DC process user logons?

I've been under the impression that if a user logs on to a PC in the domain where it's user account resides, the DC can authenticate the user. After reading MSPress though, it seems that DC always query global catalogs for for user logons? This makes no sense seeing that a standard DC holds a replica of the database for the domain which it resides, why would it need to query a GC?

Find more posts tagged with

Comments

sprkymrk

Just off the top of my head, I belive it is to check for membership in Universal groups. You can alleviate this by using the Universal Group Caching feature.

Another Microsoft guru can correct me or elaborate if I am mistaken. It's Saturday and I don't feel like searching Technet right now.

royal

The user will automatically be authenticated if you are in mixed mode. This is due to the fact Universal security groups aren't used. Once you go to native mode, a DC will contact a Global Catalog to get universal group membership. This can be disabled in the registry so even in native mode, you can set the DC to not bother getting universal group membership information from a global catalog.

How to disable requirement to contact global catalog:
http://support.microsoft.com/kb/241789

royal

sprkymrk wrote:

Just off the top of my head, I belive it is to check for membership in Universal groups. You can alleviate this by using the Universal Group Caching feature.

As Mark stated, you can use UGMC so you don't have to have a local Global Catalog to authenticate requests and waste bandwidth on Global Catalog traffic. UGMC will update its cache every 8 hours (not sure if this can be changed in registry but I'd hope so). It's a pretty nice feature. Fortunately, Microsoft created a flowchart for us to help us determine if we should use a local Global Catalog or UGMC. You can see that flowchart here

cashew

Makes sense. Correct me if I'm wrong, but aren't universal groups enabled in mixed mode for distribution groups? I guess since they are not security objects this means every DC in a domain stores the information on universal distribution groups?

royal

Yes, you can use Universal Distribution Groups in mixed mode. But you don't use distribution groups to grant a user access to an object's ACL. You need to use Universal Security Groups to grant user's access to objects through their ACL. This is the reason why a DC will even contact a GC for universal security group information. So it can build up a user's token so that user has the restrictions in place which will either allow or deny them to access objects in the forest.

cashew

Gotcha. So each time a user is authenticated it receives a new token. This explains why when you add a user to a group that is logged on, its membership is not effected until the next logon. The user queries a DC on port 389, the DC queries a GC on 3268 and gets the membership of the user throughout the forest. By the way, MS flow charts rule!

royal

Precisely!