MCITP 70-640: Global Catalog Server

Captions
Welcome to the next free video in this free Active Directory course for the 70-640 exam. In this video I will look at the global catalog server. As we know from the previous videos, each domain in an Active Directory forest has its own copy of the Active Directory database. This is stored in the ntds.dit file, and changes are replicated to each domain controller in the domain. This works quite well when you want to access resources that are only in the one domain, but what happens when you attempt to access a resource in a different part of the forest? If the resource you are trying to access is in the same forest, Windows will automatically use your existing logon credentials to access the remote resource, and assuming you have permission to the resource you will be given access. The problem occurs when you want to access a resource somewhere in the forest and you don't know where it is. A domain only knows about objects that are in the domain itself; it does not hold information about objects that exist in other domains. To allow users to find resources anywhere in the forest, Windows allows a domain controller to function as a global catalog server.

A global catalog server acts as an index for the forest. Just like an index in a library, a global catalog server helps users find information. Any domain controller can be made a global catalog server; it is just a matter of ticking a tick box. Objects in Active Directory have a number of attributes assigned to them. The global catalog contains information about every object in the forest, but this is not a full record of each object, only a subset of each object's attributes, known as the partial attribute set. In other words, only certain attributes are replicated to the global catalog. The information replicated is enough to find objects in the forest.
Just like an index in a library contains key information such as the title and author of each book, the global catalog contains key information about every object in the forest. Having global catalog servers, or GCs, means users in different domains can run queries against a GC to find any object in the forest. Since users in one domain can access resources in other domains in the forest, there are also groups that work across the forest. These groups can contain users from any domain in the forest, and the global catalog is responsible for keeping the membership information for these groups. Any domain controller can be a global catalog server. Every forest needs at least one global catalog server, and in practice you want at least one in each domain. If you have a large enough domain you should also have additional global catalog servers for redundancy. Losing your only global catalog server can cause problems, but as long as you have one global catalog server left you can always make more domain controllers into global catalog servers. To make things as simple as possible, there is nothing stopping you from making all your domain controllers global catalog servers. In fact, Windows Server 2008 by default makes a new domain controller a global catalog server when it is promoted. The disadvantage of having more global catalog servers is that they require more disk space and more replication bandwidth. Nowadays, with disk space and network bandwidth a lot cheaper and more readily available, making all domain controllers global catalog servers is not the concern it once was. This is why Microsoft makes all domain controllers global catalog servers by default. You can always switch this off when you promote the server, or later on if you decide to. I will now change to my Windows server to show you how to make a domain controller a global catalog server, or change it back if the global catalog is no longer required.
First of all I will open Server Manager from Administrative Tools under the Start menu. From here, expand down through Roles to Active Directory Domain Services. This contains some of the admin tools for Active Directory; the tool I am interested in is Active Directory Users and Computers. You could also run this tool by itself from the Start menu. If I now expand down to Domain Controllers, this will show all the domain controllers in this domain. To add or remove the global catalog on a domain controller, open the properties of its computer account. On the General tab select the NTDS Settings button. In the NTDS Settings you have a tick box labelled Global Catalog. To remove the global catalog, simply un-tick the box; to make the domain controller a global catalog server, tick it. Once you tick or un-tick the box, Windows does the rest: the partial attribute set for the other domains replicates in, and when that is complete the domain controller starts advertising itself as a global catalog.

Making a domain controller into a global catalog server, or removing the global catalog, is a simple task. The harder question is which domain controllers should be made global catalog servers. If you have the bandwidth and hard disk space you can simply make all domain controllers global catalog servers; this is the easiest solution. One question you should also ask yourself is where these domain controllers need to be placed. Domain controllers authenticate users, but they don't have to be near the users. For example, if you had a small office of only a few users it would not be worth the money to deploy a domain controller to that location. If the link between the small office and head office was unreliable, however, you might deploy a domain controller there to ensure users can always log on to the network. The next decision is whether you want to make that domain controller a global catalog server as well. Let's have a look at some of the reasons why you would deploy global catalog servers in certain locations.
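The same change made from PowerShell instead of the NTDS Settings tick box, as an added example that is not code from the ITFreeTraining video. It assumes you run it as a Domain Admin on a machine with RSAT installed; the DC name "DC2.itfreetraining.local" is hypothetical. The script flips the same bit the tick box flips, then waits until the server actually answers as a global catalog, because ticking the box is only the start of the job.

```powershell
# Added example; this is not code from the ITFreeTraining video. It does with the
# ActiveDirectory module what the NTDS Settings tick box does in the GUI.
# Assumptions (hypothetical): run as a Domain Admin with RSAT installed, and
# "DC2.itfreetraining.local" is the domain controller you want to change.
Import-Module ActiveDirectory

# 1. Inventory: which domain controllers in the forest already hold the global catalog?
Get-ADDomainController -Filter * |
    Select-Object HostName, Domain, Site, IsGlobalCatalog |
    Format-Table -AutoSize

# 2. The Global Catalog tick box sets bit 0x1 (NTDSDSA_OPT_IS_GC) of the "options"
#    attribute on the DC's NTDS Settings object, so that is the bit we flip here.
function Set-GlobalCatalog {
    param(
        [Parameter(Mandatory)] [string] $DcName,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = if ($null -eq $ntds.options) { 0 } else { [int]$ntds.options }

    $newOpts = if ($Enabled) { $opts -bor 1 } else { $opts -band (-bnot 1) }
    if ($newOpts -eq $opts) {
        Write-Host "$DcName already has IsGlobalCatalog = $Enabled; nothing to change."
        return
    }
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $newOpts }
    Write-Host "options set to $newOpts on $($dc.NTDSSettingsObjectDN)"
}

# 3. Ticking the box only starts the job. The DC must first replicate in the partial
#    attribute set of the other domains; until rootDSE reports isGlobalCatalogReady=TRUE
#    it does not register _gc._tcp SRV records or answer on TCP 3268.
function Wait-GlobalCatalogReady {
    param([string] $DcName, [int] $TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ready = ([ADSI]"LDAP://$DcName/RootDSE").isGlobalCatalogReady -eq 'TRUE'
        $port  = (Test-NetConnection -ComputerName $DcName -Port 3268 -WarningAction SilentlyContinue).TcpTestSucceeded
        if ($ready -and $port) { return $true }
        Start-Sleep -Seconds 30
    } until ((Get-Date) -gt $deadline)
    return $false
}

Set-GlobalCatalog -DcName "DC2.itfreetraining.local" -Enabled $true
if (Wait-GlobalCatalogReady -DcName "DC2.itfreetraining.local") {
    Write-Host "DC2 is now advertising as a global catalog."
} else {
    Write-Warning "DC2 is flagged as a GC but not ready yet; check inbound replication with repadmin /showrepl DC2."
}
```

Pass `-Enabled $false` to remove the global catalog again; `repadmin /options DC2 +IS_GC` (or `-IS_GC`) sets the same bit from the command line. Before removing a GC, check nothing is hard-wired to it (Exchange, LDAP applications pointed at port 3268), and remember that wherever you put a GC you are also putting a copy of the forest's partial attribute set that any authenticated user who can reach TCP 3268/3269 can query.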
Global catalogs are used when a user first logs on. You would think a normal domain controller would have all the information needed to log a user on, but this is not correct. Domain controllers do not contain forest-wide information, and the most notable missing information is universal group membership. Groups and universal groups are covered in more detail later in the course, so I will not go into much detail about them in this video. Universal groups are groups that can include users from different domains in the forest, so a regular domain controller in one domain simply does not have the full membership information. Even if you have a single domain and a single forest you could still put a user in a universal group, and thus you always need a global catalog server.

To illustrate this better, consider what happens when you first log on to a domain. When you first log on, Windows creates a security token for you. This token contains your account's SID and the SIDs of every group you belong to, and that list is what determines what you have access to. In order to create this token, Windows needs to know every group you are a member of. The token is created when you first log on, and only then. From a computing perspective it is time consuming to generate this token, which is why it is only done once. This is also why, if you change the group membership of a user, the change does not take effect until that user logs off and logs back on again. The global catalog server is required to determine which universal groups the user is a member of. Windows can cache logon credentials on the client, so if a global catalog server can't be contacted the user may still be able to log on with cached credentials, but it is best to always have a global catalog available on the network to ensure users don't have any problems logging on. The second reason you need global catalog servers is that they are required when a user logs on using a User Principal Name, or UPN. A UPN is simply a username in the form username@domainname.
The UPN is unique across the forest, but the UPN suffix does not have to match the name of the domain that holds the account. For example, you could have a domain called ITFreeTraining and a domain called High Cost Training. Due to High Cost Training's failure in the marketplace, its employees were moved to ITFreeTraining, but their user accounts stayed in the High Cost Training domain. This was done because the corporate change happened quickly, but it will take time for the IT department to move the users from the High Cost Training domain to the ITFreeTraining domain. These kinds of things happen often in business: people move from area to area, companies are purchased and sold, and businesses are restructured. The IT department needs to be able to respond quickly to changing business needs, and these quick changes may mean a user's UPN does not match the domain their account is in. Because of this, you need a global catalog server to work out where in the forest the user's account is located.

The next reason you need a global catalog server is that it is used to locate directory information regardless of where in the forest the object is. If you did not have a global catalog server you would need to know exactly which domain the information is located in, and forest-wide services could not exist. If you wanted to search for all large-format color printers in the forest, for example, you could not do so without a global catalog server. The next recommendation for global catalog placement is to place a global catalog server at each of your sites that is separated from the others by a wide area network. In some cases you may have a high speed link between the user and the server, but it may be blocked by a firewall. If you can't open the global catalog ports (TCP 3268 for LDAP and 3269 for LDAPS) between the client and the server, you may need to place a global catalog server local to the client. This can also apply if the link between the client and the global catalog server is unreliable.
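The three kinds of lookup just described (a UPN whose suffix does not match the account's domain, universal group membership for the logon token, and a forest-wide printer search) as queries against the global catalog port, in an added example that is not code from the ITFreeTraining video. The forest name "itfreetraining.local", the second tree "highcosttraining.local" and the user "jsmith@itfreetraining.local" are hypothetical; the script assumes a domain-joined host with RSAT. It also escapes filter values, because a UPN that comes from a web form or an API call must not be able to rewrite the LDAP filter.

```powershell
# Added example; not code from the ITFreeTraining video. It runs the three kinds of
# lookup the transcript says need a global catalog as LDAP searches on TCP 3268:
#   a) resolve a UPN whose suffix does not match the domain holding the account,
#   b) list the universal groups a user belongs to (what a DC asks a GC for when it
#      builds the logon token),
#   c) a forest-wide search, here for color printers, that no single domain can answer.
# Hypothetical names: forest "itfreetraining.local" with a second tree
# "highcosttraining.local". Run on a domain-joined host with RSAT installed.
Import-Module ActiveDirectory

# DC locator finds a GC the same way a logon does.
$gc       = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
$gcServer = "${gc}:3268"   # 3268 = GC over LDAP, 3269 = GC over LDAPS

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a value taken from a form or API cannot rewrite the filter.
    param([Parameter(Mandatory)] [string] $Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# -SearchBase "" on a GC port searches every partition the GC holds, not just the
# connected DC's own domain partition.
function Resolve-UpnViaGC {
    param([Parameter(Mandatory)] [string] $Upn)
    $filter = "(userPrincipalName=$(ConvertTo-LdapFilterValue $Upn))"
    $u = Get-ADUser -Server $gcServer -SearchBase "" -LDAPFilter $filter -Properties canonicalName
    if (-not $u) { throw "No account in the forest has UPN $Upn" }
    [pscustomobject]@{
        Upn        = $Upn
        HomeDomain = ($u.CanonicalName -split '/')[0]   # DNS name of the domain holding the account
        DN         = $u.DistinguishedName
    }
}

function Get-UniversalGroupsViaGC {
    param([Parameter(Mandatory)] [string] $UserDn)
    # groupType bit 0x8 = universal scope; 1.2.840.113556.1.4.803 is the LDAP
    # bitwise-AND matching rule. Universal group membership is replicated to every GC,
    # so this works no matter which domain created the group.
    $dn = ConvertTo-LdapFilterValue $UserDn
    Get-ADGroup -Server $gcServer -SearchBase "" `
        -LDAPFilter "(&(groupType:1.2.840.113556.1.4.803:=8)(member=$dn))" |
        Select-Object Name, DistinguishedName
}

function Find-ColorPrintersViaGC {
    # Only attributes in the partial attribute set come back from a GC. If one you need
    # is missing, it must be added to the PAS in the schema before a GC search returns it.
    Get-ADObject -Server $gcServer -SearchBase "" `
        -LDAPFilter "(&(objectCategory=printQueue)(printColor=TRUE))" `
        -Properties printerName, serverName, location |
        Select-Object printerName, serverName, location
}

$acct = Resolve-UpnViaGC -Upn "jsmith@itfreetraining.local"
$acct        # HomeDomain reads highcosttraining.local even though the UPN suffix says otherwise
Get-UniversalGroupsViaGC -UserDn $acct.DN
Find-ColorPrintersViaGC
```

Run the same three queries against port 389 of a single domain controller and the UPN lookup and the printer search only find objects in that DC's own domain, which is the gap the global catalog fills.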
If this occurs you should make a domain controller on the local network a global catalog server, or deploy a new domain controller to that network. The next reason for global catalog placement is that some software requires a global catalog in order to run. Microsoft Exchange is an excellent example of this: if you have software like Exchange you need a global catalog server available for it to run. On large networks you should consider having more than one global catalog server available on the local network. This gives you redundancy in case one of the servers is not available, and it also spreads the load between the servers. In busy environments, load balancing between global catalog servers will help keep response times low.

Now that I have looked at all the reasons you would want to use global catalog servers, let's look at why you would not. A global catalog server contains a partial replica of every object in the forest, and thus takes on more load answering queries: it must answer GC queries as well as authenticate users. A global catalog server also requires additional network traffic and hard disk space to receive forest-wide changes. In a small forest with not many users this won't be noticeable, but in a large forest with a high volume of users, and thus a high rate of changes, it can make a difference. Having said this, careful planning is important in global catalog placement. If possible I would personally make all domain controllers global catalog servers, as this is the simplest configuration to support, assuming the network can support it. In the next video I will look at operations master roles. These are unique roles at the forest and domain level. Like global catalog servers, these operations master roles take some planning to place correctly. Once again, thanks for watching our always free videos.
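A client-side check of the placement advice above (a GC per WAN-separated site, GC ports not blocked by a firewall, more than one GC for redundancy), as an added example that is not code from the ITFreeTraining video. The forest name "itfreetraining.local" and the site name "BranchOffice" are hypothetical. It reads the SRV records a global catalog registers in DNS and then tests whether the advertised servers actually answer on the GC ports from where the script runs.

```powershell
# Added example; not code from the ITFreeTraining video. Checks, from a client's point
# of view, whether an AD site has a reachable global catalog. Hypothetical names:
# forest "itfreetraining.local", AD site "BranchOffice". Run on any domain-joined host.
param(
    [string] $Forest = "itfreetraining.local",
    [string] $Site   = "BranchOffice"
)

function Get-GcSrvRecords {
    param([string] $Forest, [string] $Site)
    # A GC registers itself under _gc._tcp. Clients try the site-specific record first
    # and only fall back to the forest-wide record when their own site has no GC.
    $names = @("_gc._tcp.$Site._sites.$Forest", "_gc._tcp.$Forest")
    foreach ($name in $names) {
        $recs = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{ Query = $name; Targets = @($recs | ForEach-Object NameTarget) }
    }
}

function Test-GcReachable {
    param([string] $GcHost)
    # DNS saying a GC exists is not the same as being able to talk to it: a firewall
    # between the site and the GC shows up here as TcpTestSucceeded = False.
    $ldap  = Test-NetConnection -ComputerName $GcHost -Port 3268 -WarningAction SilentlyContinue
    $ldaps = Test-NetConnection -ComputerName $GcHost -Port 3269 -WarningAction SilentlyContinue
    $rtt   = if ($ldap.PingSucceeded) { $ldap.PingReplyDetails.RoundtripTime } else { $null }
    [pscustomobject]@{
        GC          = $GcHost
        Tcp3268     = $ldap.TcpTestSucceeded    # GC over LDAP
        Tcp3269     = $ldaps.TcpTestSucceeded   # GC over LDAPS
        RoundTripMs = $rtt                      # high values mean the GC is across the WAN
    }
}

$srv     = Get-GcSrvRecords -Forest $Forest -Site $Site
$siteGcs = $srv[0].Targets
if ($siteGcs.Count -eq 0) {
    Write-Warning "No GC registered for site $Site; clients fall back to $($srv[1].Targets -join ', ') across the WAN."
    $toTest = $srv[1].Targets
} else {
    $toTest = $siteGcs
}

$results = $toTest | ForEach-Object { Test-GcReachable -GcHost $_ }
$results | Format-Table -AutoSize

# One reachable GC keeps logons and Exchange working; two or more is the redundancy
# the transcript recommends, and with none, users depend on cached credentials.
$ok = @($results | Where-Object { $_.Tcp3268 -or $_.Tcp3269 })
if ($ok.Count -eq 0)     { Write-Error   "No reachable global catalog from this site." }
elseif ($ok.Count -eq 1) { Write-Warning "Only one reachable GC ($($ok[0].GC)); no redundancy." }
else                     { Write-Host    "$($ok.Count) global catalogs reachable from site $Site." }
```

`nltest /dsgetdc:itfreetraining.local /gc /site:BranchOffice` asks the DC locator the same question and is useful for comparing what the locator chose with what DNS advertises. A site whose only reachable GC sits behind a firewall that drops 3268/3269 is exactly the case where the transcript says to make a local domain controller a global catalog.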
Info
Channel: itfreetraining
Views: 208,136
Keywords: Global Catalog, GC, 70-640, MCITP, MCTS, Windows Server 2008, Windows Server 2008 R2, ITFreeTraining, Active Directory (Software), Microsoft Certified Professional, Software (Industry)
Id: v0G2u_XUrwk
Length: 13min 39sec (819 seconds)
Published: Tue Oct 18 2011