Getting the Most Out of Global Catalog Servers


A global catalog server is a domain controller that contains a copy of every Active Directory object in a forest. By default, the first domain controller installed in a forest is a global catalog server. The global catalog contains a full copy of every Active Directory object in its host domain, and a partial copy of every object in other domains in the forest. The partial copies include the most commonly queried attributes of objects. The attribute set that global catalogs will store is defined in the Active Directory schema, which can be modified if needed.

The role of the global catalog server is to perform the following primary tasks:

  • Find objects anywhere in the forest. When users search for people or printers from the Start menu, the queries are sent directly to a global catalog.

  • Authenticate User Principal Names (UPNs). When an authenticating domain controller does not have information about a user who is logging on with a UPN (for example, user1@companyabc.com), it sends a request to a global catalog to complete the logon request.

  • Contain Universal Group membership. Unlike global group memberships, which are stored in each domain, universal group memberships are only stored in global catalogs.

Windows Server 2003 changes how global catalog information is stored, and these changes affect decisions on where to place global catalog servers in a distributed organization. The next section provides best practices for global catalog placement and customization based on the new features in Windows Server 2003.

Global Catalog Placement

Conceivably, every domain controller can contain a copy of the global catalog. Because global catalog information must be replicated to every global catalog server in the forest, making every domain controller a global catalog server can significantly affect network performance. On the other hand, having too few GCs available to users can affect user logons and access tokens.

Uses More Network Resources

Network traffic related to global catalog queries generally uses more network resources than normal directory replication traffic.


For a single site environment, a single global catalog is sufficient. It is a best practice to have at least a second GC in a single site for fault tolerance.

It is also a best practice to place a GC in a remote site connected by an unreliable or slow connection. In this scenario, fault tolerance for user authentication is achieved at the price of a network performance hit.

If users at the remote site are members of a Windows 2000 native mode domain, they get their universal group membership information from a global catalog server. If the GC is not located in the same site, logon requests will have to be routed over the WAN to find a GC. Windows Server 2003 domain controllers can alleviate this problem with Universal Group Caching.

Universal Group Caching

Due to the network performance issues related to locating GCs at remote sites, Microsoft has added a feature in Windows Server 2003 that enables domain controllers to cache and store Universal Group membership without containing (and replicating) a global catalog.

When caching is enabled, the first time a user logs on the domain controller queries a global catalog for that user's universal group membership and then keeps the result in its cache indefinitely. On subsequent logons the domain controller refers to its local cache instead of querying a global catalog server. The cached universal group membership information is refreshed periodically (by default, every eight hours).

The benefits of universal group caching can be summarized as follows:

  • Faster logon times. The domain controller can use its cached copy of universal group memberships instead of querying a global catalog server.

  • Better bandwidth utilization. Fewer domain controllers will be replicating the entire global catalog of Active Directory objects.

  • Better hardware utilization. Potentially, fewer servers would be required to support Active Directory. At the very least, existing domain controllers could perform additional roles in the organization if they are not tasked with global catalog storage and replication.

Enabling universal group caching on a domain controller is accomplished by using Active Directory Sites and Services. To enable universal group caching, perform the following steps:

  1. Open Active Directory Sites and Services.

  2. In the console tree, click the site in which you want to enable universal group membership caching.

  3. In the details pane, right-click NTDS Site Settings, and then click Properties.

  4. Select the Enable Universal Group Membership Caching check box, as shown in Figure 12.3.

    Figure 12.3. Enabling universal group membership caching.

  5. In Refresh Cache From, click a site from which this site will refresh its cache, or accept <Default> to refresh the cache from the nearest site that has a global catalog.
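The following PowerShell, added here and not part of the book, audits every site for global catalog coverage and caching state, then makes the same change as steps 1 to 5 by setting bit 0x20 of the NTDS Site Settings object's options attribute and, optionally, msDS-Preferred-GC-Site (the "Refresh Cache From" setting). It assumes the ActiveDirectory module is available (it shipped with later management tools, not Windows Server 2003) and uses placeholder site names Branch01 and HQ.

```powershell
# Added example, not from the book: report GC coverage and universal group caching for
# every site, then enable caching on a GC-less site. Assumes the ActiveDirectory module
# (Server 2008 R2+ management tools) and rights to modify the site settings objects.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$UGMC_FLAG = 0x20   # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED in NTDS Site Settings 'options'
$IS_GC     = 0x01   # NTDSDSA_OPT_IS_GC in a server's NTDS Settings 'options'

function Get-SiteGCReport {
    # Count GCs per site: matching rule 1.2.840.113556.1.4.803 is a bitwise AND, and the
    # site is the 4th RDN of CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $gcPerSite = @{}
    Get-ADObject -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter "(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=$IS_GC))" |
      ForEach-Object {
        $site = ($_.DistinguishedName -split ',')[3] -replace '^CN=', ''
        $gcPerSite[$site] = 1 + [int]$gcPerSite[$site]
      }
    Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=site)' |
      ForEach-Object {
        $settings = Get-ADObject "CN=NTDS Site Settings,$($_.DistinguishedName)" `
                      -Properties options, 'msDS-Preferred-GC-Site'
        $gcs  = [int]$gcPerSite[$_.Name]
        $ugmc = [bool]([int]$settings.options -band $UGMC_FLAG)
        # The book's placement rules: no GC and no cache means logons cross the WAN;
        # a single GC gives no fault tolerance.
        $note = ''
        if ($gcs -eq 0 -and -not $ugmc) { $note = 'logons depend on a remote GC' }
        elseif ($gcs -eq 1)             { $note = 'single GC: no fault tolerance' }
        $from = if ($settings.'msDS-Preferred-GC-Site') { $settings.'msDS-Preferred-GC-Site' }
                else { '<Default>' }
        [pscustomobject]@{ Site = $_.Name; GlobalCatalogs = $gcs; UGMCEnabled = $ugmc
                           RefreshFrom = $from; Note = $note }
      }
}

function Enable-UGMC {
    param([Parameter(Mandatory)][string]$SiteName, [string]$RefreshFromSite)
    $dn  = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    $cur = [int](Get-ADObject $dn -Properties options).options
    Set-ADObject $dn -Replace @{ options = ($cur -bor $UGMC_FLAG) }   # set the bit, keep the rest
    if ($RefreshFromSite) {   # the GUI's "Refresh Cache From"; omit to keep <Default>
        Set-ADObject $dn -Replace @{ 'msDS-Preferred-GC-Site' = "CN=$RefreshFromSite,CN=Sites,$configNC" }
    }
}

Get-SiteGCReport | Format-Table -AutoSize
# Enable-UGMC -SiteName 'Branch01' -RefreshFromSite 'HQ'   # placeholder site names
```

Run the report first; a site showing zero global catalogs with caching disabled is exactly the remote-site case the text describes, and the change is replicated to the site's domain controllers like any other configuration partition write.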

Customizing the Global Catalog

As was indicated earlier, the global catalog contains only a partial list of attributes for objects that are not in the host domain. Although the attributes that are included represent the items queried for most of the time (for example, a user's first name, last name, and e-mail address), there might be occasions for adding attributes so that they are replicated and available for users or applications to query against.

Adding attributes to the global catalog can improve query performance. When considering whether to add attributes to the global catalog, keep the following in mind:

  • Added attributes can affect network bandwidth utilization. The more data there is to replicate, the more bandwidth will be used.

  • Consider both the size of the attribute and the frequency with which it is updated. A small attribute will not take that much network traffic to replicate, but if it is an attribute that is updated often, it can potentially create more network traffic than a large attribute that rarely changes.

  • Consider that global catalog information consumes disk space as well as network bandwidth.

  • When a new attribute is added to the global catalog for Windows 2000 domain controllers, a forestwide synchronization occurs that will replicate the entire global catalog to all DCs. If the GC/DCs are Windows Server 2003 servers, only the added attribute is replicated.

To add attributes to the global catalog, you must use the Active Directory Schema snap-in.

To add an attribute to the global catalog, for example the primary mobile phone attribute (Mobile), perform the following steps:

  1. Open the Active Directory Schema snap-in.

  2. In the console tree, click Attributes.

  3. In the Details pane, scroll down the list and right-click on Mobile, and then click Properties.

  4. Select the Replicate This Attribute to the Global Catalog check box shown in Figure 12.4.

    Figure 12.4. Adding an attribute to the global catalog.

  5. Click OK to finish.
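The same change made from PowerShell, as an added example that is not from the book: the check box in step 4 sets isMemberOfPartialAttributeSet to TRUE on the attribute's attributeSchema object, and schema writes must be sent to the schema master. The ActiveDirectory module and Schema Admins membership are assumed; the mobile phone attribute's lDAPDisplayName is mobile.

```powershell
# Added example, not from the book: inspect an attribute before adding it to the global
# catalog (size and update frequency drive replication cost), then set
# isMemberOfPartialAttributeSet on the schema master. Assumes the ActiveDirectory module
# and membership in Schema Admins.
Import-Module ActiveDirectory

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster   # schema writes are accepted only here

function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, isMemberOfPartialAttributeSet, rangeUpper,
                    isSingleValued, attributeSyntax
}

function Get-GCAttributeInfo {
    # Shows whether the attribute is already in the global catalog and how large it may
    # be (rangeUpper), the two things the text says to weigh before adding it.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    Get-SchemaAttribute $LdapDisplayName | Select-Object lDAPDisplayName,
        @{ n = 'InGlobalCatalog'; e = { [bool]$_.isMemberOfPartialAttributeSet } },
        @{ n = 'MaxLength';       e = { $_.rangeUpper } },
        isSingleValued, attributeSyntax
}

function Add-AttributeToGlobalCatalog {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-SchemaAttribute $LdapDisplayName
    if (-not $attr) { throw "No schema attribute with lDAPDisplayName '$LdapDisplayName'" }
    if ($attr.isMemberOfPartialAttributeSet) {
        return "$LdapDisplayName is already replicated to the global catalog"
    }
    # Anything in the partial attribute set becomes readable forest-wide from every GC,
    # so confirm the attribute is meant to be visible that widely before flipping it.
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
    "$LdapDisplayName added to the global catalog on $schemaMaster"
}

# The book's example: the primary mobile phone attribute
Get-GCAttributeInfo -LdapDisplayName 'mobile' | Format-List
Add-AttributeToGlobalCatalog -LdapDisplayName 'mobile'
```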

Modifying the Schema Is an Advanced Operation

The Active Directory Schema snap-in must be installed before it can be used. Only members of the Schema Admins group have the capability to modify the schema. Modifying the schema is an advanced operation best performed by experienced programmers and system administrators.




Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325
