Unlike Microsoft Windows NT Server version 4 and earlier, Windows 2000 Server doesn't allow you to designate a system as a domain controller during the operating system installation. Every Windows 2000 server installs as a stand-alone system or a member of a domain. After the installation is complete, you can promote the server to domain controller status using the Windows 2000 Active Directory Installation Wizard. This tool provides a great deal of additional flexibility to Active Directory administrators because servers can be promoted or demoted at any time, while Windows NT 4 servers are irrevocably designated as domain controllers during the installation process.
Also gone is the distinction between primary and backup domain controllers. Windows 2000 domain controllers are all peers in a multiple-master replication system. This means that administrators can modify the contents of the Active Directory tree on any server functioning as a domain controller, and the system will replicate the changes to all the other controllers on the domain. This is a major advance from the Windows NT 4 single-master replication system, in which an administrator can change only the primary domain controller (PDC), after which the changes are replicated to all the backup domain controllers (BDCs).
Another advantage of Windows 2000 is that you can use the Active Directory Installation Wizard to demote a domain controller back to a stand-alone or member server. In Windows NT 4, once you install a server as a domain controller, you can demote it from a PDC to a BDC, but you can't remove its domain controller status completely, except by reinstalling the operating system.
The basic function of the Active Directory Installation Wizard is to configure a server to function as a domain controller, but depending on the current state of Active Directory on your network, this task can take several forms. If you're installing the first Windows 2000 server on your network, then promoting the system to a domain controller creates an entirely new Active Directory with that computer hosting the first domain in the first tree in the first forest.
Be sure to read Chapter 3 before launching into Active Directory. Unless you have an independent test network where you can make mistakes without serious consequences, it's essential that you know where you're going before you get on the train.
To promote a Windows 2000 server to a domain controller, you first complete the entire operating system installation process. After the final reboot, you then log on to the machine using an administrator account (you can log on either locally or across the network using the Terminal Server Administration mode).
To host Active Directory, the server must have an NTFS 5 partition. NTFS 5 is an updated version of the file system introduced in the first release of Windows NT. When you create new NTFS partitions during a Windows 2000 installation or upgrade existing NTFS partitions created with prior Windows NT versions, the system uses NTFS 5. If you choose to install Windows 2000 on a system with only FAT partitions, you must convert at least one partition to NTFS before you can use the Active Directory Installation Wizard. For the reasons described in the Planning Partitions section of Chapter 5, you should convert all partitions to NTFS when possible. You can do this by using the Convert.exe utility from the command prompt or the Disk Management screen in the Computer Management snap-in for the MMC.
Converting the Windows 2000 boot partition (the partition on which Windows 2000 is installed) requires a reboot of the system. Because the conversion can't actually occur while the Windows 2000 GUI is loaded, a registry flag is used to schedule the conversion to take place the next time the machine restarts. You can then reload the Active Directory Installation Wizard and begin the installation sequence again.
The last requirement for installing Active Directory is that the server must have access to a DNS server. Active Directory uses DNS to store information about the domain controllers on the network. Client systems locate a domain controller for authentication by sending a query to the DNS server identified in their TCP/IP client configurations. The DNS server that Active Directory uses need not be running on the computer being converted to a domain controller, nor does it have to run the Microsoft DNS service. However, the DNS server you use must support the Service Location resource record defined in the RFC 2052 document and the Dynamic Update protocol defined in RFC 2136.
More InfoRFCs (requests for comments) are the TCP/IP specification documents published by the Internet Engineering Task Force (IETF). All the documents are in the public domain and available for viewing at http://www.rfc-editor.org.
A DNS server is essentially a database composed of individual elements called resource records that contain information about the computers on a TCP/IP network. Various types of resource records are defined in the DNS specifications, and Active Directory requires a new type of resource record—the SRV (the DNS resource record for specifying the location of services)—to store information about Active Directory domain controllers. In addition, a DNS server used by Active Directory requires the ability to dynamically update its records, based on the availability of the domain controllers on the network. More information on DNS and dynamic DNS can be found in Chapter 13.
Until recently, network administrators have configured DNS servers by manually creating the resource records that identify the computers on the network. Each time a system was added or taken out of service, the administrator had to add, remove, or modify the resource record associated with it. A Windows 2000 network running Active Directory uses multiple domain controllers to provide fault tolerance and load balancing. If a domain controller should fail or become unavailable to clients for any reason, another domain controller takes over its duties automatically.
