How to disable the requirement that a global catalog server be available to validate user logons

Article ID: 241789 - View products that this article applies to.
This article was previously published under Q241789

SUMMARY

Placing Global Catalog servers in remote sites is usually desirable: it improves user logon time, searches, and other actions that require communication with a Global Catalog server, and it reduces wide area network (WAN) traffic. However, to reduce administrative intervention, hardware requirements, and related overhead, in some situations you may not want to locate a Global Catalog server at a remote site. This essentially duplicates the role of the backup domain controller (BDC) in the Microsoft Windows NT 4.0 environment. It is especially relevant in environments with a large number of sites, where the size of each site may not justify the hardware and administration cost. The problem is that a logon requires the domain controller that authenticates the user to contact a Global Catalog server to determine whether the user is a member of any universal groups. If the remote office does not have a Global Catalog server and one cannot be contacted (for various reasons), the user's logon request may fail.

Windows 2003 offers an alternative to the setting below known as universal group caching. When this is enabled for a site, users who log on while a Global Catalog server is online can continue to do so if the Global Catalog server is offline at the next logon.

For more information on universal group caching, read the Global Catalog Processes and Interactions section at the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/440E44AB-EA05-4BD8-A68C-12CF8FB1AF501033.mspx

MORE INFORMATION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To eliminate the need for a Global Catalog server at a site and avoid potential denial of user logon requests, use the following steps to enable logons when a Global Catalog server is not available.

For Windows 2000

  1. Start Registry Editor (Regedt32.exe).
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. On the Edit menu, click Add Key, and then add the following registry key:
    Key name:
    IgnoreGCFailures
    Note Windows 2000 provides this key for diagnostic purposes. There is no specific value to specify for this key. Only the presence or the absence of this key is tested.
  4. Quit Registry Editor.
  5. Restart the domain controller.

For Windows 2003

  1. Start Registry Editor (Regedit.exe).
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. On the Edit menu, click New, click DWORD Value, and then add the following registry value:
    Value name:
    IgnoreGCFailures
    Value data: 1
  4. Quit Registry Editor.
  5. Restart the domain controller.

This setting needs to be set on the domain controller that performs the initial authentication of the user.

Note This setting causes potential security vulnerabilities if universal groups are also used.

Important If this setting is enabled, universal groups should not be used. The key turns off enumeration of universal groups, so a universal group's SID is not added to the user's access token. If a user is a member of a universal group that is denied access to a resource, the deny entry no longer applies to that user, and the user could gain access to the resource.
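The following audit script is an added example, not part of this article: it reports which domain controllers carry the IgnoreGCFailures override (the Windows 2000 subkey form or the Windows Server 2003 DWORD form) and flags the combination the note above warns about, an active override while universal groups exist. It assumes the ActiveDirectory PowerShell module on the machine running it, the Remote Registry service reachable on each domain controller, and an account allowed to read HKLM remotely.

```powershell
# Added audit script (not from KB 241789). Flags domain controllers where the
# IgnoreGCFailures override is active while universal groups exist in the domain.
Import-Module ActiveDirectory

$lsaPath = 'SYSTEM\CurrentControlSet\Control\Lsa'

function Get-IgnoreGCFailuresState {
    param([string]$ComputerName)
    # Remote Registry read of HKLM on the domain controller (assumed reachable).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $lsa = $hklm.OpenSubKey($lsaPath)
        if (-not $lsa) { return 'Lsa key not readable' }
        # Windows 2000 form: only the presence of a subkey named IgnoreGCFailures is tested.
        $subKey = $lsa.OpenSubKey('IgnoreGCFailures')
        if ($subKey) { $subKey.Close(); return 'Enabled (subkey present)' }
        # Windows Server 2003 form: a DWORD value named IgnoreGCFailures with data 1.
        $value = $lsa.GetValue('IgnoreGCFailures')
        if ($value -eq 1) { return 'Enabled (DWORD = 1)' }
        if ($null -ne $value) { return "Present but not 1 (DWORD = $value)" }
        return 'Not set'
    } finally {
        $hklm.Close()
    }
}

# Universal groups are what make the override risky: their SIDs are omitted from
# the token when a Global Catalog cannot be reached and the override is active.
$universalGroups = @(Get-ADGroup -Filter 'GroupScope -eq "Universal"')

foreach ($dc in Get-ADDomainController -Filter *) {
    $state = Get-IgnoreGCFailuresState -ComputerName $dc.HostName
    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        IsGlobalCatalog  = $dc.IsGlobalCatalog
        IgnoreGCFailures = $state
        UniversalGroups  = $universalGroups.Count
        RiskNote         = $(if ($state -like 'Enabled*' -and $universalGroups.Count -gt 0) {
                               'Override active while universal groups exist: deny entries on universal groups may not apply'
                           } else { '' })
    }
}
```

Run it from a management host with the RSAT AD module; domain controllers that report an enabled override together with a non-zero universal group count are the ones to review.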

Properties

Article ID: 241789 - Last Review: March 1, 2007 - Revision: 5.4
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Keywords: 
kbinfo KB241789