AD DS: Each site in this forest should contain at least one global catalog server or have universal group membership caching enabled

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System: Windows Server 2008 R2, Windows Server 2012

Product/Feature: Active Directory Domain Services (AD DS)

Severity: Warning

Category: Configuration

Issue

This site does not contain a global catalog server and does not have universal group membership caching enabled.

Impact

When a user logs on to a domain, a global catalog server is contacted to determine the universal group memberships of the user. If universal group membership caching in this site is not enabled and if a global catalog server is not available in this site, the domain controller must contact a global catalog server in another site over a potentially slow or unreliable wide area network (WAN), which can result in user authentication failures.

In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. Only global catalog servers store the memberships of all universal groups in the forest. To avoid authentication failures, we recommend that each site that contains one or more domain controllers in your Active Directory forest contains at least one global catalog server.

If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site. In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow wide area network (WAN) connection can be problematic. A user may potentially be unable to log on to the domain if a global catalog server is not available.

You can enable Universal Group Membership Caching in sites that do not have global catalog servers. In this case, when a user authenticates against a domain controller in that site, the domain controller can avoid communication with a global catalog server and instead use the cached universal group memberships for the user. However, the first time that the user successfully authenticates against this domain controller, and on a regular basis thereafter, the cache must be populated or refreshed, which does require communication with a global catalog server. We generally recommend deploying a global catalog server rather than enabling universal group membership caching in your sites.

Resolution

Make sure that this site contains at least one global catalog server, or be sure to enable universal group membership caching in this site.

Use the following procedure to make a domain controller a global catalog server. When you designate a domain controller as a global catalog server, a partial, read-only replica of the directory partition of every other domain in the forest (in addition to the full, writable directory partition of the local domain) is replicated to the server to create the global catalog instance. For more information, see Planning Global Catalog Server Placement (https://go.microsoft.com/fwlink/?LinkID=142505).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To designate a domain controller to be a global catalog server

  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, expand the Sites container, and then expand the site in which you are designating a global catalog server.

  3. Expand the Servers container, and then expand the Server object for the domain controller that you want to designate as a global catalog server.

  4. Right-click the NTDS Settings object for the target server, and then click Properties.

  5. Select the Global Catalog check box, and then click OK.

You can use this procedure to enable Universal Group Membership Caching in a site.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To enable Universal Group Membership Caching in a site

  1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.

  3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.

  4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.

  5. In the Refresh cache from list, click the site that you want the domain controller to contact when the universal group membership cache must be refreshed, and then click OK.
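The following script is an added example, not part of this topic: it audits every site in the forest that holds a domain controller for the condition this BPA rule reports (no global catalog server and no universal group membership caching), and shows, as comments, the command-line equivalents of the two procedures above. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account can read the Configuration partition; the bit values 0x20 (NTDS Site Settings, caching enabled) and 0x1 (NTDS Settings, global catalog) are the documented flags of the options attribute.

```powershell
# Added example (not from the TechNet topic). Assumes the ActiveDirectory module.
# options bit 0x20 on "NTDS Site Settings" = universal group membership caching on.
Import-Module ActiveDirectory

$config  = (Get-ADRootDSE).configurationNamingContext
$UgmcBit = 0x20

# Collect DCs from every domain: Get-ADDomainController alone only sees the
# current domain, and this rule matters most in multidomain forests.
$allDcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}
$dcsBySite = $allDcs | Group-Object -Property Site -AsHashTable -AsString

foreach ($site in Get-ADReplicationSite -Filter *) {
    # A site with no domain controllers cannot raise this warning.
    if (-not $dcsBySite.ContainsKey($site.Name)) { continue }
    $dcs = @($dcsBySite[$site.Name])

    $siteSettingsDn = "CN=NTDS Site Settings,CN=$($site.Name),CN=Sites,$config"
    $siteSettings   = Get-ADObject -Identity $siteSettingsDn `
                          -Properties options, 'msDS-Preferred-GC-Site'
    $options = if ($null -ne $siteSettings.options) { [int]$siteSettings.options } else { 0 }

    $hasGc  = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count -gt 0
    $ugmcOn = ($options -band $UgmcBit) -ne 0

    [pscustomobject]@{
        Site              = $site.Name
        DomainControllers = $dcs.Count
        HasGlobalCatalog  = $hasGc
        UgmcEnabled       = $ugmcOn
        UgmcRefreshSite   = $siteSettings.'msDS-Preferred-GC-Site'
        # True reproduces the BPA warning: no GC in the site and no caching.
        BpaWarning        = -not ($hasGc -or $ugmcOn)
    }
}

# Command-line equivalents of the two GUI procedures above, for reference
# (apply deliberately, one server or site at a time; $ntdsSettingsDn, $opts and
# $refreshSiteDn are placeholders you fill in for the target):
#   Make a DC a global catalog (sets bit 0x1 on its NTDS Settings object):
#     Set-ADObject -Identity $ntdsSettingsDn -Replace @{ options = ($opts -bor 0x1) }
#   Enable caching for a site and choose the site it refreshes from:
#     Set-ADObject -Identity $siteSettingsDn `
#       -Replace @{ options = ($options -bor 0x20); 'msDS-Preferred-GC-Site' = $refreshSiteDn }
```

Rows with BpaWarning set to True are exactly the sites this rule flags; the UgmcRefreshSite column shows which site a cached site pulls memberships from, which should be one with a global catalog server and a reliable link.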

Additional references

For more information, see Administering the Global Catalog (https://go.microsoft.com/fwlink/?LinkID=93580).