Unfortunately, traditional DNS servers have no such automatic self-configuration capabilities. A network administrator has to manually modify the appropriate SRV resource record every time a domain controller goes offline and another takes its place. The Dynamic Update protocol defined in RFC 2136, on the other hand, enables DNS servers to receive messages from domain controllers containing their availability status. The server modifies its own resource records based on the contents of these messages, thus ensuring that all the domain controllers identified in the resource records are available and that all the available domain controllers are listed in the DNS server.
The Microsoft DNS Server version included with the Windows 2000 Server products supports both new specifications, as does the UNIX-based DNS Server BIND version 8.1.2. If you already have a DNS server supporting these features on your network, you should specify its IP address in the new server's TCP/IP configuration before you begin the Active Directory installation process. You need not install a DNS server on your new domain controller in this case because the Active Directory Installation Wizard will locate the specified server and create the appropriate SRV resource records in it.
However, if a DNS server supporting the new features isn't available on the network, the wizard offers to install and configure Microsoft DNS Server on the system automatically. You can refuse the offer and install a DNS server on another system, but your new server must be able to access that DNS server to install Active Directory and promote the system to a domain controller.
The Case for On-Site DNS Servers
If your network currently uses off-site DNS servers for name resolution, such as those provided by your Internet service provider (ISP), you should install at least one new DNS server on your local network to support Active Directory. Although your ISP's DNS servers might support the Service Location resource record and the Dynamic Update protocol, it's unlikely that your Windows 2000 servers will be authorized to dynamically update the ISP's DNS server records. Even if that were permitted, it is neither practical nor secure for your client systems to traverse a WAN link just to request information about local resources.
Assuming you've already designed the Active Directory hierarchy that you're going to use on your network (as discussed in Chapter 3), the process of actually installing Active Directory and promoting a server to a domain controller is quite simple. The following sections examine the process of installing Active Directory on the first server of a Windows 2000 network. In the Choosing Installation Options section later in this chapter, we'll cover the various Active Directory installation options you can use when installing subsequent servers.
Following the standard wizard pattern, installing Active Directory on a server is a matter of responding to prompts in a sequence of screens. Windows 2000 incorporates links to the wizard onto the Active Directory page of the Windows 2000 Configure Your Server home page. This page is displayed automatically after the OS installation, as shown in Figure 11-1. This screen is designed to walk you through all the processes needed to configure a new server by asking questions in wizard fashion and linking to the appropriate tools for each task.
Figure 11-1. The Windows 2000 Configure Your Server tool.
For users new to Windows 2000, this page functions as a combination mini-tutorial and checklist of server configuration procedures. More advanced users can bypass the configuration page and launch the wizard directly by running the executable file Dcpromo.exe from the Run dialog box. Or users can run the file from the command prompt after logging on using an administrator account. Dcpromo.exe is located in the \%SystemRoot%\System32 folder, making it possible to execute it from any folder without specifying a path.
When you upgrade a Windows NT 4 primary domain controller to Windows 2000 Server, the system launches the Active Directory Installation Wizard automatically after the operating system installation finishes.
After a welcome screen, the Installation Wizard prompts you for the action you want to perform, based on the system's current Active Directory status. If the server is already a domain controller, the wizard provides the option to only demote the system back to a stand-alone or member server. (Domain controllers are covered in Chapter 7.) On a computer that isn't yet a domain controller, the wizard displays the Domain Controller Type screen shown in Figure 11-2, which prompts you to select one of the following options:
Figure 11-2. The Domain Controller Type screen of the Active Directory Installation Wizard.
When you install the first Active Directory server on your network, you select the Domain Controller For A New Domain option in the Domain Controller Type screen. This instructs the wizard to install the Active Directory support files, create the new domain, and register it in the DNS. The new domain is further configured in one of two ways, as shown in the Create Tree Or Child Domain screen (Figure 11-3).
Figure 11-3. The Create Tree Or Child Domain screen of the Active Directory Installation Wizard.
Because this is to be the first Active Directory server on the network, you should select Create A New Domain Tree. The wizard then displays the Create Or Join Forest screen, shown in Figure 11-4, which enables you to specify one of the following options:
Figure 11-4. The Create Or Join Forest screen of the Active Directory Installation Wizard.
