Active Directory 2008: Global Catalog and UGMC Facts…

Global Catalog and UGMC Facts

In a multiple-domain and multiple-site design, user logon and forest-wide searches require that multiple domains be contacted to identify user accounts and to identify membership in universal groups. To improve performance in these situations, use the following features:

Feature: Global Catalog

The Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog server.

  • By default, all domain controllers are global catalog servers.
  • The Global Catalog facilitates faster searches because different domain controllers do not have to be referenced.
  • The Global Catalog is distributed through multimaster replication.

To designate a server as a global catalog server, use one of the following:

  • In Active Directory Users and Computers, edit the domain controller computer account. On the General tab, click the NTDS Settings… button.
  • In Active Directory Sites and Services, edit the NTDS Settings properties beneath the server object.

Promoting a domain controller to be a global catalog server commonly takes a significant amount of time. Make sure that there is sufficient time for the account and the schema information to replicate to the new global catalog server.

To add an attribute to the Global Catalog for a forest, use the Active Directory Schema snap-in to:

  1. Extend the Active Directory Schema.
  2. Edit the attribute’s properties and select Replicate this attribute to the Global Catalog.

Feature: Universal Group Membership Caching (UGMC)

As its name implies, the Universal Group Membership Caching feature caches the group membership of universal groups. During logon, universal group membership is checked for the user. By caching the group membership on a local domain controller:

  • The authenticating domain controller does not need to contact other domain controllers for the group membership information.
  • Logon will still be allowed in the event of a WAN failure that separates a remote site from the remainder of the network.

Edit the NTDS Site Settings of the site to enable UGMC. All domain controllers in a site must be running Windows Server 2003 or higher for universal group membership caching to work.

Within a site, you will typically use either a global catalog server or Universal Group Membership Caching, but not both. Place a global catalog server in the site if any of the following are true; use UGMC if none of them is true:

  • The site has more than 100 users.
  • The WAN link connecting the site to the rest of the network is reliable and fast.
  • The location has roaming users.
  • The location runs an application that requires a global catalog server.
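Both decisions above are recorded in the configuration partition: the GC flag lives in the options attribute of each domain controller's NTDS Settings object, and the UGMC flag in the options attribute of the site's NTDS Site Settings object. The following PowerShell script is an added example, not code from the original page; it audits every site in the forest and flags sites that have neither a GC nor UGMC, or both, against the rule stated above. It assumes a domain-joined machine and an ordinary domain account, and uses only the built-in [ADSI] type accelerator (System.DirectoryServices), so it also runs on Windows Server 2008 without the ActiveDirectory module. The bit values are the ones documented for the options attribute in MS-ADTS.

```powershell
# Added example (not from the original page): audit per-site Global Catalog and UGMC
# state by reading the NTDS Settings and NTDS Site Settings objects the GUI edits.
# Assumes a domain-joined host and a domain account; only [ADSI] is used.

# Flag bits of the 'options' attribute as documented in MS-ADTS.
$NTDSDSA_OPT_IS_GC                         = 0x01  # NTDS Settings: this DC hosts the Global Catalog
$NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = 0x20  # NTDS Site Settings: UGMC enabled for the site

function Get-OptionsValue {
    # 'options' is absent until something has set it; treat absent as 0.
    param($Entry)
    $v = $Entry.Properties['options'].Value
    if ($v -eq $null) { 0 } else { [int]$v }
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$sites    = [ADSI]"LDAP://CN=Sites,$configNC"

$report = foreach ($site in $sites.Children) {
    if ($site.SchemaClassName -ne 'site') { continue }
    $siteDN   = $site.Properties['distinguishedName'].Value
    $siteName = $site.Properties['cn'].Value

    # UGMC is a per-site setting ("Edit the NTDS Site Settings of the site").
    $siteSettings = [ADSI]"LDAP://CN=NTDS Site Settings,$siteDN"
    $ugmc = ((Get-OptionsValue $siteSettings) -band $NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) -ne 0

    # Every DC in the site has a server object with an NTDS Settings child; bit 0x1 marks a GC.
    $dcCount = 0; $gcCount = 0
    $servers = [ADSI]"LDAP://CN=Servers,$siteDN"
    foreach ($server in $servers.Children) {
        if ($server.SchemaClassName -ne 'server') { continue }
        $ntdsPath = "LDAP://CN=NTDS Settings,$($server.Properties['distinguishedName'].Value)"
        # A server object without an NTDS Settings child is not (or is no longer) a DC.
        if (-not [ADSI]::Exists($ntdsPath)) { continue }
        $dcCount++
        if (((Get-OptionsValue ([ADSI]$ntdsPath)) -band $NTDSDSA_OPT_IS_GC) -ne 0) { $gcCount++ }
    }

    # Apply the page's rule: a site normally relies on a GC or on UGMC, not both and not neither.
    $finding = if ($gcCount -gt 0 -and $ugmc) { 'GC present and UGMC enabled: one of the two is redundant' }
               elseif ($gcCount -eq 0 -and -not $ugmc) { 'No GC and no UGMC: logons depend on a GC across the WAN' }
               elseif ($gcCount -gt 0) { 'GC in site' }
               else { 'UGMC only' }

    New-Object PSObject -Property @{
        Site = $siteName; DomainControllers = $dcCount; GlobalCatalogs = $gcCount
        UGMCEnabled = $ugmc; Finding = $finding
    }
}

$report | Sort-Object Site |
    Format-Table Site, DomainControllers, GlobalCatalogs, UGMCEnabled, Finding -AutoSize
```

Running it before and after a change made in the consoles described above shows when the new GC flag has actually replicated, which matters given the warning that promotion takes time: a DC whose NTDS Settings object does not yet carry bit 0x1 is not serving Global Catalog queries, whatever the console says locally.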

Lightweight Directory Access Protocol (LDAP) is the primary protocol for communicating with the directory, including the Global Catalog. Be aware of the following LDAP details:

  • LDAP runs directly over TCP/IP, and it can also run over User Datagram Protocol (UDP) connectionless transports.
  • Clients use LDAP to query, create, update, and delete information that is stored in a directory service over a TCP connection through the TCP default port 389. When a search request is sent to port 389, the search is conducted on a single domain directory partition.
  • If the object is not found in that domain or in the schema or configuration directory partitions, the domain controller refers the request to a domain controller in the domain that is indicated in the distinguished name of the object.
  • Global catalog clients can use LDAP to query Active Directory over a TCP connection through TCP port 3268.
    • When a search request is sent to port 3268, the search includes all directory partitions in the forest (i.e. the search is processed by a global catalog server).
    • Only global catalog servers receive LDAP requests through port 3268.
  • Active Directory supports LDAP v2 and LDAP v3. LDAP v3 is an industry standard that can be used with any directory service that implements the LDAP protocol. LDAP v3 is backward compatible with LDAP v2.
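The difference between port 389 and port 3268 is easiest to see by running the same filter against both on one domain controller. The PowerShell script below is an added example, not code from the original page. It assumes a domain-joined client, and the values of $Dc and $Account are placeholders to replace with a real domain controller host name and a real sAMAccountName. It also ties the port difference back to the Global Catalog's partial attribute set: the attributes a GC can return are exactly those whose schema object has isMemberOfPartialAttributeSet set to TRUE, which is what the "Replicate this attribute to the Global Catalog" checkbox toggles.

```powershell
# Added example (not from the original page): contrast a single-domain search on
# port 389 with a forest-wide Global Catalog search on port 3268, then show which
# requested attributes the GC can return at all (the partial attribute set).
# Assumes a domain-joined client; $Dc and $Account are placeholders.
$Dc      = 'dc01.example.com'   # placeholder: a DC host name
$Account = 'jdoe'               # placeholder: a populated user account

function Search-Directory {
    param([string]$Path, [string]$Filter, [string[]]$Attributes)
    $root     = New-Object System.DirectoryServices.DirectoryEntry($Path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attributes)
    $searcher.PageSize = 500
    $searcher.FindAll()
}

# RootDSE tells us the partitions this DC knows about.
$rootDse  = [ADSI]"LDAP://${Dc}/RootDSE"
$domainNC = $rootDse.Properties['defaultNamingContext'].Value
$forestNC = $rootDse.Properties['rootDomainNamingContext'].Value
$schemaNC = $rootDse.Properties['schemaNamingContext'].Value

$filter = "(&(objectCategory=person)(sAMAccountName=$Account))"
$attrs  = @('distinguishedName', 'sAMAccountName', 'userPrincipalName', 'info', 'carLicense')

# 1. Port 389: the search covers only the domain partition this DC hosts.
$domainHits = Search-Directory "LDAP://${Dc}:389/$domainNC" $filter $attrs

# 2. Port 3268: the same filter evaluated over every partition in the forest.
#    Only GCs listen on 3268, so a refused connection here means $Dc is not a GC.
$forestHits = Search-Directory "LDAP://${Dc}:3268/$forestNC" $filter $attrs

"Port 389  (domain $domainNC): {0} result(s)" -f $domainHits.Count
"Port 3268 (forest-wide):     {0} result(s)" -f $forestHits.Count

# 3. The partial attribute set: schema attributes flagged for GC replication.
$pasFilter = '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))'
$pas = Search-Directory "LDAP://${Dc}:389/$schemaNC" $pasFilter @('lDAPDisplayName') |
       ForEach-Object { $_.Properties['ldapdisplayname'][0] }

# For each requested attribute, compare schema flag against what the GC actually returned.
# Note: an attribute with no value is omitted on both ports, so use a populated account.
foreach ($a in $attrs) {
    New-Object PSObject -Property @{
        Attribute             = $a
        InPartialAttributeSet = ($pas -contains $a)
        ReturnedOn389         = ($domainHits.Count -gt 0) -and $domainHits[0].Properties.Contains($a)
        ReturnedOn3268        = ($forestHits.Count -gt 0) -and $forestHits[0].Properties.Contains($a)
    }
} | Format-Table Attribute, InPartialAttributeSet, ReturnedOn389, ReturnedOn3268 -AutoSize
```

An attribute that comes back on 389 but not on 3268 is one the schema does not replicate to the Global Catalog; adding it through the Schema snap-in as described above, and waiting for replication, is what makes it appear in the 3268 result. The same contrast is useful when monitoring: a process that queries 3268 is asking a GC, and a DC that is not a GC simply will not answer on that port.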
