active directory

Understanding Global Catalog (Active Directory)


In addition to the 5 FSMO roles in Active Directory, there is the sixth (unofficial) domain controller role Global catalog (GC). Unlike FSMO roles, any controller in a domain can have a Global Catalog role, i.e. it doesn’t require the uniqueness of a server within an Active directory domain or forest. However, the Global Catalog is the most important DC role from the practical point of view.

A Global Catalog server is a domain controller that stores copies of all Active Directory objects in the forest. It stores a complete copy of all objects in the directory of your domain and a partial copy of all objects of all other forest domains. Thus, the Global Catalog allows users and applications to find objects in any domain of the current forest by searching for attributes included to GC.

The Global Catalog contains a basic (but incomplete) set of attributes for each forest object in each domain (Partial Attribute Set, PAT). The GC receives data from all the domain directory partitions in the forest, they are copied using the standard AD replication service. Whether the attribute is copied to the Global Catalog is determined by the schema. If necessary, you can configure additional attributes that will be replicated to the GC using the Active Directory Schema snap-in. To add an attribute to the GC, you must select the option Replicate This Attribute To The Global catalog. As a result, the value of the isMemberOfPartialAttributeSet attribute parameter is set to true.

READ ALSO  How to Download and Install the Windows 10 ADK

active directory account name properties

To find the list of DC’s that contains the Global Catalog in the current forest, run the command in the PowerShell console:

Get-ADForest |select -ExpandProperty GlobalCatalogs |Format-Table

expand global catalog active directory

Or this command:

dsquery server -forest –isgc

The first GC server was automatically created on the first domain controller in the forest when you were installing Active Directory Domain Services. In the case of a single site, even if it contains multiple domains, a single Global Catalog server is usually sufficient to process Active Directory requests. In a multi-site environment (in order to optimize network performance) consider adding GC servers to ensure a quick response to search queries and fast logon. Also, at least one GC server must be present on each AD site where Exchange is supposed to be installed.

You can assign additional domain controllers as GC by selecting the Global Catalog option in the Active Directory Sites And Services snap-in.

global catalog active directory

The global catalog server is used for the following purposes:

  • Object search if a user searches for an object by specifying All directory parameter in the query, this request is redirected to port 3268 and sent to the GC server. If, for any reason, there is no GC server in the domain, users and applications will not be able to perform searches in the forest;
  • Authentication the GC server is the source of authentication at the time the user logs on to the domain. The global catalog server resolves the user name if the authenticating domain controller does not have information about user’s account;
  • Verifying membership in universal groups in a multi-domain environment in the verification process, the domain controller verifies the authenticity of the user, after which the user receives authorization data to access the resources. To provide this information, the domain controller retrieves the security identifiers (SIDs) for all security groups that the user is a member of and adds these identifiers to the user’s access token. Because universal groups can contain user and group accounts from any domain in the forest, group membership in them can only be resolved by the GC Server that has catalog information at the forest level;
  • Checking references to objects within the forest Domain controllers use a Global Catalog to validate references to objects in other domains in the forest. That’s why if the domain controller contains an object with an attribute, that contains a reference to an object in another domain the domain controller checks the link by establishing a connection to the Global Catalog server;
  • Exchange Address Book Search when users in their Outlook clients want to find a person within their organization, they usually search through the global address list (GAL). The GAL is a list, that Exchange creates as a result of an LDAP query to search for all mail-enabled objects users, contacts, and groups. When a user tries to open an address book in Microsoft Outlook, or writes a message and enters a name or address in the To field, Outlook uses the GC Server specified by the Exchange server. To search for Global Catalog servers, Exchange mail servers use Active Directory and DNS.
READ ALSO  Setting Default File Associations using Group Policy

For resiliency purposes it is important to keep at least a few domain controllers with the Global Catalog role. It will be better if each domain has a minimum of one GC. However, it is better to have a Global Catalog on every DC in the forest. This will also have a positive effect on load balancing, it is important to notice that from now on you will not have to worry about the infrastructure master FSMO role (for more details read this article).

If you can’t make all DCs the Global Catalog, then take care that the infrastructure master FSMO role does not reside on the GC Server, otherwise it will stop its functioning (phantom records will not be created/changed) and as a consequence you will get irrelevant data in AD.

If there is no Global Catalog server, users can not log in, and the Exchange mail server can’t send and receive mail. That’s why the Global Catalog is the most important role of the domain controller, without GC role the functioning of Active Directory is almost impossible.


You may also like:

Active Directory auditing: No simple road to succe... Auditing Active Directory almost always finds place at the top of the administrator’s to-do list. There are a number of pressing needs that make audit...
Installing Active Directory Snap-in on Windows 10 One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). To work with ADUC snap-in in ...
Grant Full Access to All Mailboxes in Exchange 200... This is a short tutorial on how to add full access to all mailboxes in Exchange 2007 and 2010 for a an additional user. This can come in handy when sa...
Add Calendar Permissions in Office 365 via Powersh... This is a tutorial on adding calendar permissions in Office 365 for your users via Powershell. You can add permissions onto a specific mailbox, or you...
How to hide specific OU in Active Directory The first thing you see while opening Active Directory Users and Computers (ADUC) snap-in is AD containers (Organization Unit, OU), in which user acco...