Select Create A New Forest Of Domain Trees in this instance, because the first Windows 2000 domain controller on your network will always be a new domain, in a new tree, in a new forest. As you install additional domain controllers, you can use these same options to create other new forests or to populate the existing forest with additional trees and domains.
To identify the domain controller on the network, you must specify a valid DNS name in the New Domain Name screen (Figure 11-5) for the domain you're creating.
Figure 11-5. The New Domain Name screen of the Active Directory Installation Wizard.
This name doesn't have to be the same as the domain your organization uses for its Internet presence (although it can be). Nor does the name have to be one registered with a registrar such as Network Solutions—one of the organizations responsible for maintaining the registry of DNS names in the com, net, org, and edu top-level domains. However, using a registered domain name is a good idea if your network users will be accessing Internet resources at the same time as local network resources, or if users outside the organization will be accessing your local network resources using the Internet.
When users access Internet resources at the same time as Windows 2000 network resources, the possibility exists for your unregistered domain name to conflict with a registered Internet domain using the same name. When Internet users are permitted to access resources on your network using standard application-layer protocols like HTTP and FTP, confusion can arise if internal and external users must use different domain names.
After you enter a DNS name for the domain, the system prompts you for a NetBIOS equivalent to the domain name for use by clients that don't support Active Directory. Windows 2000 systems still use the NetBIOS namespace for their computer names, but Active Directory uses DNS naming for domains. Windows NT 4 and Microsoft Windows 95/98 systems use NetBIOS names for all network resources, including domains.
If you have any downlevel clients on your network (that is, Windows NT 4, Windows 95/98, Microsoft Windows for Workgroups, or Microsoft Network Client for MS-DOS systems), they'll only be able to see the new domain using the NetBIOS name. The NetBIOS Domain Name screen (Figure 11-6) will contain a suggested name that you can use, based on the DNS name you specified, or you can replace it with a name of your own selection that is 15 characters or fewer.
Figure 11-6. The NetBIOS Domain Name screen of the Active Directory Installation Wizard.
After you specify domain names, the wizard prompts you for the locations of the Active Directory database, log files, and the system volume. The Active Directory database will contain the actual Active Directory objects and their properties, and the log files track the activities of the directory service. You specify the directories for these files in the Database And Log Locations screen, shown in Figure 117. The default location for both the database and the logs is the %SystemRoot%\Ntds folder on the system volume, but you can modify these locations as needed—in fact, you probably should, so as not to have all your directory eggs in one basket.
Figure 11-7. The Database And Log Locations screen of the Active Directory Installation Wizard.
The Shared System Volume screen enables you to specify the location of what will become the Sysvol share on the domain controller. The system volume is a share containing domain information that is replicated to all the other domain controllers on the network. By default, the system creates this share in the %SystemRoot%\Sysvol folder on the system drive.
The Active Directory database, logs, and system volume must all be located on volumes using the NTFS 5 file system. If the wizard detects that any of the volumes you've chosen don't use NTFS 5, you must either convert them or select other volumes before you can complete the Active Directory installation process.
Storing the Active Directory Database and Logs
Because Active Directory often writes to the database and the logs at the same time, Microsoft recommends not storing them on the same hard disk. This isn't a major issue on a single domain controller or other small network, but on an enterprise network with frequent directory service updates and many domain controllers replicating their databases, the data storage burden can be significant, so using separate disks or disk arrays (RAID) is strongly recommended.
The recommendation for the placement of the database and log files calls for the use of separate hard disks, not separate volumes on the same disk drive. This is because the physical constraints of the disk's head traveling mechanism can be responsible for a reduction in disk performance. The heads on a single disk drive can't be in two positions at the same time, so the device must perform writes to the database and the logs consecutively. When the files are stored on separate disks, the writes can occur simultaneously. It is also preferable to use SCSI drives for this purpose rather than EIDE because SCSI is better suited to executing simultaneous commands on multiple devices.
At this point, the Active Directory Installation Wizard has all the configuration information it needs to install Active Directory and promote the server to a domain controller. The system checks to see that the domain names you supplied are not already in use by your DNS server or any other computers on your network. If, for example, the NetBIOS name you selected is already being used by a Windows NT 4 domain on the network, the wizard prompts you to select another name.
