Archived from groups: microsoft.public.win2000.active_directory (
More info?)
Antonio,
A couple of things here:
User account objects are stored within Active Directory, specifically in the
ntds.dit file. In WIN2000 and WIN2003 Active Directory all Domain
Controllers hold a writeable ntds.dit. That is to say, that you could
create a user account object on DC01 today and a user account object on DC02
tomorrow and all Domain Controllers in that Domain ( specifically in that
Domain ) would have that user account. This is due to Active Directory
Replication ( of which there are two types: Intra-Site and Inter-Site ). It
is a rather involved process. To simplify, each Domain Controller has
replication partners. So, if you are sitting at a workstation and are using
the Adminpak to access ADUC and you are connecting to DC01 today and you
create that user account object all of the Domain Controllers would have
that user account object rather quickly. Essentially, DC02 says to DC01 -
hey, do you have anything for me? And DC01 says to DC02 - Yep! But just a
few things right now. In the same breath DC01 is saying to DC02 - hey, do
you have anything for me? And DC02 says to DC01 - nope, not this time. AD
Replication is based on incoming connection objects. If you install the
Support Tools and use repadmin /showconn then you will see what I mean.
Now, what is this Global Catalog Server? To simplify, it holds a
'watered-down' version of all the accounts. A global Catalog Server can
only be on a Domain Controller. So, you can say that all Global Catalog
Servers are Domain Controllers -BUT- not all Domain Controllers are Global
Catalog Servers. You create a Global Catalog Server in the Active Directory
Sites and Services MMC. There is ample documentation on how to do this.
Why do you need a Global Catalog Server to be available to logon? Well, in
a WIN2000 AD environment running in Native Mode you do while in a Mixed Mode
you do not. Huh? You see, in a Native Mode environment Universal Groups
are available. Not the case in a Mixed Mode environment. The GC is
necessary to 'break down the membership' of Universal Groups. If a GC is
not available then you will not get this group membership of each user
account object completely correct so a security token will not be completely
generated ( that is to say, it will not be generated ). There are a couple
of ways around this with some registry entries but we really do not want to
mess with this. I believe - and I think that it was Simon who just recently
answered a similar question - that in WIN2003 there is something called
Universal Group Caching. I have not played with WIN2003 very much at all so
I can not really say for sure. If Simon was indeed the person who made this
statement then I am quite confident that it is accurate.
Does this help?
--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"Jerold Schulman" <Jerry@jsiinc.com> wrote in message
news:bat381d8ni3gthad3g6t1q0v7ve6itklfs@4ax.com...
> Additionally, you can make each DC a GC. See tip 3294 in the 'Tips &
> Tricks' at
http://www.jsifaq.com
>
>
> On Tue, 10 May 2005 23:34:59 +0200, Antonio Ruiz Martínez <arm@dif.um.es>
> wrote:
>
>>Hello!
>>
>> I'm writing you because I have not clear some aspects about the
>>directory store and the global catalog.
>> I have read that the information about the directory is replicated
>>among the domain controllers. Then I understand the information about
>>accounts and users is stored among the domain controllers.
>> However I have read that if the global catalog is unavailable, then
>>the users can not authenticate in the domain. But the information about
>>the domain is the rest of the domain controllers, isn't it?
>> Could you explain me the reason, please?
>>
>> Thanks in advance,
>> Regards,
>> Antonio
>
Facebook
Twitter
Instagram