Friday, 14 March 2014

Global Catalog and Functional Levels



Global Catalog and Functional Levels
Topics Covered
Introduction to Global Catalog
Functions of Global Catalog
Where to place Global catalog
Identifying Global Catalog
Domain and Forest functional level
How to raise Domain and Forest functional level

Global catalog
A global catalog is a domain controller that stores a copy or replica of all Active Directory
objects in a forest. The global catalog stores a full copy of all objects of a domain in which it
resides and a partial copy of all objects for all other domains in the forest. The Global Catalog
can be called as a head office for an entire organization. The partial copy stores the most
commonly used attributes of all domain objects. The global catalog provides users to searches
objects easily and quickly within forest without affecting network performance. User uses 3268
port to query global catalog.
When you install the first domain controller in forest a global catalog is created automatically on
domain controller in the forest. However when you have multiple domain controller you can
change or move the Global catalog to other domain controller using Active Directory Sites and
Services snap-in.
Note : To view the GC role from command prompt use the command “dsquery server –isgc”

Functions or roles of Global Catalog
• Finding objects within a forest : A global catalog helps user searches for directory
information throughout all domains in a forest, regardless of where the data is stored.
Searches within a forest are performed with maximum speed and minimum network
traffic. We mostly uses LDAP protocol to query or access global catalog.
• UPN based authentication : Global catalog helps for inter-domain logon process. A
global catalog resolves user principal names (UPNs) when the authenticating domain
controller does not have knowledge of the account. For example, if a user’s account is
located in west.vision.com and the user decides to log on with a user principal name of
testuser@west.vision.com from a computer located in east.vision.com, the domain
controller in west.vision.com will be not be able to find the user’s account in its local
domain so it will passes the query to global catalog the complete the authentication
process.
• Universal group membership information in a multiple domain environment: Global
group memberships is stored in each domain only, whereas universal group memberships
are only stored in a global catalog. Universal group memebership information is stored in
global catalog to helps logon to other domains. For example, when a user who belongs to
a universal group logs on to a domain that is set to the Windows 2000 native domain
functional level or higher, the global catalog provides universal group membership
information for the user’s account at the time the user logs on to the domain. If a global
catalog is not available or offline when a user logs on to a domain set to the functional
level of Windows 2000 native or higher, the computer will use cached credentials to log
on the user if the user has logged on to the domain previously. If the user has not logged
on to the domain previously, the user can only log on to the local computer. This rule is
not applicable to domain admin group.
• Verifies object references within a forest : A global catalog is used by domain
controllers to validate or verify references to objects of other domains in the forest. When
a domain controller holds a directory object with an attribute containing a reference to an
object in another domain, this reference is validated using a global catalog.
• Global Catalog and Infrastructure Master : GC helps infrastructure master to updates its
active directory database of reference objects.
• Address Book Lookups : In Windows Server 2008 environments, Exchange 2000, 2003
and 2007 use the global catalog to store mail recipient data that enables clients in a forest
to send and receive e-mail messages.
Where to place Global Catalog
• To increase network performance you must place a global catalog according to your active
directory topology.
• Always place a global catalog near to user so that user can query global catalog easily and

quickly
• You must place at least one global catalog per site.
• If you have two locations connected via slow WAN links, we must place a global catalog in
each location so that it can reduce load on WAN links.
• Place the global catalog near to any application which uses its services like Exchange Server,
etc.
• If you have a single site domain one global catalog is sufficient to resolve queries.
• If you have multiple sites placement of global catalog should be made with care.
How to Identify Global Catalog server
Method - I
1) Active directory sites and services snap-in
Method - II
1) Open Comand Prompt and type : dsquery server –isgc
Or
2) Dsquery server –forest -isgc
Domain and Forest Functionality
Windows 2008 includes a feature to provide support or compatibility to all Windows Server
based operating system using Domain and forest functionality. Different levels of domain
functionality and forest functionality are available depending on your environment. In each
functionality levels we get various features enabled or disabled.
The table below lists the domain functional levels and their corresponding supported domain
controllers.

Domain functional level Domain controllers supported
Windows 2000 Native
Windows 2000
Windows Server 2003
Windows 2008 Server
Windows 2003
Windows Server 2003
Windows 2008 Server
Windows Server 2008 Windows 2008 Server
Note : Once the domain functional level has been raised, domain controllers running earlier
operating systems cannot be introduced into the domain. For example, if you raise the domain
functional level to Windows Server 2003, domain controllers running Windows 2000 Server
cannot be added to that domain.
Features supported by each domain functional levels
Windows 2000 Native Mode
This is the default function level for new Windows Server 2008 Active Directory domains.
Supported Domain controllers – Windows 2000, Windows Server 2003, Windows Server
2008.
Features and benefits:
• Group nesting – Unlike Windows NT 4.0, allows placing of a group of one scope as a
member of another group of the same scope.
• Universal security groups – Allows usage of Universal security type groups.
• SidHistory – Enables usage of SidHistory when migrating objects between domains.
• Converting groups between security groups and distribution groups – Unlike Windows
NT 4.0, allows converting of a group type into another group type (with some
limitations).
Windows Server 2003 Mode
To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2003. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2003. Read my "Raise Domain Function Level in Windows
Server 2003 Domains" article for more info about that.

