In addition to the 5 FSMO roles in Active Directory, there is the sixth (unofficial) domain controller role — Global catalog (GC). Unlike FSMO roles, any controller in a domain can have a Global Catalog role, i.e. it doesn’t require the uniqueness of a server within an Active directory domain or forest. However, the Global Catalog is the most important DC role from the practical point of view.
A Global Catalog server is a domain controller that stores copies of all Active Directory objects in the forest. It stores a complete copy of all objects in the directory of your domain and a partial copy of all objects of all other forest domains. Thus, the Global Catalog allows users and applications to find objects in any domain of the current forest by searching for attributes included to GC.
The Global Catalog contains a basic (but incomplete) set of attributes for each forest object in each domain (Partial Attribute Set, PAT). The GC receives data from all the domain directory partitions in the forest, they are copied using the standard AD replication service. Whether the attribute is copied to the Global Catalog is determined by the schema. If necessary, you can configure additional attributes that will be replicated to the GC using the Active Directory Schema snap-in. To add an attribute to the GC, you must select the option Replicate This Attribute To The Global catalog. As a result, the value of the isMemberOfPartialAttributeSet attribute parameter is set to true.
To find the list of DC’s that contains the Global Catalog in the current forest, run the command in the PowerShell console:
Get-ADForest |select -ExpandProperty GlobalCatalogs |Format-Table
Or this command:
dsquery server -forest –isgc
The first GC server was automatically created on the first domain controller in the forest when you were installing Active Directory Domain Services. In the case of a single site, even if it contains multiple domains, a single Global Catalog server is usually sufficient to process Active Directory requests. In a multi-site environment (in order to optimize network performance) consider adding GC servers to ensure a quick response to search queries and fast logon. Also, at least one GC server must be present on each AD site where Exchange is supposed to be installed.
You can assign additional domain controllers as GC by selecting the Global Catalog option in the Active Directory Sites And Services snap-in.
The global catalog server is used for the following purposes:
- Object search — if a user searches for an object by specifying All directory parameter in the query, this request is redirected to port 3268 and sent to the GC server. If, for any reason, there is no GC server in the domain, users and applications will not be able to perform searches in the forest;
- Authentication — the GC server is the source of authentication at the time the user logs on to the domain. The global catalog server resolves the user name if the authenticating domain controller does not have information about user’s account;
- Verifying membership in universal groups in a multi-domain environment — in the verification process, the domain controller verifies the authenticity of the user, after which the user receives authorization data to access the resources. To provide this information, the domain controller retrieves the security identifiers (SIDs) for all security groups that the user is a member of and adds these identifiers to the user’s access token. Because universal groups can contain user and group accounts from any domain in the forest, group membership in them can only be resolved by the GC Server that has catalog information at the forest level;
- Checking references to objects within the forest — Domain controllers use a Global Catalog to validate references to objects in other domains in the forest. That’s why if the domain controller contains an object with an attribute, that contains a reference to an object in another domain — the domain controller checks the link by establishing a connection to the Global Catalog server;
- Exchange Address Book Search — when users in their Outlook clients want to find a person within their organization, they usually search through the global address list (GAL). The GAL is a list, that Exchange creates as a result of an LDAP query to search for all mail-enabled objects — users, contacts, and groups. When a user tries to open an address book in Microsoft Outlook, or writes a message and enters a name or address in the To field, Outlook uses the GC Server specified by the Exchange server. To search for Global Catalog servers, Exchange mail servers use Active Directory and DNS.
For resiliency purposes it is important to keep at least a few domain controllers with the Global Catalog role. It will be better if each domain has a minimum of one GC. However, it is better to have a Global Catalog on every DC in the forest. This will also have a positive effect on load balancing, it is important to notice that from now on you will not have to worry about the infrastructure master FSMO role (for more details read this article).
If you can’t make all DCs the Global Catalog, then take care that the infrastructure master FSMO role does not reside on the GC Server, otherwise it will stop its functioning (phantom records will not be created/changed) and as a consequence — you will get irrelevant data in AD.
If there is no Global Catalog server, users can not log in, and the Exchange mail server can’t send and receive mail. That’s why the Global Catalog is the most important role of the domain controller, without GC role the functioning of Active Directory is almost impossible.