Active Directory uses the Lightweight Directory Access Protocol (LDAP) model to query and manage directory information. Objects in the directory can be located using an LDAP query.
Every object has a name relative to its location in the directory and a distinguished name that points to its exact location in relation to the root of the directory tree. The relative distinguished name (RDN) is the actual name of the object. The distinguished name (DN) is the complete object name as seen by Active Directory.
When you work your way down the tree, you add a naming component for each successive level. In Figure 33-2, the relative names of several objects are shown on the left and the distinguished names of those objects are shown on the right.
cohovineyards.com The cohovineyards.com domain object is near the top of the tree. In Active Directory, its relative distinguished name is DC=cohovineyards and its distinguished name is DC=cohovineyards,DC=com.
mf.Cohovineyards.com The mf.cohovineyards.com domain object is at the next level of the tree. In Active Directory, its relative name is DC=mf and its distinguished name includes the path to the previous level as well as its relative name. This means that the DN is DC=mf,DC=cohovineyards,DC=com.
Bottling.Mf.Cohovineyards.com The bottling.mf.cohovineyards.com domain object is below the mf.cohovineyards.com domain in the directory tree. In Active Directory, its relative distinguished name is DC=bottling and its distinguished name includes the path to all the previous levels as well as its relative name. This means the DN is DC=bottling,DC=mf,DC=cohovineyards,DC=com.
Being able to find objects in the directory efficiently regardless of their location in the directory tree is extremely important. If objects can't be easily located, users won't be able to find resources that are available and administrators won't be able to manage the available resources either. To make it easier to find resources, Active Directory uses specialpurpose domain controllers that function as global catalog servers.
A domain controller designated as a global catalog server contains an additional data store called the global catalog, as shown in Figure 33-3. The global catalog contains a partial, readonly replica of all the domains in the Active Directory forest. Although the catalog is a partial replica, it does contain a copy of every object in the directory, but only the base attributes of those objects. Queries to global catalog servers are made over TCP port 3268 for standard communications and TCP port 3269 for secure communications.
Global catalog data is replicated to global catalog servers using the normal Active Directory replication process. In an Active Directory forest with domains A, B, and C, this means that any domain controller designated as a global catalog server has a partial replica of all three domains. If a user in domain C searches for a resource located in domain A, the global catalog server in domain C can respond to the query using an attribute that has been replicated to the global catalog without needing to refer to another domain controller. Without a global catalog server, a domain controller in domain C would need to forward the query to a domain controller in another domain.
The first domain controller installed in a domain is automatically designated as a global catalog server. You can designate additional domain controllers to be global catalog servers as well. To do this, you use the Active Directory Sites And Services tool to set the Global Catalog Server option for the domain controller you want to be a global catalog server.
Start Active Directory Sites And Services by clicking Start, Programs or All Programs, Administrative Tools, and Active Directory Sites And Services. Expand the site you want to work with, such as Default-First-Site-Name, expand the related servers node, and then select the server you want to designate as a global catalog, as shown in the following screen:
In the right pane, right-click NTDS Settings, and then select Properties. This displays the NTDS Settings Properties dialog box, as shown in the following screen:
If you want the selected server to be a global catalog, select the Global Catalog option. If you want the selected server to stop being a global catalog, clear the Global Catalog option. When you designate a new global catalog server, the server will request a copy of the global catalog from an existing global catalog server in the domain. The amount of time it takes to replicate the global catalog depends on the size of the catalog and the network configuration.
The contents of the global catalog are determined by the attributes that are replicated for each object class. Common object classes you'll work with include the following:
Computer Represents a computer account in the domain or forest
Contact Represents a contact in the domain or forest
Domain Represents a domain
Group Represents a group account in the domain or forest
InetOrgPerson Represents a special type of user account, which typically has been migrated from another directory service
PrintQueue Represents a logical printer (print queue) in the domain or forest
Server Represents a server account in the domain or forest
Site Represents an Active Directory site
Subnet Represents an Active Directory subnet
User Represents a user account in the domain or forest
Schema administrators can configure additional attributes to be replicated by global catalog servers. The primary reason for replicating additional attributes is to add attributes for which users routinely search. You shouldn't add attributes for which users search infrequently. You should rarely, if ever, remove attributes that are being replicated.
If you are a member of the Schema Admins groups, you can manage the attributes that are replicated through the global catalog by using the Active Directory Schema snap-in for the Microsoft Management Console (MMC). When you start this snap-in, it makes a direct connection to the schema master for the forest.
The Active Directory Schema snap-in is not available by default. You must install the Administration Tools (Adminpak.msi) from the Microsoft Windows Server 2003 CD-ROM, or, if you are working with a server, you can simply double-click Adminpak.msi in the %SystemRoot%System32 folder.
Once you install the Administrative Tools, you can add the Active Directory Schema snap-in to a custom console by following these steps:
Open a blank MMC in Author mode. Click Start, select Run, type mmc in the Open field, and then click OK.
Choose Add/Remove Snap-In from the File menu in the main window. Choose Add, which displays the Add Standalone Snap-in dialog box shown in the screen on the following page.
Click Active Directory Schema, and then choose Add. The Active Directory Schema snap-in is added to the list of snap-ins in the Add/Remove Snap-In dialog box. Click Close, and then click OK.
After you add the snap-in to a custom console, you can edit the schema for the object whose attribute you want to replicate in the global catalog. In Active Directory Schema, expand the Active Directory Schema node, and then select the Attributes node. A list of the attributes for all objects in the directory appears in the right pane as shown in the following screen:
Double-click the attribute you want to replicate to the global catalog. In the attribute's Properties dialog box, mark the attribute to be replicated by selecting the Replicate This Attribute To The Global Catalog option as shown in the following screen. If you want the attribute to be indexed in the database for faster search and retrieval, select Index This Attribute In The Active Directory. Although indexing an attribute allows it to be found more quickly, each index you create slightly increases the size of the Active Directory database.
Troubleshooting: You cannot change an attribute even though you are a member of the Administrators group
As a member of the Administrators group, you can view Active Directory schema. To change schema, you must be a member of the Schema Admins group. The Active Directory Schema snap-in doesn't check to ensure that you are a member of the Schema Admins group until you try to change attribute settings. If you aren't a member of the group, it states that you have insufficient permissions.