[gptalk] Re: Temporarily running without a GC ...how to prepare for it.

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 21 Sep 2006 14:58:54 -0700

Universal group caching helps out with logons in remote sites that do not
have a GC local.

Your Exchange server does also require a GC and if there is no GC in the AD
site that Exchange is located in- you will have many issues.

For your users with O2k3 in Cached mode- If they do not have a local GC- the
Exchange server will prompt them for logon and validate that against the DC
Exchange is using (check Exchange System Manager- server properties-
directory access tab). If the Exchange server does not have a DC in the local
AD site for the particular domain your user's AD account is located in- it
will do a DNS lookup for a DC in the particular domain and pass the
authentication check to that DC.

So in short- as long as the DCs and GCs are functioning in the same AD
site as the E2k3 server the worst thing that will happen to your Outlook 2003
cached users is that they may be prompted for user ID and password. This of
course assumes that DNS resolution and probably DHCP is still functional.

Please remember that if there is no local DC- the client will attempt to
connect to a remote DC if the DNS server that this client is using is still

Most O2k3 cached mode operations involve the local machine and the Exchange
server- If for some reason your user wished to browse the address book and
he/she chooses an address book other than the GAL or the Outlook Address
Book, then the request will go to the GC that Exchange server has in its
directory access list.

Now on a separate note- The GP setting that you are referencing (cached
logon) I think is misleading- unless I have it mixed up. I believe that
setting is used to set the number of different users that are allowed to
log on to that particular machine using cached credentials if there is no
available DC to authenticate them. This has nothing to do with the registry
setting for the universal group caching.

I would be hesitant to add that key if your organization uses any Universal
Security groups (which may be used for resource access to Exchange Public
folders, etc.).

Hope that is helpful and makes sense.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Mills, Mark
Sent: Thursday, September 21, 2006 2:39 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Temporarily running without a GC ...how to prepare for it.

Just curious, I just read the following article:


How to disable the requirement that a global catalog server be available to
validate user logons

http://support.microsoft.com/kb/241789

I've been told this method is called
running with Universal Group caching and works best with sites of less than
100 users.


Does this mean that if for some reason your GC goes down (or maybe just the
link to them) your users can continue to work as normal, providing that
their Outlook is in "Exchange Cached Mode" or do you still need to make sure
that the Group Policy for cached logons is greater than the default "10" in
a pc's local security policy? 

That default "10" cached logon is found at Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options
-> Interactive Logons

So if I had to run without a GC (temporarily) and users were using Universal
Group Caching , and the users had their Outlook set to run in "Exchange
Cache Mode"  would the downed GC have any effect on them? 


I'm always trying to stay abreast of what I would do if the unthinkable
happens.  I have multiple GC's in each site so this should never be a
problem - however if it did happen, I would like to know what to do to keep
the users up and running (without down time) while I would be repairing the
GC's (or link to them) 


Mark Mills 
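
Added example (not part of either message above): a read-only PowerShell check, run on a domain-joined machine, that reports the three things this thread discusses: whether the computer's AD site has a GC, the machine's cached-logon count, and whether the KB 241789 key is present. The function name is hypothetical; the registry locations (CachedLogonsCount under Winlogon, an IgnoreGCFailures key under Lsa) are stated from Microsoft's documentation, not from the thread.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Get-GcLogonReadiness {   # hypothetical name, added example
    $r = [ordered]@{
        Site = $null; DomainControllers = @(); GlobalCatalogs = @()
        CachedLogonsCount = $null; IgnoreGCFailuresKey = $false; Notes = @()
    }
    try {
        # AD site of this computer and the directory servers registered in it
        $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
        $r.Site = $site.Name
        foreach ($server in $site.Servers) {
            $r.DomainControllers += $server.Name
            try {
                $isDc = $server -is [System.DirectoryServices.ActiveDirectory.DomainController]
                if ($isDc -and $server.IsGlobalCatalog()) { $r.GlobalCatalogs += $server.Name }
            } catch {
                # An unreachable DC is itself a finding, so record it and continue
                $r.Notes += "Could not query $($server.Name): $($_.Exception.Message)"
            }
        }
        if ($r.GlobalCatalogs.Count -eq 0) {
            $r.Notes += 'No GC in the local site: lookups depend on remote GCs and on DNS.'
        }
    } catch {
        $r.Notes += "Site lookup failed: $($_.Exception.Message)"
    }

    # Per-machine cached interactive logons (REG_SZ, default "10")
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $prop = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($prop) { $r.CachedLogonsCount = [int]$prop.CachedLogonsCount }

    # KB 241789 key, checked on DCs; assumed to be a key (not a value) under Lsa
    $r.IgnoreGCFailuresKey = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\IgnoreGCFailures'
    if ($r.IgnoreGCFailuresKey) {
        $r.Notes += 'IgnoreGCFailures is set: review any use of universal security groups in ACLs.'
    }
    [pscustomobject]$r
}

Get-GcLogonReadiness | Format-List
```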

