GC clarification (70-217 forum thread, May 2002)

| emtek 2002-05-20, 10:00 pm |
| Hey y'all... got a question about global catalogs that I need some insight on. Ran across a question dealing with GCs. One point the answer explanation made was that "A global catalog server is required for user authentication with only two exceptions..."
The exceptions were for admin logins so they could repair the GC server if it went down. The other one was if a domain user had previously logged into the domain; they would then be using cached credentials.
After I read this, I went through all the study material I had and could not find anywhere that stated the GC is used for authentication, let alone required. I thought the GC held a partial copy of all objects in AD for the forest and that was all it did. Can anyone shed some light on this?
Thanks | |
| secondskin 2002-05-21, 12:34 am |
| Where do you think information regarding Universal groups is stored? | |
| Slinky 2002-05-21, 6:41 pm |
| quote: Originally posted by secondskin
Where do you think information regarding Universal groups is stored?
He didn't know. That's why he asked the question. You made it sound like "Duh! Where do you think all this is stored, dummy?" Anyway, in native mode you have what's called universal groups. These kinds of groups can contain user accounts, computer accounts, global groups, and universal groups from any domain in the forest. A global catalog server is a central repository for all universal group membership. This way membership is not stored on every domain controller. If there is only one domain controller in a domain then it is also a global catalog server. If the global catalog is not available when a user initiates a logon, the user can only log on to the local computer. However, if the user is a member of the Domain Admins group, then he or she is able to log on to the domain without the global catalog being available.
You are correct in the statement that it does hold a partial replica of every object in the forest. Hope this helps you out more. | |
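The dependencies Slinky describes (GC availability, universal group membership, cached logons) are the things an administrator would want to inventory. This PowerShell script is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module on a domain-joined machine.

```powershell
# Added example: inventory the Global Catalog dependency of domain logons.
# Assumes the RSAT ActiveDirectory module is installed and the machine is domain-joined.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
"Forest: $($forest.Name)   Domain mode: $($domain.DomainMode)"

# Which domain controllers hold a GC replica? With a single GC, every logon that
# needs universal group membership depends on that one server being reachable.
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog
$dcs | Format-Table -AutoSize
$gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
if ($gcs.Count -lt 2) {
    Write-Warning "Only $($gcs.Count) Global Catalog server(s) in this domain."
}

# Universal groups: the membership that is resolved from the GC at logon and
# added to the user's access token.
$universal = Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Properties Members
foreach ($g in $universal) {
    "{0}: {1} direct member(s)" -f $g.Name, @($g.Members).Count
}

# Cached-logon fallback mentioned in the thread: how many previous interactive
# logons this machine will honour while no domain controller is reachable.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
    -ErrorAction SilentlyContinue).CachedLogonsCount
"CachedLogonsCount on $env:COMPUTERNAME = $cached"
```

Run it from an account with read access to the directory; the registry read is local only and reports the machine the script runs on.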
| Thanks for the info... and you're right, I didn't know...
But to throw another question/scenario out. OK, so a GC holds membership lists for universal groups. From what I know of GCs though, it doesn't contain membership lists for either global or domain local groups. It only holds information on the group itself such as name/location/etc. I can see where this would be required for authentication, especially when the access token is created. However, is this still the case in a single-domain, mixed-mode domain? Mixed-mode domains do not support universal groups (minus distro lists). So, it would seem that that specific function of a GC would be nullified.
Furthermore, again, if my understanding is correct, a GC is contacted by a user when information is needed in a multiple-domain or forest configuration. This information could be what shares are available on the xyz.com domain or which groups my account belongs to. However, if you only run one domain, could you not remove the GC and have the domain controller authenticating the user check through AD for group membership or any other info needed for the access token?
I'm figuring that the answer is still no, but wanted to throw it out and see what you all have to say on it (those that do reply, at least). Also, thx for standing up for me Slinky, but secondskin's response actually got me going on the right track. | |
| Slinky 2002-05-21, 9:32 pm |
| A little clarification though. For Windows 2000 in native mode a Global Catalog IS required for the logon process. Like you stated before, when a user authenticates, the requesting client consults the Global Catalog for universal group membership and adds them to the access token. Once again, this is only in native mode. As far as what would happen if you took away the Global Catalog in a single domain environment, I can't answer that intelligently. I've looked and looked and can't seem to find it. | |
| secondskin 2002-05-22, 1:26 am |
| Hmmm,
I wasn't trying to make out that he was as thick as two short planks; I was merely trying to point out that universal groups might be the key to his search.
As for users not being able to log on without a GC, that is partially true: if the user has already logged on previously then it will use cached logons to gain access.
If it hasn't logged on before then you can only log on locally.
In a single domain network, a global catalog server is not needed for the login process because every domain controller contains info that is needed to authenticate the user.
That bit above was taken straight out of one of the MOCs. | |
| zebra1057 2002-05-22, 7:34 am |
| The way I understand it, the global catalog is a directory of resources for the forest, nothing more. If you want to enter a domain, you have to authenticate via a domain controller.
Thus, the global catalog has nothing to do with authentication.
Kindly correct me if I'm wrong.
roland | |
| Slinky 2002-05-22, 8:45 am |
| quote: Originally posted by zebra1057
Thus, the global catalog has nothing to do with authentication.
Kindly correct me if I'm wrong.
roland
Read my above posts. | |