Windows Server 2003 – Global Catalog
Mastering Global Catalog will not only give your users a better network experience, but also teach you about Windows Server 2003’s Active Directory. Global Catalogs are deceptive. The bigger your Active Directory forest, the more important it is to configure Global Catalogs. If you have Exchange 2003, then there are extra reasons to position Global Catalogs close to the users.
Topics for Windows Server 2003 Global Catalog
- Global Catalog – From a Users Perspective
- Global Catalog – Key Concepts
- Configuring Global Catalog
- No worries if you only have one Domain
- Global Catalog Servers Summary
Your average user wants answers to questions such as, ‘Where is my Domain Controller?’ or ‘Find this email address in the GAL’. Naturally people don’t normally vocalise these requests; however, they log on to the domain, and they attempt to send email with Outlook. The role of the Global Catalog Server is to answer requests for network resources, for example, LDAP queries to find a Domain Controller, or an Exchange 2003 Server.
Now we come to the key Global Catalog concepts. Surprisingly, not every domain controller is a global catalog server. The reason is that by default there is only one global catalog server in the forest. Microsoft’s thinking is that you may not want the extra overhead of being a global catalog server, and the more global catalog servers you have, the more replication traffic there is on your network.
Every Domain Controller knows about its own domain; after all, managing directory services is what a Domain Controller does. However, Domain Controllers that are also Global Catalog Servers know about the other domains in the forest as well, and that is the key point. Microsoft’s paranoia is that there may be restrictions on a Universal Group in another domain; therefore, before a user logs on, the Domain Controller must be able to enumerate Universal Group membership, just in case a Universal Group, and hence the user, has been denied access. Incidentally, you may have seen Universal Group Caching, which neatly solves this latency. Universal Group Caching is one of the new features of Windows Server 2003.
Configuring a Domain Controller as a Global Catalog is a knack. Once you have drilled down and checked the Global Catalog box, you always remember that tortuous path.
Let us begin at the Active Directory Sites and Services snap-in. Expand Sites, Default-First-Site-Name, Servers. Select your server and seek the NTDS Settings, right-click and choose Properties. All that remains is to tick the Global Catalog box. (See Diagrams Opposite)
With a Windows 2000 Server you have to reboot; eccentrically, the interface does not tell you to reboot. All this nonsense is cured in Windows Server 2003: you do not have to reboot when you enable or disable Global Catalog.
The only variation on these instructions is that your servers may be in different sites and not in the strangely named, Default-First-Site-Name.
If you have firewall restrictions, note that LDAP uses port 389 for read and write operations against a single domain, and port 3268 for Global Catalog search operations across the forest.
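As an added example (not from the original article), the following PowerShell script does the same check from the command line rather than the snap-in: it reads the Global Catalog flag from each NTDS Settings object in the forest and then tests whether ports 389 and 3268 actually answer on that server. It assumes you run it as an ordinary domain user on a domain-joined machine with PowerShell installed; the function names are this example's own.

```powershell
# Added example: list every NTDS Settings object in the configuration
# partition, read the Global Catalog bit from its 'options' attribute
# (bit 0x1, NTDSDSA_OPT_IS_GC), and check whether ports 389 and 3268 answer.
# Uses ADSI/.NET only, so it does not need the newer ActiveDirectory module.

function Get-GlobalCatalogStatus {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.Properties["configurationNamingContext"].Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
    $searcher.Filter     = "(objectClass=nTDSDSA)"   # one NTDS Settings object per DC
    [void]$searcher.PropertiesToLoad.Add("options")

    foreach ($result in $searcher.FindAll()) {
        $ntds   = $result.GetDirectoryEntry()
        $server = $ntds.Parent                        # the Server object above NTDS Settings
        $opts   = 0
        if ($result.Properties.Contains("options")) { # attribute is absent until first set
            $opts = [int]$result.Properties["options"][0]
        }
        # Site is two levels above the Server object: CN=Servers -> CN=<Site>
        $site = $server.Parent.Parent.Properties["name"].Value
        New-Object PSObject -Property @{
            Server = [string]$server.Properties["dNSHostName"].Value
            Site   = [string]$site
            IsGC   = (($opts -band 1) -eq 1)
        }
    }
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)                    # throws if the port refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

Get-GlobalCatalogStatus | ForEach-Object {
    $ldap = Test-TcpPort $_.Server 389
    $gc   = Test-TcpPort $_.Server 3268
    # A DC flagged as GC that does not answer on 3268, or a site with no GC at
    # all, is what to look at before blaming logon or Outlook GAL delays.
    "{0,-30} {1,-22} GC flag: {2,-5} 389: {3,-5} 3268: {4}" -f $_.Server, $_.Site, $_.IsGC, $ldap, $gc
}
```

Run it from each site where users log on; a firewall between the client and the GC will show up as the 3268 column reading False while the flag reads True.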
To be honest, if you have only one domain then nothing bad will happen if you don’t have a local Global Catalog server. However, if you have a forest then delays can be a problem – unless you place Global Catalog servers judiciously. The root of the problem is enumerating Universal Group membership. In a single domain it’s pointless using Universal Groups, and even if you did, their members could only be users from your own domain. There are no other domains to check.
The key point with Active Directory is that Domain Controllers which are not also Global Catalog Servers cannot deduce Universal Group membership in other domains. For security, until it contacts a Global Catalog server, the Domain Controller cannot proceed with the logon request. With this knowledge you can plan extra Global Catalog servers. However, if you only have one domain, there is no need for any more Global Catalog servers.