Configuring Active Directory Infrastructure - configuring the global catalog
Understanding the Global Catalog
Although the global catalog is not one of the five FSMO roles, the services it provides are of critical importance to the functionality of the Active Directory network. The global catalog (GC) contains a forest of Active Directory objects, acting as a main storage of the copies of all objects from host server's local domain, as well as other domains within the forest. This is called partial attribute set, or PAS. It includes a subset of the attributes for each object. These attributes are crucial in providing basic user functionality, including logon, searches and membership features.
By default, the first domain controller installed in the forest root domain is designated as a global catalog server. However, any or all domain controllers in a domain can be designated as global catalog servers. As an Active Directory administrator, you need to carefully weigh the benefits of designating additional domain controllers in your environment as global catalogs against the resulting performance implications.
The global catalog has four main functions in an Active Directory environment:
- Facilitating searches for objects in the forest. The moment a new search for an object is initiated in Active Directory, the query is automatically sent to TCP port 3268. From there, the request is forwarded to a global catalog server. SRV records employed by Active Directory refer to the global catalog, tapping in to the port to answer these requests.
- Resolving User Principal Names (UPNs). UPNs allow users to log on to domains across the forest using a standardized naming format that matches the format used for email addresses, such as firstname.lastname@example.org. When a local domain controller receives a request for logon via a UPN, it contacts a global catalog server to complete the logon process. For example, assume the user account for jsmith resides in the acme.com domain, and jsmith is currently working from the Tokyo acme.com location. Because jsmith travels frequently between the various corporate locations, he uses the UPN, email@example.com, to log on to his network account and his email account. Upon receiving a logon attempt from jsmith, a local domain controller searches for a global catalog server to resolve firstname.lastname@example.org to a username. The global catalog server stores enough information about the user to permit or deny the logon request. For example, if a time restriction allows logons only during business hours and jsmith is attempting to log on after hours, the global catalog will have a copy of that information and, therefore, jsmith's logon request will be denied. Because of this need to allow user authentication across domains, Active Directory must be able to contact a global catalog (or have a mechanism to cache global catalog information as you will see shortly) to process any user logon, even in a single-domain environment.
- Maintaining universal group membership information. Active Directory users can be permitted or denied access to a resource based on their group memberships. This information is an important part of a user's security token, which is used to determine which resources a user can and cannot access. Domain local and global group memberships are stored at the domain level; universal group memberships are stored in the global catalog. A universal group can contain users, groups, and computers from any domain in the forest. In addition, universal groups, through their membership in domain local groups, can receive permissions for any resource anywhere in the forest. A user who is a member of a universal group can be granted or denied permission to access resources throughout the forest. This presents another reason why a global catalog is required for a successful first-time logon to Active Directory. Without the global catalog available to query universal group memberships, a complete picture of the user's group memberships cannot be created and the logon process would be incomplete.
- Maintaining a copy of all objects in the domain. A domain controller that has been configured as a global catalog will contain a copy of its own domain NC, as well as a copy of the partial attribute set (PAS) of every other domain NC in the forest. Each object class has a certain list of attributes that are included in the PAS. This is defined within the Active Directory schema. You can add attributes to the PAS by modifying the attribute so that it is indexed, which means that it will be stored in the PAS and replicated to all global catalog servers in the forest.