Posts Tagged domain controller

Active Directory 2008 Notes 2

Preparing Active Directory for Server 2008 DCs


Note:  These steps should be completed before promoting or upgrading an existing domain controller.

  • Run adprep /forestprep on the schema master of the forest.  This extends the schema to receive new 2008 features.  The changes must replicate through the forest before proceeding.
    You must be a member of the Enterprise Admins, Schema Admins, and Domain Admins groups in the forest root domain.
    Any Windows 2000 DCs must be upgraded to SP2 or later, or SP1 with hotfix QFE265089.
  • Run adprep /domainprep on the infrastructure master of each domain that will be accepting Server 2008 DCs.
    It adjusts ACLs on AD objects and on the SYSVOL shared folder.
    You must be a member of Domain Admins, and the domain’s functional level must be Windows 2000 Server native or higher.
    adprep /domainprep /gpprep can also be run to enable Resultant Set of Policy planning mode functionality.

Originally posted 2009-06-29 00:32:06.


Active Directory 2008 Notes 3: The Global Catalog

Global Catalog Servers

  • Validates group membership.
  • Enables forest-wide search for resources or AD objects.
  • Validates UPNs across the entire forest, allowing logon to other domains.

Promoting a domain controller to a global catalog server

  • The first domain controller in each domain is automatically set up to be a GC server.  Every DC that gets added to an already-existing domain has the option of also serving as a GC.  This may be desirable, for example, if one domain is divided into two sites or physical locations.
  1. On the DC, open Active Directory Sites and Services.
  2. Expand Sites, Servers, and the entry for the domain controller which will be designated a global catalog.
  3. Right-click NTDS Settings and choose Properties.
  4. In the General tab, check the Global Catalog option.  Press OK or Apply.
  5. That’s it!  Apply the steps in reverse order to demote a DC from GC duty.


UGMC (Universal group membership caching)

  • If UGMC is enabled, users’ universal group information is cached when the user logs on to the domain for the first time.  This allows future requests to be serviced quickly, without the need to contact the GC.
  • This also allows a lower-spec RODC or DC to be on-site with a high end DC GC server elsewhere.

Enabling it

  1. Open up AD Sites and Services.
  2. Select the site which needs UGMC caching.
  3. Right-click NTDS Site Settings and choose Properties.
  4. Select Universal Group Membership Caching.
  5. Specific sites can be used for replication.  Use the drop-down selector if necessary.
  6. Click OK.

When it’s necessary – or How do I decide between additional GCs and UGMC?

  • In a single-domain forest, neither GC servers nor UGMC provide any benefit.
  • If users complain that logons are slow but resource access is not, go with UGMC.
  • If users complain that logons are slow and resource access across a link (WAN) is slow, go with GC.
  • Having additional GC servers and UGMC is not beneficial at the same site.
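
A read-only audit of the GC/UGMC placement rules above, added here as an example and not part of the original post. It assumes the ActiveDirectory PowerShell module is available; the variable names and finding strings are illustrative, and the bit values are the `options` flags on the NTDS Site Settings and NTDS Settings objects.

```powershell
# Added example (read-only). Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$UgmcBit = 0x20  # options bit on "NTDS Site Settings": group caching enabled
$GcBit   = 0x1   # options bit on a server's "NTDS Settings": DC is a GC

$configNC    = (Get-ADRootDSE).configurationNamingContext
$multiDomain = @((Get-ADForest).Domains).Count -gt 1

$sites = Get-ADObject -SearchBase "CN=Sites,$configNC" -SearchScope OneLevel `
    -LDAPFilter '(objectClass=site)'

$report = foreach ($site in $sites) {
    # Site-level object holding the UGMC flag and the optional refresh site
    $settings = Get-ADObject -SearchBase $site.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSSiteSettings)' `
        -Properties options, 'msDS-Preferred-GC-Site'

    # One nTDSDSA object per DC in the site (RODCs match through the subclass)
    $dsas = @(Get-ADObject -SearchBase $site.DistinguishedName -SearchScope Subtree `
        -LDAPFilter '(objectClass=nTDSDSA)' -Properties options)

    $ugmc    = ([int]$settings.options -band $UgmcBit) -ne 0
    $gcCount = @($dsas | Where-Object { ([int]$_.options -band $GcBit) -ne 0 }).Count

    # Findings follow the decision rules listed in the post
    $finding = if (-not $multiDomain) {
        'Single-domain forest: neither setting helps'
    } elseif ($dsas.Count -eq 0) {
        'No DC in site'
    } elseif ($ugmc -and $gcCount -gt 0) {
        'Both enabled: UGMC is redundant at this site'
    } elseif (-not $ugmc -and $gcCount -eq 0) {
        'Neither: logons depend on a GC in another site'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Site        = $site.Name
        DCs         = $dsas.Count
        GCs         = $gcCount
        UGMC        = $ugmc
        RefreshFrom = $settings.'msDS-Preferred-GC-Site'
        Finding     = $finding
    }
}

$report | Sort-Object Site | Format-Table -AutoSize
```

Running it before and after a change in AD Sites and Services confirms that the checkbox actually replicated to the configuration partition.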

Originally posted 2009-06-30 09:00:48.
