How to disable the requirement that a global catalog server be available to validate user logons

Placement of Global Catalog servers in remote sites is usually desired to improve performance in user logon time, searches and other actions requiring communication with Global Catalog servers, and to reduce wide area network (WAN) traffic. However, to reduce administrative intervention, hardware requirements, and other related overhead, in some situations you may not want to locate a Global Catalog server at a remote site. Essentially, duplicating the functions of the backup domain controller (BDC) in the Microsoft Windows NT 4.0 environment. This is especially relevant in environments that have a large number of sites, which could experience substantially increased hardware costs when the size of the sites may not justify that hardware and administration. The problem as noted earlier in this article, is that logons require the domain controller authenticating the user to contact a Global Catalog server to determine if the user is a member of any universal groups. So if the remote office does not have a Global Catalog server and a Global Catalog server cannot be contacted (for various reasons) the user's logon request may not work (based on the rules stated earlier).

Windows 2003 offers an alternative to the setting below known as universal group caching. When this is enabled for a site, users who log on while a Global Catalog server is online can continue to do so if the Global Catalog server is offline at the next logon.

For more information on universal group caching, read the Global Catalog Processes and Interactions section at the following Microsoft Web site:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

To eliminate the need for a Global Catalog server at a site and avoid potential denial of user logon requests, use the following steps to enable logons when a Global Catalog server is not available.

For Windows 2000

1. Start Registry Editor (Regedt32.exe).
2. Locate and then click the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. On the Edit menu, click Add Key, and then add the following registry key:
   Key name:

   IgnoreGCFailures
   Note Windows 2000 provides this key for diagnostic purposes. There is no specific value to specify for this key. Only the presence or the absence of this key is tested.
4. Quit Registry Editor.
5. Restart the domain controller.

For Windows 2003

1. Start Registry Editor (Regedit.exe).
2. Locate and then click the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. On the Edit menu, click New, click DWORD Value, and then add the following registry key:
   Key name:

   IgnoreGCFailures

   
   Value: 1
4. Quit Registry Editor.
5. Restart the domain controller.

This setting needs to be set on the domain controller that performs the initial authentication of the user.

Note This setting causes potential security vulnerabilities if universal groups are also used.

Important If this setting is enabled, universal groups should not be used because if a user is a member of a universal group and the group is denied access to a resource, the key turns off enumeration of universal groups so the universal group SID is not added to the user's token and the user could have access to the resource.