Microsoft KB Archive/241789

= How to disable the requirement that a global catalog server be available to validate user logons =

Article ID: 241789

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

-



This article was previously published under Q241789



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
Placement of Global Catalog servers in remote sites is usually desired to improve the performance of user logons, searches, and other actions that require communication with a Global Catalog server, and to reduce wide area network (WAN) traffic. However, to reduce administrative intervention, hardware requirements, and related overhead, in some situations you may not want to locate a Global Catalog server at a remote site, essentially duplicating the role of the backup domain controller (BDC) in the Microsoft Windows NT 4.0 environment. This is especially relevant in environments that have a large number of sites, where the size of each site may not justify the additional hardware and administration. The problem, as noted earlier in this article, is that a logon requires the domain controller that authenticates the user to contact a Global Catalog server to determine whether the user is a member of any universal groups. So if the remote office does not have a Global Catalog server and a Global Catalog server cannot be contacted (for various reasons), the user's logon request may not work (based on the rules stated earlier).

Windows 2003 offers an alternative to the setting described below, known as universal group caching. When universal group caching is enabled for a site, users who have logged on while a Global Catalog server was online can continue to log on if the Global Catalog server is offline at their next logon.

For more information on universal group caching, read the Global Catalog Processes and Interactions section at the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/440E44AB-EA05-4BD8-A68C-12CF8FB1AF501033.mspx



MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To eliminate the need for a Global Catalog server at a site and avoid potential denial of user logon requests, use the following steps to enable logons when a Global Catalog server is not available.

For Windows 2000
 1. Start Registry Editor (Regedt32.exe).
 2. Locate and then click the following key in the registry:

 3. On the Edit menu, click Add Key, and then add the following registry key:

    Key name:

    Note Windows 2000 provides this key for diagnostic purposes. There is no specific value to specify for this key. Only the presence or the absence of this key is tested.
 4. Quit Registry Editor.
 5. Restart the domain controller.

For Windows 2003
 1. Start Registry Editor (Regedit.exe).
 2. Locate and then click the following key in the registry:

 3. On the Edit menu, click New, click DWORD Value, and then add the following registry value:

    Key name:

    Value: 1

 4. Quit Registry Editor.
 5. Restart the domain controller.

This setting needs to be set on the domain controller that performs the initial authentication of the user.

Note This setting causes potential security vulnerabilities if universal groups are also used.

Important If this setting is enabled, universal groups should not be used. The key turns off enumeration of universal groups, so a universal group's SID is not added to the user's token. If a user is a member of a universal group that is denied access to a resource, that deny is never evaluated and the user could have access to the resource.
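The following PowerShell script is an added audit example, not part of this Knowledge Base article, for checking which domain controllers carry the setting and whether the universal-group caveat above applies to them. It assumes the ActiveDirectory module and WinRM access to each domain controller. The registry key path and the key/value name are placeholders, because this copy of the article does not reproduce them; substitute the values the article specifies (on Windows 2000 the article adds a subkey, on Windows Server 2003 a DWORD value, so the probe tests for both forms under the same name).

```powershell
<#
  Added audit example; not part of KB 241789.
  Assumes: ActiveDirectory module, WinRM (Invoke-Command) access to every DC.
  $RegPath and $ValueName are PLACEHOLDERS for the key path and key/value name
  given in the article, which this copy of the page omits.
#>
param(
    [string]$RegPath   = 'HKLM:\PLACEHOLDER_KEY_PATH_FROM_KB241789',
    [string]$ValueName = 'PLACEHOLDER_NAME_FROM_KB241789',
    [string[]]$DomainControllers = (Get-ADDomainController -Filter * |
                                    Select-Object -ExpandProperty HostName)
)

# Universal groups that actually carry members. While the setting is active, their
# SIDs are missing from user tokens, so a deny ACE on such a group is never applied.
$universalGroups = Get-ADGroup -Filter { GroupScope -eq 'Universal' } -Properties Members |
    Where-Object { $_.Members.Count -gt 0 }

# Probe run on each DC: Windows 2000 tests only for the presence of a subkey,
# Windows Server 2003 tests a DWORD value, so both forms are checked.
$probe = {
    param($path, $name)
    $subKey = Join-Path $path $name
    if (Test-Path $subKey) { return 'present (subkey)' }
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return "present (value = $($item.$name))" }
    return 'absent'
}

$report = foreach ($dc in $DomainControllers) {
    try {
        $state = Invoke-Command -ComputerName $dc -ScriptBlock $probe `
                                -ArgumentList $RegPath, $ValueName -ErrorAction Stop
    } catch {
        $state = "unreachable: $($_.Exception.Message)"
    }

    # Only DCs that have the setting put the universal-group caveat in play;
    # the DC that performs the user's initial authentication is the one that matters.
    $settingActive = $state -like 'present*'
    if ($settingActive -and $universalGroups.Count -gt 0) {
        $risk = "HIGH: $($universalGroups.Count) populated universal group(s) exist"
    } elseif ($settingActive) {
        $risk = 'review: setting active, no populated universal groups'
    } else {
        $risk = 'none'
    }

    [pscustomobject]@{
        DomainController = $dc
        GCBypassSetting  = $state
        Risk             = $risk
    }
}

$report | Format-Table -AutoSize
if ($universalGroups) {
    'Populated universal groups: ' +
        (($universalGroups | Select-Object -ExpandProperty Name) -join ', ')
}
```

Run it from an administrative workstation that can reach the domain controllers. A domain controller reported as present together with populated universal groups is exactly the combination the Important note describes; a DC reported as unreachable should be checked by hand rather than assumed clean.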

Additional query words: GC native

Keywords: kbinfo KB241789

-


© Microsoft Corporation. All rights reserved.