The wizard also checks to determine whether the DNS server hosting your domain supports the Dynamic Update protocol. If the system can't contact the DNS server specified in the computer's TCP/IP client configuration, or if the specified DNS server is incapable of supporting a Windows 2000 domain, the wizard offers to install Microsoft DNS Server and configure it to function as the authoritative server for the domain. The Configure DNS screen enables you to specify whether you want to install the DNS server or configure one yourself. If you elect to use another machine for the DNS server, you must install and configure it before you can complete Active Directory installation.
After the wizard contacts the DNS server that will provide the locator service for the new domain (or you tell it to install DNS on the server), you are asked whether you want to set up user and group permissions that are compatible with pre-Windows 2000 servers (specifically Windows NT 4 RAS servers). You don't. As mentioned in Chapter 5, you should eliminate these servers before upgrading your network to Windows 2000, and choosing permissions that are compatible with pre-Windows 2000 application servers opens up your network to anonymous users, which is a major security risk. We recommend that you follow Bob Dole's advice: Just don't do it.
Instead, choose the Permissions Compatible Only With Windows 2000 Servers option, and click Next to move on.
After specifying the permission compatibility level you want, enter the passwords you want to use for the server's local Administrator account. Because you can't log on locally to a domain controller, the only time you'll have occasion to use this password is when booting in the directory services restore mode or using the Recovery Console, so it's important that you remember this password or keep it somewhere safe. The usual password recommendations apply here—at least a seven-character password that consists of uppercase and lowercase letters, numbers, and other characters. Acronyms for phrases that are meaningful only to you are good choices.
Click Next after entering the password, review the summary screen, and then click Next to allow the installation and configuration of Active Directory to proceed without further user input. The wizard logs all the activities that occur during the installation process in two files called Dcpromo.log and Dcpromoui.log, located in the %SystemRoot%\Debug folder. Installation can take several minutes, after which you must reboot the system for the changes to take effect.
The procedure for installing additional domain controllers on your network is similar to that for the installation of the first domain controller. The following sections examine the other options provided by the Active Directory Installation Wizard and how you use them to build a Windows 2000 network with Active Directory.
Planning an effective directory service strategy is an essential element of an Active Directory deployment. As stated earlier, before running the Installation Wizard on any Windows 2000 Server, you should have a directory structure in mind that outlines which domains, trees, or forests you intend to create in Active Directory and how they should be configured. As you create additional domain controllers on the network, you can use the Installation Wizard to specify any of the Active Directory installation options.
Replicas provide fault tolerance for an Active Directory domain, and they can reduce internetwork traffic by enabling network clients to authenticate using a domain controller on the local segment. When a domain controller malfunctions or is unavailable for any reason, its replicas automatically assume their functions. Even a small domain needs at least two domain controllers to maintain this fault tolerance.
To create a replica of an existing domain, you run the Active Directory Installation Wizard on a newly installed Windows 2000 server after joining the domain you intend to replicate. For the computer to join the domain, you can either join the domain for the first time and supply the administrative credentials that enable the system to create a computer object in the domain, or create the computer object manually using Active Directory Users and Computers. After joining the domain, log on to the system using the local administrator account and launch the wizard from the Configure Server page or by running Dcpromo.exe from the Run dialog box.
When the Domain Controller Type screen appears in the wizard, select Additional Domain Controller For An Existing Domain and specify the DNS name of the domain to be replicated. You must then supply the user name, password, and domain name of an account with administrative privileges in the domain.
The rest of the process is exactly like the creation of the first domain, as outlined in the section Promoting Your First Server to a Domain Controller, earlier in this chapter. The wizard installs Active Directory on the server; creates the database, logs, and the system volume in the locations you specify; registers the domain controller with your DNS server; and replicates the data from an existing domain controller for that domain.
Once the replica of the domain controller is up and running, it is indistinguishable from the existing domain controller, as far as client functionality is concerned. The replicas function as peers, unlike Windows NT servers, which are designated as primary and backup domain controllers. Administrators can modify Active Directory contents (either objects or schema) from any domain controller, and the changes are replicated to all of the other controllers for that domain.
When creating a replica, the Active Directory Installation Wizard automatically configures the replication process between the domain controllers. You can customize the replication process using Active Directory Sites and Services, included with Windows 2000 Server. (See "Using Active Directory Sites and Services" in Chapter 12.)
When you create the first Windows 2000 domain on your network, you're also creating the first tree in a forest. You can populate the tree as you create additional domains by making them children of existing domains. A child domain is one that uses the same namespace as a parent domain. This namespace is established by the DNS name of the parent domain, to which the child adds a preceding name for the new domain.
