Plan Global Catalog Servers
Applies To: Windows Server 2008
Read-only domain controllers (RODCs) do not introduce any significant new considerations for determining whether to make a branch domain controller a global catalog server. Global catalog placement generally requires planning unless you have a single-domain forest. In a single-domain forest, you can configure all domain controllers as global catalog servers without causing any additional replication or an increase in disk size or CPU usage.
However, only domain controllers that are designated as global catalog servers can respond to global catalog queries on the global catalog Lightweight Directory Access Protocol (LDAP) port 3268. Designating all domain controllers as global catalog servers eliminates server or network capacity planning concerns about which domain controllers can respond to global catalog queries by applications or other domain controllers.
In a multiple-domain forest, deciding whether a domain controller should be a global catalog server takes extra planning. As a general rule, it is best to make branch-office domain controllers (including branch-office RODCs) be global catalog servers so that authentication—and, generally, any global catalog query—can be performed by using just the RODC. This comes, however, at the price of replicating the partial attribute set for objects from every domain in the forest to the branch office, which may be expensive in terms of network and disk usage if some domains have large amounts of users, computers, or groups with a high rate of updates.
If you determine that you cannot make the branch-office domain controller a global catalog server, you should enable universal group caching in that site. With universal group membership enabled, a domain controller must connect to a global catalog server across a wide area network (WAN) link only for initial logons in the site. Thereafter, universal group membership can be checked from a local cache.
For more information about planning for Global Catalogs, see Planning Global Catalog Server Placement (http://go.microsoft.com/fwlink/?LinkID=142505).
If you are running Microsoft Exchange Server, locate your Exchange servers in hub sites and data centers with writeable domain controllers. Exchange Server does not use RODCs. This means that if an RODC and a computer running Exchange Server are running in the same site, the computer running Exchange Server disregards the RODC and attempts to contact a writeable domain controller.
Enabling universal group membership caching
For locations that have the following characteristics, you can deploy domain controllers running Windows Server 2008 and enable universal group membership caching:
Locations that cannot replicate the global catalog, for example, as a result of limited bandwidth
Locations that include less than 100 users
Locations that do not include a large number of roaming users or applications that require a global catalog server
Ensure that the global catalog servers are not more than one replication hop from the domain controller that is in a site for which universal group membership caching is enabled so that universal group information in the cache can be refreshed.
If you are deploying an RODC in a site, universal group membership caching is not enabled by default. Either add the global catalog server option to the RODC or enable universal group membership caching for that site.
For best results, add the global catalog server option to the RODC because the cache lifetimes and refresh logic for universal group membership caching are not integrated with RODC credential caches, which can lead to some unexpected results. For example, suppose that the password changes for an account whose password is allowed to be cached on the RODC. The password is nulled out when it replicates in to the RODC. (That is, the link between the password attribute value and its memory address is removed; the password itself is unchanged and remains stored in memory.) The user logs on, and the password cache on the RODC is refreshed with the new password. However, the group membership cache for the same account is not refreshed at the same time.
Adding the global catalog partitions to what the RODC replicates from the hub increases the amount of information that has to be replicated over the wide area network (WAN). This requires more bandwidth for replication than universal group membership caching does. But unless bandwidth is restricted, adding the global catalog to the RODC provides a better overall experience for users in the branch office beyond logging on. This is because a global catalog provides all objects from the forest, which in turn can enable wider application compatibility in situations in which WAN availability to another global catalog server does not exist.