Supported Domain controllers – Windows Server 2003, Windows Server 2008.
Features and benefits include all default Active Directory features, all features from the
Windows 2000 native domain functional level, plus:
• Universal group caching – Windows Server 2003 functional level supports Universal
group caching which eliminate the need for local global catalog server.
• Domain Controller rename – By using the NETDOM command.
• Logon time stamp update – The lastLogonTimestamp attribute will be updated with the
last logon time of the user or computer. This attribute is replicated within the domain.
• Multivalued attribute replication improvements – Allows incremental membership
changes, which in turn enables having more than 5000 members in a group and better
replication capabilities.
• Lingering objects (zombies) detection – Windows Server 2003 has the ability to detect
zombies, or lingering objects.
• AD-integrated DNS zones in application partitions – This allows storing of DNS data
in AD application partition for more efficient replication.
• Users and Computers containers can be redirected – This allows the redirection of the
default location of new users and computers (by using the REDIRUSR and REDIRCMP
commands).
• Support for selective authentication – Makes it possible to specify the users and groups
from a trusted forest who are allowed to authenticate to resource servers in a trusting
forest.
Windows Server 2008 Mode
Supported Domain controllers – Windows Server 2008.
Features and benefits include all default Active Directory features, all features from the
Windows Server 2003 domain functional level, plus:
• Fine-grained password policies – Allows multiple password polices to be applied to
different users in the same domain.
• Read-Only Domain Controllers – Allows implementation of domain controllers that
only host read-only copy of NTDS database.
• Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol.
• Granular auditing – Allows history of object changes in Active Directory.
• Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using
DFSR instead of older File Replication Service (FRS). It provides more robust and
detailed replication of SYSVOL contents.
• Last Interactive Logon Information – Displays the time of the last successful
interactive logon for a user, from what workstation, and the number of failed logon
attempts since the last logon.

Steps for changing domain functional levels
1. Go to Start – Programs – Administrative Tools – Active directory domains and trust
snap-in.
2. In Active directory domains and trust snap-in, right-click on the domain name and then
select Raise domain functional level.
3. Here you can change the domain level as per your requirement.
Forest functionality
Forest functionality enables features across all the domains within your forest. Three forest
functional levels are available: By default, forests operate at the Windows 2000 functional level.
You can raise the forest functional level to Windows Server 2008.
The following table lists the forest functional levels and their corresponding supported domain
controllers:
Forest functional level Domain controllers supported
Windows 2000 (default)
Windows 2000
Windows Server 2003
Windows Server 2008
Windows Server 2003
Windows Server 2003
Windows Server 2008
Windows Server 2008 Windows Server 2008 only
Note : Once the forest functional level has been raised, domain controllers running earlier

operating systems cannot be introduced into the forest. For example, if you raise the forest
functional level to Windows Server 2008, domain controllers running Windows 2000 Server
cannot be added to the forest.
Features supported by Forest functional levels
Forest functionality activates features across all the domains in your forest. To activate a new
forest function level, all the domain in the forest must be running the right operating system and
be set to the right domain function level. After this requirement is met, the administrator can
raise the forest functional level. Here's a list of the available forest function levels available in
Windows Server 2008:
Windows 2000 forest function level
This is the default setting for new Windows Server 2008 Active Directory forests.
Supported Domain controllers in all domains in the forest – Windows 2000, Windows Server
2003, Windows Server 2008.
Windows Server 2003 forest function level
To activate new forest-wide features, all domain controllers in the forest must be running
Windows Server 2003. Read my "Raise Forest Function Level in Windows Server 2003 Active
Directory" article for more info about that.
Supported Domain controllers in all domains in the forest – Windows Server 2003, Windows
Server 2008.
Features and benefits include all default Active Directory features, plus the following features:
• Forest trust.
• Domain rename.
• Linked-value replication – Changes in group membership to store and replicate values for
individual members instead of replicating the entire membership as a single unit.
• Deployment of an RODC.
• Intersite topology generator (ISTG) improvements – Supports a more efficient ISTG
algorithm allows support for extremely large numbers of sites.
• The ability to create instances of the dynamicObject dynamic auxiliary class.
• The ability to convert an inetOrgPerson object instance into a User object instance, and
the reverse.
• The ability to create instances of the new group types, called application basic groups and
Lightweight Directory Access Protocol (LDAP) query groups, to support role-based
authorization.
• Deactivation and redefinition of attributes and classes in the schema.

Windows Server 2008 forest function level
To activate new forest-wide features, all domain controllers in the forest must be running
Windows Server 2008. Read my "Raising Windows Server 2008 Active Directory Domain and
Forest Functional Levels" article for more info about that.
Supported Domain controllers in all domains in the forest – Windows Server 2008.
Features and benefits include all of the features that are available at the Windows Server 2003
forest functional level, but no additional features. All domains that are subsequently added to the
forest will operate at the Windows Server 2008 domain functional level by default.
Steps for changing Forest functional levels
1. Go to Start – Programs – Administrative Tools – Active directory domains and trust
snap-in.
2. In Active directory domains and trust snap-in, right-click on the active directory domains
and trust and then select Raise Forest functional level.
3. Here you can change the forest functional level as per your requirement.

No comments:

Post a Comment