Overview#

Global Catalog Servers#

A Global Catalog server is a Domain Controller that stores extra information; its database stores rows for every object in the AD Forest instead of rows for only the objects in one AD DOMAIN.

The rows that store objects that occur in AD DOMAIN directory partitions other than the local domain partition hold only a subset of attributes for each object. In this way, the Global Catalog enables forest-wide searches without requiring replication of the entire contents of Active Directory to every Domain Controller.

The Knowledge Consistency Checker (KCC) process creates a replication topology that ensures delivery of the contents of every directory partition to every Global Catalog server in the AD Forest.

A Global Catalog server stores full (writable) copies of the schema and configuration directory partitions — the same as any domain controller.

Characteristics of Global Catalog#

  • Global Catalog servers are also Domain Controllers.
  • Global Catalog servers store information about all objects of all domains in the entire forest.
  • Global Catalog servers do not store the complete set of attributes for these objects (only the partial attribute set).
  • Global Catalog servers replicate their data with all other Global Catalog servers in the forest.
  • The Global Catalog function increases the replication load on the server that hosts it.
  • Global Catalog access over LDAP is done as a normal LDAP connection over TCP port 3268 (or 3269 for LDAP over SSL).
  • Global Catalog requests are read-only.
  • A DNS SRV record is registered in DNS for every Domain Controller that is a Global Catalog server.

By default, the server on which you install Active Directory to create the first domain in a new forest is a Global Catalog server. Thereafter, you must designate additional Global Catalog servers, if they are needed.

Searches That Use the Global Catalog by Default#

Any time that you specify port 3268, you are searching in the Global Catalog.

In addition, the Global Catalog is searched by default under the following conditions:

  • During the logon process when a user principal name is presented. The Global Catalog is searched to find the domain and account name on the basis of the user principal name.
  • During the logon process, to expand Universal Groups, since Universal Group membership can span domains.
  • When you choose Entire Directory in a search-scope list.
  • When you write the value for a distinguished name-valued property, where the distinguished name represents a nonlocal object. For example, if the member that you are adding is from a different domain, the Global Catalog is used to verify that the user object represented by the distinguished name actually exists.

Locating Global Catalog Domain Controllers#

In a Microsoft Active Directory environment, all Global Catalog servers are anchored in DNS through the DNS SRV Records under 'gc._msdcs.<forest root>'. So if the root domain of your forest is e.g. example.com, you get a list of all GCs with this command:

nslookup -type=any gc._msdcs.example.com

This returns all the Domain Controllers that are Global Catalog servers.

You can also use dsquery:

dsquery server -isgc

This returns the Distinguished Names of all the Domain Controllers that are Global Catalog servers in the current domain.

You can also find them with an LDAP Search Request against the Configuration partition, using the following SearchFilter. It matches nTDSDSA objects whose options attribute has the IS_GC bit (0x1) set; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule:

(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))
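The following is an added example, not code from the original page: it evaluates the SearchFilter above offline against constructed nTDSDSA entries, the way a Domain Controller would (including the bitwise-AND matching rule, and beyond the page's filter also the bitwise-OR rule 1.2.840.113556.1.4.804), and reports which server in which site holds a Global Catalog. The sample entries, server and site names are constructed; running the same filter with a real LDAP client against CN=Configuration,DC=<forest> returns entries of this shape.

```python
# Added example: offline evaluation of
# (&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1)) against
# constructed nTDSDSA entries from the Configuration partition.
from typing import Dict, List, Tuple

NTDSDSA_OPT_IS_GC = 0x1                               # bit 0 of the 'options' attribute
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # the rule used in the page's filter
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # also handled here, beyond the page

def bitwise_match(rule_oid: str, attribute_value, assertion_value: int) -> bool:
    """Evaluate an extensible match (attr:<rule>:=value) with AD's bitwise rules.
    attribute_value may arrive as a string (LDIF / raw client output) or an int."""
    value = int(attribute_value)
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return (value & assertion_value) == assertion_value  # every asserted bit is set
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return (value & assertion_value) != 0                 # at least one asserted bit set
    raise ValueError(f"unsupported matching rule {rule_oid}")

def is_global_catalog_entry(entry: Dict) -> bool:
    """The page's filter: objectClass contains nTDSDSA AND options has IS_GC set."""
    classes = {c.lower() for c in entry.get("objectClass", [])}  # objectClass is case-insensitive
    if "ntdsdsa" not in classes:
        return False
    return bitwise_match(LDAP_MATCHING_RULE_BIT_AND, entry.get("options", 0), NTDSDSA_OPT_IS_GC)

def server_and_site(ntds_settings_dn: str) -> Tuple[str, str]:
    """CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,... -> (server, site)."""
    rdn_values = [rdn.split("=", 1)[1] for rdn in ntds_settings_dn.split(",")]
    return rdn_values[1], rdn_values[3]

def global_catalogs(entries: List[Dict]) -> List[Tuple[str, str]]:
    """Return (server, site) for every entry the filter would match, sorted by server."""
    return sorted(server_and_site(e["dn"]) for e in entries if is_global_catalog_entry(e))

# Constructed sample of what a search of CN=Configuration,DC=example,DC=com might return.
SAMPLE_ENTRIES = [
    {"dn": "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com",
     "objectClass": ["top", "applicationSettings", "nTDSDSA"], "options": "1"},  # GC
    {"dn": "CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com",
     "objectClass": ["top", "applicationSettings", "nTDSDSA"], "options": "0"},  # DC, not a GC
    {"dn": "CN=NTDS Settings,CN=DC03,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=com",
     "objectClass": ["top", "applicationSettings", "nTDSDSA"], "options": 5},    # IS_GC plus another bit
    {"dn": "CN=DC04,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=com",
     "objectClass": ["top", "server"], "options": 1},                            # wrong objectClass
]

if __name__ == "__main__":
    for server, site in global_catalogs(SAMPLE_ENTRIES):
        print(f"{server} (site {site}) is a Global Catalog")
```

A site with no matching entry is one where logons depending on the Global Catalog will cross a site link, which is the usual reason to check this per site.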

Active Directory Groups#

Not all Active Directory Groups and their members are available within the Global Catalog. For domains other than the Global Catalog server's own domain, only Universal Group membership is replicated to the Global Catalog; the member attribute of Global and Domain Local groups is not.

« This page (revision-11) was last changed on 04-Apr-2016 18:08 by jim