Figure

Currently in Mixed mode, can shift to Native mode

If you click the button to change your domain to Native mode, it'll ask you if you're sure. Once you do and then close domain.msc, you'll be alerted that this change doesn't happen immediately.

Once all of the DCs in the domain have gotten the message that they should switch over, and after you reboot all of those DCs, your domain will be in Native mode.

TIP If you're sure that you're never going to incorporate any NT 4 domain controllers, install the first Windows 2000 domain controller in your new Windows 2000 domain and shift it over to Native mode immediately. That way, you don't have to run around rebooting domain controllers, and any DCs installed after you've shifted to Native mode will automatically be in Native mode.

The Global Catalog and Universal Groups

One reason that you sometimes wouldn't use universal groups is because of their effect on something called the global catalog. But what's a global catalog?

As I've hinted so far and as you'll read a bit later, Windows 2000 helps you build big multidomain networks by allowing you to create a multidomain structure called a tree or a larger structure called a forest. Without stealing the later tree-and-forest section's thunder, let me motivate the global catalog discussion by saying that one of the benefits of having a tree/forest of domains is that anyone from any domain can log in to any workstation from any other domain in the tree/forest. This is great in theory but in practice constitutes a major performance hassle. Suppose we had a forest with 50 domains: every time you wanted to log in to a workstation, that workstation would have no idea which of the 50 domains to query to authenticate your logon. So it would have to search one domain after the other ("Hey, do you know a guy named Ralph023?"), and the result could be extremely slow logons.

The global catalog (GC) solves that problem. It's an abbreviated version of every domain in the forest. Clearly this could get to be pretty big, but the GC remains manageable in size because it only contains a small subset of information from the Active Directory: what users each domain includes and what domain they're from is one of those pieces of information. (There's another value here as well, but I'll cover it later when I discuss forests and trees.)

Another piece of information stored in the GC is the name of each global group in each domain in the forest. That wouldn't constitute too much space and wouldn't make the GC grow too much. But universal groups are a completely different story: the GC not only knows all of their names, it also knows what users are members of each universal group! As a result, heavy use of universal groups could considerably slow down network logons—so it's a good idea to use universals sparingly.

In case you're wondering, there is not, as far as I know, any tool that lets you directly browse or examine the global catalog—although some search operations use it.

Was this article helpful?

0 0

Post a comment