Best Practice Ezine #63 Global Catalog Server

Custom Search

Guy recommends:
Free SolarWinds
VM Console

 A free desktop tool that monitors, or restarts, your VMware virtual machines.  Download your free VM Console

---

Best Practice Ezine #63 Global Catalog Server

In this issue I would like to feature the Global Catalog as it’s probably the most neglected Windows 2003’s services.  As we will see, small organizations don’t need much configuration, whereas large forests running Exchange can improve their performance by judicious placement of Global Catalog Servers.

I have three goals for Global Catalog Server

My goals are to explain why Exchange 2003 needs Global Catalog Server.  To find the checkbox, which enables / disables this services.  To explain why configuring Global Catalog Servers is a good idea.

There are many reasons for investigating Windows Server 2003’s Global Catalog Server.  For example, the Exchange 2003 GAL relies absolutely on the Global Catalog Service.  In addition, correctly placing Global Catalog Servers improves Outlook’s performance.  The purpose of this page is to explain why Exchange 2003 needs Global Catalog Servers.  I will show you where to configure the settings and advise you on how many Windows Domain Controllers to double up as Global Catalog Servers.

Why does Exchange 2003 need Global Catalog Servers?

The specific reason why Exchange clients place such a heavy load on the Global Catalog Servers is that they need to make LDAP queries to resolve email addresses.  For example, a user opens Microsoft’s Outlook and types the name of a recipient.  To find the corresponding SMTP address, the GAL issues an LDAP query to a Global Catalog Server.

Before we go any further, here are four concepts to help us get started.

1) By default, only the first Domain Controller in any Domain is a Global Catalog Server.  Good news, all subsequent Domain Controllers have the capability of being a Global Catalog server.

2) Global Catalog Server is a property, a tick in a box on a Domain Controller.  You cannot configure a member server or even an Exchange Member server as a Global Catalog Server.

3) Ordinary non-outlook users need a Global Catalog Server to find network resources such as Universal Group Membership.  Therefore, all the configuration you make with Catalog Servers for the sake of Exchange’s GAL will also benefit everyone. 

4) It’s essential to configure extra Global Catalog Servers in multi-domain, multi-site organizations.  I admit, if you are a one domain, one site, 50 user outfit, they you need very little extra Global Catalog configuration.

Why Global Catalog placement is important in large organizations

The problem of contacting a Global Catalog Server arises when a Windows 2003 Domain Controller, which are not, repeat, not, also a Global Catalog Servers, receives a logon request.  Without a reply from the Global Catalog server it cannot deduce Universal Group membership from other domains.  For security, that logon server must be able to enumerate Universal Group Membership.  Specifically, the Domain Controller must be sure that people in Universal Groups have not been denied access.  A problem only arises if there is no Global Catalog on the subnet, or site and the links to other sites are flaky.

You could solve all Global Catalog problems with Guy’s rule of thumb approach – deploy two Global Catalog Servers at each Active Directory Site.  Alternatively you could take the thinking man’s approach and have one Global Catalog Server for every four Exchange 2003 Servers.  People who deploy this approach say go for a 1:4 ratio of processors rather than servers.  If you are a rich company then you could even get testing software, feed in zillions of relevant info and bingo – out comes the number and placement of your Global Catalog Servers.  (The answer is always 2 in each site!)

Guy Recommends 3 Free Active Directory Tools

SolarWinds have produced three Active Directory add-ons.  These free utilities have been approved by Microsoft, and will help to manage your domain by:

1. Seeking and zapping unwanted user accounts.
2. Finding inactive computers.
3. Bulk-importing new users.  Give this AD utility a try, it’s free!

Download your FREE Active Directory administration tools.

The crucial Global Catalog / Domain Controller fact

Each Domain Controller knows all about the all the object and all their properties – but only for its own domain.  Crucially, only Domain Controllers that are also Global Catalog servers know about objects in other domains.  You could take the ruthless solution and make every domain controller a Global Catalog Server. However, that may be counter-productive owing to increased replication traffic, and placing an undue overhead on those servers.  Tell the truth, only testing would show if this traffic and processor load would be as big a problem as it sounds.

Configuring a Domain Controller as a Global Catalog Server

Only the first Domain Controller in any Domain is a Global Catalog Server.  Good news, all subsequent Domain Controllers have the Global Catalog capability.  Configuring a Domain Controller as a Global Catalogs is a knack.  Once you have drilled down, and checked the Global Catalog box you always remember that tortuous path.  (It goes without saying that this is a job for Windows Server 2003 and not Exchange 2003.)

Let us begin at the Active Directory Sites and Services snap-in  (Not the ADUC).  Expand Sites, Default-First-Site-Name, Servers.  Select your server and seek the NTDS Settings, right-click and choose Properties.  All that remains is to tick the Global Catalog box. (See Diagrams Opposite.)

With a Windows Server 2000 Server you have to reboot, eccentrically the interface does not tell you to reboot.  Microsoft cured all this nonsense in Windows Server 2003, you do not have to reboot when you enable or disable Global Catalog.

One variation of these instructions would be if your servers are in a different site and not in the strangely named, Default-First-Site-Name.

If you have firewall restrictions, LDAP uses port 389 for read and write operations and port 3268 for global catalog search operations.

Summary of Global Catalog Servers and Exchange 2003

Exchange 2003 makes heavy use of Global Catalog Servers.  In particular Exchange’s GAL makes LDAP queries to resolve email addresses.  Windows 2003 Domain Controllers, which are not also Global Catalog Servers, cannot deduce Universal Groups in other domains.  For security, until they contact a Global Catalog server Domain Controller cannot proceed with the logon request.  As a result of this knowledge you can plan extra Global Catalog servers.  The suggested ratio is 1 Global Catalog for every 4 Exchange 2003 servers.  However, if you only have one domain, there is no need for any more Global Catalog servers.

See more interesting permissions and Active Directory articles

• E 63 Catalog  • E 60 ADModify  • E 59 ADSIEdit  • E 58 FSMO  •Free CSV Import Utility

• E 52 Wins  • E 46 Logs   •E 45 LDAP Tips  •E 26 MMC  • E 21 Users Template  • E 17 CACLS  • Ezines

•E 12 SQL  • E 8 Security Permissions  •Review of Solarwinds Permissions Monitor for AD