For example, if you create a domain called mycorp.com, a child of that domain would be called something like research.mycorp.com. Typically, child domains reflect the geographical, departmental, or political divisions of an organization, but you can use any tree design principle you want, although it's usually desirable to create domains based on administrative boundaries when possible. A parent domain can have any number of children, and the tree structure can extend through any number of generations, which enables you to use a single namespace to create a domain tree that reflects the structure of your entire organization.
To install Active Directory and create a child domain, you must first join your Windows 2000 Server to the parent domain by joining that domain and supplying administrative credentials or by manually creating a computer object in the domain using Active Directory Users and Computers. Then log on to the system using the local administrator account and launch the Active Directory Installation Wizard from the Configure Server page or by running Dcpromo.exe from the Run dialog box.
A child domain is not a replica; it is a completely separate domain located in the same tree. Therefore, when the wizard displays the Domain Controller Type screen, you must select Domain Controller For A New Domain. In the Create Tree Or Child Domain dialog box, you select Create A New Child Domain In An Existing Domain Tree. The wizard then prompts you for the DNS name of the domain that is to be the parent of the child. After supplying this, you specify the short name for the child domain. The short name is the name that will be added to the parent domain's DNS name to form the full name of the child domain. For example, to create a child domain called research.mycorp.com, you specify mycorp.com as the parent domain name and Research as the short name of the child.
As with the creation of the first domain in the tree, you must supply a NetBIOS name for the new domain of no more than 15 characters (Figure 11-6). In the preceding example, the domain would be called RESEARCH. You must also supply credentials for an account that has administrative privileges in the parent domain. The wizard then completes the Active Directory installation and prompts you for a system reboot.
In addition to creating child domains in an Active Directory tree, you can also create entirely new trees, thus forming a forest. Each tree in a forest has its own separate namespace, but the trees all share the same schema and configuration. If, for example, you modify the schema to add customized attributes to a particular object in one tree, those attributes will be present in the same object type in all of the other trees in the forest.
Before you create a new tree in an existing forest, your new Windows 2000 Server must join the root domain of that forest. The root domain is the first domain created in the forest, and you join the system to that domain by logging on to it and specifying credentials for an administrative account in the domain or manually creating a computer object in the domain using Active Directory Users and Computers.
Once the computer has an account in the forest's root domain, you can launch the Active Directory Installation Wizard from the Configure Server page or run Dcpromo.exe from the Run dialog box. When the Domain Controller Type dialog box appears, select Domain Controller For A New Domain. Then select Create A New Domain Tree in the Create Tree Or Child Domain dialog box, and select Place This New Domain Tree In An Existing Forest in the Create Or Join Forest dialog box.
To create the new tree, you must first specify the DNS name of the root domain in the forest and then the DNS name that you want to assign to the first domain in the new tree. This second DNS name must not be a part of any existing namespace in the forest. That is, if a tree already uses mycorp.com as the DNS name of its root domain, you can't use the name research.mycorp.com for the root domain in your new tree, even if that exact domain name doesn't exist in the mycorp.com tree.
After supplying the DNS names, you furnish a NetBIOS equivalent in the usual manner, and you provide credentials for an administrative account in the forest's root domain. The wizard then completes the installation process and prompts you to reboot the system.
The fundamental difference between creating a new tree and creating a new forest is that forests each have their own individual schema and configuration, whereas trees do not. The most obvious scenario in which a network would have multiple forests is when two organizations with existing Active Directory installations merge, and sufficient schema and configuration differences exist between the two to make joining them into one forest impractical.
The procedure for creating a new forest is the same as that for creating the first domain on the network, as described in the section entitled Promoting Your First Server to a Domain Controller, earlier in this chapter. Once you complete this or any of the other Active Directory installation processes described in the preceding sections, you can log on to the domain and proceed to perform the activities outlined in the rest of this chapter and in the next chapter.
Windows 2000 simplifies the process of converting the domains from a Windows NT 4 network to Windows 2000 Active Directory domains by enabling you to upgrade the servers gradually. Windows NT domain controllers can coexist on the same network as Windows 2000 domain controllers and can even function in the same domain. The only special rule for the upgrade process is that you must upgrade the PDC of a Windows NT 4 network before any of the BDCs.
