Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


August 2003

Optimizing Global Catalog Server Placement

Basic guidelines can clear up the confusion

Planning and deploying Global Catalog (GC) servers can be confusing. Neglecting GC server placement when you make changes to Active Directory (AD), such as after you add a new domain or install Microsoft Exchange 2000 Server (or later), is easy to do. Although the Microsoft Knowledge Base, the Microsoft Windows Server 2003 Resource Kit, and the Microsoft Windows 2000 Server Resource Kit provide valuable information about the GC, that information is usually fragmented. Let's consider some simple guidelines for GC server placement in various scenarios and clarify some of the confusion that might arise as a result of changes to AD.

GCs contain all the objects in the forest but only some of those objects' attributes. The GC holds attributes that are commonly queried and are referred to as the partial attribute set. GCs make information about these objects available through Lightweight Directory Access Protocol (LDAP) and use replication to share this partial replica from each domain with all other GCs. GC queries can offer an advantage over domain controller (DC) queries in that DCs hold information about their own domains only, whereas GCs hold information about all domains in the forest.

Changing the Partial Attribute Set
You can use the procedure that follows to control which attributes the GC includes. You'll need the Microsoft Management Console (MMC) Schema snap-in, and you must register the snap-in before you can use it. To do so, open a command window and type

regsvr32 schmmgmt.dll

at the prompt. A pop-up message will let you know that the registration was successful.

As a further protection, the DC that holds the Schema Master Flexible Single-Master Operation (FSMO) role requires a new registry value before you can write to the schema. The usual warnings concerning registry changes apply. Create the value Schema Update Allowed (of type REG_DWORD) with a data value of 1 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry subkey. The change takes effect immediately without a reboot. When the updates are complete, disable schema updates on the DC by changing the data value to 0.

On your machine, open MMC and select Add/Remove Snap-in from the Console menu options. Open the Schema snap-in. If you're not logged on to the DC that holds the Schema Master FSMO role, right-click Active Directory Schema, choose Change Domain Controller, enter the name of the Schema Master FSMO role holder, and click OK. Then, in the right-hand pane, select the attribute in which you're interested and double-click to bring up the properties. On the General tab, which Figure 1 shows, select or clear the Replicate this attribute to the Global Catalog check box, as desired. This check box will be shaded unless the account you're using is a member of the Schema Administrators group. The default membership of this group is limited to the root domain's Administrator account. To avoid potentially catastrophic mistakes and improve security, keep the membership of the Schema Administrators group empty and populate it only when changes to the schema are required.

Don't change the defaults without good reason. Adding an attribute to the partial attribute set can have a significant replication impact on your network because of what is known as a GC full sync. Each GC reacts to an attribute's addition by using replication to fully refresh the read-only information it holds about other domains in the forest. The more domains you have in your forest, the greater the impact will be. Clearly, you don't want to make any changes to a partial attribute set in a production environment without careful scheduling. If you have a single-domain forest, you don't have to be concerned about the impact of the GC full sync because the GCs don't contain information about other domains and therefore don't replicate any additional information. Don't remove attributes from the GC without good reason; doing so can affect system efficiency.

Microsoft generally recommends that you use scripts to perform schema changes. This tactic avoids poor "mouse work" and lets you thoroughly test the change in a lab environment. Microsoft has modified the replication protocol to improve handling of the partial attribute set in Windows 2003, which no longer performs the GC full sync; Windows 2003 replicates only the added attribute.
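
The safeguards described above (Schema Update Allowed set back to 0, an empty Schema Administrators group) and the current partial attribute set can be checked with a read-only script. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module, a reachable Remote Registry service on the Schema Master, and that the group's directory name is Schema Admins.

```powershell
# Added example: audit the schema-change safeguards described in the article.
# Assumptions: ActiveDirectory (RSAT) module is installed, the Remote Registry
# service is reachable on the Schema Master, and the group the article calls
# "Schema Administrators" has the directory name "Schema Admins".
Import-Module ActiveDirectory

$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# 1. "Schema Update Allowed" should be 0 (or absent) outside a change window.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $schemaMaster)
$key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
$updateAllowed = if ($key) { [int]$key.GetValue('Schema Update Allowed', 0) } else { 0 }
$hklm.Close()

# 2. The schema administrators group should be empty between changes.
$schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain)

# 3. Attributes currently replicated to the GC, most recently changed first,
#    so an unplanned addition to the partial attribute set stands out.
$pas = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName, whenChanged |
    Sort-Object whenChanged -Descending

[pscustomobject]@{
    SchemaMaster          = $schemaMaster
    SchemaUpdateAllowed   = $updateAllowed
    SchemaAdminsMembers   = ($schemaAdmins | ForEach-Object SamAccountName) -join ', '
    PartialAttributeCount = @($pas).Count
}
if ($updateAllowed -ne 0)      { Write-Warning 'Schema Update Allowed is still enabled on the Schema Master.' }
if ($schemaAdmins.Count -gt 0) { Write-Warning 'Schema Admins is not empty.' }

# Ten most recently modified GC-replicated attributes
$pas | Select-Object -First 10 lDAPDisplayName, whenChanged
```

Running it before and after a scheduled schema change gives a baseline of the partial attribute set and confirms that both safeguards were restored.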



Reader Comments
Excellent article!!! But... "...designating the Infrastructure Master as a GC isn't a good idea..." if all the domain controllers on that Infrastructure domain (not on the forest but on the domain) are not GCs, right?

Sergio Fonseca March 14, 2004


O.K

pullaiah May 14, 2008

