September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
3.23. Disabling the Global Catalog Requirement During a Windows 2000 Domain Login
Problem
You want to disable the requirement for a global catalog server to be reachable when a user logs into a Windows 2000 domain.
Solution
Using a graphical user interface
Open the Registry Editor (regedit).
In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Control.
Right-click on LSA and select New → Key.
Enter IgnoreGCFailures for the key name and hit enter.
Restart the server.
Using a command-line interface
> reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA\IgnoreGCFailures /ve > shutdown /r
Using VBScript
' This code enables the IgnoreGCFailres registry setting and reboots
strLSA = "HKLM\SYSTEM\CurrentControlSet\Control\LSA\IgnoreGCFailures\"
Set objWSHShell = WScript.CreateObject("WScript.Shell")
objWSHShell.RegWrite strLSA, ""
WScript.Echo "Successfully created key"
WScript.Echo "Rebooting server . . . "
objWSHShell.Run "rundll32 shell32.dll,SHExitWindowsEx 2"Discussion
With Windows 2000, a global catalog server must be contacted for every login attempt; otherwise, the login will fail (unless there is no network connectivity, which would result in a cached login). This is necessary to process all universal groups a user may be a member of. When a client attempts to authenticate with a domain controller, that domain controller contacts a global catalog server behind the scenes to enumerate the user’s universal groups. See Recipe 7.9 for more details. If you have domain controllers ...