This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] in [Microsoft Active Directory] is a [Distributed system] [Data Store Service] where only the [Partial Attribute Set] is [Replicated|Replication] to specific [{$pagename}] [Domain Controllers].
[{$pagename}] is primarily used as a [Discovery Mechanism] and to enhance searching. [{$pagename}] provides a searchable catalog of all objects in every [AD DOMAIN] in an [AD Forest].
!! Global Catalog Servers
A [{$pagename}] server is a [Domain Controller] that stores [{$pagename}] information; its [database] stores rows for every object in the [AD Forest] instead of rows for only the objects in one [AD DOMAIN].
The rows that store objects that occur in [AD DOMAIN] directory partitions other than the local domain partition hold only a subset of attributes for each object. In this way, the [Global Catalog] enables forest-wide searches without requiring replication of the entire contents of Active Directory to every [Domain Controller].
The [Knowledge Consistency Checker] ([KCC]) process creates a [replication] topology that ensures delivery of the contents of every [Microsoft Active Directory] [partition] to every [{$pagename}] [server] in the [AD Forest].
%%information
A [Global Catalog] server stores full (writable) copies of the schema and configuration directory partitions — the same as any domain controller.
%%
!! Characteristics of [{$pagename}]
* [{$pagename}]s are also [Domain Controllers].
* [{$pagename}] servers store information about __all objects__ of all domains of the entire forest.
* [{$pagename}] servers do __not store the complete set of attributes__ for these objects.
* [{$pagename}] servers replicate the data with all other [{$pagename}]s in the forest.
* The [{$pagename}] function increases replication load on the server that hosts it.
* [{$pagename}] access over LDAP is done as a normal LDAP connection over TCP port 3268 (or 3269 for LDAP over SSL).
* [{$pagename}] requests are __Read Only__.
* Each [{$pagename}] [Domain Controller] has a [DNS SRV Record] created in [DNS].
By default, the server on which you install Active Directory to create the first domain in a new forest is a Global Catalog server. Thereafter, you must designate additional Global Catalog servers, if they are needed.
!! Searches That Use the [Global Catalog] by Default
Any time that you specify port 3268, you are searching in the [{$pagename}].
In addition, the [{$pagename}] is searched by default under the following conditions:
* During the logon process when a user principal name is presented. The Global Catalog is searched to find the domain and account name on the basis of the user principal name.
* During the logon process to expand [Universal Groups] as [Universal Group] membership can span domains.
* When you choose Entire Directory in a search-scope list.
* When you write the value for a distinguished name-valued property, where the distinguished name represents a nonlocal object. For example, if the member that you are adding is from a different domain, the Global Catalog is used to verify that the user object represented by the distinguished name actually exists.
!! Locating [{$pagename}] [Domain Controllers]
In a [Microsoft Active Directory] environment, all [{$pagename}] servers are anchored in DNS through the [DNS SRV Records] under 'gc._msdcs.example.com'. So if the root domain of your forest is, e.g., example.com, you get a list of all GCs with this command:
%%prettify
{{{
nslookup -type=any gc._msdcs.example.com
}}} /%
This returns all the [Domain Controllers] that are [{$pagename}] servers.
You can also use [dsquery]:
%%prettify
{{{
dsquery server -isgc
}}} /%
This returns the [distinguished Names] of all the [Domain Controllers] that are [{$pagename}] servers for the current domain.
You can also use a [Search Request] with the following [LDAP SearchFilters]:
%%prettify
{{{
(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))
}}} /%
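How the filter above selects servers, as an added Python example (not part of the original page): the OID 1.2.840.113556.1.4.803 is a bitwise AND matching rule, so the filter matches nTDSDSA entries whose options value has bit 1 set, and the server object is the parent of each matching NTDS Settings entry. The sample entries, site names and function names are constructed for illustration; the example also handles the companion bitwise OR rule (1.2.840.113556.1.4.804), which the page does not use.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # matches when ALL bits of the mask are set
BIT_OR = "1.2.840.113556.1.4.804"   # matches when ANY bit of the mask is set

CONFIG_NC = "CN=Sites,CN=Configuration,DC=example,DC=com"
# Constructed sample entries (not taken from a real directory).
SAMPLE_ENTRIES = [
    {"dn": f"CN=NTDS Settings,CN=DC1,CN=Servers,CN=SiteA,{CONFIG_NC}",
     "objectClass": ["top", "applicationSettings", "nTDSDSA"], "options": "1"},
    {"dn": f"CN=NTDS Settings,CN=DC2,CN=Servers,CN=SiteA,{CONFIG_NC}",
     "objectClass": ["top", "applicationSettings", "nTDSDSA"]},  # options unset
    {"dn": f"CN=NTDS Settings,CN=DC3,CN=Servers,CN=SiteB,{CONFIG_NC}",
     "objectClass": ["top", "applicationSettings", "nTDSDSA"], "options": "5"},
    {"dn": f"CN=NTDS Settings,CN=DC4,CN=Servers,CN=SiteB,{CONFIG_NC}",
     "objectClass": ["top", "applicationSettings", "nTDSDSA"], "options": "4"},
    # Different class that also carries 'options'; the objectClass term excludes it.
    {"dn": f"CN=NTDS Site Settings,CN=SiteA,{CONFIG_NC}",
     "objectClass": ["top", "applicationSiteSettings", "nTDSSiteSettings"],
     "options": "1"},
]

def parse_bit_term(term):
    """Split '(attr:oid:=mask)' into (attr, oid, int mask)."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*):([0-9.]+):=(\d+)\)", term)
    if not m or m.group(2) not in (BIT_AND, BIT_OR):
        raise ValueError(f"not a bitwise extensible-match term: {term!r}")
    return m.group(1), m.group(2), int(m.group(3))

def bit_match(entry, attr, oid, mask):
    """Apply the bitwise rule to one entry's attribute value."""
    raw = entry.get(attr)
    if raw is None:  # an absent attribute never matches
        return False
    value = int(raw)
    return (value & mask) == mask if oid == BIT_AND else (value & mask) != 0

def global_catalog_servers(entries, term="(options:1.2.840.113556.1.4.803:=1)"):
    """Return the server-object DNs whose NTDS Settings entry passes the filter."""
    attr, oid, mask = parse_bit_term(term)
    # Parent of 'CN=NTDS Settings' is the server object. The naive split is
    # safe here only because the sample DNs contain no escaped commas.
    return [e["dn"].split(",", 1)[1] for e in entries
            if "nTDSDSA" in e["objectClass"] and bit_match(e, attr, oid, mask)]

if __name__ == "__main__":
    for dn in global_catalog_servers(SAMPLE_ENTRIES):
        print(dn)
```

DC3 (options 5) still matches because the rule tests only the requested bit, while DC2, which has no options value at all, does not.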
!! [Active Directory Groups]
Not all [Active Directory Groups] and their [members] are available within the [{$pagename}].
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]