Antonio,
A couple of things here:

User account objects are stored within Active Directory, specifically in the
ntds.dit file. In WIN2000 and WIN2003 Active Directory all Domain
Controllers hold a writeable ntds.dit. That is to say, you could
create a user account object on DC01 today and a user account object on DC02
tomorrow and all Domain Controllers in that Domain (specifically in that
Domain) would have that user account. This is due to Active Directory
Replication (of which there are two types: Intra-Site and Inter-Site). It
is a rather involved process. To simplify, each Domain Controller has
replication partners. So, if you are sitting at a workstation and are using
the Adminpak to access ADUC and you are connecting to DC01 today and you
create that user account object, all of the Domain Controllers would have
that user account object rather quickly. Essentially, DC02 says to DC01 -
hey, do you have anything for me? And DC01 says to DC02 - Yep! But just a
few things right now. In the same breath DC01 is saying to DC02 - hey, do
you have anything for me? And DC02 says to DC01 - nope, not this time. AD
Replication is based on incoming connection objects. If you install the
Support Tools and use repadmin /showconn then you will see what I mean.

Now, what is this Global Catalog Server? To simplify, it holds a
'watered-down' version of all the accounts. A Global Catalog Server can
only be on a Domain Controller. So, you can say that all Global Catalog
Servers are Domain Controllers -BUT- not all Domain Controllers are Global
Catalog Servers. You create a Global Catalog Server in the Active Directory
Sites and Services MMC. There is ample documentation on how to do this.

Why do you need a Global Catalog Server to be available to log on? Well, in
a WIN2000 AD environment running in Native Mode you do, while in a Mixed Mode
you do not. Huh? You see, in a Native Mode environment Universal Groups
are available. Not the case in a Mixed Mode environment. The GC is
necessary to 'break down the membership' of Universal Groups. If a GC is
not available then you will not get this group membership of each user
account object completely correct, so a security token will not be completely
generated (that is to say, it will not be generated). There are a couple
of ways around this with some registry entries but we really do not want to
mess with this. I believe - and I think that it was Simon who just recently
answered a similar question - that in WIN2003 there is something called
Universal Group Caching. I have not played with WIN2003 very much at all so
I cannot really say for sure. If Simon was indeed the person who made this
statement then I am quite confident that it is accurate.

Does this help?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
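
The "do you have anything for me?" exchange described in the post above, as an added Python sketch that is not part of the original message: each DC pulls changes from the partners named by its inbound connections, tracking a per-partner USN watermark. The class, function and account names are constructed for illustration; sites, schedules and conflict resolution are not modelled.

```python
# Added illustration: constructed model, not real AD code or data.
from dataclasses import dataclass, field

@dataclass
class DC:
    name: str
    usn: int = 0                                   # local update sequence number
    objects: dict = field(default_factory=dict)    # object -> (originating DC, originating USN)
    log: list = field(default_factory=list)        # (local USN, object) in commit order
    inbound: list = field(default_factory=list, repr=False, compare=False)  # partners pulled from
    watermark: dict = field(default_factory=dict)  # partner name -> highest partner USN seen

    def _commit(self, obj, stamp):
        self.usn += 1
        self.objects[obj] = stamp
        self.log.append((self.usn, obj))

    def create(self, obj):
        """Originating write: every DC holds a writeable copy, so any DC accepts it."""
        self._commit(obj, (self.name, self.usn + 1))

    def changes_since(self, usn):
        return [(u, o, self.objects[o]) for u, o in self.log if u > usn]

    def pull(self):
        """Ask each inbound partner 'do you have anything for me?'; return changes applied."""
        applied = 0
        for src in self.inbound:
            for u, obj, stamp in src.changes_since(self.watermark.get(src.name, 0)):
                self.watermark[src.name] = u
                if self.objects.get(obj) != stamp:  # already received via another path
                    self._commit(obj, stamp)
                    applied += 1
        return applied

def converge(dcs):
    """Run pull rounds until a full round applies nothing; return rounds that did work."""
    rounds = 0
    while sum(dc.pull() for dc in dcs):
        rounds += 1
    return rounds

def build_demo():
    dc01, dc02, dc03 = DC("DC01"), DC("DC02"), DC("DC03")
    dc01.inbound, dc02.inbound, dc03.inbound = [dc02], [dc01, dc03], [dc02]
    dc01.create("alice")   # created on DC01 "today"
    dc02.create("bob")     # created on DC02 "tomorrow"
    return [dc01, dc02, dc03]
```

Calling `converge(build_demo())` leaves both accounts on all three DCs; DC03 has no direct connection to DC01 and receives `alice` through DC02.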