AD 2K vs. 2k3 Global Catalog Server Requirement for user logon

Tags:
Active Directory
Hi, I'm Philipp from Germany. I'm an active member of a German Microsoft support community, www.mcseboard.de, and a few weeks ago we had a discussion about the global catalog requirement, and IMHO we couldn't find the right answer. Perhaps someone can help me here.

After I had looked at these resources:

TechNet Support WebCast: Overview of universal group caching in Microsoft Windows Server 2003
http://support.microsoft.com/?scid=...93435&x=15&y=10

Global Catalog Server Requirement for User and Computer Logon
http://support.microsoft.com/defaul...kb;en-us;216970

Windows Server Hacks: Configuring Universal Group Caching
http://www.windowsdevcenter.com/pub...ug_caching.html

I came to this conclusion; please correct me if I wrote nonsense:

1. W2k Mixed Mode: No GC is needed for user logon.
2. W2k Native Mode: A GC is needed for user logon regardless of whether the user belongs to a universal group or a group that is nested in a universal one. This behavior could be changed, but that's not recommended. When no GC is online, cached credentials will be used to log on; when credential caching is disabled, logon fails.
3. W2k Native Mode with one or more W2k3 DCs in the AD: On the 2k3 DC universal group caching could be enabled, but that's not recommended; otherwise as in number two.
4. W2k3 Native Mode: Universal group caching could be activated. When it is, no global catalog is needed for users who are in the cache. (By default universal group caching is not activated, so logon will fail when no GC is there and cached credentials are deactivated.)

BTW: I'm wondering why I don't find any good resources or KB articles that go into more detail or list the global catalog requirements for 2k and 2k3.

Best Regards
Philipp K.

Answer Wiki


Global Catalog may be the least appreciated and most important part of Active Directory. Universal groups and ‘caching’ of credentials are workarounds. In a perfect world you would validate against the domain controller at every login. This is not a perfect world, and networks are about as far from perfect as you can get. Preferred practice is to deprecate ‘caching’. But even Microsoft has ‘gotchas’. Turning on the firewall after installing SP1 on a 2k3 server can break ‘Global Catalog’ if you didn’t open the port. By this time next year there will be MANY KB articles.
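Added example, not part of the original thread: given the `options` values exported from each site's NTDS Site Settings object and each DC's NTDS Settings object, this classifies which sites depend on a Global Catalog elsewhere for native-mode logons, or on a single local one. The site names, DC names and sample values are constructed; the two bit flags are the documented Active Directory values.

```python
from dataclasses import dataclass, field

# Bit flags in the "options" attribute (documented Active Directory values).
NTDSDSA_OPT_IS_GC = 0x1          # on a DC's "NTDS Settings" object
GROUP_CACHING_ENABLED = 0x20     # on a site's "NTDS Site Settings" object

@dataclass
class Site:
    name: str
    site_options: int                                # options of NTDS Site Settings
    dc_options: dict = field(default_factory=dict)   # DC name -> options of NTDS Settings

def local_gcs(site):
    """Names of DCs in the site that host a Global Catalog."""
    return sorted(dc for dc, opt in site.dc_options.items() if opt & NTDSDSA_OPT_IS_GC)

def logon_dependency(site):
    """Classify what a native-mode user logon in this site relies on."""
    gcs = local_gcs(site)
    if len(gcs) >= 2:
        return "local-gc-redundant"
    if len(gcs) == 1:
        return "local-gc-single"          # one failure away from needing a remote GC
    if not site.dc_options:
        return "no-dc"                    # clients authenticate against another site
    if site.site_options & GROUP_CACHING_ENABLED:
        return "remote-gc-with-cache"     # only users already cached survive a WAN outage
    return "remote-gc-required"           # each logon needs a GC in another site

def sites_at_risk(sites):
    """Sites where losing one server or one link can block logons."""
    risky = {"local-gc-single", "remote-gc-with-cache", "remote-gc-required"}
    return {s.name: logon_dependency(s) for s in sites if logon_dependency(s) in risky}

# Constructed sample inventory (hypothetical site and DC names).
SAMPLE = [
    Site("HQ", 0x00, {"HQ-DC1": 0x1, "HQ-DC2": 0x1}),
    Site("Branch-A", 0x20, {"BRA-DC1": 0x0}),
    Site("Branch-B", 0x00, {"BRB-DC1": 0x0}),
    Site("Branch-C", 0x00, {"BRC-DC1": 0x1}),
]

if __name__ == "__main__":
    for name, state in sites_at_risk(SAMPLE).items():
        print(f"{name}: {state}")
```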

Discuss This Question: 4  Replies

 
  • Cptrelentless
    If you run the Security Configuration Wizard rather than just turning on the firewall then you don't have issues with GC ports being blocked etc. You may have issues with 3rd party software but this is the best way of ensuring Microsoft services all work correctly.
  • Astronomer
    This is slightly tangential to your discussion, but the global catalog is needed for more than just logins. When I was hired we had a Win2k mixed mode environment with just two Win2k domain controllers and lots of NT 4.0 domain controllers. After installing Exchange 2003 we discovered that if the global catalog server went down, people couldn't attach to the Exchange server. My workaround for this was to set up another DC with a global catalog on an old workstation. This should hold us until we finish replacing the NT 4.0 boxes with modern servers. rt
  • PhilippK
    Thank you for your answers, but I'm sorry, I have no problem with the firewall... and in my theory there are no Exchange servers in the domain... I know that Exchange needs a GC. Regards Kohn
  • Ramheka
    Hi there, GC improves searches within your AD as it stores 64 of the most used attributes of each object, and universal groups do belong in the GC, so know-how of site replication is important.