Searching the Global Catalog vs. Searching the Domain#The decision whether to search the Global Catalog or the domain is based on the scope of the search:
- When the scope of a search is the domain or an organizational unit, the query can be resolved within the domain partition by using an LDAP search.
- When the scope of a search is the forest, the query can be resolved within any partition by using a Global Catalog search.
Global Catalog Search Base#For an LDAP search, you must supply a valid base distinguished name. For a Global Catalog search, the base distinguished name can be any value, including the value "NULL" (" "). A base distinguished name of NULL effectively scopes the search on the search computer to the Global Catalog. If you use a NULL base distinguished name with a scope of one level or subtree and specify port 389 (the default LDAP port), the search fails. Therefore, if you submit a NULL search to the Global Catalog port and then change the port to the LDAP port, you must change the base distinguished name for the search to succeed.
Characteristics of a Global Catalog Search#The following characteristics differentiate a Global Catalog search from a standard LDAP search:
- Global Catalog Search Requests are directed to port 3268/3269, which explicitly indicates that Global Catalog semantics are required.
- Global Catalog Search Requests can specify a non-instantiated search base, indicated as "com" or " " (blank search base).
- Global Catalog Search Requests cross directory partition boundaries. The extent of the LDAP search is the directory partition.
- Global Catalog Search Requests do not return Subordinate Referrals. Results are based solely on the contents of the Global Catalog.
External Referral from Global Catalog#An external referral can be returned by the Global Catalog if a base-level search for an external directory is submitted and if the distinguished name of the external directory uses the domain component (dc=) naming attribute. This referral is returned according to the ability of Active Directory to construct a DNS name from the domain components of the distinguished name and not based on the presence of any cross-reference object. The same referral is returned by using the LDAP port; it is not specific to the Global Catalog. (For more information about constructing a DNS name from the domain components, see "Superior References" earlier in this chapter.)
Effect of Global Catalog When Searching Back Links and Forward Links#Some Active Directory attributes cannot be located specifically by finding a row in the directory database. A Back Link is an attribute that can be computed only by referencing another attribute, called a forward link. An example of a Back Link attribute is the memberOf attribute on a user object, which relies on the group attribute members to derive its values. For example, if you request the groups of which a specific user is a member, the forward link members, an attribute of the group object, is searched to find values that match the username that you specified.
Because of the way that groups are enumerated by the Global Catalog, the results of a Back Link search can vary, depending on whether you search the Global Catalog (port 3268) or the domain (port 389), the kind of groups the user belongs to (global groups vs. domain local groups), and whether the user belongs to groups outside the local domain.
- Connecting to the local domain does not locate the user's group membership in groups outside the domain.
- Connecting to the Global Catalog locates the user's membership in global groups but not in domain local groups because local groups are not replicated to the Global Catalog.
CAN NOT MODIFY Group MemberShips from GC -LDAP: error code 53 - 00002035: LdapErr: DSID-0C090C80, comment: Operation not allowed through GC port, data 0, v2580/%