Recipe 3.23 Disabling the Global Catalog Requirement During a Windows 2000 Domain Login

3.23.1 Problem

You want to disable the requirement for a global catalog server to be reachable when a user logs into a Windows 2000 domain.

3.23.2 Solution Using a graphical user interface
  1. Open the Registry Editor (regedit).

  2. In the left pane, expand HKEY_LOCAL_MACHINE System CurrentControlSet Control.

  3. Right-click on LSA and select New Key.

  4. Enter IgnoreGCFailures for the key name and hit enter.

  5. Restart the server. Using a command-line interface
> reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA\IgnoreGCFailures /ve
> shutdown /r Using VBScript
' This code enables the IgnoreGCFailres registry setting and reboots
strLSA = "HKLM\SYSTEM\CurrentControlSet\Control\LSA\IgnoreGCFailures\"
Set objWSHShell = WScript.CreateObject("WScript.Shell")
objWSHShell.RegWrite strLSA, ""
WScript.Echo "Successfully created key"
WScript.Echo "Rebooting server . . . "
objWSHShell.Run "rundll32 shell32.dll,SHExitWindowsEx 2"

3.23.3 Discussion

With Windows 2000, a global catalog server must be contacted for every login attempt; otherwise, the login will fail (unless there is no network connectivity, which would result in a cached login). This is necessary to process all universal groups a user may be a member of. When a client attempts to authenticate with a domain controller, that domain controller contacts a global catalog server behind the scenes to enumerate the user's universal groups. See Recipe 7.9 for more details. If you have domain controllers in remote sites and they are not enabled as global catalog servers, you may run into a situation where users cannot login if the network connection to the network with the closest global catalog server fails.

Although there is a plausible workaround in Windows Server 2003 Active Directory (see Recipe 3.24), the only option you have available with Windows 2000 is to have the domain controllers ignore GC lookup failures. You can do this by adding an IgnoreGCFailures registry key under HKLM\SYSTEM\CurrentControlSet\Control\LSA on the domain controller(s) you want this to apply to. If you use universal groups in any capacity, having the domain controllers ignore GC failures can be very problematic because a user's token may not get updated with his universal group memberships. It may be useful, though, if you have branch-office sites where you cannot deploy domain controllers.

3.23.4 See Also

Recipe 3.24 for disabling the global catalog requirement for Windows Server 2003, Recipe 7.9 for enabling universal group caching, MS KB 216970 (Global Catalog Server Requirement for User and Computer Logon), and MS KB 241789 (How to Disable the Requirement that a Global Catalog Server Be Available to Validate User Logons)

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List