MCITP 70-640: Global Catalog Server

Welcome to the next video in this free Active Directory course for the 70-640 exam. In this video I will look at the global catalog server. As we know from the previous videos, each domain in an Active Directory forest has its own copy of the Active Directory database. This is stored in the ntds.dit file, and changes are replicated to each domain controller in the domain.
This works quite well when you want to access resources that are only in one domain, but what happens when you attempt to access a resource in a different part of the forest? If the resource you are trying to access is in the same forest, Windows will automatically use your username and password to access the remote resource. Assuming that you have permission to the resource, you will be given access. The problem occurs when you want to access a resource in the forest and you don't know where it is. A domain only knows about resources that are in the domain itself; it does not have information about resources that exist outside that domain. To allow users to find resources in the forest, Windows allows a domain controller to function as a global catalog server. A global catalog server acts as an index for the forest. Just like an index in a library, a global catalog server helps users find information. Any domain controller can be made a global catalog server; it is just a matter of ticking a tick box.

Objects in Active Directory have a number of attributes assigned to them. The global catalog contains information about all the objects in the Active Directory forest. This is not a full record of each object but rather a subset of each object's data. In other words, only certain attributes are replicated to the global catalog server. The information replicated is enough to find objects in the forest. Just like an index in a library contains key information such as the title and author of each book, the global catalog server contains key information about every object in the forest. Having global catalog servers, or GCs, means users in different domains can run queries on the GCs to find any object in the forest. Since users in different domains can access resources in different domains in the forest, there are also groups that work across the forest. These groups can contain users from any domain in the forest. The global catalog server is responsible for keeping information about these groups that include users from different domains.
Any domain controller can be a global catalog server. In each domain you need to have at
least one global catalog server. If you have a large enough domain you should also have
additional global catalog servers for redundancy reasons. Losing your only global catalog server
in your domain can cause problems. As long as you have one global catalog server you
can always make more domain controllers global catalog servers.
To make things as simple as possible there is nothing stopping you from making all your
domain controllers into global catalog servers. In fact, Windows Server 2008 by default will
make a new domain controller into a global catalog server when it is promoted.
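As an added example (this is not code from the video or from ITFreeTraining), the same setting the Global Catalog tick box controls can be inventoried and changed from PowerShell with the ActiveDirectory module, which is what you would use to check that the default described above actually applied to every promoted server. The server name DC02 is an assumed placeholder.

```powershell
# Added example, not from the video. Requires the ActiveDirectory module (RSAT)
# and an account allowed to modify NTDS Settings objects. 'DC02' is a placeholder.
Import-Module ActiveDirectory

# Inventory: which domain controllers in this domain are global catalog servers?
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog |
    Sort-Object Site, Name

# The "Global Catalog" tick box in Active Directory Users and Computers sets bit
# value 1 (NTDSDSA_OPT_IS_GC) in the 'options' attribute of the DC's NTDS Settings
# object. This function flips only that bit and leaves any other option bits alone.
$IsGcFlag = 1

function Set-GlobalCatalogFlag {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    $dc      = Get-ADDomainController -Identity $DomainController
    $ntdsDn  = $dc.NTDSSettingsObjectDN
    $current = [int](Get-ADObject -Identity $ntdsDn -Properties options).options
    $new     = if ($Enabled) { $current -bor $IsGcFlag } else { $current -band (-bnot $IsGcFlag) }
    if ($new -ne $current) {
        Set-ADObject -Identity $ntdsDn -Replace @{ options = $new }
    }
    # Return what the directory now holds so the caller can confirm the change.
    [bool]((Get-ADObject -Identity $ntdsDn -Properties options).options -band $IsGcFlag)
}

# Tick the box for DC02.
Set-GlobalCatalogFlag -DomainController 'DC02' -Enabled $true

# Ticking the box is not the same as the GC being usable: the partial replicas of
# the other domains still have to replicate in. rootDSE's isGlobalCatalogReady
# turns TRUE only when DC02 can answer forest-wide queries, so poll that instead
# of trusting the tick box.
do {
    $ready = "$((Get-ADRootDSE -Server 'DC02').isGlobalCatalogReady)" -eq 'True'
    if (-not $ready) { Start-Sleep -Seconds 30 }
} while (-not $ready)
'DC02 is now advertising itself as a global catalog server.'
```

The function is deliberately written as a read-modify-write of the single bit rather than assigning a fixed value, so it will not clobber any other option bits already set on the NTDS Settings object. The readiness loop matters for the removal case too: un-ticking the box stops the server advertising as a GC, and clients that were using it will fall back to another one via the locator.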
The disadvantage of having more global catalog servers is that they require more disk space and more bandwidth. Nowadays, with disk space and network bandwidth becoming a lot cheaper and more available, making all domain controllers into global catalog servers is not such a big concern as it once was. This is why Microsoft makes all domain controllers global catalog servers by default. You can always switch this off when you promote the server, or later on if you decide to.

I will now change to my Windows server to show you how to change a domain controller into a global catalog server, or change it back if it is no longer required. First of all I will open Server Manager from Administrative Tools under the Start menu. From here expand down through Roles to Active Directory Domain Services. This contains some of the admin tools for Active Directory. The tool I am interested in is Active Directory Users and Computers. You could also run this tool by itself from the Start menu. If I now expand down to Domain Controllers, this will show all the domain controllers in this domain. To make a domain controller into a global catalog server, or to remove the global catalog from it, open the properties of its computer account. From the properties tab select the NTDS Settings button. In the NTDS Settings you have a tick box, Global Catalog. To remove the global catalog simply un-tick the tick box. To make the domain controller into a global catalog server simply tick the tick box. Once you tick or un-tick the tick box, Windows will do the rest.

Making a domain controller into a global catalog server or removing the global catalog, as you can see, is a simple task. The harder question is which domain controllers should be made into global catalog servers. If you have the bandwidth and hard disk space you can simply make all domain controllers into global catalog servers. This is the easiest solution. One question you may also want to ask yourself is where these domain controllers need to be placed. Domain controllers authenticate users, but they don't have to be near the users. For example, if you had a small office of only a few users it would not be worth the money to deploy a domain controller to that location. If the link between the small office and head office was unreliable, you may deploy a domain controller at the location to ensure users can always log on to the network. The next decision is whether you would want to make that domain controller a global catalog server as well. Let's have a look at some of the reasons why you would deploy global catalog servers in certain locations.
Global catalogs are used when a user first logs on. You would think a normal domain controller would have all the information needed to log a user on, but this is not correct. Domain controllers do not contain forest-wide information. The most notable missing information is universal groups. Groups and universal groups are covered in more detail later in the course, so I will not go into a lot of detail about them in this video. Universal groups are groups that can include users from different domains in the forest. For this reason, a regular domain controller simply does not have this information. Even if you have a single domain and a single forest you could still put a user in a universal group, and thus you always need a global catalog server.
To illustrate this better, consider what happens when you first log on to a domain. When you first log on to a domain, Windows creates a security token for you. This token contains everything that you have access to. In order to create this token, Windows needs to know everything you have access to. The security token is created when you first log on, and only when you first log on. From a computing perspective it is time consuming to generate this token, and this is why it is only done once. This is also why, if you change group membership for a user, the change does not take effect until that user logs off and logs back on again. The global catalog server is required to determine which universal groups the user is a member of. Windows can cache credentials, so if the global catalog server can't be contacted the user may still be able to log on using the cached credentials. It is best to always have a global catalog available on the network to ensure users don't have any problems logging in.
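The logon dependency just described is easy to check from the client side. The following is an added example, not from the video: run on a domain-joined workstation, it reports which global catalog the locator hands out for this site, whether the GC ports are reachable through any firewall in the path, and what the cached logon fallback is if no GC answers. The site and host names it prints come from your own forest; nothing is assumed about them.

```powershell
# Added example, not from the video. Run as a normal domain user on a workstation.
Add-Type -AssemblyName System.DirectoryServices

function Get-GcLogonHealth {
    # Same site-aware lookup the logon process uses: a GC in this site if one
    # exists, otherwise the closest site by site-link cost.
    $gc = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindGlobalCatalog()

    # 3268 is plain GC LDAP, 3269 is GC LDAP over TLS. Universal group lookups at
    # logon use the GC, so a firewall that blocks these ports is the case the
    # video describes where a local GC becomes necessary.
    $ports = foreach ($port in 3268, 3269) {
        $tcp = Test-NetConnection -ComputerName $gc.Name -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Reachable = $tcp.TcpTestSucceeded }
    }

    # Cached domain logons are the fallback when no GC (or DC) is reachable.
    # If the value is missing, Windows uses its default of 10 cached logons.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10 (default)' }

    [pscustomobject]@{
        GlobalCatalog     = $gc.Name
        GcSite            = $gc.SiteName
        ClientSite        = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
        Ports             = $ports
        CachedLogonsCount = $cached
    }
}

$health = Get-GcLogonHealth
$health | Format-List
if ($health.GcSite -ne $health.ClientSite) {
    'No global catalog in this site: first logons depend on the WAN link to {0}.' -f $health.GlobalCatalog
}
```

If the GC the locator returns sits in a different site from the client, every first-time logon and every universal group evaluation crosses the WAN, which is exactly the situation the placement rules later in the video are meant to avoid.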
The second reason you need global catalog servers is that they are required when a user logs on using a User Principal Name, or UPN. A UPN is simply a username in the form username@domainname.
The UPN is unique across the forest; however, this does not mean the UPN suffix has to be the same as the domain name. For example, you could have a domain called ITFreeTraining and a domain called High Cost Training. Due to High Cost Training's failure in the marketplace, the employees there were moved to ITFreeTraining; however, their user accounts stayed in the High Cost Training domain. This was done because the corporate change happened quickly, but it will take time for the IT department to move the users from the High Cost Training domain to the ITFreeTraining domain.
These kinds of things happen often in business. People move from area to area, companies are purchased and sold, and businesses are restructured. The IT department needs to be able to respond quickly to changes in business needs. Quick changes may mean a user's UPN does not match the domain they are in. Because of this, you need a global catalog server to work out where the user's account is located in the forest.
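This lookup is something you can reproduce directly. The following is an added example, not code from the video: it resolves a UPN to its home domain through the global catalog's LDAP listener on port 3268, and it goes a little beyond the UPN case by reusing the same GC connection for a forest-wide printer search, which is the kind of query a plain domain controller on port 389 cannot answer for other domains. The domain and user names are constructed placeholders; the ConvertTo-LdapFilterLiteral helper is my own.

```powershell
# Added example, not from the video. Needs the ActiveDirectory module and a
# forest where the placeholder names below exist (they are constructed).
Import-Module ActiveDirectory

# Let the locator pick a GC. Port 3268 is the GC LDAP listener; a normal DC on 389
# only knows its own domain.
$gcHost     = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindGlobalCatalog().Name
$gcEndpoint = "${gcHost}:3268"

function ConvertTo-LdapFilterLiteral {
    # RFC 4515 escaping (hypothetical helper): a UPN typed by a user must not be
    # able to change the structure of the filter we send to the directory.
    param([string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-AccountByUpn {
    param([Parameter(Mandatory)][string] $Upn)
    $literal = ConvertTo-LdapFilterLiteral $Upn
    # -SearchBase '' tells the GC to search every domain partition it holds;
    # without it the search is scoped to the GC's own domain.
    Get-ADObject -Server $gcEndpoint -SearchBase '' `
                 -LDAPFilter "(&(objectCategory=person)(userPrincipalName=$literal))" `
                 -Properties sAMAccountName, userPrincipalName |
        Select-Object sAMAccountName, userPrincipalName, DistinguishedName
}

# jane kept her account in the High Cost Training domain but logs on with the
# ITFreeTraining suffix; the DistinguishedName in the result reveals her home domain.
Find-AccountByUpn -Upn 'jane@itfreetraining.local'

function Find-ColorPrinter {
    # printColor is part of the default partial attribute set, so the GC can
    # answer this for the whole forest; the full printQueue object only lives in
    # its home domain.
    Get-ADObject -Server $gcEndpoint -SearchBase '' `
                 -LDAPFilter '(&(objectClass=printQueue)(printColor=TRUE))' `
                 -Properties printerName, serverName, location |
        Select-Object printerName, serverName, location, DistinguishedName
}
Find-ColorPrinter
```

Running the same two searches against `$gcHost` on port 389 instead of 3268 only returns objects from that server's own domain, which is a quick way to see for yourself what the partial replica on a global catalog adds.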
The next reason you need a global catalog server is that they are used to locate directory information regardless of where the user is in the forest. If you did not have a global catalog server you would need to know exactly which domain the information is located in, and forest-wide services could not exist. If you wanted to search for all large format color printers in the forest, for example, you could not do so without a global catalog server.

The next recommendation with global catalog server placement is that you place a global catalog server at each one of your sites that is separated by a wide area network. In some cases you may have a high speed link between the user and the server, however it may be blocked by a firewall. If you can't open these ports between the client and the server, you may need to place a global catalog server local to the client. This can also apply if the link between the client and the global catalog server is unreliable. If this occurs you should make a domain controller on the local network a global catalog server, or deploy a new domain controller to that network.

The next reason for global catalog server placement is that some software requires a global catalog in order to run. Microsoft Exchange is an excellent example of this. If you have software like Exchange you need a global catalog server available for it to run.
On large networks you should consider having more than one global catalog server available on the local network for the users. This gives you redundancy in case one of the servers is not available, but it also spreads the load between the servers. In busy environments, load balancing between global catalog servers will help keep response times low.
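The placement rules above (a GC in every WAN-separated site, and more than one where the site is busy) can be audited rather than assumed. The following is an added example, not code from the video: it walks every domain in the forest with the .NET System.DirectoryServices.ActiveDirectory classes, so it needs no extra module, and flags sites that have domain controllers but no global catalog, or only a single one. The site and server names in its output come from your own forest.

```powershell
# Added example, not from the video. Needs forest-wide read access; each DC is
# contacted once to read its global catalog flag.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$sites  = $forest.Sites | ForEach-Object { $_.Name }

# FindAllDomainControllers() is per domain, so collect across every domain in the forest.
$dcs = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.FindAllDomainControllers()) {
        [pscustomobject]@{
            Name            = $dc.Name
            Domain          = $domain.Name
            Site            = $dc.SiteName
            IsGlobalCatalog = $dc.IsGlobalCatalog()
        }
    }
}

function Get-GcPlacementReport {
    foreach ($site in $sites) {
        $inSite = @($dcs | Where-Object { $_.Site -eq $site })
        $gcs    = @($inSite | Where-Object { $_.IsGlobalCatalog })
        $finding = if ($inSite.Count -eq 0) { 'no DC here; clients use another site' }
                   elseif ($gcs.Count -eq 0) { 'DCs present but no global catalog: logons depend on the WAN' }
                   elseif ($gcs.Count -eq 1) { 'single GC: no redundancy' }
                   else { 'ok' }
        [pscustomobject]@{
            Site    = $site
            DCs     = $inSite.Count
            GCs     = $gcs.Count
            GcNames = ($gcs.Name -join ', ')
            Finding = $finding
        }
    }
}

Get-GcPlacementReport | Sort-Object Site | Format-Table -AutoSize
```

A site reported as "DCs present but no global catalog" is the case the video warns about: users there authenticate locally but still need a remote GC for universal group membership at logon. Where the WAN or disk cost of a local GC genuinely cannot be justified, Active Directory also offers universal group membership caching on the site's NTDS Site Settings, which lets the local DC serve cached universal group data at logon without holding a full partial replica.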
Now that I have looked at all the reasons you would want to use a global catalog server, let's look at why you would not want to use global catalog servers. A global catalog server contains a partial replica of every object in the forest and thus puts more load on the server answering queries. A global catalog server must answer GC related queries as well as authenticate users. A global catalog server also requires additional network traffic and hard disk space for forest-wide changes. In a small forest with not that many users this won't be that noticeable, but in a large forest with a high volume of users, and thus a high number of changes, this can make a difference.
Having said this, careful planning is important in global catalog placement. If possible I would personally make all domain controllers global catalog servers, as this is the simplest and easiest configuration to support, assuming the network can support it.
In the next video I will look at operations master roles. These are unique roles at the forest and domain level. Like global catalog servers, these operations master roles do take some planning to place them correctly. Once again, thanks for watching our always free videos.
