The global catalog is a distributed data repository that holds a searchable, partial representation of every object in every domain of a multidomain Active Directory Domain Services (AD DS) forest. It is stored on the domain controllers that have been designated as global catalog servers and is kept in sync through multimaster replication. Searches that are sent directly to the global catalog are faster because they do not involve referrals to other domain controllers. To determine how to find a global catalog server, you first need to be able to tell whether a given domain controller is one.
Every domain controller in a forest stores a full, writable replica of exactly one domain directory partition, in addition to replicas of the configuration and schema directory partitions. On its own, a domain controller can therefore locate only the objects in its own domain; finding an object in a different domain requires the user or application to supply the domain of the requested object.
The global catalog can locate objects from any domain without requiring the domain name. A global catalog server is a domain controller that, besides its own domain partition, stores a partial, read-only replica of every other domain directory partition in the forest. These additional replicas are partial because they contain only a limited set of attributes for each object (the partial attribute set). Because only the attributes that are commonly used for searching are included, the database of a single global catalog server can represent every object in every domain, even in the largest forest.
The following events require a global catalog server:
Forest-wide searches. The global catalog provides a resource for searching an entire AD DS forest. Forest-wide searches are distinguished by the LDAP port they use: a search query that is sent to port 3268 (or 3269 for LDAP over SSL) is serviced by the global catalog, while a query to port 389 is answered from the domain controller's own domain partition only.
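To make the port distinction concrete, the following PowerShell is an added example, not code from the original article. It sends the same LDAP filter to port 3268 and to port 389 of the same domain controller so you can see the forest-wide versus single-domain scope. The host name dc01.corp.example.com, the account name jdoe and the presence of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the original article). Assumptions: the ActiveDirectory
# module is installed, dc01.corp.example.com is a global catalog server, and an
# account with sAMAccountName "jdoe" exists somewhere in the forest.
Import-Module ActiveDirectory

$dc     = 'dc01.corp.example.com'                            # assumed GC server
$filter = '(&(objectCategory=person)(sAMAccountName=jdoe))'  # assumed account

function Find-ObjectsByPort {
    param(
        [string]$Server,
        [int]$Port,
        [string]$LdapFilter
    )

    $params = @{
        Server     = "$Server`:$Port"
        LDAPFilter = $LdapFilter
        Properties = 'userPrincipalName'
    }
    if ($Port -eq 3268 -or $Port -eq 3269) {
        # An empty search base on a global catalog port means "the whole forest".
        $params['SearchBase'] = ''
    }
    # On 389 the default search base is the DC's own domain partition. Matches
    # that live in other domains are only surfaced as referrals, which
    # Get-ADObject does not chase, so they simply do not come back.
    Get-ADObject @params |
        Select-Object @{ n = 'Port'; e = { $Port } }, DistinguishedName, userPrincipalName
}

# Forest-wide: returns the object regardless of which domain holds it.
Find-ObjectsByPort -Server $dc -Port 3268 -LdapFilter $filter

# Domain-only: returns the object only if it lives in dc01's own domain.
Find-ObjectsByPort -Server $dc -Port 389 -LdapFilter $filter
```

If the 3268 query returns the account but the 389 query does not, the account lives in another domain of the forest; if the 3268 query fails to connect at all, the server you chose is not a global catalog server (or the port is blocked).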
In a forest containing more than one domain, two conditions require the global catalog during user authentication:
User logon. In a domain that operates at the Windows 2000 native domain functional level or higher, domain controllers must request universal group membership information from a global catalog server before they can complete a logon.
UPN logon. When a user logs on with a user principal name (UPN) and the forest contains more than one domain, a global catalog server is required to resolve the UPN to the user's account.
Universal group membership caching: In a forest with more than one domain, in sites that contain domain users but no global catalog server, you can enable universal group membership caching so that a domain controller caches the universal group memberships it retrieves from a global catalog at a user's first logon. The global catalog then does not need to be contacted for that user's subsequent logons. This removes the need to retrieve universal group memberships across a WAN link from a global catalog server in a different site every time a user logs on.
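The following PowerShell is an added example, not code from the original article. It reports the sites that have neither a global catalog server nor universal group membership caching enabled (the sites where a WAN outage to the nearest global catalog blocks logons) and enables caching on one of them. Caching is a flag on the site's NTDS Site Settings object: bit 0x20 of the options attribute (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED), with the optional msDS-Preferred-GC-Site attribute naming the site to refresh the cache from. The site names Branch-Office and HQ are assumptions.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and rights to modify the configuration partition (Enterprise Admins
# by default) for the Enable-Ugmc step.
Import-Module ActiveDirectory

$UgmcBit  = 0x20   # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED on NTDS Site Settings
$configNC = (Get-ADRootDSE).configurationNamingContext

function Get-SiteSettings {
    param([string]$SiteName)
    Get-ADObject -Identity "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC" `
        -Properties options, 'msDS-Preferred-GC-Site'
}

function Test-UgmcEnabled {
    param([string]$SiteName)
    $s   = Get-SiteSettings $SiteName
    $opt = if ($null -eq $s.options) { 0 } else { [int]$s.options }
    ($opt -band $UgmcBit) -ne 0
}

function Enable-Ugmc {
    param([string]$SiteName, [string]$PreferredGcSiteName)
    $s   = Get-SiteSettings $SiteName
    $opt = if ($null -eq $s.options) { 0 } else { [int]$s.options }
    # Preserve any other bits already set in options.
    $replace = @{ options = ($opt -bor $UgmcBit) }
    if ($PreferredGcSiteName) {
        $replace['msDS-Preferred-GC-Site'] = "CN=$PreferredGcSiteName,CN=Sites,$configNC"
    }
    Set-ADObject -Identity $s.DistinguishedName -Replace $replace
}

# Sites that host at least one global catalog server, forest-wide.
$gcSites = (Get-ADForest).GlobalCatalogs |
    ForEach-Object { (Get-ADDomainController -Identity $_).Site } |
    Sort-Object -Unique

# Sites with no GC and no caching: candidates for Enable-Ugmc (or for a GC).
Get-ADReplicationSite -Filter * | ForEach-Object {
    [pscustomobject]@{
        Site        = $_.Name
        HasGC       = $gcSites -contains $_.Name
        UgmcEnabled = Test-UgmcEnabled $_.Name
    }
} | Where-Object { -not $_.HasGC -and -not $_.UgmcEnabled }

# Example (assumed site names):
# Enable-Ugmc -SiteName 'Branch-Office' -PreferredGcSiteName 'HQ'
```

Caching is per site, not per domain controller, so every domain controller in the site picks the flag up after configuration replication; the cache is populated only when a user first logs on, so the first logon after enabling still needs the WAN link.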
The Global Catalog setting on a domain controller's NTDS Settings object indicates whether that domain controller is designated as a global catalog server.
Membership in the Domain Users group in Active Directory is the minimum required to complete this procedure, because it only reads the NTDS Settings object.
To identify whether a domain controller is a global catalog server:
Open Active Directory Sites and Services.
In the console tree, expand the Sites container, then expand the site of the domain controller that you want to check. Expand the Servers container, and then expand the server object.
Right-click the NTDS Settings object, and then click Properties.
On the General tab, if the Global Catalog check box is selected, the domain controller is designated as a global catalog server.
Configuring Global Catalog:
Configuring a domain controller as a global catalog server comes down to selecting one check box on the NTDS Settings object, but it is worth walking through the path once so that you can find it again without searching.
Start in the Active Directory Sites and Services snap-in. Expand Sites, then Default-First-Site-Name, then Servers. Select your server and locate its NTDS Settings object. Right-click NTDS Settings, click Properties, and select the Global Catalog check box.
On Windows 2000 Server, the domain controller must be restarted before the change takes effect, and the interface does not prompt you to do so. Windows Server 2003 removed this requirement: you no longer need to reboot when you enable or disable the global catalog. On every version, however, the server does not start advertising itself as a global catalog until it has finished replicating the partial replicas of the other domain partitions, so allow time for replication before you expect clients to use it.
The only difference for a server in another site is that you expand that site instead of Default-First-Site-Name.
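The following PowerShell is an added example, not code from the original article. It performs both procedures above from the command line: it lists the forest's global catalog servers, reads the same setting the Global Catalog check box represents (bit 0x1, NTDSDSA_OPT_IS_GC, of the options attribute on the NTDS Settings object), checks whether a server is actually advertising as a global catalog yet (rootDSE isGlobalCatalogReady), and enables or disables the global catalog on a server while preserving the other option bits. The host name dc02.corp.example.com is an assumption.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module; Set-GlobalCatalog also needs rights on the configuration partition
# (Enterprise Admins by default).
Import-Module ActiveDirectory

$IsGcBit = 0x1   # NTDSDSA_OPT_IS_GC in the options attribute of NTDS Settings

# 1. Every global catalog server in the forest, as recorded in the configuration.
function Get-ForestGlobalCatalogs {
    (Get-ADForest).GlobalCatalogs
}

function Get-NtdsOptions {
    param([string]$DcHostName)
    $dc   = Get-ADDomainController -Identity $DcHostName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opt  = if ($null -eq $ntds.options) { 0 } else { [int]$ntds.options }
    [pscustomobject]@{ DistinguishedName = $ntds.DistinguishedName; Options = $opt }
}

# 2. The equivalent of the GUI check box on the NTDS Settings object.
function Test-IsGlobalCatalog {
    param([string]$DcHostName)
    ((Get-NtdsOptions $DcHostName).Options -band $IsGcBit) -ne 0
}

# 3. Whether the server is already advertising as a GC (what clients see).
function Test-IsGlobalCatalogReady {
    param([string]$DcHostName)
    (Get-ADRootDSE -Server $DcHostName).isGlobalCatalogReady -eq 'TRUE'
}

# 4. Select or clear the check box, then wait for the server to become ready.
function Set-GlobalCatalog {
    param([string]$DcHostName, [bool]$Enabled, [int]$TimeoutMinutes = 30)
    $ntds = Get-NtdsOptions $DcHostName
    $new  = if ($Enabled) { $ntds.Options -bor $IsGcBit } else { $ntds.Options -band (-bnot $IsGcBit) }
    Set-ADObject -Identity $ntds.DistinguishedName -Replace @{ options = $new }
    if (-not $Enabled) { return $true }

    # Readiness lags the flag: the partial replicas must replicate in first.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if (Test-IsGlobalCatalogReady $DcHostName) { return $true }
        Start-Sleep -Seconds 30
    }
    throw "$DcHostName is flagged as a GC but not ready after $TimeoutMinutes minutes; check replication with repadmin /showrepl $DcHostName."
}

Get-ForestGlobalCatalogs
Test-IsGlobalCatalog      -DcHostName 'dc02.corp.example.com'   # assumed host
Test-IsGlobalCatalogReady -DcHostName 'dc02.corp.example.com'
# Set-GlobalCatalog -DcHostName 'dc02.corp.example.com' -Enabled $true
```

A server for which Test-IsGlobalCatalog returns True but Test-IsGlobalCatalogReady returns False is the "check box ticked but not yet replicated" state described above; clients will not be directed to it until the rootDSE flag flips. From a client without the module, nltest /dsgetdc:corp.example.com /gc shows which ready global catalog the locator picks for a given domain.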
If there are firewall restrictions between clients and domain controllers, remember that LDAP uses port 389 (636 for LDAP over SSL) for regular read and write operations against a domain partition, and port 3268 (3269 over SSL) for global catalog search operations; a client that can reach only 389 can never perform a forest-wide search.
You do not need to worry about any of this when you have only one domain.
In a single-domain forest, there is nothing wrong with not having a local global catalog server in every site. In a multidomain forest, however, logon delays and failures can result unless global catalog servers are placed judiciously. The root of the problem is the enumeration of universal group membership at logon. In a single domain, universal groups serve little purpose: any universal group you create can only contain security principals from your own domain, so there is no other domain to check, and every domain controller already holds the full domain partition.
Global catalog servers' summary:
The most important point is that a domain controller that is not a global catalog server cannot determine a user's membership in universal groups from other domains. It must contact a global catalog server to obtain that information, and if none can be reached the domain controller cannot complete the logon request. This behavior exists for security reasons: a universal group from another domain may be used to deny access to a resource, so the user's access token must not be built without it. Plan additional global catalog servers for sites that lack one (or enable universal group membership caching there). In a single-domain forest, however, additional global catalog servers are not required for logon.
In short, the global catalog is a partial, forest-wide data repository held on designated domain controllers. With the steps above, finding out which domain controllers are global catalog servers, and making another one, takes only a few minutes.