Global Catalog Servers

A Global Catalog server is an AD server that holds a partial replica of the entire tree. This replica holds a limited amount of information about every object within the forest, usually those properties that are necessary for network functionality or those properties that are frequently asked for or searched against. The Global Catalog is referenced when a user "looks" for an object outside of their domain, thus eliminating the call to a domain controller at the destination domain.

The list of properties is different for each class of object. User objects, for instance, need to store certain information for network functions—a great example is their "Group Membership" list. During the logon process, the user's object is checked to retrieve this list. AD then confirms the user's membership with each group using information stored in the Global Catalog. Once membership is confirmed, the Security IDs for each group can be added to the user's security token. The Global Catalog might also contain various properties that are frequently searched upon—telephone numbers, for example. On the other hand, the Global Catalog will probably store less information about Printer objects because fewer of their properties are needed on a regular basis.

For those of you with a curious nature, Table 8.1 lists the properties stored (by default) in the Global Catalog. You can change this list, but remember that any additions to the Global Catalog properties list can have a great impact on your network.

note To be honest, my search for this list was quite confusing. A search of Microsoft's support website returned multiple hits; unfortunately, each page offered a different list of attributes as the default list in the Global Catalog. The list I've included in Table 8.1 seems to be fairly complete, although if you want the nitty-gritty, you'll have to search the Microsoft website.

Table 8.1: Default Global Catalog Content

Name                        Description
--------------------------  --------------------------
alt-Security-Identities     Alt-Security-Identities
common-Name                 Common-Name
display-Name                Display-Name
given-Name                  Given-Name
group-Type                  Group-Type
keywords                    Keywords
l                           Locality-Name
lDAP-Display-Name           LDAP-Display-Name
legacy-Exchange-DN          Legacy-Exchange-DN
location                    Location
mail                        E-mail-Addresses
mSMQ-Digests                MSMQ-Digests
mSMQ-Label                  MSMQ-Label
mSMQ-Owner-ID               MSMQ-Owner-ID
mSMQ-Queue-Type             MSMQ-Queue-Type
mS-SQL-Alias                MS-SQL-Alias
mS-SQL-Database             MS-SQL-Database
mS-SQL-Name                 MS-SQL-Name
mS-SQL-Version              MS-SQL-Version
name                        RDN
netboot-GUID                Netboot-GUID
object-Category             Object-Category
object-Guid                 Object-Guid
object-Sid                  Object-Sid
organizational-Unit-Name    Organizational-Unit-Name
primary-Group-ID            Primary-Group-ID
sAM-Account-Name            SAM-Account-Name
sAM-Account-Type            SAM-Account-Type
service-Principal-Name      Service-Principal-Name
sID-History                 SID-History
surname                     Surname
uNC-Name                    UNC-Name
user-Account-Control        User-Account-Control
user-Principal-Name         User-Principal-Name
uSN-Changed                 USN-Changed
uSN-Created                 USN-Created

The reality is that this list is not that important. I cannot think of a single reason to remove one of the default attributes from the list. If you decide to do so, however, test the change in a lab environment first. Many of these attributes are included to provide specific functionality to the Windows 2000/Windows Server 2003 environment. You might, however, want to add an attribute to the Global Catalog. Remember, the Global Catalog is used to perform searches of the Active Directory database. If a user tries to search on an attribute that is not included in the Global Catalog, then the search must access domain controllers in each domain, which adds network traffic and processing overhead on the servers involved and increases the time necessary to perform the search. We'll discuss this process a little later in this section.
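The partial attribute set that Table 8.1 describes is recorded in the schema itself: every attributeSchema object carries an isMemberOfPartialAttributeSet flag, and that flag is what decides whether a forest-wide search can be answered by a Global Catalog alone. The following PowerShell is an added example, not code from the book; it uses the ActiveDirectory module on a domain-joined machine, and the user name jsmith is a placeholder. It lists the live partial attribute set, reports whether a given attribute is in the Global Catalog (and indexed), and shows the practical consequence by reading the same user over the Global Catalog port (3268) and over the normal LDAP port: the Global Catalog returns only the replicated attributes.

```powershell
# Added example, not from the book. Requires the ActiveDirectory PowerShell
# module on a domain-joined machine; the user name 'jsmith' is a placeholder.
Import-Module ActiveDirectory

$schemaNc = (Get-ADRootDSE).schemaNamingContext

function Get-PartialAttributeSet {
    # The live equivalent of Table 8.1: every attribute flagged for the GC.
    Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName, attributeID |
        Select-Object lDAPDisplayName, Name, attributeID |
        Sort-Object lDAPDisplayName
}

function Test-GlobalCatalogAttribute {
    # Reports whether a forest-wide search on this attribute can be served by a
    # GC alone (InGlobalCatalog) and whether the DC keeps an index for it (Indexed).
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    $attr = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties isMemberOfPartialAttributeSet, searchFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' is not defined in the schema." }

    [pscustomobject]@{
        Attribute       = $LdapDisplayName
        InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet
        Indexed         = (([int]$attr.searchFlags -band 1) -ne 0)   # searchFlags bit 0 = indexed
    }
}

function Compare-GcAndDcView {
    # Reads one user from a GC on port 3268 and from the same server on port 389,
    # and returns the attribute names that only the full (domain) replica holds.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    $filter = "sAMAccountName -eq '$SamAccountName'"
    $fromGc = Get-ADUser -Filter $filter -Server "${gc}:3268" -Properties * | Select-Object -First 1
    $fromDc = Get-ADUser -Filter $filter -Server $gc -Properties * | Select-Object -First 1
    if (-not $fromGc -or -not $fromDc) { throw "User '$SamAccountName' not found on $gc." }

    [pscustomobject]@{
        Server         = $gc
        AttributesOnGc = $fromGc.PropertyCount
        AttributesOnDc = $fromDc.PropertyCount
        DomainOnly     = @($fromDc.PropertyNames | Where-Object { $_ -notin $fromGc.PropertyNames })
    }
}

# Usage:
Get-PartialAttributeSet | Format-Table -AutoSize
'mail', 'facsimileTelephoneNumber' | ForEach-Object { Test-GlobalCatalogAttribute $_ }
Compare-GcAndDcView -SamAccountName 'jsmith'
```

The DomainOnly list from Compare-GcAndDcView is exactly the set of attributes for which a cross-domain search has to leave the Global Catalog and contact a domain controller in the user's own domain.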

By default, the first domain controller created in the AD forest is made a Global Catalog server. This is the only Global Catalog server that is created automatically. If you desire more than one Global Catalog (and you probably will), you have to manually configure them. The process is fairly straightforward.

Changing the Attributes Stored in the Global Catalog

As I mentioned earlier, you can control which attributes of object types are stored in the Global Catalog. The partial list of attributes stored by default includes those attributes that are most frequently used in search operations—things like common name, location, or e-mail address. By adding attributes, you can speed up search queries. If your company uses a lot of interdepartmental faxes, for instance, your users will probably spend a lot of time searching for the fax number of other departments. Adding the fax number attribute to the Global Catalog will speed those searches up.

It is important for you to note, however, that in Windows 2000 adding a new attribute to the Global Catalog causes a full synchronization of all object attributes—not just the information that changed. Since the Global Catalog holds information about every object in the forest (not just a single domain), this one-time synchronization process can generate a significant amount of network traffic! This has been changed in the Windows Server 2003 operating system: Windows Server 2003 replicates only the new information. Of course, for backward compatibility, if a Windows Server 2003 domain controller communicates with a Windows 2000 Global Catalog, a full replication will occur.

If you are going to customize the content of the Global Catalog, remember that static data causes less synchronization traffic in the long run than data that changes on a regular basis. The fax number attribute is a perfect example; fax numbers for departments usually do not change very often. Once the data has been synchronized to all of the Global Catalog servers, very little additional replication traffic relating to this attribute will be generated. The only time synchronization traffic will be generated is when a fax number changes.

The content of the Global Catalog is managed through the Active Directory Schema snap-in to the MMC. If this snap-in is not available, you must install the Windows 2000/Windows Server 2003 Administration Tools from the Windows 2000/Windows Server 2003 CD-ROM. Since it is copied during a default installation, you can just run Adminpak.msi from the %systemroot%\System32 folder.

To modify the AD schema, you need to be a member of the Schema Admins group. First open the MMC and add the Active Directory Schema snap-in, as shown in Figure 8.13.

Figure 8.13

Adding the Active Directory Schema snap-in to the MMC

[Screenshot: the Add Standalone Snap-in dialog, with Active Directory Schema (Microsoft Corporation) selected in the Available Standalone Snap-ins list; description: "View and edit the Active Directory Schema."]

Expand the Active Directory Schema folder and click on the Attributes folder. You will see a list of all the attributes available within the AD schema, as shown in Figure 8.14.

Figure 8.14

Attributes within the AD schema

[Screenshot: the Attributes folder of the Active Directory Schema snap-in, listing every schema attribute with its Name, Syntax (Large Integer, Integer, Boolean, Unicode String, and so on), and Description columns.]

Right-click the attribute you want to add to the Global Catalog and click Properties. On the resulting window, ensure that the Replicate This Attribute to the Global Catalog option is selected, as shown in Figure 8.15.

Figure 8.15

Adding an attribute to the Global Catalog

[Screenshot: the Properties dialog for the facsimileTelephoneNumber attribute (Common Name Facsimile-Telephone-Number, X.500 OID 2.5.4.23, syntax Unicode String, single-valued), with the check boxes Show objects of this class while browsing, Deactivate this attribute, Index this attribute in the Active Directory, Ambiguous Name Resolution (ANR), Replicate this attribute to the Global Catalog (selected), and Attribute is copied when duplicating a user.]

That's all there is to it! You'll also want to take note of another option in Figure 8.15: Index This Attribute in Active Directory. As with most databases, AD has the ability to index certain "fields," which increases the efficiency of queries. If you are adding an attribute to the Global Catalog, the odds are that the attribute you are selecting will be searched upon quite often. You can increase the efficiency of the process by selecting this option. AD will, however, create an index file for the attribute—increasing the size of the AD database files marginally. (This is usually not a problem, and since you are going to search on the attribute, you accept the slightly larger file size in exchange for lower processing requirements on the server.)
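The two check boxes in Figure 8.15 are LDAP modifies of the attribute's schema object: "Replicate this attribute to the Global Catalog" sets isMemberOfPartialAttributeSet, and "Index this attribute in the Active Directory" sets bit 0x1 of searchFlags. The following PowerShell is an added example, not code from the book; it performs the same change with the ActiveDirectory module against the schema master, where schema writes must be directed. You must be a member of Schema Admins, and the function supports -WhatIf so the change can be previewed before it is made.

```powershell
# Added example, not from the book. Makes the same schema change as the
# Figure 8.15 check boxes. Requires the ActiveDirectory module and membership
# in Schema Admins; run with -WhatIf first to preview.
Import-Module ActiveDirectory

function Add-AttributeToGlobalCatalog {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [switch]$Index   # also set "Index this attribute in the Active Directory"
    )

    # Schema writes are only accepted by the schema master FSMO role holder.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNc     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties isMemberOfPartialAttributeSet, searchFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' is not defined in the schema." }

    $changes = @{}
    if (-not $attr.isMemberOfPartialAttributeSet) {
        # "Replicate this attribute to the Global Catalog"
        $changes['isMemberOfPartialAttributeSet'] = $true
    }
    $flags = [int]$attr.searchFlags
    if ($Index -and (($flags -band 1) -eq 0)) {
        # searchFlags bit 0 (0x1) = "Index this attribute in the Active Directory"
        $changes['searchFlags'] = $flags -bor 1
    }

    if ($changes.Count -eq 0) {
        Write-Verbose "$LdapDisplayName already has the requested settings."
    } elseif ($PSCmdlet.ShouldProcess("$LdapDisplayName on $schemaMaster", "Set $($changes.Keys -join ', ')")) {
        Set-ADObject -Server $schemaMaster -Identity $attr -Replace $changes
    }

    # Read the object back so the caller sees the resulting state.
    Get-ADObject -Server $schemaMaster -Identity $attr -Properties isMemberOfPartialAttributeSet, searchFlags |
        Select-Object Name, isMemberOfPartialAttributeSet, searchFlags
}

# Preview first, then apply (the fax number attribute from the text above):
Add-AttributeToGlobalCatalog -LdapDisplayName facsimileTelephoneNumber -Index -WhatIf
# Add-AttributeToGlobalCatalog -LdapDisplayName facsimileTelephoneNumber -Index
```

Domain controllers reload their schema cache a few minutes after a schema change, so the new Global Catalog content does not appear instantly; and the replication cost described earlier still applies, so on a forest that still has Windows 2000 Global Catalog servers, schedule the change for a quiet period.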

The Big Difference between Windows 2000 and Windows Server 2003 Global Catalog

While there really aren't a lot of AD-related differences between Windows 2000 Server and the Windows Server 2003 product line, one of the most important differences impacts the use of Global Catalog servers during the logon process.

In a Windows 2000 environment, a Global Catalog is critical to the logon process. When a user logs on to the network, a security token is created for them. This token includes information about the groups of which they are a member. If a Global Catalog server is not available during the logon process, the user will not be able to log on to the network—instead they will be limited to logging on to the local computer.

note Members of the Domain Admins group can log on to the network without accessing the Global Catalog. If this wasn't the case, a malfunctioning Global Catalog server could conceivably prevent an administrator from logging on to fix the problem.

In Windows Server 2003 the requirement of contacting a Global Catalog has been eliminated. The domain controller closest to the user caches the user's complete group memberships. The cache populates at the first logon, and subsequent logons use this cached information. The cached information is refreshed periodically from a Global Catalog.

This is a major change to the way logons are processed! It might actually justify the cost of moving to Windows Server 2003. Many Windows 2000 environments experience extreme performance issues during periods of heavy logon (like Monday morning when everyone logs on at the same time). Most of this slowdown is caused by the dual access involved—first a domain controller is accessed, and then the domain controller accesses a Global Catalog.

In a Windows 2000 environment, it is recommended that each physical location have at least one Global Catalog server, otherwise the logon process will include accessing the Global Catalog over whatever WAN links are in place—not a pretty picture!
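To check the recommendation above (at least one Global Catalog server per physical location), here is an added PowerShell example, not code from the book, that lists per site which domain controllers hold the Global Catalog. For Windows Server 2003 and later forests it also reads the options attribute of each site's NTDS Site Settings object, where bit 0x20 records whether group membership caching is enabled for that site (the book does not cover that flag). Sites with neither a Global Catalog nor caching are the ones whose logons would depend on the WAN.

```powershell
# Added example, not from the book. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GlobalCatalogCoverage {
    # One row per site: the GC servers located there, and whether the site has
    # group membership caching turned on (options bit 0x20 on the site's
    # NTDS Site Settings object; Windows Server 2003 and later).
    $gcBySite = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Group-Object -Property Site -AsHashTable -AsString

    foreach ($site in (Get-ADReplicationSite -Filter *)) {
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" -Properties options
        $gcs = if ($gcBySite -and $gcBySite.ContainsKey($site.Name)) { @($gcBySite[$site.Name].HostName) } else { @() }

        [pscustomobject]@{
            Site                = $site.Name
            GlobalCatalogs      = if ($gcs.Count) { $gcs -join ', ' } else { '(none)' }
            GroupCachingEnabled = (([int]$settings.options -band 0x20) -ne 0)
        }
    }
}

# Full picture, then only the sites whose logons would have to cross the WAN:
Get-GlobalCatalogCoverage | Sort-Object Site | Format-Table -AutoSize
Get-GlobalCatalogCoverage | Where-Object { $_.GlobalCatalogs -eq '(none)' -and -not $_.GroupCachingEnabled }
```

Run this from any domain-joined machine with the module installed; the results come from the Configuration partition, which every domain controller replicates, so no Global Catalog is needed to produce the report itself.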
