3.23. Disabling the Global Catalog Requirement During a Windows 2000 Domain Login

Problem

You want to disable the requirement for a global catalog server to be reachable when a user logs into a Windows 2000 domain.

Solution

Using a graphical user interface

  1. Open the Registry Editor (regedit).

  2. In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Control.

  3. Right-click on LSA and select New → Key.

  4. Enter IgnoreGCFailures for the key name and press Enter.

  5. Restart the server.

Using a command-line interface

> reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA\IgnoreGCFailures /ve
> shutdown /r

Using VBScript

' This code enables the IgnoreGCFailures registry setting and reboots
strLSA = "HKLM\SYSTEM\CurrentControlSet\Control\LSA\IgnoreGCFailures\"
Set objWSHShell = WScript.CreateObject("WScript.Shell")
objWSHShell.RegWrite strLSA, ""
WScript.Echo "Successfully created key"
WScript.Echo "Rebooting server . . . "
objWSHShell.Run "rundll32 shell32.dll,SHExitWindowsEx 2"
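
Because the key changes how logins are processed on every domain controller where it exists, it helps to be able to confirm where it is set. The following is an added example, not code from the book: it uses the WMI StdRegProv provider to check each listed server for the IgnoreGCFailures subkey. The server names in arrDCs are placeholders, and the function name CheckIgnoreGC is chosen here for illustration.

```vbscript
' Added example: report which domain controllers have IgnoreGCFailures set.
' The server names in arrDCs are placeholders (assumption); use your own.
Option Explicit
Const HKLM = &H80000002
Const LSA_PATH = "SYSTEM\CurrentControlSet\Control\LSA"
Const KEY_NAME = "IgnoreGCFailures"

Dim arrDCs, strDC
arrDCs = Array("dc1.example.com", "dc2.example.com")

For Each strDC In arrDCs
    WScript.Echo strDC & ": " & CheckIgnoreGC(strDC)
Next

' Returns "SET", "NOT SET", or an error description for one server.
Function CheckIgnoreGC(strComputer)
    Dim objReg, arrSubKeys, strSubKey, intRC

    ' Connect to the remote registry provider; trap connection failures
    On Error Resume Next
    Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                           strComputer & "\root\default:StdRegProv")
    If Err.Number <> 0 Then
        CheckIgnoreGC = "ERROR connecting (0x" & Hex(Err.Number) & ")"
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0

    ' Enumerate the subkeys of LSA; a nonzero return code means failure
    intRC = objReg.EnumKey(HKLM, LSA_PATH, arrSubKeys)
    If intRC <> 0 Then
        CheckIgnoreGC = "ERROR reading LSA key (return code " & intRC & ")"
        Exit Function
    End If

    CheckIgnoreGC = "NOT SET"
    If IsArray(arrSubKeys) Then   ' arrSubKeys is Null when there are no subkeys
        For Each strSubKey In arrSubKeys
            ' Registry key names are case-insensitive
            If StrComp(strSubKey, KEY_NAME, vbTextCompare) = 0 Then
                CheckIgnoreGC = "SET"
            End If
        Next
    End If
End Function
```

Run it with cscript from an account that has administrative rights on the target servers; a server that cannot be reached is reported as an error rather than as NOT SET.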

Discussion

With Windows 2000, a global catalog server must be contacted for every login attempt; otherwise, the login will fail (unless there is no network connectivity, which would result in a cached login). This is necessary to process all universal groups a user may be a member of. When a client attempts to authenticate with a domain controller, that domain controller contacts a global catalog server behind the scenes to enumerate the user’s universal groups. See Recipe 7.9 for more details. If you have domain controllers ...
