Physical Structure
Lesson 6 Global catalog server
Objective Describe the global catalog and the global catalog server.

Global Catalog versus Global Catalog Server

The first domain controller you create in Active Directory is a global catalog server. The global catalog is a storehouse of information that contains a subset of attributes for all objects in Active Directory. This is the information that is necessary to determine the location of any object in the directory. You can configure additional domain controllers to be global catalog servers to balance the logon authentication traffic and query traffic. There should be a global catalog server at each site. By default, the attributes that are stored in the global catalog are those that are most frequently used in queries (such as a user's first name, last name, and logon name).
The availability of global catalog servers is critical to the operation of the directory. For example, a global catalog server must be available when processing a user logon request for a native-mode domain or when a user logs on with a user principal name.

Placing Global Catalog Servers

The first domain controller created in Active Directory is the global catalog server.
You can configure additional domain controllers to be global catalog servers to balance the logon authentication traffic and query traffic.
Question: When using Active Directory, how do you assign the global catalog servers in a single domain environment?
In a single domain environment, the global catalog servers can be assigned in Active Directory by following these steps:
  1. Open the Active Directory Sites and Services console from the Administrative Tools menu.
  2. Expand the Sites container, and then expand the site that contains the domain controller that you want to designate as a global catalog server.
  3. Expand the Servers container, and then select the domain controller that you want to designate as a global catalog server.
  4. Right-click the server and select Properties.
  5. In the server's Properties window, select the NTDS Settings tab.
  6. In the NTDS Settings tab, right-click on the connection object for the domain controller, and select Properties.
  7. In the connection object's Properties window, select the General tab.
  8. Check the box next to "Global Catalog", and click OK.
  9. If prompted, click Yes to confirm that you want to make the server a global catalog server.
  10. Repeat these steps for any other domain controllers that you want to designate as global catalog servers.

By designating a domain controller as a global catalog server, you are enabling it to store a read-only partial copy of every object in the forest, making it faster and more efficient to search for objects across domains. It is recommended to have at least two global catalog servers in each domain for redundancy and high availability.
In a single domain environment, global catalog servers are not required to process a user logon request.
However, you should assign global catalog servers in a single domain environment for the reasons listed below:
  1. Clients still seek global catalog servers for search operations.
  2. Having global catalog servers already in place makes the system more scalable if you later choose to add more domains.

As always, the cost of global catalog replication is weighed against the need for speedier logon and response to global catalog queries.
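The same designation can be made from PowerShell, which is easier to script and audit than the console steps above. This is an added example, not part of the lesson; it assumes the ActiveDirectory module is installed and uses a placeholder domain controller name that you must replace.

```powershell
# Added example (not from the lesson): designate a domain controller as a
# global catalog server from PowerShell instead of the Sites and Services GUI.
# Assumes the ActiveDirectory module; $DcName is a placeholder to replace.
Import-Module ActiveDirectory

$DcName = 'DC2'   # placeholder: the domain controller to make a global catalog

# The GC flag lives in the 'options' attribute of the DC's NTDS Settings
# object; bit 0x1 set means "this DSA is a global catalog".
$dc   = Get-ADDomainController -Identity $DcName
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options

if ($ntds.options -band 1) {
    Write-Host "$($dc.HostName) is already a global catalog server"
} else {
    # OR the bit in rather than overwriting, so any other option bits survive
    Set-ADObject -Identity $ntds -Replace @{ options = ($ntds.options -bor 1) }
    Write-Host "Global catalog enabled on $($dc.HostName)"
}

# Verify. The DC only advertises itself as a global catalog (and registers its
# _gc SRV records in DNS) once the read-only partial replicas of the other
# domains have finished replicating, so a new GC may not appear immediately.
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Site, Domain, IsGlobalCatalog
```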

Global Catalog Server

None of the objects contained in an application partition are replicated to the Global Catalog. Even if a domain controller that holds a replica of an application partition is also a Global Catalog server, the domain controller will not return any objects from the application partition during a Global Catalog search. A domain controller registers the global catalog SRV records in DNS only if it is also a Global Catalog server. You can query DNS with nslookup to obtain a list of all the Global Catalog servers in the forest.
One interesting thing to note about SRV records is the seventh field, which designates the port used to contact the service on that host. In all of these cases, 3268 is used, which corresponds to the Global Catalog port. You may have also noticed the entries that contain Default-First-Site-Name.
Each Global Catalog server registers site-specific records so clients can find the optimal Global Catalog based on their site membership.
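The following added example (not from the lesson) resolves the forest-wide and site-specific global catalog SRV records the text describes, checks that each record advertises port 3268, and warns about any site that has no global catalog record, which is the one-GC-per-site rule from the start of this lesson. It assumes the DnsClient and ActiveDirectory modules and reads the forest root and site names from the forest itself.

```powershell
# Added example (not from the lesson): audit the global catalog SRV records.
# Assumes the DnsClient and ActiveDirectory modules are available.
Import-Module ActiveDirectory
$forest     = Get-ADForest
$ForestRoot = $forest.RootDomain        # e.g. corp.example.com

# Forest-wide list: every GC server registers _gc._tcp.<forest root>.
# Equivalent to:  nslookup -type=SRV _gc._tcp.<forest root>
# Resolve-DnsName also returns the additional A records, so keep SRV only.
$forestGcs = Resolve-DnsName -Name "_gc._tcp.$ForestRoot" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' }

foreach ($rec in $forestGcs) {
    # The port field must be 3268, the global catalog LDAP port.
    $flag = if ($rec.Port -eq 3268) { 'ok' } else { 'UNEXPECTED PORT' }
    "{0,-40} prio={1} weight={2} port={3} {4}" -f `
        $rec.NameTarget, $rec.Priority, $rec.Weight, $rec.Port, $flag
}

# Site-specific records: _gc._tcp.<site>._sites.<forest root>. A site with no
# record means clients there must reach a GC over a site link.
foreach ($site in $forest.Sites) {
    $siteRecs = Resolve-DnsName -Name "_gc._tcp.$site._sites.$ForestRoot" `
                    -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $siteRecs) {
        Write-Warning "Site '$site' has no global catalog SRV record"
    } else {
        "Site '$site': $(($siteRecs.NameTarget | Sort-Object -Unique) -join ', ')"
    }
}
```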

Role of Global catalog in Active Directory

The global catalog performs two important directory roles by permitting the user to:
  1. Log on to the network by providing universal group membership information to a domain controller when a logon process is initiated
  2. Find directory information in the entire forest[1], regardless of the location of the data

How the global catalog server functions

Because the global catalog server answers a query from the object information it holds locally, it limits the scope of the query to a single server. In this way, global catalog servers can be used to improve the performance of forest-wide searches in Active Directory. Because global catalogs require more replication traffic, you have to balance that against the speed of response. Let us look at an example.

Using the Global Catalog to Scope a Query

In the example below, we are conducting a search for all of the printers in a forest:

  1. Without a global catalog server, a search for all the printers in a forest requires a search of every domain in the forest.
  2. The result is increased traffic across the domains.
  3. With a global catalog server, information about objects in all domains in the forest is contained in the global catalog.
  4. The query is resolved at the same domain location and is processed against the global catalog.
  5. The results are returned promptly, and the query does not result in unnecessary traffic across the domains.
  6. The global catalog server can therefore respond to queries about objects anywhere in the domain tree or forest with maximum speed and minimum network traffic.
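The printer search above, run both ways, as an added example that is not part of the lesson: one query to a global catalog on port 3268, then the per-domain queries on port 389 that would be needed without a global catalog. It assumes the ActiveDirectory module and discovers the forest's domains and global catalogs at run time.

```powershell
# Added example (not from the lesson): forest-wide printer search via the
# global catalog versus one LDAP query per domain. Assumes the ActiveDirectory
# module; domain and GC names are read from the forest, not hard-coded.
Import-Module ActiveDirectory
$forest = Get-ADForest
$gc     = $forest.GlobalCatalogs | Select-Object -First 1   # any GC will do

# One query: "host:3268" makes the AD cmdlets use the global catalog port, and
# an empty SearchBase starts at the root so all partial replicas are searched.
$viaGc = Get-ADObject -Server "${gc}:3268" -SearchBase '' -SearchScope Subtree `
             -LDAPFilter '(objectCategory=printQueue)' -Properties printerName
"Global catalog ($gc): $($viaGc.Count) printer objects from one query"

# Without a GC: one query to each domain on the standard LDAP port, which is
# the cross-domain traffic the slide sequence describes.
$perDomain = foreach ($domain in $forest.Domains) {
    Get-ADObject -Server $domain -LDAPFilter '(objectCategory=printQueue)'
}
"Per-domain (389): $($perDomain.Count) printer objects from $($forest.Domains.Count) queries"

# Caveat: the GC holds only the partial attribute set. An attribute outside it
# comes back empty from the 3268 query and needs a 389 query to the owning
# domain, which is the replication-versus-response trade-off the lesson names.
$viaGc | Select-Object Name, printerName, DistinguishedName -First 5
```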

Limiting Query Scope
It is generally not desirable to make every domain controller a global catalog server. In some cases, it may be more cost-effective to have logons take place over a fast link to another location rather than to place domain controllers and global catalogs at every site.

The domain controller and the global catalog server

When a user logs on, the domain controller servicing the authentication request must be able to communicate with a global catalog server.
This holds true for native mode, with some exceptions we will discuss later in this course. In mixed mode, a user could still log on to a down-level domain controller without a global catalog. However, if a user uses a user principal name (UPN) to log on, a global catalog will always be required. In a single domain network, a global catalog server is not necessary for the logon process.

The user logon process

What happens when the global catalog server is not available and the user is a member of the Domain Admins group?
The link below describes the user logon process in this circumstance:

User Logon Global Catalog - Domain Controller

Cost of Global Catalog Servers

A global catalog contains both a complete copy of one domain and a read-only partial copy of every other domain in the forest. For this reason, global catalogs generate more replication traffic than regular domain controllers. In some sites, additional global catalog servers might be necessary. In deciding to use more than one global catalog per site, you should use the same failover and load distribution rules that you use in deciding to add individual domain controllers.
As a general rule, to take advantage of sites, Microsoft recommends that you assign at least one domain controller in each site as a global catalog server.
Additional global catalog servers may not add value. Only if you have multiple domains should you carefully consider assigning more than one global catalog per site. Even in a multiple domain system, usually only a single catalog server per site is necessary. In the next lesson, we will look at the roles of operations masters.

Active Directory Administration
[1]Forests: Two or more domain trees which do not share a contiguous namespace can be joined in a forest. Domains within a forest share two-way transitive trust relationships and share a common schema and global catalog.