Saturday, June 7, 2008

Windows Server 2008 Active Directory – Shared Folders and Printers / Contacts / Global Catalog

Shared Folders and Printers

The concept of shared folders and printers within AD DS merely relates to a "pointer" residing within the directory, guiding users to the real location on a physical filesystem of a server for a particular shared directory, or the location of a print share on a print server. This process is known as publishing a share (or publishing a printer).

The point of publishing shares and printers in AD DS is to make them available for searching, either through AD DS Users and Computers for administrators or through Start → Search or Start → Find for client users. You can search for shared folder or printer names containing target keywords, and their locations will be populated within the results box.


Contacts

Contacts are simply objects in the directory that represent people and contain attributes with indicators as to how to contact them. Contacts neither represent users of any directory, nor convey any privileges to log on to the network or use any network or domain resources.

The point of the contacts object is to create within AD DS a phonebook of sorts, with names of vital business contacts that reside outside your organization—partners, customers, vendors, and the like. Because AD DS as a directory can be queried by the LDAP protocol, which most groupware applications support, the contents of contacts objects likely can be accessed directly within that application.

Global Catalog

The global catalog, in an AD DS environment, acts as a sort of subset directory that is passed among all domains in a particular forest. Consider that AD DS gives you the ability to connect to any computer in your particular AD DS tree. If you have a small organization, this isn't much of a problem, but in a large organization with many domains, can you imagine the performance lag while AD DS tries to (a) find the correct domain where your account resides, then (b) communicate with it, and finally (c) log you in? You would be waiting for a significant amount of time for all the pieces of the puzzle to come together in a complex AD DS implementation.

For that reason, AD DS constructs a subset of all the domains in a forest and puts it into what's called the global catalog (GC). The GC contains a list of all domains in the forest and a list of all the objects in those domains, but only a subset of the attributes for each object. This is a fairly small bit of information compared to the rest of the directory, and because of its reduced size, it is easy to pass on to given domain controllers in the forest. As a result, when a user connects to a computer in any given domain in a forest, the nearest domain controller checks the username against the GC and instantly finds the correct "home" domain for a user and the authentication process can begin. Think of the GC, therefore, as an index of your directory, much like the index of this book helps you to see which pages cover a topic in which you're interested.

The GC also contains the name of each global group for every domain in the forest, and it contains the name and the complete membership list of every universal group in the forest (recall that universal groups can contain users and other groups from any domain in the forest). So, limit your use of universal groups, lest you decrease the performance of your users' logins.
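To see how much universal group membership the GC is carrying, the following read-only PowerShell audit (an added example, not from the book or this post) asks a global catalog server for every universal group in the forest and counts the members it holds for each. It assumes a domain-joined host that can reach a GC in the current forest; the report column names are illustrative.

```powershell
# Added example: list universal groups forest-wide with the member count held in the GC.
# Assumption: run as a domain user on a domain-joined machine; nothing is modified.
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gc       = $forest.FindGlobalCatalog()
$searcher = $gc.GetDirectorySearcher()   # bound to GC://, so the scope is the whole forest

# groupType bit 0x8 marks a universal group; the OID is the LDAP bitwise-AND matching rule.
$searcher.Filter   = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8))'
$searcher.PageSize = 1000                # page through results instead of stopping at the server limit
foreach ($p in 'name', 'distinguishedname', 'member') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$results = $searcher.FindAll()
$report = foreach ($r in $results) {
    $count   = $r.Properties['member'].Count
    $partial = $false

    # Very large groups are returned as 'member;range=0-N' rather than 'member'.
    # In that case only the first range is counted and the row is flagged.
    $ranged = @($r.Properties.PropertyNames | Where-Object { $_ -like 'member;range=*' })
    if ($ranged.Count -gt 0) {
        $count   = $r.Properties[$ranged[0]].Count
        $partial = $true
    }

    New-Object PSObject -Property @{
        Name              = [string]$r.Properties['name'][0]
        MembersInGC       = $count
        CountIsPartial    = $partial
        DistinguishedName = [string]$r.Properties['distinguishedname'][0]
    }
}
$results.Dispose()

# Largest groups first: these are the ones worth reviewing.
$report | Sort-Object MembersInGC -Descending |
    Format-Table Name, MembersInGC, CountIsPartial, DistinguishedName -AutoSize
```

A row with `CountIsPartial` set means the group has more members than the directory returns in one attribute range, so the real total is higher than the number shown.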

Source of Information: O'Reilly Windows Server 2008: The Definitive Guide
