Learn AD in 15 Minutes a Week: Windows 2000 Global Catalog Server

Wednesday Jun 12th 2002 by ServerWatch Staff
Jason Zandri's latest article in the Learn Active Directory Design and Administration in 15 Minutes a Week discusses the Windows 2000 Global Catalog Server and how it is used within Windows 2000 and Active Directory.

by Jason Zandri
www.2000trainers.com

Welcome to the seventh installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This installment is going to discuss the Windows 2000 Global Catalog Server and how it is used within Windows 2000 and Active Directory.

Overview

The Windows 2000 global catalog is the single database where information on all of the Active Directory objects in a tree or forest is kept. It is created on the forest root domain controller when DCPROMO is run for the first time, and that server is known, among other names, as the Global Catalog Server.

Windows 2000 Global Catalog Servers store every attribute of every Active Directory object in their own domain. This is referred to as a full replica. They also store a subset of the attributes of every Active Directory object in every other domain in the forest. This is referred to as a partial replica. This forest-wide subset lets users and services query for directory information and directory objects from any domain in the forest, regardless of which domain the data or object actually lives in. In a nutshell, a user from one domain can search for a printer that is published in Active Directory and locate it in any domain, even an external one, using only the printer's name or some other attribute known to the Active Directory database. This could be a building number, a floor, or some other naming convention used within the given organization.

[NOTES FROM THE FIELD] - I use this analogy often, as it helps me to make sense of the whole full replica / partial replica distinction.

Think of the Active Directory replica of your local domain (the full replica) as the yellow pages of your local phone book (your local calling area). In its listings and ads (the objects) you can often find telephone numbers, street addresses, hours of operation and other pertinent information (the attributes of those objects) for the businesses you are looking up.

While your local yellow pages has no listings for outside your calling area, you can still look up the phone number (attribute) of a business (object) outside your area by calling 411 / directory assistance, where they look the number up for you in their database. That database holds only some of the information you might be after (the partial replica), since you can usually get only the phone number from directory assistance. However, by calling the telephone number you are given (performing an Active Directory query), you can find out the address and the hours of operation.

Think of the directory assistance database as the partial replica from all other domains in the forest. It has some information on all of the objects, but not all of it.

Object attributes that are replicated from their source domains into the Windows 2000 Global Catalog keep, for security purposes, the permissions they carry in the source domain.


Main Functions of the Global Catalog Server

The Windows 2000 global catalog maintains all of the Universal Group memberships for the forest, and it also enables forest-wide directory searches.

The Windows 2000 global catalog provides the universal group membership information for the account to the domain controller that is processing the user's logon. If no global catalog server is available when a user tries to log on to the network (either because a local one is not available or because a remote one cannot be reached), the user is only able to log on to the local computer using cached credentials. If the user has never logged on to that system before, or a GPO prohibits the caching of credentials, the user cannot log on.

[NOTES FROM THE FIELD] - If the user is logged on with cached credentials, every network resource access will need to be validated on an individual basis. In a Kerberos scenario, the Kerberos Key Distribution Center will need to be contacted to get a ticket for access. If NTLM is used, pass-through authentication will be performed.

Also, if the user trying to log on is an Administrator, a "normal" logon is allowed even though a global catalog server cannot be reached.

For more information on this, see the Global Catalog Server Requirement for User and Computer Logon (Q216970) article on the Microsoft web site. There is also another good one called How to Disable Requirement that a Global Catalog Server Be Available to Validate User Logons (Q241789), which shows how to make ordinary user logons behave as Administrator logons do by removing the need to reach the Global Catalog server.
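The two behaviours just described, the cached-credentials fallback and the Q241789 override, are exactly what a defender wants to know about a domain controller before relying on universal groups for access control. The script below is an added example, not part of Jason Zandri's article: it reads the IgnoreGCFailures value under the Lsa key that Q241789 documents, the CachedLogonsCount value Winlogon uses, locates a global catalog the same way the logon process does and confirms it is actually serving the catalog. It assumes a current domain-joined host with Windows PowerShell and .NET's System.DirectoryServices (Windows 2000 itself has no PowerShell), run elevated on the domain controller being checked; it changes nothing.

```powershell
# Added example (not from the article): audit a domain controller's global catalog logon
# dependency. Read-only; run elevated on the DC you are checking.

$lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# IgnoreGCFailures: REG_DWORD, 1 = logons no longer require a global catalog (Q241789).
$ignoreGc = (Get-ItemProperty -Path $lsaKey -Name IgnoreGCFailures -ErrorAction SilentlyContinue).IgnoreGCFailures
if ($null -eq $ignoreGc) { $ignoreGc = 0 }

# CachedLogonsCount: REG_SZ, number of interactive logons cached for use when no DC answers
# (Windows defaults to 10 when the value is absent; 0 turns caching off).
$cached = (Get-ItemProperty -Path $winlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }

# Locate a global catalog as the logon process would, then confirm it is serving the catalog:
# rootDSE attribute isGlobalCatalogReady turns TRUE only once its partial replicas are in.
$gcName  = $null
$gcReady = $false
try {
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcName  = $forest.FindGlobalCatalog().Name
    $gcRoot  = [ADSI]"LDAP://$gcName/RootDSE"
    $gcReady = ([string]$gcRoot.Properties['isGlobalCatalogReady'].Value) -eq 'TRUE'
} catch {
    # FindGlobalCatalog throws when no global catalog can be located from here.
}

$report = New-Object PSObject -Property @{
    IgnoreGCFailures   = [int]$ignoreGc
    CachedLogonsCount  = [int]$cached
    GlobalCatalog      = $gcName
    GlobalCatalogReady = $gcReady
}
$report | Format-List IgnoreGCFailures, CachedLogonsCount, GlobalCatalog, GlobalCatalogReady

if ($report.IgnoreGCFailures -eq 1) {
    Write-Warning 'IgnoreGCFailures=1: logons proceed without a global catalog, so universal group memberships are not placed in the token and permissions (including deny entries) that depend on universal groups are not enforced for those sessions.'
}
if (-not $report.GlobalCatalogReady) {
    Write-Warning 'No ready global catalog located: only cached logons and Administrator logons will succeed until one is reachable.'
}
```

The point of the first warning is the trade-off behind Q241789: the override keeps users working when the global catalog is down, but those sessions carry no universal group SIDs, so anything you deny through a universal group is no longer denied. Treat a value of 1 as a finding to be reviewed rather than a convenience setting.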

Configure a New Global Catalog Server

As mentioned earlier, the Windows 2000 global catalog is created on the forest root domain controller when DCPROMO is run for the first time, and this server is known as the Global Catalog Server.

You can make any domain controller a Global Catalog Server: open the Active Directory Sites and Services MMC, and in the console tree right-click the NTDS Settings object of the server you want to make into a Global Catalog Server and select PROPERTIES.

On the GENERAL tab of the PROPERTIES page for that server, check the GLOBAL CATALOG checkbox and select OK.

The Active Directory Sites and Services snap-in is not installed on Windows 2000 Professional systems; however, the Windows 2000 Administration Tools allow certain MMC snap-ins (including Active Directory Sites and Services) to be installed on Windows 2000 Professional systems for remote administration.

Partition Replication

The Windows 2000 Active Directory is partitioned into three distinct parts.

  • Schema Partition. The information in the Schema Partition defines all objects and their allowed attributes and is common to all domains in the forest. This partition is replicated to all domain controllers in the forest.

  • Configuration Partition. The Configuration Partition outlines your domain structure and replication topology. This information is common to all domains in the forest. This partition is replicated to all domain controllers in the forest.

  • Domain Partition. The Domain Partition holds the data objects of a given domain. This information is generally relevant only to that single domain; it is not shared, and the partition is replicated only to the domain controllers in that domain. It is a subset of this data from all objects in all domains (the partial replica) that is stored in the global catalog.

All of the objects in every domain, and a subset of the properties (partial replica) of all objects in a forest, are replicated to the global catalog.

Domain controllers have the responsibility of replicating:

  • The schema and configuration partitions for the forest.
  • The domain partition for the local domain, to the other domain controllers within the local domain, and a subset of the properties (partial replica) of all objects in the local domain to the global catalog.

Global Catalog servers have the responsibility of replicating:

  • The schema information for the forest.
  • The configuration information for all domains in the forest.
  • A subset of the properties (partial replica) of all directory objects in the forest (replicated between global catalog servers only).
  • All directory objects and all of their properties for the local domain.
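Both the configuration steps above and this partition list can be checked from the directory itself. The following script is an added example, not part of the article: it lists the naming contexts (partitions) held by the domain controller it binds to and classifies each as schema, configuration or domain, then walks CN=Sites in the configuration partition to report which domain controllers in the forest carry the global catalog flag. That flag is the low-order bit (NTDSDSA_OPT_IS_GC, value 1) of the options attribute on each server's NTDS Settings object; the GLOBAL CATALOG checkbox in Sites and Services sets the same bit, and the optional $EnableOn variable does so from the script. It assumes a current domain-joined host with Windows PowerShell; the server name in $EnableOn is a placeholder.

```powershell
# Added example (not from the article): partition inventory plus a forest-wide list of
# which domain controllers are global catalog servers. Set $EnableOn to a server name
# (placeholder) to turn the flag on for that one DC; leave it empty to report only.

$EnableOn = ''    # e.g. 'DC2' (placeholder); '' = report only

$root     = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$root.Properties['schemaNamingContext'].Value
$configNc = [string]$root.Properties['configurationNamingContext'].Value

Write-Host "Partitions held by $([string]$root.Properties['dnsHostName'].Value):"
foreach ($nc in $root.Properties['namingContexts']) {
    if     ($nc -eq $schemaNc) { $kind = 'schema        (replicated to every DC in the forest)' }
    elseif ($nc -eq $configNc) { $kind = 'configuration (replicated to every DC in the forest)' }
    else                       { $kind = 'domain        (replicated within that domain; partial replica to GCs)' }
    Write-Host ("  {0,-60} {1}" -f $nc, $kind)
}

# Every DC has an NTDS Settings object (class nTDSDSA) under CN=Sites in the configuration partition.
$NTDSDSA_OPT_IS_GC = 1
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
$searcher.Filter     = '(objectClass=nTDSDSA)'
$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'options'))

Write-Host "`nGlobal catalog flag per domain controller:"
foreach ($result in $searcher.FindAll()) {
    $dn      = [string]$result.Properties['distinguishedname'][0]
    $options = 0
    if ($result.Properties['options'].Count -gt 0) { $options = [int]$result.Properties['options'][0] }
    $isGc    = ($options -band $NTDSDSA_OPT_IS_GC) -ne 0

    # DN shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    $parts  = $dn -split ','
    $server = $parts[1] -replace '^CN='
    $site   = $parts[3] -replace '^CN='
    Write-Host ("  {0,-20} site={1,-25} GC={2}" -f $server, $site, $isGc)

    if ($EnableOn -and ($server -ieq $EnableOn) -and -not $isGc) {
        $ntds = [ADSI]"LDAP://$dn"
        $ntds.Properties['options'].Value = $options -bor $NTDSDSA_OPT_IS_GC
        $ntds.CommitChanges()
        Write-Host "    -> flag set on $server; it becomes a usable GC once the partial replicas have replicated in"
    }
}
```

Because the configuration partition is replicated to every domain controller in the forest, the inventory is the same whichever DC the serverless LDAP:// binding lands on; only the first block (the partitions held) is specific to that DC. Knowing which DCs are global catalogs, and in which sites, tells you where the logon dependency described earlier actually sits.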


INTRA-Site Replication Overview

Active Directory generates a default replication topology among domain controllers in the same domain within a single site. This default replication topology defines the path for the Active Directory updates so that all domain controllers in the same domain receive the updates within that site.

This default replication topology is fault tolerant between the domain controllers. If a domain controller within a site becomes unreachable and breaks the default topology, replication still continues to all of the other domain controllers through the redundant paths.

Active Directory periodically verifies the status of the current replication topology within a site to ensure that it is operational. Active Directory reconfigures the replication topology to reflect any changes in the environment, such as the addition or permanent removal of a domain controller.

INTER-Site Replication Overview

Active Directory uses network connection information to generate default connection objects (bridgehead servers) to replicate Active Directory data between sites. These bridgehead servers are the only connection points between the sites for the purposes of replication.

You can provide additional information about the protocol to be used for replication, the cost of the site links (specifically, if there are redundant paths between sites and certain ones are favored over others), link availability schedules, and so on. This lets you optimize network utilization and minimize replication traffic by scheduling what you can during the slow periods of the day, so that replication is as efficient as possible and affects your network as little as possible.
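The settings just listed (transport, link cost, replication interval, schedule and member sites) live on siteLink objects under CN=Inter-Site Transports in the configuration partition. The script below is an added example, not part of the article, that reads them so you can see the inter-site topology Active Directory will actually use. It is read-only and assumes a current domain-joined host with Windows PowerShell.

```powershell
# Added example (not from the article): list every inter-site site link with its transport,
# cost, replication interval, whether a custom schedule is set, and the sites it joins.

$root     = [ADSI]'LDAP://RootDSE'
$configNc = [string]$root.Properties['configurationNamingContext'].Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Inter-Site Transports,CN=Sites,$configNc"
$searcher.Filter     = '(objectClass=siteLink)'
$searcher.PropertiesToLoad.AddRange(@('name', 'cost', 'replInterval', 'siteList', 'schedule', 'distinguishedName'))

foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    # The transport (IP or SMTP) is the container directly above the site link in the DN.
    $transport = (([string]$p['distinguishedname'][0]) -split ',')[1] -replace '^CN='
    # siteList holds the DNs of the member sites; keep just the site names.
    $sites = @($p['sitelist'] | ForEach-Object { (([string]$_) -split ',')[0] -replace '^CN=' })
    # An absent schedule attribute means the link is available around the clock.
    $schedule = 'always'
    if ($p['schedule'].Count -gt 0) { $schedule = 'custom' }

    Write-Host ("{0,-25} transport={1,-4} cost={2,-5} interval={3,4} min  schedule={4,-7} sites={5}" -f
        [string]$p['name'][0], $transport, [int]$p['cost'][0], [int]$p['replinterval'][0], $schedule, ($sites -join ', '))
}
```

Lower cost wins when redundant links exist between two sites, and the interval is the minimum number of minutes between replication cycles over that link, so a link with a high cost and a custom schedule is the one you expect to carry traffic only outside business hours. Comparing this output with the bridgehead servers that actually form connections is a quick way to confirm the topology matches what was intended.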

Well, that wraps up this section of Learn Active Directory Design and Administration in 15 Minutes a Week - Windows 2000 Global Catalog Server. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until then, best of luck in your studies.


Jason Zandri
Jason@Zandri.net

www.2000trainers.com
