Global catalogs and sites

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Global catalogs and sites

To optimize network performance in a multiple site environment, consider adding global catalogs for select sites. In a single site environment, a single global catalog is usually sufficient to cover common Active Directory queries. The following table will help you determine whether your multiple site environment will benefit using additional global catalogs.

Use a global catalog when

Advantage

Disadvantage

A commonly used application in the site utilizes port 3268 to resolve global catalog queries.

Performance improvement

Additional network traffic due to replication

A slow or unreliable WAN connection is used to connect to other sites. Use the same failure and load distribution rules that you used for individual domain controllers to determine whether additional global catalog servers are necessary in each site.

Fault tolerance

Additional network traffic due to replication

Users in the site belong to a Windows 2000 domain running in native mode. In this case, all users must obtain universal group membership information from a global catalog server. If a global catalog is not located within the same site all logon requests must be routed over your WAN connection to a global catalog located in another site.

If a domain controller running Windows Server 2003 in the site has universal group membership caching enabled, then all users will obtain a current cached listing of their universal group memberships.

Fast user logons

Additional network traffic due to replication

Note

  • Network traffic related to global catalog queries generally use more network resources than normal directory replication traffic.

Universal group membership caching

Due to available network bandwidth and server hardware limitations, it may not be practical to have a global catalog in smaller branch office locations. For these sites, you can deploy domain controllers running Windows Server 2003, which can store universal group membership information locally.

Information is stored locally once this option is enabled and a user attempts to log on for the first time. The domain controller obtains the universal group membership for that user from a global catalog. Once the universal group membership information is obtained, it is cached on the domain controller for that site indefinitely and is periodically refreshed. The next time that user attempts to log on, the authenticating domain controller running Windows Server 2003 will obtain the universal group membership information from its local cache without the need to contact a global catalog.

By default, the universal group membership information contained in the cache of each domain controller will be refreshed every 8 hours. To refresh the cache, domain controllers running Windows Server 2003 will send a universal group membership confirmation request to a designated global catalog. Up to 500 universal group memberships can be updated at once. Universal group membership caching can be enabled using Active Directory Sites and Services. Universal group membership caching is site specific and requires that all domain controllers running Windows Server 2003 be located in that site to participate. For more information about how to enable this option, see Cache universal group memberships.

The following list summarizes potential benefits for caching universal group memberships in branch office locations:

  • Faster logon times since authenticating domain controllers no longer need to access a global catalog to obtain universal group membership information.

  • No need to upgrade hardware of existing domain controllers to handle the extra system requirements necessary for hosting a global catalog.

  • Minimized network bandwidth usage since a domain controller will not have to handle replication for all of the objects located in the forest.

Note

  • You might want to continue using a global catalog in branch office locations if an application in a site is sending global catalog queries to port 3268. Universal group membership caching does not intercept calls made to port 3268.