap-in. To add an attribute (for example, the primary mobile phone attribute) to the global catalog, perform the following steps:
Modifying the Schema Is an Advanced Operation

The Active Directory Schema snap-in must be installed before it can be used. Only members of the Schema Admins group have the capability to modify the schema. Modifying the schema is an advanced operation best performed by experienced programmers and system administrators.
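The placement rules and the universal group caching and partial attribute set settings described above can be audited from the directory itself. The following PowerShell script is an added example, not part of the original text or of the Sites and Services and Schema snap-in procedures it describes; it assumes the ActiveDirectory PowerShell module (RSAT, which postdates Windows Server 2003) on a domain-joined host, and assumes that `mobile` is the LDAP display name of the primary mobile phone attribute. The function names are the author's own.

```powershell
# Added example (not from the original text). Assumes the ActiveDirectory module (RSAT)
# on a domain-joined host with read access to the configuration and schema partitions.
Import-Module ActiveDirectory

# Universal group membership caching is bit 0x20 of the 'options' attribute on a
# site's NTDS Site Settings object (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED).
$UgmcFlag = 0x20

# Get-ADDomainController is per domain, so walk every domain in the forest.
$AllDcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

function Get-GcPlacementReport {
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                                 -Properties options, 'msDS-Preferred-GC-Site'
        $siteDcs = @($AllDcs | Where-Object { $_.Site -eq $site.Name })
        $gcs     = @($siteDcs | Where-Object { $_.IsGlobalCatalog })
        $ugmc    = (([int]$settings.options) -band $UgmcFlag) -ne 0

        # A site with DCs but neither a GC nor caching sends every logon that needs
        # universal group membership across the WAN; a single GC has no fault tolerance.
        $finding = if ($siteDcs.Count -gt 0 -and $gcs.Count -eq 0 -and -not $ugmc) {
            'No GC and no universal group caching'
        } elseif ($gcs.Count -eq 1) {
            'Single GC: no fault tolerance'
        } else { 'OK' }

        [pscustomobject]@{
            Site              = $site.Name
            DomainControllers = $siteDcs.Count
            GlobalCatalogs    = $gcs.Count
            UgmcEnabled       = $ugmc
            PreferredGcSite   = $settings.'msDS-Preferred-GC-Site'
            Finding           = $finding
        }
    }
}

# Is an attribute replicated to the global catalog? The schema flag is
# isMemberOfPartialAttributeSet. 'mobile' is assumed here to be the LDAP display
# name of the primary mobile phone attribute mentioned in the text.
function Test-InPartialAttributeSet([string]$LdapDisplayName) {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -Properties isMemberOfPartialAttributeSet `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    [bool]$attr.isMemberOfPartialAttributeSet
}

Get-GcPlacementReport | Format-Table -AutoSize
Test-InPartialAttributeSet 'mobile'
```

The report only reads the configuration and schema partitions, so it runs as an ordinary domain user; changing the partial attribute set itself still requires Schema Admins membership, as the note above states.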