Jason Zandri's latest article in the Learn Active Directory Design and Administration in 15 Minutes a Week discusses the Windows 2000 Global Catalog Server and how it is used within Windows 2000 and Active Directory.
by Jason Zandri
Welcome to the seventh installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This installment discusses the Windows 2000 Global Catalog Server and how it is used within Windows 2000 and Active Directory.
The Windows 2000 global catalog is the
single database where information on all of the Active
Directory objects in a tree or forest is kept. The Windows
2000 global catalog is created on the forest root domain
controller when DCPROMO is run for the first time. This
server is known as, among other things, the Global Catalog Server.
Windows 2000 Global Catalog Servers
store all of the Active Directory object attributes for all
of the Active Directory objects from their own domain. This
is referred to as a full replica. They also contain some of
the Active Directory object attributes from all of the
remaining Active Directory objects from all of the other
domains in the forest. This is referred to as a partial
replica. This subset of data from throughout the forest
allows user and service queries to find directory
information and directory objects from any domain in the
forest, regardless of the domain in which that data or object
exists. In a nutshell this means, for example, a user from
one domain can search for a printer that is published in the
Active Directory and locate it in any domain, even an
external one, by using only the printer's name or some other
known (to the Active Directory database) attribute. This
could be a building number or floor or some other naming
convention used within the given organization.
[NOTES FROM THE FIELD] - I use this analogy
often as it helps me to comprehend the whole full replica /
partial replica thing.
Think of the Active Directory replica of your local
domain (the full replica) as the yellow pages of your local
phone book (your local calling area). In its listings and
ads (objects), you can often find telephone numbers,
street addresses, hours of operation and other pertinent
information (attributes of those objects) for the listings
you are looking up.
While your local yellow pages do not have listings for
businesses outside of your calling area, you can still look up the
phone number (attribute) of a business (object) outside of
your area by calling 411 / directory assistance, where they
can look up the number for you (in their database). This
would have only some of the information you might be looking
for (partial replica), as you usually can only get the phone
number from directory assistance. However, by calling the
telephone number you're given (performing an Active
Directory query), you can find out their address and their
hours of operation.
Think of the directory assistance database as the
partial replica from all other domains in the forest. It
will have some information on all of the objects, but not
all of it.
Object attributes in the Windows 2000 Global Catalog that
are replicated throughout the Active Directory forest
maintain their permissions in the catalog from their source
domains for security purposes.
Main Functions of the Global Catalog Server
The Windows 2000 global catalog
maintains all of the Universal Group memberships for the
forest and it also enables forest-wide directory
The Windows 2000 global catalog
provides universal group membership information for the
account to the domain controller processing the user logon
information. If no global catalog server is available
when a user tries to log on to the network (because a
local server is not available and a remote one cannot be
reached), the user is only able to log on to the local
computer using cached credentials. If the user has never
logged on to that system before, or a GPO prohibits the
caching of credentials, the user cannot log on.
[NOTES FROM THE FIELD] - If the user is logged on
with cached credentials, all necessary network resource
access will need to be validated on an individual basis. In a
Kerberos scenario, the Kerberos Key Distribution Center will
need to be contacted to get a ticket for access. If NTLM is
used, pass-through authentication will be performed.
Also, if the user trying to log on is an Administrator
and they cannot access a global catalog server, a "normal"
logon is allowed even though the global catalog server
couldn't be reached.
For more information on this you can check the
Global Catalog Server Requirement for User and Computer
Logon (Q216970) article on the Microsoft web site. There
is also another good one called
How to Disable Requirement that a Global Catalog Server Be
Available to Validate User Logons (Q241789), which shows how
to configure all user logons to function as the
administrator accounts' logons do, by
eliminating the need to access the Global Catalog server.
Configure a New Global Catalog Server
As mentioned earlier, the Windows 2000 global catalog is created on the forest
root domain controller when DCPROMO is run for the first
time, and this server is known as the Global Catalog Server.
You can set up any domain controller to be a
Global Catalog Server
by going to the Active Directory Sites and Services MMC and,
in the console tree, right-clicking the NTDS Settings of the
server you want to make into a
Global Catalog Server and selecting PROPERTIES.
On the GENERAL tab of the PROPERTIES page for that
server, check the GLOBAL CATALOG checkbox and select OK.
The Active Directory Sites and Services snap-in is not
installed on Windows 2000 Professional systems; however, the
Windows 2000 Administration Tools allows for the
installation of certain MMC snap-ins (including the Active
Directory Sites and Services) on Windows 2000 Professional
systems to allow for remote administration.
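As an added example (not part of the original article), the following PowerShell script uses the .NET System.DirectoryServices.ActiveDirectory API to inventory the Global Catalog servers in the current forest, flag sites that have no local Global Catalog (where logons depend on a reachable remote server or cached credentials, as described above), and wrap the equivalent of the GLOBAL CATALOG checkbox in a function. It assumes a domain-joined Windows host; the server name DC01.example.internal is a placeholder.

```powershell
# Added example, not from the article. Assumes a domain-joined Windows host
# with the .NET System.DirectoryServices assembly (standard on Windows).
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Every Global Catalog server in the forest, with the site it serves
$gcs = @($forest.GlobalCatalogs | Select-Object Name, SiteName, IPAddress)
$gcs | Sort-Object SiteName, Name | Format-Table -AutoSize

# Sites without a local GC: users there need a reachable remote GC,
# or cached credentials, to log on (see the logon discussion above)
$sitesWithGc = @($gcs | ForEach-Object { $_.SiteName } | Sort-Object -Unique)
foreach ($site in $forest.Sites) {
    if ($sitesWithGc -notcontains $site.Name) {
        Write-Warning "Site '$($site.Name)' has no Global Catalog server"
    }
}

# Programmatic equivalent of ticking GLOBAL CATALOG on the NTDS Settings
# GENERAL tab: enable the GC role on a named domain controller.
function Enable-GlobalCatalogOnServer {
    param([Parameter(Mandatory)][string]$ServerName)
    $ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
        -ArgumentList 'DirectoryServer', $ServerName
    $dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    if ($dc.IsGlobalCatalog()) {
        Write-Host "$($dc.Name) is already a Global Catalog server"
        return
    }
    # Takes effect once the partial replicas of the other domains replicate in
    $null = $dc.EnableGlobalCatalog()
    Write-Host "Enabled Global Catalog on $($dc.Name)"
}

# Usage with a placeholder server name:
# Enable-GlobalCatalogOnServer -ServerName 'DC01.example.internal'
```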
The Windows 2000 Active Directory is
partitioned into three distinct parts:
- Schema Partition. The information in the Schema
Partition defines all objects and their allowed attributes
and is common to all domains in the forest. This partition
is replicated to all domain controllers in the forest.
- Configuration Partition. The Configuration
Partition outlines your domain structure and replication
topology. This information is common to all domains in the
forest. This partition is replicated to all domain
controllers in the forest.
- Domain Partition. The Domain Partition
references data objects of a given domain. This
information is commonly relevant only to the single domain;
it is not shared, and this partition is replicated to
domain controllers in that domain only. It is a subset
of this data from all objects in all domains (partial
replica) that is stored in the global catalog.
All of the objects in every domain, and a subset of the
properties (partial replica) of all objects in a forest, are
replicated to the global catalog.
Domain controllers have the responsibility of
- The schema and configuration partitions for the
- The domain partition for the local domain, within the
local domain and a subset of the properties (partial
replica) of all objects of the local domain to the global
Global Catalog servers have the responsibility of
- The schema information for a forest
- The configuration information for all domains in a
- A subset of the properties (partial replica) for all
directory objects in the forest (replicated between global
catalog servers only)
- All directory objects and all their properties for the
INTRA-Site Replication Overview
Active Directory generates a default replication topology
among domain controllers in the same domain within a single
site. This default replication topology defines the path for
the Active Directory updates so that all domain controllers
in the same domain receive the updates within that site.
This default replication topology is fault tolerant
between the domain controllers. If a domain controller
within a site becomes unreachable and the default
replication topology is broken, replication still continues to
all other domain controllers through the redundant paths.
Active Directory periodically verifies the status of the
current replication topology within a site to ensure that it
is operational. Active Directory reconfigures the
replication topology to reflect any changes in the
environment, such as the addition or permanent removal of a
INTER-Site Replication Overview
Active Directory uses network
connection information to generate default connection
objects (bridgehead servers) to replicate Active Directory
data between sites. These bridgehead servers are the only
connection points between the sites for the purposes of
You can provide additional information
about the protocol to be used for replication, the cost of the
site links (specifically, if there are redundant paths
between sites and certain ones are favored over others),
link availability schedules, etc. to further optimize your
network utilization and minimize replication traffic by
scheduling what you can during the slow periods of the day,
making replication as efficient as possible while impacting
your network as little as possible.
Well, that wraps up this section
of Learn Active Directory Design and Administration in 15
Minutes a Week - Windows 2000 Global Catalog Server. I hope
you found it informative and will return for the next
If you have any questions, comments or
even constructive criticism, please feel free to drop me a
I want to write good, solid technical
articles that appeal to a large range of readers and skill
levels and I can only be sure of that through your feedback.
Until then, best of luck in your