Tips and Tricks
Global Catalog Placement
How the GC plays a role in Active Directory.
There’s a lot of confusion about the role of global catalog (GC) servers in the logon process and where cached credentials come into play. This month, I’ll try to clear up the confusion and offer tips for improving logon support in an Active Directory environment.
First of all, the GC does play an important role in the logon process. Keep in mind that a domain controller (DC) can only supply membership information about the groups from its own domain; only a GC is capable of showing which other Universal Security Groups a user belongs to. So, the DC that processes a user’s logon must contact a GC in order to see what Universal Groups from other domains the user belongs to. The GC is actually a shortcut, allowing a single server to provide all Universal Group information, rather than having the authenticating DC contact each domain in the forest independently. The GC’s role is an important factor in network design: If you don’t want DCs to traverse a WAN link in order to process logons, make sure their local site includes at least one GC (or two, if you want fault tolerance). Of course, GCs do have their own replication requirements, so that will be a bit of extra traffic on the WAN.
Note that GCs in a single-domain forest do not require a lot of extra traffic because every DC already knows everything there is to know about the forest. In fact, the authenticating DC doesn’t need to contact a GC in a single-domain forest, because every DC in the forest already knows about all the Universal Groups that could possibly exist. DCs in a Windows 2000 mixed-mode domain won’t check with a GC either, because they don’t support Universal Groups. In a multiple-domain forest, GCs also allow users to log on through a DC that isn’t in their own domain: The DC uses the GC to locate the user’s home domain, which handles the logon.
How Many GCs Is Enough?
Reduce across-the-WAN replication traffic by reducing the number of GC servers on your network. Clients can still log on using a Windows 2003 DC, thanks to its ability to cache Universal Group membership lists. In an Exchange 200x environment, GC servers are also used for global address list lookups; for the best client performance, make sure a large body of users has fast connectivity to a GC server. Finally, in a single-domain forest, you don’t really need extra GC servers beyond the first one that AD creates—every DC already knows everything there is to know about the entire forest.
What if a GC can’t be contacted at logon? That’s where cached credentials come in. Each time a successful logon occurs, the client saves the credentials to a local cache. This allows the client to “fake it” when a GC can’t be contacted; the client simply rebuilds the security token from the last successful logon. Cached credentials don’t provide updated group policies or access to a user’s home folder. By default, Win2K and Windows XP will cache the last 10 users that logged on.
You can change that value through Group Policy, and some folks consider it a good security practice to do so. Why? Because you could disable someone’s user account, and if the user knew about it, he or she could simply disconnect the client before logging on. The user would get cached credentials and might still be able to access resources that should be denied. To turn off cached credentials, use a Group Policy Object (GPO) to set the number of cached credentials to zero. Users can still log on using local user accounts, but in most environments, it’s unusual for users to have local user accounts on their clients. You might consider changing the cached credential setting only for desktop computers, as laptop users may have a legitimate need to log on when they can’t contact a DC.
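Two checks that follow from the advice above, written as an added example rather than anything from the column: one reports AD sites whose GC count is below the fault-tolerance minimum, the other reports whether the local machine still caches domain logons and whether it is a desktop (the case the column says should be set to zero). It assumes the RSAT ActiveDirectory module is installed on a domain-joined host and relies on the well-known Winlogon CachedLogonsCount registry value, which Group Policy writes when you set the cached-logon count; the function names and the chassis-type list are mine.

```powershell
# Added example, not code from the column. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SiteGcCoverage {
    # Lists every AD site with its DC and GC counts and flags sites below the minimum.
    # -MinimumGCs 1 matches "at least one GC"; 2 matches the fault-tolerance advice.
    param([int]$MinimumGCs = 1)
    Get-ADDomainController -Filter * |
        Group-Object -Property Site |
        ForEach-Object {
            $gcs = @($_.Group | Where-Object { $_.IsGlobalCatalog })
            [pscustomobject]@{
                Site    = $_.Name
                DCs     = $_.Count
                GCs     = $gcs.Count
                GcNames = ($gcs.HostName -join ', ')
                NeedsGC = ($gcs.Count -lt $MinimumGCs)   # logons here will cross the WAN
            }
        }
}

function Test-CachedLogonsPolicy {
    # Reads the effective cached-logon count and the SMBIOS chassis type so that a
    # desktop that still caches credentials can be reported separately from a laptop.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    # The value is a REG_SZ; when absent Windows uses the default of 10 described above.
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }
    # Chassis types treated as portable here (SMBIOS: portable, laptop, notebook,
    # hand held, docking station, sub notebook, tablet, convertible, detachable).
    $portableTypes = 8, 9, 10, 11, 12, 14, 30, 31, 32
    $chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    $isPortable = [bool]($chassis | Where-Object { $_ -in $portableTypes })
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CachedLogonsCount = $count
        IsPortable        = $isPortable
        Finding           = if (-not $isPortable -and $count -gt 0) {
                                'Desktop still caches domain logons'   # review the GPO scope
                            } else { 'OK' }
    }
}

Get-SiteGcCoverage -MinimumGCs 2 | Format-Table -AutoSize
Test-CachedLogonsPolicy | Format-Table -AutoSize
```

Run Test-CachedLogonsPolicy through Invoke-Command against a list of workstations to see at a glance which desktops the cached-credential GPO has not reached.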
With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.