In the development of Active Directory, Microsoft had some pretty lofty goals that envisioned organizations combining their resource and user domains, as well as grouping all of the various domains together into one big, happy domain with a fully-qualified DNS domain name. However, real life has shown most organizations were not prepared for that kind of major paradigm shift, and have chosen not to take the plunge into Active Directory's centralized management and delegation of control to organizational units.
Of those who have made the upgrade to Active Directory, many have continued to use a multidomain structure. Consequently, some of the tools used to communicate and authenticate between domains may react unexpectedly to mixed domain structures. One of the main pieces of Active Directory that needs to be handled carefully in this type of setup is the Global Catalog Server.
It is a given that the Global Catalog Server must work if you have more than one domain in a forest. The Global Catalog Server’s main function is to hold just enough information about other domains so that you can find resources in them. Also, the Global Catalog Server must be available in most cases for a user to log on to a domain.
If users are accustomed to logging on with their UPN (e.g., firstname.lastname@example.org), then the Global Catalog Server's job is to break that UPN into its parts so that it is recognized in Active Directory's own language, the Lightweight Directory Access Protocol (LDAP). The other issue to consider when you configure your domain functional level is the use of universal groups, because the Global Catalog is the information store for the naming context of universal groups.
In order to understand potential problems that can arise with the Global Catalog Server, you have to get a better understanding of the different types of domains in Active Directory, especially the new domain functional levels and forest functional levels in Windows Server 2003.
Domain functional levels
The term “functional level” replaces the term “mode” as it was used in Windows 2000 to refer to the type of domain controllers in a domain. There are four domain functional levels in Windows 2003 Active Directory:
- Windows 2000 Mixed
- Windows 2000 Native
- Windows Server 2003 Interim
- Windows Server 2003
Windows 2000 Mixed is the default level for a new domain, and it supports Windows NT 4.0 backup domain controllers. This level is similar to what was called "Mixed Mode" in Windows 2000. In Windows 2003, your Global Catalog Server is affected by the choice you make in any domain. This was not the case in Windows 2000: in that version, each domain could be in a different mode, and the Global Catalog Server wasn't affected. Universal groups and group nesting are not available at the Windows 2000 Mixed domain functional level.
In the Windows 2000 Native domain functional level, there can be no NT4 backup domain controllers (isn't it time for these guys to retire, anyway?). NT4 BDCs need a PDC with which to replicate. Otherwise, they continually try to promote themselves to PDC, and can cause your domain to malfunction. However, in the Windows 2000 Native domain functional level, the PDC Emulator takes on greater importance than just keeping a BDC in its place. The PDC Emulator is the clearinghouse for all account changes that require urgent notification to other domain controllers, such as password changes and account lockouts. This is obviously a very critical role. Once you change to the Windows 2000 Native domain functional level, there is no turning back, so make sure you understand all of the implications of your decision.
To change domain functional level, open Active Directory Users And Computers or Domains And Trusts, right-click on the top domain, and choose to Raise Domain Functional Level.
For those moving directly from NT4 to Windows Server 2003, the Windows Server 2003 Interim domain functional level allows only NT4 and Windows Server 2003 domain controllers. Windows 2000 domain controllers can't play here.
If all of your domain controllers are Windows 2003 Servers, then you can change to the Windows Server 2003 domain functional level. You will then be able to rename domain controllers (which is another decision to consider carefully), and enjoy the functionality associated with universal groups and group nesting. Remember that universal groups will only function properly if the Global Catalog Server is functioning properly, because their membership information is stored in the Global Catalog Server. So if you don’t use global groups at all, and create only universal groups, then your Global Catalog Server availability becomes even more important.
Forest functional level
In addition to domain functional levels, Windows Server 2003 has three forest functional levels:
- Windows Server 2003
- Windows Server 2003 Interim
- Windows 2000
They have the same attributes as the domain functional levels explained above. The forest functional level is where the Global Catalog Server is most affected. Once you decide on a forest functional level, every domain in the forest must be at a matching domain functional level. If you forgot to raise even one domain to the level that matches the forest functional level, your Global Catalog Server will break. It will stop referring users to other domains, and universal group members may not be able to log on to the domain. Remote procedure call (RPC) errors will abound. The key is to change all of the domains first, ensure that the Global Catalog Server is still working, and only then change the forest functional level.
Raising your forest functional level makes it much easier for administrators to grant permissions on resources in other forests on the network. Although trusts are still intransitive in Windows 2003, when you establish a trust between forests, you extend that trust to every domain in each forest.
To change forest functional level, open Active Directory Domains And Trusts, right-click on the Active Directory node at the top of the left pane, and choose Raise Forest Functional Level.
Also, keep in mind that once you change your domain or forest functional level, it is not reversible.
Global Catalog Server diagnostics
How do you know if your Global Catalog Server is functioning? If users cannot log on to the domain, then ask them to try to log on with their UPN. If that fails, there is a good chance the Global Catalog Server is not functioning. There should be at least one Global Catalog in each domain—and more if you have a large number of universal groups.
The Event Viewer can also give some good indications of what is happening. But the real tried-and-true way to make sure the Global Catalog Server is functioning is to check the DNS records and confirm there is an SRV (service) record pointing to the Global Catalog Server. You can find this record in the DNS management console, or in Active Directory Users And Computers (only if you are using AD-integrated DNS). In the latter, you must choose the Advanced view, which adds folders to the left pane. One of those is called System. Inside the System folder is a MicrosoftDNS folder (Figure A), which, if you are using AD-integrated DNS, holds the records for the various services running in the domain.
In the DNS console, you will find a gc folder within the _msdcs folder under your domain. Figure B shows what the folder looks like in the DNS console.
You should also install a support tool called ReplMon (on the installation CD in the Support folder) because it will give you some really good information about how your domain controllers are getting and sharing information.
Once you find out whether your Global Catalog Server is working properly, the rest is up to you. The easiest fix is to make sure you have all of your domains at the same functional level as your forest. If that isn’t the problem, then it could be DNS. Check out my article "When troubleshooting Windows 2000, start with DNS" for what to do when DNS loses the Global Catalog Server service record.
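The diagnostics above can be scripted. The following is an added example, not code from the original article: it checks for the Global Catalog SRV record under _msdcs, confirms a GC answers on the GC LDAP port (3268), counts the GCs per domain, and flags any domain whose functional level lags behind the forest level. It assumes the RSAT ActiveDirectory and DnsClient PowerShell modules on a domain-joined management host; these cmdlets postdate Windows Server 2003, but the record names and functional levels are the ones the article discusses.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory
# and DnsClient modules on a domain-joined management host.
Import-Module ActiveDirectory

$forest    = Get-ADForest
$forestDns = $forest.RootDomain   # the GC SRV record is registered in the forest root zone

# 1. Is a Global Catalog still advertised in DNS?
#    This is _ldap._tcp.gc._msdcs.<forest root>, the "gc" folder under _msdcs in the DNS console.
$gcSrv = Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$forestDns" -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' }
if (-not $gcSrv) {
    Write-Warning "No GC SRV record for ${forestDns}: UPN logons and universal-group lookups will fail."
} else {
    $gcSrv | Select-Object Name, NameTarget, Port, Priority, Weight | Format-Table -AutoSize

    # A record is not proof of a working GC: check that the first target listens on 3268 (GC LDAP).
    $target = ($gcSrv | Sort-Object Priority, Weight | Select-Object -First 1).NameTarget
    if (Test-NetConnection -ComputerName $target -Port 3268 -InformationLevel Quiet) {
        Write-Host "$target answers on the Global Catalog port (3268)."
    } else {
        Write-Warning "$target is advertised as a GC but does not answer on port 3268."
    }
}

# 2. Per domain: how many DCs hold the GC role, and does the domain functional level
#    match the forest functional level? ADDomainMode and ADForestMode list the levels in
#    the same order (Windows 2000 < 2003 Interim < 2003 < ...), so their integer values compare.
$forestLevel = [int]$forest.ForestMode
foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Identity $name
    $gcs    = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $name)

    if ($gcs.Count -eq 0) {
        Write-Warning "$name has no Global Catalog server; the article wants at least one per domain."
    } else {
        Write-Host ("{0}: {1} Global Catalog server(s): {2}" -f $name, $gcs.Count, ($gcs.HostName -join ', '))
    }

    if ([int]$domain.DomainMode -lt $forestLevel) {
        Write-Warning ("{0} is at {1}, below forest level {2}: raise it before relying on the GC." -f
                       $name, $domain.DomainMode, $forest.ForestMode)
    } else {
        Write-Host ("{0}: domain level {1}, forest level {2}: OK" -f $name, $domain.DomainMode, $forest.ForestMode)
    }
}
```

Run it from an account that can read every domain in the forest; a warning from any of the three checks points at the corresponding fix in the article (restore the DNS record, add a GC, or raise the lagging domain's functional level).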