Planning a Strategy for Placing Global Catalog Servers

A Global Catalog (GC) contains location information for every object in the forest, whether the object was created by default during installation or manually by an administrator in Active Directory. The GC is also responsible for several other important features, such as the following:

  • Logon validation of universal group membership

  • User principal name logon validation through DC location

  • Search capabilities for every object within an entire forest

NOTE

The GC retains only the frequently searched-for attributes of each object. There is no need, nor would it be practical from a replication standpoint, for the GC to hold every attribute of every object; if it did, the GC would be no different from a regular DC. Instead, the GC is a DC that performs this additional function.

Several factors need to be considered regarding the GC and how it enhances logon validation in a domain running in Windows 2000 native mode or at the Windows Server 2003 functional level.

GC and Logon Validation

Universal groups (discussed in Chapter 4) are stored centrally in the GC. The universal groups a user belongs to are important in building the access token, which is attached to that user and is needed to access any object, run any application, and use system resources. The access token holds the user's SID and the group IDs that indicate which groups the user belongs to. Because access tokens are necessary for both logon validation and resource access, each token must include the user's universal group membership.

When a user logs on to a Windows 2000 native mode or Windows Server 2003 functional level domain (the only ones that include universal groups), the GC supplies the DC with the universal group information for that user's access token. But what if a GC is unavailable for some reason? Then the DC will use "cached credentials" to log the user on to the local computer. This cached logon provides the same level of access to network resources that the user had the last time they logged on, and those credentials exist only if the user has logged on before. What if the user has never logged on and no GC is available for the first logon? If no GC server can be contacted, either locally or at another site, the user cannot log on to the domain and can only log on locally to the machine itself or wait for a GC to become available again.

Evaluating Network Traffic Considerations When Placing Global Catalog Servers

Because GC servers are prominent in logon validation and in locating AD resources, it is important to plan their placement on a complex LAN. Ideally you would have at least one GC server at each AD site, though this isn't always practical, especially for small branch offices. GC traffic increases the burden on WAN links, so there is a tradeoff between remote sites having to contact a GC across a WAN link and the additional replication traffic a GC server generates across that same link. Microsoft nonetheless recommends having a GC server at each site if your server hardware will support it.

Evaluating the Need to Enable Universal Group Membership Caching

With the Windows 2000 native mode, a GC server must be available at all times to verify universal group membership. If you have sites separated by slow or unreliable WAN links, the practice is to place a GC server at each local site. The downside to this is that replication traffic is increased. If the domain is operating at the Windows Server 2003 functional level, you can enable the caching of universal group membership so users can log in even if no GC server is available.

Universal Group Membership Caching is most practical for smaller branch offices with lower-end servers, where it might be problematic to add the additional load of hosting a GC, or locations that have slower WAN connections. To enable caching, use the Active Directory Sites and Services utility. Navigate down the left side of the console and click the site at which you want to enable caching. On the right side (the contents pane), you'll see NTDS Site Settings, as shown in Figure 3.6. Right-click this and choose Properties, which brings up the dialog box shown in Figure 3.7.

Figure 3.6 Configuring Universal Group Membership Caching through NTDS Site Settings in Active Directory Sites and Services.

Figure 3.7 Check the box to enable Universal Group Membership Caching and select a cache server if desired.

To enable Universal Group Membership Caching, simply check the box on the property sheet. You have the option of choosing a specific server to refresh the cache from or leaving it as default, which will cause Windows Server 2003 to attempt to refresh the cache from the nearest GC server it can contact. By default, Windows Server 2003 will attempt to refresh the cache every 8 hours.

Once caching has been enabled, a user must log in once for his information to be cached. Upon the initial logon, a GC server must be contacted to obtain the group membership information, but after the initial logon the information is cached. As a result, logon times are faster because a GC server doesn't need to be contacted, and network bandwidth utilization is improved without GC replication taking place.

CAUTION

Pay keen attention to the functionality of a GC. Your knowledge of GCs will enable you to determine whether possible solutions will resolve defined problems.

User Principal Names and Logon Validation

Normally, an individual might log on to a domain with her common name and password. For example, suppose the user's common name is DonnaD and her password is Duncan1968. Now suppose Donna attempts to log on to the system using her principal name—for example, donna@virtual-realm.com. If Donna is attempting to log on from a system that is in the accounting domain, the DC in acct.virtual-realm.com will not know her account. However, the DC will check with the GC, and that will, in turn, lead to the DC for the virtual-realm.com domain. The user will then be validated.

Adding GC Servers

Not all DCs are GC servers. Following are several thoughts to keep in mind:

  • The first DC in a forest is a GC server.

  • Any DC can be a GC server if set up to assume that function by the system administrator.

  • Usually one GC is helpful in each site.

  • You can create additional GCs if necessary.

To add another GC, perform the following tasks from AD Sites and Services:

  1. Within the tree structure in the left pane, expand the DC that will be the new GC.

  2. Right-click NTDS Settings and select Properties.

  3. In the NTDS Settings Properties dialog box, under the General Tab, select the Global Catalog check box, as shown in Figure 3.8.
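As an added example (not part of the book, which covers only the Active Directory Sites and Services GUI), the following PowerShell script audits where GCs sit in each site, whether Universal Group Membership Caching is on, and whether an Infrastructure Master shares a server with a GC (the design flaw in Question 9 below), and then performs the two check-box changes described above and in the caching section. It assumes the RSAT ActiveDirectory module, which postdates Windows Server 2003 but reads and sets the same attribute bits the GUI toggles; the 0x1 and 0x20 bit values of the options attribute and the msDS-Preferred-GC-Site attribute come from the AD schema documentation, not from this page, and all server and site names are placeholders.

```powershell
# Added example, not from the book: audit Global Catalog placement and
# Universal Group Membership Caching (UGMC) across a forest, and perform the
# two Sites and Services check-box changes by setting the same bits in the
# 'options' attribute. Requires the RSAT ActiveDirectory module on a
# domain-joined admin workstation. Read-only unless the Enable-* functions
# are called.
Import-Module ActiveDirectory

# Bit values of the 'options' attribute (from the nTDSDSA and
# nTDSSiteSettings definitions in MS-ADTS; not taken from the book).
$OPT_IS_GC                    = 0x1   # NTDS Settings: this DC is a GC
$OPT_IS_GROUP_CACHING_ENABLED = 0x20  # NTDS Site Settings: UGMC is on

function Get-ForestDomainControllers {
    # Get-ADDomainController -Filter * returns only the current domain's DCs,
    # so enumerate every domain in the forest.
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
}

function Get-GcPlacementReport {
    # One row per site: DC count, GC count, whether UGMC is enabled, and
    # which site (if any) the cache is refreshed from.
    $dcs = Get-ForestDomainControllers
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                                 -Properties options, 'msDS-Preferred-GC-Site'
        $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
        [pscustomobject]@{
            Site        = $site.Name
            DCs         = $siteDcs.Count
            GCs         = @($siteDcs | Where-Object { $_.IsGlobalCatalog }).Count
            UGMCEnabled = [bool]([int]$settings.options -band $OPT_IS_GROUP_CACHING_ENABLED)
            RefreshFrom = $settings.'msDS-Preferred-GC-Site'
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # In a multi-domain forest the Infrastructure Master must not be a GC
    # unless every DC in its domain is also a GC.
    $domains = (Get-ADForest).Domains
    foreach ($domain in $domains) {
        $imHost = (Get-ADDomain -Identity $domain).InfrastructureMaster
        $dcs    = @(Get-ADDomainController -Filter * -Server $domain)
        $im     = $dcs | Where-Object { $_.HostName -eq $imHost }
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        [pscustomobject]@{
            Domain               = $domain
            InfrastructureMaster = $imHost
            ImIsGc               = [bool]$im.IsGlobalCatalog
            Conflict             = ($domains.Count -gt 1) -and $im.IsGlobalCatalog -and -not $allGc
        }
    }
}

function Enable-GlobalCatalog {
    # Equivalent of selecting the Global Catalog check box in the NTDS
    # Settings Properties dialog box.
    param([Parameter(Mandatory)][string]$DcName)
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options -Server $dc.HostName
    Set-ADObject -Identity $ntds -Server $dc.HostName `
                 -Replace @{ options = ([int]$ntds.options -bor $OPT_IS_GC) }
}

function Enable-UniversalGroupMembershipCaching {
    # Equivalent of the caching check box and the optional "Refresh cache
    # from" site in the NTDS Site Settings Properties dialog box.
    param([Parameter(Mandatory)][string]$SiteName, [string]$RefreshFromSite)
    $dn  = "CN=NTDS Site Settings,$((Get-ADReplicationSite -Identity $SiteName).DistinguishedName)"
    $cur = Get-ADObject -Identity $dn -Properties options
    $new = @{ options = ([int]$cur.options -bor $OPT_IS_GROUP_CACHING_ENABLED) }
    if ($RefreshFromSite) {
        $new['msDS-Preferred-GC-Site'] = (Get-ADReplicationSite -Identity $RefreshFromSite).DistinguishedName
    }
    Set-ADObject -Identity $dn -Replace $new
}

Get-GcPlacementReport              | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
# Placeholder names; uncomment to make changes:
# Enable-GlobalCatalog -DcName 'BRANCHDC1'
# Enable-UniversalGroupMembershipCaching -SiteName 'Branch-Site' -RefreshFromSite 'HQ-Site'
```

Run the two report functions before and after a change to confirm the new GC or caching setting has replicated to the site you are checking from.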

Figure 3.8 Adding a Global Catalog server.

Exam Prep Questions

Question 1

There are five operations master roles on a Windows Server 2003 network. Where is the data regarding which servers are playing which roles stored?

  A. It is stored in the Registry of the server performing the role.

  B. It is stored within Active Directory.

  C. It is stored in the Registry of the clients.

  D. It is stored in a database separate from Active Directory.

Answer B is correct. This data must be in Active Directory so clients and down-level servers can query the database when an operations master is required. Answers A and C wouldn't be effective because the Registry is used only by a local machine, and if the data is stored locally, other machines on the network won't be able to access it. Answer D is incorrect because Windows Server 2003 uses no other database than Active Directory.

Question 2

Which of the following are names of the operations master roles? [Check all correct answers.]

  A. Schema Master

  B. Infrastructure Master

  C. SID Master

  D. Domain Naming Master

Answers A, B, and D are correct. The operations master roles that are missing are RID Master and PDC Emulator. Answer C is incorrect because there is no such role as the SID Master. The SID is the common domain portion that identifies a client's membership, and with the RID (relative identifier) it uniquely identifies an AD object such as a user account.

Question 3

James Pyles is attempting to create a universal group in a child domain, but the option is unavailable. There are several child domains under a single parent domain that all have the ability to create universal groups, with the exception of this one. What would be a valid reason for James having such a dilemma?

  A. The domain is still residing in Windows 2000 mixed mode.

  B. The domain is not running at the Windows Server 2003 functional level.

  C. The domain is still in Windows 2000 native mode and needs its functional level raised.

  D. James is attempting to create the group on a backup domain controller (BDC).

Answer A is correct. If James is still residing in a Windows 2000 mixed-mode scenario, his groups will be only domain local and global. Universal groups exist only in Windows 2000 native mode and at the Windows Server 2003 functional level. It is perfectly legitimate for one domain in a tree to be at the default Windows 2000 mixed mode while other child domains in the tree have had their functional levels raised. Answer B is incorrect because universal groups are also available at the Windows 2000 native mode functional level. Answer C is incorrect because Windows 2000 native mode supports universal groups, so James would not need to raise the functional level. Answer D is incorrect because domains in Windows Server 2003 do not use BDCs, nor would it matter which DC James tried to implement a security group on if the domain is not in native mode.

Question 4

Ayman Mohareb ("Mo") is a system administrator for a large company. Mo has noticed that he is getting a lot of errors in the system log of Event Viewer. The errors relate to time synchronization on his network. Mo knows that this is related to an operations master role. Which role performs time-synchronization duties?

  A. The Infrastructure Master

  B. The Schema Master

  C. The Domain Naming Master

  D. The PDC Emulator

Answer D is correct. The PDC Emulator performs time-synchronization duties within its domain. It, in turn, synchronizes with the PDC Emulator in the root domain. The PDC Emulator in the root domain should be synchronized with an external source. Answer A is incorrect because the Infrastructure Master is responsible for updating cross-domain references of objects. Answer B is incorrect because the Schema Master role is to operate as the single location where changes to the schema can be made. Answer C is incorrect because the Domain Naming Master is used to add or remove domains from the forest.

Question 5

Robyn Hitchcock is a member of the Domain Admins group in a Windows Server 2003 network. He has been asked to add a new object type to AD. However, whenever he tries to access the schema, he is denied access. A new Windows Server 2003 MCSE named Jaime Rodriguez says this is because of insufficient permissions. However, because Robyn is a member of the Domain Admins group, Robyn doubts this is true. Instead, Robyn thinks it is a network problem. Who is right?

  A. Jaime is right. Domain Admins do not have sufficient permissions to make changes to the Active Directory schema. One must be at least a Schema Admin to do this.

  B. Robyn is right. Domain Admins have all permissions on a Windows Server 2003 network; therefore, he should be able to change the schema.

  C. Neither is correct. Domain Admins can change a schema; therefore, Jaime is incorrect. However, receiving an "access denied" message indicates a server problem, not a network problem.

  D. Jaime is right. Domain Admins do not have sufficient permissions to make changes to the Active Directory schema. One must be at least an Enterprise Admin to do this.

Answer A is correct. Only members of the Schema Admins group can make changes to the schema. Therefore, answers B, C, and D are all incorrect.

Question 6

Pete Umlandt is attempting to log on to a domain called research.corp.com, although his user account is located in corp.com. Pete is using his user principal name, pete@corp.com. What feature of an Active Directory network will most assist him in logging on to the system?

  A. Universal groups

  B. Global Catalog servers

  C. Additional domain controllers

  D. Kerberos authentication

Answer B is correct. Global Catalog servers search for the domain information necessary during logon when an individual uses his user principal name. Answer A is incorrect because although universal groups can ease administration in domains that have had their functional levels raised, they won't help with logging in through a child domain. Answer C is incorrect because although additional domain controllers will add fault tolerance, they are not necessarily GC servers and will not assist in logon validation. Answer D is incorrect because although Kerberos is used to verify authentication to the resources, it doesn't assist in the location of the GC domain controller that will validate a user.

Question 7

The Domain Naming Master server has crashed. The word from the hardware techs onsite is that it will take a week to order the parts to get it back up and running. Matt Thomson is the system administrator, and this could not have happened at a worse time. Matt was due to work all weekend creating two new domains. He knows that not having a functioning Domain Naming Master will prevent him from creating new domains. Therefore, Matt decides to seize the role of Domain Naming Master. Which tool will he use to perform this task?

  A. Matt will use the Ntdsutil command-line utility.

  B. Matt will use Active Directory Domains and Trusts to seize the role, because this is a forestwide operations master.

  C. Matt will use the Active Directory Users and Computers tool. This tool is used to seize all roles except that of the Schema Master.

  D. Matt will deactivate the current Domain Naming Master with Ntdsutil. He will then use Active Directory Domains and Trusts to assign the role to another server.

Answer A is correct. There is no need to use two tools to perform this task. Matt simply needs to use Ntdsutil, a command-line utility with many different options, to seize the role. Answer B is incorrect because Active Directory Domains and Trusts is not used to seize roles. Answer C is incorrect because one cannot use Active Directory Users and Computers to seize forestwide roles. Answer D is incorrect because Active Directory Domains and Trusts is not used to seize roles.

Question 8

Marty Bouillon has just been added to the Schema Admins group, so he can make some additions to the schema of Active Directory. Marty knows that this task is very important and that he must be careful when editing the schema. Fortunately, his development background has prepared him for the task. Marty knows that he must create a custom MMC in order to edit the schema using the Schema MMC snap-in. However, when he tries to add the snap-in, it is not available on his system. He calls his help desk and asks to be added to all the necessary groups to enable this function, but the help desk tells him that it is not a permissions issue. What must Marty do to fix this problem?

  A. Marty must contact the help desk manager because the help desk is incorrect; this is a permissions issue. One must be both a member of Schema Admins and Enterprise Admins to edit the schema.

  B. Marty is obviously using a Windows 98 computer. The MMC does not work on a Windows 98 box. Marty must upgrade his system to Windows 2000 or XP.

  C. Marty must first register schmmgmt with the regsvr32 command. He will not be able to use the Schema MMC snap-in until this is done.

  D. Marty should call the help desk and ask its staff to seize the role of Schema Master. The snap-in not showing on the system is indicative of the server being unavailable.

Answer C is correct. Marty cannot use the Schema MMC snap-in until he registers schmmgmt with the regsvr32 command. Answer A is incorrect because the help desk was correct; this is not a permissions issue. Answer B is incorrect because the MMC does work on a Windows 98 box. Answer D is incorrect because Marty would not know that the Schema Master is unavailable until he tried to make a change to the schema. Because he cannot even find the snap-in, this is not the case.

Question 9

Miriam Haber is performing a review of the installation plan for her new Windows Server 2003 network. Her staff has detailed the placement of all DCs and operations masters. The administrators are in a small building on a single subnet. There are 10 administrators. The network design team proposes that two DCs be placed in its site. Because there are only 10 people, one server would be fairly slow. A more powerful server would be a Global Catalog server and the Infrastructure Master. Miriam rejects this plan and asks the network design team to reconsider. What was it about this design that she did not like?

  A. Although two DCs are reasonable in other circumstances, the role of the administrators is too important not to have at least three.

  B. The Infrastructure Master will not operate on a server that is functioning as a Global Catalog server. Either one of these tasks should be moved to the second DC.

  C. The Infrastructure Master role does not need to be close to the administrators. Because this role is used only for schema updates, it would be better to move this elsewhere and to replace the role with something more pertinent to the administrators' jobs.

  D. Miriam wants the help desk team to be moved to another site. Having it in a separate site will cause performance issues.

Answer B is correct. Although some of the other answers sound good, only answer B has it right. Two DCs should give enough redundancy, but three would not be going overboard either. However, answer A is incorrect because not having three would not cause the plan to be rejected. Answer C is incorrect because there are other roles that could be close to the administrators, too, but depending on what type of tasks are performed most commonly, it might make sense to make the Infrastructure Master closest. Answer D is incorrect because although the administrators are in a different site, that does not necessarily mean they have a slow connection to the rest of the network. Sites are also sometimes used to manage replication. Regardless of any of this, the Infrastructure Master will not operate correctly on a server that is also a Global Catalog server.

Question 10

Sandy Garrity is the design analyst who determines the AD structure for W&W, Inc. The structure takes into account the physical distribution of the company, with its headquarters in Lewisville, TX and three branch offices located in Omaha, Seoul, and Barcelona. She determines a need to create a headquarters domain root called w-w.com with three child domains beneath. By default, how many Global Catalog servers will there be for this widely dispersed solution?

  A. One

  B. Three

  C. Four

  D. Zero

Answer A is correct. The first DC for the entire forest will contain the role of Global Catalog. By default, this is the only GC in the entire forest. It is recommended that the administrator manually create additional GCs in remote locations and do so at a time when it will be the most convenient for network traffic between the GCs. GCs hold a copy of every object in the entire forest and a subset of attributes for each of those objects. Answers B and C are incorrect because they provide for too many. Answer D is also incorrect because there is always at least one GC for the forest.