When you install the Windows 2000 operating system on the PDC, the Active Directory Installation Wizard launches automatically after the final reboot and begins the promotion process. After the server is promoted to a domain controller, the system can host your existing domain, using the NT 4 BDCs as replicas. You can then upgrade the BDCs at your own pace.
When all the domain controllers are running Windows 2000, you can then use the Active Directory Domains and Trusts snap-in to convert the domain from mixed mode to native mode, enabling you to take full advantage of Active Directory's grouping capabilities. See the section entitled Changing the Domain Mode, later in this chapter, for more information on switching the domain operational mode.
A major difference between Windows 2000 domain controllers and Windows NT domain controllers is that you can demote a Windows 2000 domain controller to a stand-alone or member server. When you launch the Active Directory Installation Wizard, the program ascertains that the system is already functioning as a domain controller and only provides the option to demote the server, as shown in Figure 11-8.
Figure 11-8. The Remove Active Directory screen of the Active Directory Installation Wizard.
The Configure Your Server screen also detects the status of the system and provides only a single option (Figure 11-9).
Figure 11-9. The Windows 2000 Configure Your Server screen.
Demoting a domain controller erases the Active Directory database from the machine, removes all references to it from the DNS server, and returns the system's security accounts to a state identical to that of a newly installed Windows 2000 server. If the domain to which the system belongs has replica domain controllers on the network, the server remains a member of that domain after the demotion.
If the server is the sole domain controller for a particular domain, the demotion causes that domain to be erased completely from Active Directory, and the system becomes a stand-alone server until you join it to another domain. If the server is the only controller of a forest's root domain, you must destroy all the other domains in the forest before you can proceed with the demotion of the root domain controller. To demote the controller, follow these steps:
Figure 11-10. A warning message when demoting a Global Catalog server.
Figure 11-11. The Summary screen of the Active Directory Installation Wizard.
The Configuring Active Directory screen opens and provides a running description of the processes being performed (Figure 11-12). This takes at least a few minutes, and sometimes considerably longer, depending on the machine. When the configuration is complete, the server is no longer a domain controller and you'll be prompted to click Finish and then Restart Now.
Figure 11-12. The Configuring Active Directory screen.
Changing a domain controller's network identity requires demoting the server from its status as a domain controller, changing the identity, and then promoting the machine again.
When changing a domain controller's name, exercise caution, especially in a mixed environment with downlevel clients. References to your server's old domain name can be perpetuated by WINS servers, causing browsing problems as well as preventing the reuse of the computer name, and clearing out WINS databases to correct the problem can be tricky.
First open Run from the Start menu, type dcpromo, and click OK. Follow the steps in the previous section, Demoting a Domain Controller. Once the domain controller is demoted, follow these steps to change the computer's network identity:
Figure 11-13. The Identification Changes dialog box.
Try to use a computer name that is both DNS- and NetBIOS-compatible so that all types of clients see the same name for your computer. To do this, keep the name shorter than 15 characters in length and don't use asterisks or periods. It's also preferable to avoid using spaces, underscores, and hyphens for the best application compatibility.
Once you've made the change to the computer's network identity, you can promote it once more to a domain controller by following these steps:
Figure 11-14. The Network Credentials screen of the Active Directory Installation Wizard.
Figure 11-15. The Configuring Active Directory screen.
At the end of the process, the Active Directory Installation Wizard informs you that Active Directory is installed and to which domain and site. A reboot is required before the installation of Active Directory is complete.
The first Windows 2000 domain controller in a forest is automatically a Global Catalog server. The Global Catalog (GC) contains a full replica of all directory objects in its host domain plus a partial replica of all directory objects in every domain in the forest. The point of a GC is to provide authentication for logons. In addition, because a GC contains information about all objects in all the domains in the forest, finding information in the directory doesn't require unnecessary queries across domains. A single query to the GC produces the information about where you can find the object.
As long as your enterprise has any Windows NT domain controllers, each domain must have at least one Global Catalog server.
By default, there will be one GC, but any domain controller can be configured as a Global Catalog server. If you need additional logon and search services, you can have multiple Global Catalog servers in the domain.
To make a domain controller into a Global Catalog server, follow these steps:
As long as your enterprise is operating in mixed mode (that is, you have domain controllers other than Windows 2000 domain controllers), you must have at least one Global Catalog server per domain. Once you've upgraded every domain controller to Windows 2000, you can switch the domain to native mode, as described in the section entitled Changing the Domain Mode, later in this chapter.