In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.
The screenshot above shows the relevant section from the 70-640 exam blueprint on configuring the Active Directory Domain Services (AD DS) Global Catalog.
Today’s subobjective centers upon the Global Catalog (GC), an optional function that any domain controller in a Windows Server 2008 R2 forest can take on. A GC holds forest-wide directory information, which is what lets it service Active Directory name lookups and speed up inter-domain authentication.
Microsoft Exam 70-640 – Configure the Global Catalog / Domain 2, Subobjective 5
Whenever an AD user runs a search against the directory (to look for a shared printer or folder, perhaps), that search is typically serviced by a Global Catalog query; GCs answer these on LDAP port 3268 (3269 for LDAP over SSL) rather than the regular LDAP port 389. Some enterprise applications, such as Microsoft Exchange Server, also rely upon the Global Catalog for AD name resolution.
Consider the following scenario: A user named Pat from the domain core.corp.com needs to access resources in the dev.corp.com domain, to which he already has permissions. Let’s go further and say that Pat attempts to authenticate to dev.corp.com by specifying his user principal name (UPN), pat@core.corp.com.
In the absence of a Global Catalog, the domain controllers in dev.corp.com cannot map that UPN to an account: Pat’s account lives in core.corp.com’s domain partition, which dev.corp.com domain controllers do not hold, so the authentication fails.
The bottom line, friends, is that domain controllers within a single domain hold a full, writable copy of their own domain directory partition. The domain partition contains all of the “good stuff” in Active Directory such as user, group, and computer accounts, group memberships, and published shared resources.
In a multidomain environment, domain controllers still have a writable copy of only their own domain directory partition. However, a domain controller that is also a Global Catalog additionally holds a read-only (and, as we will see, partial) copy of every other domain’s domain directory partition. Thus, the Global Catalog can resolve Active Directory name references across the entire multi-domain forest—isn’t that great?
To return to the previous scenario, when our user Pat submits his pat@core.corp.com UPN to a domain controller in dev.corp.com, that DC queries a GC to find out which domain and account the UPN belongs to. Because the Global Catalog contains directory information from core.corp.com, the user is identified and the authentication process succeeds.
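You can watch this difference yourself from a dev.corp.com domain controller. The following PowerShell is an added example, not code from the original article: it runs the same UPN search against the regular LDAP port and against the Global Catalog port of a hypothetical GC named dc01.dev.corp.com, then asks the DC locator for a GC the way the logon path would. It assumes the ActiveDirectory module (RSAT) is installed and that pat@core.corp.com is Pat’s UPN.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and these hypothetical names: dc01.dev.corp.com is a GC in
# dev.corp.com; pat@core.corp.com is Pat's UPN in core.corp.com.
Import-Module ActiveDirectory

$upn    = 'pat@core.corp.com'
$devDC  = 'dc01.dev.corp.com'
$filter = "(&(objectClass=user)(userPrincipalName=$upn))"

# Plain LDAP (port 389) searches only dev.corp.com's own domain partition,
# so Pat's core.corp.com account is not found there.
$viaLdap = Get-ADObject -Server "${devDC}:389" -LDAPFilter $filter `
             -Properties userPrincipalName -ErrorAction SilentlyContinue

# The Global Catalog port (3268) with an empty search base covers the
# partial, read-only replica of every domain in the forest; this is the
# lookup a dev.corp.com DC performs when Pat logs on with his UPN.
$viaGC = Get-ADObject -Server "${devDC}:3268" -SearchBase '' -LDAPFilter $filter `
           -Properties userPrincipalName

'LDAP 389 : {0}' -f $(if ($viaLdap) { $viaLdap.DistinguishedName } else { '<not found>' })
'GC   3268: {0}' -f $(if ($viaGC)   { $viaGC.DistinguishedName }   else { '<not found>' })

# What the logon path itself does: ask the DC locator for a GC serving
# dev.corp.com. If this returns nothing, UPN logons from other domains fail
# here regardless of the user's permissions.
nltest /dsgetdc:dev.corp.com /GC
```

The empty `-SearchBase ''` matters: on port 3268 a search rooted at `DC=dev,DC=corp,DC=com` would still only return objects under that subtree, and Pat’s object sits under `DC=core,DC=corp,DC=com`.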
Before you even think about registering to take the 70-640 exam, please ensure that you are very comfortable with all of the technologies and procedures that are referenced in this subobjective:
- Universal Group Membership Caching (UGMC)
- Partial Attribute Sets
- Promotion to Global Catalog
Universal Group Membership Caching (UGMC)
To recap, the three primary functions of the Global Catalog are:
- Directory information lookup
- User principal name authentication
- Intra-forest object validation (for example, resolving universal group membership at logon)
The notion of the universal group touches upon all three of these points. First of all, recall that the universal group’s scope is forest-wide; universal groups can contain members from any domain, so their value shows chiefly in multi-domain forests.
Second, we should know that the membership of universal groups from every domain in the forest is replicated to the Global Catalog, and a domain controller must consult it to build a user’s logon token. This means that in a multi-domain forest, domain logons fail if a Global Catalog cannot be contacted (members of Domain Admins are exempt so that an administrator can always get in, and a workstation with cached credentials can still log on locally). After all, we can’t very well authenticate an Active Directory user without knowing which, if any, universal groups the user belongs to, right?
The potential problem with this Global Catalog presence requirement is that your environment’s Active Directory site topology might be such that a site does not have a local Global Catalog server and the nearest one is located on the other side of a slow and/or expensive WAN link. What are we going to do in this case?
Enter Universal Group Membership Caching (UGMC) as a solution. UGMC does nothing more than make the domain controllers in the site store each user’s universal group membership(s) locally at that user’s first logon. That first logon still needs the remote Global Catalog, but subsequent logons are answered from the cache, and the domain controllers go back to the GC only at the refresh interval (every 8 hours by default). The cache is used only while the site has no Global Catalog of its own.
We enable UGMC in a site by modifying the properties of a site’s NTDS Site Settings object in the Active Directory Sites and Services MMC console. Note that we can specify the nearest site as a source of refresh data by making a selection from the Refresh cache from drop-down list box.
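The NTDS Site Settings checkbox is a bit in that object’s options attribute, and the “Refresh cache from” drop-down is a separate attribute, so the same change can be scripted and, more usefully, audited across all sites. The PowerShell below is an added example, not code from the original article. The site names Branch-Office and HQ are hypothetical; the bit value (0x20, NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) and the msDS-Preferred-GC-Site attribute are taken from Microsoft’s documentation of the nTDSSiteSettings object.

```powershell
# Added example, not from the original article. Site names are hypothetical.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$site        = 'Branch-Office'
$refreshSite = 'HQ'

# UGMC lives on the site's "NTDS Site Settings" object; bit 0x20 of its
# options attribute (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) is the
# "Enable Universal Group Membership Caching" checkbox.
$UGMC_BIT   = 0x20
$settingsDN = "CN=NTDS Site Settings,CN=$site,CN=Sites,$configNC"
$settings   = Get-ADObject -Identity $settingsDN -Properties options, 'msDS-Preferred-GC-Site'

$current = [int]$settings.options          # $null casts to 0 if never set
if (($current -band $UGMC_BIT) -eq 0) {
    Set-ADObject -Identity $settingsDN -Replace @{ options = ($current -bor $UGMC_BIT) }
}

# The "Refresh cache from" drop-down is msDS-Preferred-GC-Site, the DN of
# the site whose GC should be used for the periodic refresh.
$refreshDN = "CN=$refreshSite,CN=Sites,$configNC"
Set-ADObject -Identity $settingsDN -Replace @{ 'msDS-Preferred-GC-Site' = $refreshDN }

# Audit: which sites have UGMC on, and do they actually lack a local GC?
# The cache is only consulted when the site has no GC, so "UGMC on, GC
# present" is usually a leftover from an old topology.
$gcSites = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
           Select-Object -ExpandProperty Site -Unique

Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSSiteSettings)' `
             -Properties options |
  ForEach-Object {
      $siteName = (($_.DistinguishedName -split ',')[1]) -replace '^CN='
      [pscustomobject]@{
          Site        = $siteName
          UGMCEnabled = (([int]$_.options) -band $UGMC_BIT) -ne 0
          HasLocalGC  = $gcSites -contains $siteName
      }
  } | Format-Table -AutoSize
```

Writing the NTDS Site Settings object requires Enterprise Admins rights (or a delegation on the Sites container), the same as the console.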
Enabling UGMC on an Active Directory site
Partial Attribute Set (PAS)
Do you remember when I said earlier in this article that Global Catalog servers are domain controllers that possess not only a full, writable copy of their own domain directory partition, but also a read-only copy of the domain directory partition from all other domains in the forest? Well, a GC would be pretty darned overburdened if it had to track every single schema attribute for every object in every domain.
To solve this issue, a Global Catalog tracks a partial attribute set (PAS) of each domain’s domain directory partition. In other words, while GCs do contain an entry for every single AD object in every domain, they store only selected schema attributes, the ones Microsoft considers most commonly searched for by users and applications. In the schema, membership in the PAS is recorded by the isMemberOfPartialAttributeSet flag on each attribute definition.
The good news is that forest administrators can include additional schema attributes in the Global Catalog. For instance, your organization might have a line-of-business (LOB) application that extends the AD schema with new attributes. The forest admin would need to manually add the relevant new schema attributes to the Global Catalog to make the attributes searchable forest-wide. Two caveats: anything added to the PAS becomes readable from every GC in the forest, so keep sensitive data out of it; and in forests running Windows Server 2003 or later, adding an attribute to the PAS no longer forces every GC to resynchronize its replica (it did on Windows 2000).
One way to add schema attributes to the Global Catalog is to open the Active Directory Schema console and enable the Replicate this attribute to the Global Catalog option for the attribute in question. This is shown in the following figure.
Adding a schema attribute to Global Catalog
- How to Modify Attributes that Replicate to the Global Catalog
- Install the Active Directory Schema Snap-in
- Identifying Attributes That are Members of the Partial Attribute Set in Active Directory
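The schema console checkbox simply sets isMemberOfPartialAttributeSet on the attribute’s attributeSchema object, which means the PAS can be inventoried and extended from PowerShell. The script below is an added example, not code from the original article. It lists the current PAS, then adds a hypothetical LOB attribute named contoso-BadgeNumber to it; the attribute name is an assumption, and the operation requires Schema Admins membership because schema writes must go to the schema master.

```powershell
# Added example, not from the original article. 'contoso-BadgeNumber' is a
# hypothetical LOB attribute; requires Schema Admins.
Import-Module ActiveDirectory

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster    # schema changes are written on the FSMO holder

# 1. What is in the PAS today? Every attributeSchema object flagged
#    isMemberOfPartialAttributeSet=TRUE replicates to the Global Catalog.
$pas = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
         -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
         -Properties lDAPDisplayName
'{0} attributes currently replicate to the Global Catalog' -f @($pas).Count
$pas | Sort-Object lDAPDisplayName | Select-Object -ExpandProperty lDAPDisplayName

# 2. Add the LOB attribute. Only attributes that must be searchable from any
#    domain belong here: whatever is in the PAS is readable from every GC.
$attrName = 'contoso-BadgeNumber'
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
          -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" `
          -Properties isMemberOfPartialAttributeSet
if (-not $attr) { throw "Schema attribute '$attrName' not found; extend the schema first." }

if ($attr.isMemberOfPartialAttributeSet -ne $true) {
    # Equivalent of ticking "Replicate this attribute to the Global Catalog".
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
}

# 3. Re-read the definition from the schema master to confirm the change.
Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
    -Properties lDAPDisplayName, isMemberOfPartialAttributeSet |
    Select-Object lDAPDisplayName, isMemberOfPartialAttributeSet
```

Once the schema change has replicated, a GC-port (3268) query for a user will return the new attribute; until then, requesting it on 3268 simply returns no value, with no error.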
Promotion to Global Catalog
So the question arises as to exactly how we designate a Global Catalog. By default, the first domain controller in a forest is a Global Catalog. Thereafter an administrator can nominate additional Global Catalogs either during promotion (the Dcpromo wizard offers a Global catalog checkbox) or afterward, by using the Active Directory Sites and Services console and modifying the properties of the NTDS Settings object for a particular domain controller. This is shown in the following exhibit.
Designating a Global Catalog
You might be thinking, “Why would I need a Global Catalog server if my forest includes only one domain?” This is a good point. Actually, Microsoft recommends that you make EVERY domain controller in a single-domain forest a Global Catalog. The justification is that within a single domain every domain controller already holds the entire directory, so a GC costs no extra replication; why not grant all DCs the ability to answer GC-port lookups as well?
- Designate a Domain Controller to Be a Global Catalog Server
- What is the Global Catalog?
- How the Global Catalog Works
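The Global Catalog checkbox on the NTDS Settings object sets bit 0x1 (NTDSDSA_OPT_IS_GC) of that object’s options attribute, so promotion, verification and the “every DC a GC” recommendation can all be scripted. The following PowerShell is an added example, not code from the original article; the domain controller name DC02 is hypothetical, and it assumes the ActiveDirectory module and Enterprise Admins rights.

```powershell
# Added example, not from the original article. 'DC02' is hypothetical.
Import-Module ActiveDirectory

function Set-GlobalCatalog {
    param(
        [Parameter(Mandatory)][string]$DCName,
        [bool]$Enabled = $true
    )
    $dc = Get-ADDomainController -Identity $DCName
    # The "Global Catalog" checkbox is bit 0x1 (NTDSDSA_OPT_IS_GC) in the
    # options attribute of the DC's NTDS Settings object.
    $IS_GC = 0x1
    $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts  = [int]$ntds.options
    $new   = if ($Enabled) { $opts -bor $IS_GC } else { $opts -band (-bnot $IS_GC) }
    if ($new -ne $opts) {
        Set-ADObject -Identity $ntds.DistinguishedName -Replace @{ options = $new }
    }
}

Set-GlobalCatalog -DCName 'DC02'

# Setting the bit is not the end of the story: the change has to replicate,
# and the DC then builds its partial replicas of the other domains before it
# advertises as a GC. Event 1119 in the Directory Service log marks that
# point, and the DC's own RootDSE reports it as isGlobalCatalogReady=TRUE.
(Get-ADRootDSE -Server 'DC02' -Properties isGlobalCatalogReady).isGlobalCatalogReady

# Inventory: which DCs are GCs, site by site? A site with DCs but no GC is
# exactly the situation that UGMC exists for.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperatingSystem |
    Sort-Object Site, Name | Format-Table -AutoSize

# Single-domain forest: apply Microsoft's "every DC is a GC" recommendation.
if (@((Get-ADForest).Domains).Count -eq 1) {
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $false } |
        ForEach-Object { Set-GlobalCatalog -DCName $_.Name }
}
```

The same flag can be flipped from the command line with `repadmin /options DC02 +IS_GC` (and cleared with `-IS_GC`); whichever way you set it, wait for isGlobalCatalogReady before pointing Exchange or other GC-dependent applications at the new server.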
I hope that you find this approach to 70-640 exam preparation to be beneficial. Please feel free to leave your questions, comments, and exam experiences (no brain dumps, please) in the comments portion of this post.
In the next post in this series I will provide a sample practice question for the “Configure Active Directory Replication” subobjective.