Recipe 10.14 Adding or Removing an Attribute in the Global Catalog

10.14.1 Problem

You want to add or remove an attribute in the global catalog.

10.14.2 Solution

For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See Recipe 10.2 for more information.

10.14.2.1 Using a graphical user interface
  1. Open the Active Directory Schema snap-in.

  2. In the left pane, click on the Attributes folder.

  3. In the right pane, double-click the attribute you want to edit.

  4. Check the box beside Replicate this attribute to the Global Catalog to add the attribute to the global catalog, or uncheck it to remove the attribute from the global catalog.

  5. Click OK.

10.14.2.2 Using a command-line interface

You can add an attribute to the global catalog by using the ldifde utility and an LDIF file that contains the following:

dn: cn=<AttrCommonName>,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-

If the LDIF file were named add_gc_attr.ldf, you would run the following command:

> ldifde -v -i -f add_gc_attr.ldf

10.14.2.3 Using VBScript

' This code adds an attribute to, or removes it from, the global catalog
' ------ SCRIPT CONFIGURATION ------
' Set to the common name (not LDAP display name) of the attribute.
strAttrName = "<AttrCommonName>"   ' e.g. surname
' Set to TRUE to add to GC, set to FALSE to remove from GC
boolAddtoGC = TRUE
' ------ END CONFIGURATION ---------

' Bind to the attributeSchema object in the Schema naming context
set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                        objRootDSE.Get("schemaNamingContext"))
objAttr.Put "isMemberOfPartialAttributeSet", boolAddtoGC
objAttr.SetInfo
' Report the change that was actually made
If boolAddtoGC Then
   WScript.Echo "Added attribute to GC: " & strAttrName
Else
   WScript.Echo "Removed attribute from GC: " & strAttrName
End If

10.14.3 Discussion

Each domain controller in a forest replicates a copy of the Domain naming context for its own domain as well as copies of the forest-wide Configuration and Schema partitions. However, domain controllers do not replicate Domain naming contexts for other domains in the forest. When enabled as a global catalog server, a domain controller will replicate partial, read-only replicas of all the objects in other domains in the forest.

Searching against the global catalog is useful when you need to perform a single search across several naming contexts at once. The global catalog stores only a subset of each object's attributes, which is why it is considered a partial replica. Attributes stored in the global catalog are considered part of the partial attribute list (PAS). The attributes that are part of the PAS should be either ones you'd want to use as part of searches against the global catalog, or ones you would want returned after searching the global catalog.

You can add an attribute to the global catalog by setting the isMemberOfPartialAttributeSet attribute of its attributeSchema object to TRUE. Likewise, to remove an attribute from the partial attribute set, you need to set isMemberOfPartialAttributeSet to FALSE for the target attribute.

With Windows 2000, anytime you added an attribute to the partial attribute set, a full sync of all of the global catalog contents was done for every global catalog server. This could have a major impact on replication in some multidomain environments, as the amount of data that needs to replicate across your forest could be significant. Fortunately, this limitation was removed in Windows Server 2003 so that a full sync is no longer performed. Removing an attribute from the partial attribute list does not force a global catalog sync, even under Windows 2000.

You can find which attributes are included in the global catalog by using a query with the following criteria:

Base
cn=Schema,cn=Configuration,<ForestRootDN>
Filter
(&(objectcategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))
Scope
onelevel

Alternatively, to find attributes that aren't in the global catalog, you only need to change part of the previous filter to the following:

(isMemberOfPartialAttributeSet=FALSE)
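
A PAS change alters what every global catalog server in the forest holds, so it is worth tracking over time. The following added example (not part of the original recipe) runs the TRUE query above from PowerShell and compares the result with a saved baseline; it assumes the ActiveDirectory module is installed and uses a hypothetical baseline file name, pas_baseline.txt.

```powershell
# Added example (not from the recipe): detect changes to the partial attribute set.
# Assumptions: the ActiveDirectory module (RSAT) is installed; pas_baseline.txt is
# a hypothetical file name for the saved baseline.
Import-Module ActiveDirectory
$BaselinePath = '.\pas_baseline.txt'

# Base = Schema naming context, scope = onelevel, filter as in the Discussion.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$filter   = '(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))'
$pasAttrs = @(Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
                -LDAPFilter $filter -Properties lDAPDisplayName)
$current  = @($pasAttrs | ForEach-Object { $_.lDAPDisplayName } | Sort-Object)

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record the current PAS and stop.
    $current | Set-Content -Path $BaselinePath
    Write-Output "Baseline saved: $($current.Count) attributes in the global catalog."
    return
}

# Ignore blank lines so a hand-edited baseline does not produce false removals.
$baseline = @(Get-Content -Path $BaselinePath | Where-Object { $_.Trim() })

# -notcontains compares case-insensitively, as LDAP does for attribute names.
$added   = @($current  | Where-Object { $baseline -notcontains $_ })
$removed = @($baseline | Where-Object { $current  -notcontains $_ })

foreach ($name in $added) {
    $dn = ($pasAttrs | Where-Object { $_.lDAPDisplayName -eq $name }).DistinguishedName
    Write-Warning "Added to GC since baseline: $name ($dn)"
}
foreach ($name in $removed) {
    Write-Warning "Removed from GC since baseline: $name"
}
if (($added.Count + $removed.Count) -eq 0) {
    Write-Output "No change: $($current.Count) attributes in the global catalog."
}
```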

10.14.4 See Also

MS KB 229662 (How to Control What Data Is Stored in the Global Catalog), MS KB 230663 (HOW TO: Enumerate Attributes Replicated to the Global Catalog), MS KB 232517 (Global Catalog Attributes and Replication Properties), MS KB 248717 (How to Modify Attributes That Replicate to the Global Catalog), MS KB 257203 (Common Default Attributes Set for Active Directory and Global Catalog), and MS KB 313992 (HOW TO: Add an Attribute to the Global Catalog in Windows 2000)
