Learn AD in 15 Minutes a Week: Windows 2000 Global Catalog Server Page 2
Main Functions of the Global Catalog Server
The Windows 2000 global catalog
maintains all of the Universal Group memberships for the
forest and also enables forest-wide directory
searches.
The Windows 2000 global catalog
provides universal group membership information for the
account to the domain controller processing the user logon
information. If the global catalog server is not available
when a user tries to log on to the network (because a
local server is not available and a remote one cannot be
reached), the user is only able to log on to the local
computer using cached credentials. If the user has never
logged on to that system before, or there is a GPO that
prohibits the caching of credentials, the user cannot log on.
[NOTES FROM THE FIELD] - If the user is logged on
with cached credentials, all necessary network resource
access will need to be validated on an individual basis. In a
Kerberos scenario, the Kerberos Key Distribution Center will
need to be contacted to get a ticket for access. If NTLM is
used, pass-through authentication will be performed.
Also, if the user trying to log on is an Administrator
and they cannot access a global catalog server, a "normal"
logon is allowed even though the global catalog server
couldn't be reached. For more information on this you can check the
Global Catalog Server Requirement for User and Computer
Logon (Q216970) article on the Microsoft web site. There
is also another good one called
How to Disable Requirement that a Global Catalog Server Be
Available to Validate User Logons (Q241789) which allows
you to configure user logons to all "function" as the
administrator accounts do, by
Configure a New Global Catalog Server
As mentioned earlier, the Windows 2000 global catalog is created on the forest root domain controller when DCPROMO is run for the first time, and this server is known as the Global Catalog Server.
You can set up any server to be a Global Catalog Server: open the Active Directory Sites and Services MMC and, in the console tree, right-click the NTDS Settings of the server you want to make into a Global Catalog Server and select PROPERTIES.
On the GENERAL tab of the PROPERTIES page for that server, check the GLOBAL CATALOG checkbox and select OK.

The Active Directory Sites and Services snap-in is not installed on Windows 2000 Professional systems; however, the Windows 2000 Administration Tools allow certain MMC snap-ins (including Active Directory Sites and Services) to be installed on Windows 2000 Professional systems for remote administration.
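Because logon depends on a reachable global catalog, it is worth auditing which sites have one. The GLOBAL CATALOG checkbox corresponds to bit 0x1 of the `options` attribute on the server's NTDS Settings (nTDSDSA) object; the following is an added example, not part of the original article, that reads that bit from exported records and lists sites with no local global catalog. The sample DNs, the `example.com` domain, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Bit 0x1 of the "options" attribute on an NTDS Settings (nTDSDSA) object
# is the flag behind the GLOBAL CATALOG checkbox.
NTDSDSA_OPT_IS_GC = 0x1

# Constructed sample: (distinguishedName, options) pairs such as an LDAP export
# of the NTDS Settings objects might contain. None means the attribute is unset.
SAMPLE_NTDS_SETTINGS = [
    ("CN=NTDS Settings,CN=DC01,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com", 1),
    ("CN=NTDS Settings,CN=DC02,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com", None),
    ("CN=NTDS Settings,CN=DC03,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=com", 0),
    ("CN=NTDS Settings,CN=DC04,CN=Servers,CN=Lab,CN=Sites,CN=Configuration,DC=example,DC=com", "5"),
]


def parse_ntds_dn(dn):
    """Return (site, server) from an NTDS Settings DN; raise ValueError otherwise."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]  # split on unescaped commas
    pairs = [r.split("=", 1) for r in rdns[:5]]
    if len(pairs) < 5 or any(len(p) != 2 for p in pairs):
        raise ValueError(f"not an NTDS Settings DN: {dn!r}")
    values = [v.strip() for _, v in pairs]
    fixed = (values[0].lower(), values[2].lower(), values[4].lower())
    if fixed != ("ntds settings", "servers", "sites"):
        raise ValueError(f"not an NTDS Settings DN: {dn!r}")
    return values[3], values[1]


def gc_coverage(records):
    """Map each site name to {'gc': [servers], 'non_gc': [servers]}."""
    sites = defaultdict(lambda: {"gc": [], "non_gc": []})
    for dn, options in records:
        site, server = parse_ntds_dn(dn)
        is_gc = bool(int(options or 0) & NTDSDSA_OPT_IS_GC)
        sites[site]["gc" if is_gc else "non_gc"].append(server)
    return dict(sites)


def sites_without_gc(records):
    """Sites whose users depend on reaching a remote global catalog at logon."""
    return sorted(site for site, v in gc_coverage(records).items() if not v["gc"])


if __name__ == "__main__":
    for site, servers in sorted(gc_coverage(SAMPLE_NTDS_SETTINGS).items()):
        print(f"{site}: GC={servers['gc']} non-GC={servers['non_gc']}")
    print("Sites with no local global catalog:", sites_without_gc(SAMPLE_NTDS_SETTINGS))
```

A site reported here has no local global catalog, so a WAN outage there leaves users with only the cached-credential logon described earlier.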
Partition Replication
The Windows 2000 Active Directory is partitioned into three distinct parts.
- Schema Partition. The information in the Schema
Partition defines all objects and their allowed attributes
and is common to all domains in the forest. This partition
is replicated to all domain controllers in the forest.
- Configuration Partition. The Configuration
Partition outlines your domain structure and replication
topology. This information is common to all domains in the
forest. This partition is replicated to all domain
controllers in the forest.
- Domain Partition. The Domain Partition references data objects of a given domain. This information is commonly relevant only to that single domain and is not shared; the partition is replicated only to the domain controllers in that domain. A subset of this data (partial replica), taken from all objects in all domains, is stored in the global catalog.
All of the objects in every domain, and a subset of the properties (partial replica) of all objects in a forest, are replicated to the global catalog.
Domain controllers have the responsibility of replicating:
- The schema and configuration partitions for the forest.
- The domain partition for the local domain, within the local domain, and a subset of the properties (partial replica) of all objects of the local domain to the global catalog.
Global Catalog servers have the responsibility of replicating:
- The schema information for a forest
- The configuration information for all domains in a forest
- A subset of the properties (partial replica) for all directory objects in the forest (replicated between global catalog servers only)
- All directory objects and all their properties for the local domain.
