Alexander’s Blog

October 2, 2007

How to configure Universal Group caching behavior

by @ 4:19 pm. Filed under Active Directory, Tips & Tricks, Windows 2000, Windows 2003

Universal Groups in Windows Server can be useful. However, they also have a couple of drawbacks. One downside is that Universal Group membership is kept on the Global Catalog servers. In a multiple-domain environment, when a user tries to log on to the domain, a Global Catalog server has to be available to enumerate the Universal Group membership. This can be an issue when users are logging on at a remote site with a slow or unreliable connection. Without the Global Catalog server they cannot log on. By caching the Universal Group membership on a Domain Controller in a remote site, you can allow users to log on even when the network connection to the main office is down.

By default, the cached membership is updated every 8 hours. Each refresh cycle can refresh hundreds of accounts at a time (500 accounts to be exact). You can change these caching settings in the registry. Here’s the procedure.

1. Go to Start, Run, and type regedit.exe to start the registry editor.
2. Locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
3. On the menu, click Edit, New, DWORD Value and enter one of the value names that Microsoft has posted in a table in the TechNet article How the Global Catalog Works. It’s a lengthy article so I have posted the table here for your convenience. Press Enter after typing the entry.
4. Double-click the value you just entered and type a number from the Notes column in the table mentioned above in step 3.
5. Press OK and close the registry editor.
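
The same procedure scripted in PowerShell, as an added example that is not part of the original post. The two registry value names are assumptions taken from Microsoft's How the Global Catalog Works table, which the post refers to but does not reproduce, and the function names are hypothetical. It assumes PowerShell 3.0 or later, run elevated on the domain controller.

```powershell
# Added example: read and set Universal Group Membership Caching values
# under the NTDS Parameters key named in step 2.
# Assumption: the value names below come from Microsoft's
# "How the Global Catalog Works" table, not from this post; verify them there.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Defaults as stated in the post: refresh every 8 hours, 500 accounts per cycle.
$UgmcDefaults = @{
    'Cached Membership Refresh Interval (minutes)' = 480
    'Cached Membership Refresh Limit'              = 500
}

function Get-UgmcSetting {
    # Report each value and whether it is explicitly set or left at its default.
    foreach ($name in $UgmcDefaults.Keys) {
        $item = Get-ItemProperty -Path $NtdsParams -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name     = $name
            Value    = if ($item) { $item.$name } else { $UgmcDefaults[$name] }
            Explicit = [bool]$item
        }
    }
}

function Set-UgmcSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidateScript({ $UgmcDefaults.ContainsKey($_) })][string]$Name,
        [Parameter(Mandatory = $true)][ValidateRange(1, [int]::MaxValue)][int]$Value
    )
    if (-not (Test-Path $NtdsParams)) {
        throw 'NTDS Parameters key not found; run this on a domain controller.'
    }
    if ($PSCmdlet.ShouldProcess("$NtdsParams\$Name", "Set DWORD to $Value")) {
        # DWord matches step 3; -Force overwrites a value that already exists.
        New-ItemProperty -Path $NtdsParams -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

Get-UgmcSetting | Format-Table -AutoSize
# Example: refresh the cache every 4 hours instead of 8 (remove -WhatIf to apply).
Set-UgmcSetting -Name 'Cached Membership Refresh Interval (minutes)' -Value 240 -WhatIf
```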

September 10, 2007

Group Policy Settings Reference for Windows Server 2008 Beta 3

by @ 6:29 pm. Filed under Active Directory, Windows 2008

Microsoft has made the Group Policy Settings Reference for Windows Server 2008 Beta 3 available for download in the form of an Excel spreadsheet.

The spreadsheet lists the policy settings for computer and user configurations included in the Administrative template files (admx/adml) delivered with Windows Server 2008 Beta 3. The policy settings included in this spreadsheet cover Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP Professional, and Windows 2000. You can configure these policy settings when you edit Group Policy objects (GPOs). In addition, this spreadsheet includes the following categories of security policy settings: Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy), Local Policies (Audit Policy, User Rights Assignment, and Security Options), Event Log, Restricted Groups, System Services, Registry, and File System policy settings. Note: This does not include security settings that exist outside of the Security Settings extension (scecli.dll), such as Wireless Network extension, Public Key Policies, or Software Restriction Policies.

Click here to download the spreadsheet.

Group Policy Settings in Windows Server 2008

August 5, 2007

Active Directory Performance Testing Tool (ADTest.exe)

by @ 5:13 pm. Filed under Active Directory, Tools/Utils, Windows 2000, Windows 2003

Microsoft has a performance testing tool for Active Directory called ADTest. It is primarily an Active Directory load-generation tool that allows you to simulate client transactions on the host server. According to Microsoft, “By varying client load, you can relate the transaction rate to resource utilization on the server and get some idea about the requirements for your environment. Because ADTest can perform generic Active Directory requests, it can also create an organizational unit structure inside Active Directory. You can add many organizational units and user objects in those ADTest-created organizational units. You can also add attributes to the user objects. Once you have created the Active Directory structure you require, you can use ADTest to perform various Active Directory requests, including Modify and Search. Several pre-built tests have been written to reproduce some typical activities you might want to evaluate. Examples of these pre-built tests are: an interactive logon, a batch logon, a search for a random user, and a modification of an attribute of a random user. By varying your hardware environment or other test parameters, you can gain insight into the performance sensitivities of your particular setup.”

Microsoft reminds users that benchmarking and performance exercises are only useful for a general understanding of the hardware requirements for various implementations. The tests that you run take place in a limited lab environment, so they may not translate directly to real-world scenarios. In other words, use this tool just to get some general ideas and don’t depend on the results too much for a production environment.

You can download the tool here.

June 22, 2007

GPMC doesn’t run on 64-bit Windows

by @ 11:50 am. Filed under Active Directory, Windows 2003, Windows XP

Microsoft’s Group Policy Management Console (GPMC) is a useful tool to manage Group Policies in Active Directory. Unfortunately, GPMC does not run on certain 64-bit Windows operating systems, such as Windows Server 2003 and Windows XP. GPMC only runs on:

1. 32-bit Windows Server 2003
2. 32-bit Windows XP Professional with SP1 or later and .NET Framework

Microsoft has not updated GPMC in almost 3 years. The current download for GPMC was published in June 2004. If you have a pure 64-bit Windows Server 2003 environment, you might want to consider installing GPMC on a 32-bit Windows XP Professional.

May 23, 2007

Your server can do this too…

by @ 2:45 pm. Filed under Active Directory, Windows 2003

On May 8, 2007 I posted this challenge to select four radio buttons simultaneously on a Windows Server 2003 computer.

Here is the answer to the challenge :).

1. Create a Universal Distribution group, e.g. Test. Make sure it has an e-mail address; if not, type one, e.g. billg@example.com.
2. Double-click the group you just created.
3. Delete (or shift-delete because you will need to paste it back again later) the e-mail address and then click Apply. You will see both Global and Universal buttons selected under Group scope.
4. Click on Security under Group type and then click Apply. At this point you will have both Global and Universal selected under Group scope and Security selected under Group type.
5. Type in (or paste) the e-mail address back again and then click Apply.
6. What you get is all four radio buttons selected at the same time.

Once you close the window and go back in again, fortunately you’ll see the last options that you selected, rather than the multiple selections.

I haven’t tested this on every combination or version of the server but I am able to duplicate this process repeatedly with the same results on:

1. Windows Server 2003 Enterprise Edition with SP1
2. Windows Server 2003 R2 Enterprise (64-bit) with SP2 and all the latest patches

Copyright ©2008 Zubair Alexander. All rights reserved.