Global Catalog versus Global Catalog Server

The first domain controller you create in Active Directory is a global catalog server. The global catalog is a storehouse of information that contains a subset of attributes for all objects in Active Directory. This is the information that is necessary to determine the location of any object in the directory. You can configure additional domain controllers to be global catalog servers to balance the logon authentication traffic and query traffic. There should be a global catalog server at each site. By default, the attributes that are stored in the global catalog are those that are most frequently used in queries (such as a user's first name, last name, and logon name).
The availability of global catalog servers is critical to the operation of the directory. For example, a global catalog server must be available when processing a user logon request for a native-mode domain or when a user logs on with a user principal name.

• Placing Global Catalog Servers: The first domain controller created in Active Directory is the global catalog server. You can configure additional domain controllers to be global catalog servers to balance the logon authentication traffic and query traffic.

In a single-domain Active Directory environment, a Global Catalog (GC) server is essential for performing forest-wide searches and handling logon requests. By default, the first domain controller (DC) installed in the forest is automatically configured as a Global Catalog server. If you need to assign additional Global Catalog servers, you can do so by following these steps:
Steps to Assign a Global Catalog Server:

1. Open Active Directory Sites and Services: On a domain controller, open the "Active Directory Sites and Services" console. You can do this by typing `dssite.msc` in the Run dialog (press `Win + R`).
2. Navigate to the Domain Controller:
   • In the console, expand the "Sites" container, then expand the site that contains the domain controller you want to configure as a Global Catalog server.
   • Expand the "Servers" container and select the domain controller you want to modify.
3. Modify the NTDS Settings:
   • Under the selected domain controller, click on the "NTDS Settings" object.
   • Right-click "NTDS Settings", and then select "Properties".
4. Enable Global Catalog:
   • In the NTDS Settings Properties window, check the box labeled "Global Catalog" to assign this domain controller as a Global Catalog server.
   • Click OK to save the hanges.
5. Verify the Configuration:
   • After enabling the Global Catalog role, you can verify the configuration by checking the event logs or using tools like `repadmin` to ensure that the server is functioning as a Global Catalog server.

Important Notes:

• Replication Considerations: Assigning additional Global Catalog servers will increase the replication traffic, as Global Catalogs must hold partial copies of all objects in the forest. Ensure your network can handle this extra load.
• Redundancy: In larger environments or critical systems, it’s recommended to have multiple Global Catalog servers for redundancy.

Assigning Global Catalog servers in a single domain is generally straightforward, and having more than one can provide fault tolerance.
In a single domain environment, global catalog servers are not required to process a user logon request.
However, you should assign global catalog servers in a single domain environment for the reasons listed below:

1. Clients still seek global catalog servers for search operations.
2. Having global catalog servers already in place makes the system more scalable if you later choose to add more domains. As always, the cost of global catalog replication is weighed against the need for speedier logon and response to global catalog queries.

None of the objects contained in an application partition are replicated to the Global Catalog. Even if a domain controller that holds a replica of an application partition is also a Global Catalog server, the domain controller will not return any objects from the application partition during a Global Catalog search. This is registered only if the domain controller is also a Global Catalog server. You can query

gc._msdcs.mycorp.com

with nslookup to obtain a list of all the Global Catalog servers in the forest.
One interesting thing to note about SRV records is the seventh field, which designates the port used to contact the service on that host. In all of these cases, 3268 is used, which corresponds to the Global Catalog port. You may have also noticed the entries that contain Default-First-Site-Name. Each Global Catalog server registers site-specific records so clients can find the optimal Global Catalog based on their site membership.

• Role of Global Catalog in Active Directory: The global catalog performs two important directory roles by permitting the user to:
  1. Log on to the network by providing universal group membership information to a domain controller when a logon process is initiated
  2. Find directory information in the entire forest^[1], regardless of the location of the data

Because the global catalog server accesses object information in the local domain, it limits the scope of the query. In this way, global catalog servers can be used to improve the performance of forest-wide searches in Active Directory. Because global catalogs require more replication traffic, you have to balance that against the speed of response. Let us look at an example using the Slide Show below.

• Using Global Catalog to Scope of Query:
  In the example below, we are conducting a search for all of the printers in a forest:

The architecture for Active Directory searches includes both client and server components. On the client side, a "directory client application" constructs LDAP^[2] requests to be sent to Active Directory. The LDAP requests can be one of several types, including

1. connect,
2. bind (authentication),
3. modify, and
4. unbind.

Depending on how a directory client application is written, one of three different application programming interfaces (APIs) is used to submit requests. The LDAP requests are received and processed by the Directory System Agent (DSA), which is represented by Ntdsa.dll on a domain controller. Ntdsa.dll runs as a part of the local security authority (LSA), which runs as Lsass.exe. The architecture for Active Directory searches is shown in the following figure. The components of the architecture for Active Directory searches are described in the following table.

• Global Catalog Server
  Some domain controllers are global catalog servers. Depending on your network configuration, you may have several global catalog servers. Global catalog servers perform two major functions:
  1. Global catalog servers contain a full replica of all Active Directory objects in their domain and a partial replica of all Active Directory objects in other domains in the forest. For example, let’s say that Karen Anderson, a user in a domain called triton.com, needs to use a printer in the prod.triton.com domain. Karen searches for the printer. In order to fulfill Karen’s request, a global catalog server is consulted because the global catalog server has a partial replica of all objects in the other domain. Using the global catalog server, Karen can find and connect to a desired printer (assuming she has appropriate permission to do so). A partial replica simply means that the global catalog server is aware of the object and the most common attributes for that object. Since its job is to help with user queries, only the most common attributes that might be used in a search process are kept on global catalog server.
  2. Global catalog servers are required for user logons. This may sound strange, but global catalog servers assist with user logons in that they provide information about Universal groups, a new type of group in Windows 2000, to a domain controller where the logon request initiated.

It is generally not desirable to make every domain controller a global catalog server.In some cases, it may be more cost-effective to have logons take place over a fast link to another location rather than to place domain controllers and global catalogs at every site.

When a user logs on, the domain controller servicing the authentication request must be able to communicate with a global catalog server.
This holds true for native mode, with some exceptions we will discuss later in this course. In mixed mode, a user could still log on to a down-level domain controller without a global catalog. However if a user uses a user principal name (UPN) to log on, a global catalog will always be required. In a single domain network, a global catalog server is not necessary for the logon process.

• The user logon process: What happens where the global catalog server is not available and the user is a member of domain Admin group?
  The link below describes the user logon process in this circumstance:

A global catalog contains both a complete copy of one domain and a read-only partial copy of every other domain in the forest. For this reason, global catalogs generate more replication traffic than regular domain controllers. In some sites, additional global catalog servers might be necessary. In deciding to use more than one global catalog per site, you should use the same failover and load distribution rules that you use in deciding to add individual domain controllers. As a general rule, to take advantage of sites , Microsoft recommends that you assign at least one domain controller in each site as a global catalog server.
Additional global catalog servers may not add value. Only if you have multiple domains should you carefully consider assigning more than one global catalog per site. Even in a multiple domain system, usually only a single catalog server per site is necessary.In the next lesson, we will look at the roles of operations masters.

[1] Forests:: Two or more domain trees which do not share a contiguous namespace can be joined in a forest. Domains within a forest share two-way transitive trust relationships and share a common schema and global catalog.

[2] (LDAP) Lightweight Directory Access Protocol:LDAP is an open and cross platform protocol used for directory services authentication.