Solved

What is Global Catalog in the Active Directory?

Posted on 2010-08-28
Last Modified: 2012-05-10
What is the Global Catalog in Active Directory? Just explain to me in simple English what the Global Catalog is, what its function is, and why we require a Global Catalog...

Please don't share any links.
Question by:moonpavan
13 Comments

Accepted Solution

by: Andre Thibodeau (earned 100 total points)
Simply put....

The global catalog is a searchable database that contains all of the objects in your Active Directory.

You need a GC to query objects in your Active Directory, for example, Exchange will use a GC to look up an email address.

Andre

Assisted Solution

by: LTCexpert (earned 100 total points)
The Global Catalogue is like the master of domain controllers.
If you have one DC, your GC will be on that server. If you have multiple DCs, the GC will be on the first, which will be in charge of replicating the Active Directory to the DCs and making sure they are always on the same up-to-date version.

Assisted Solution

by: Mike Kline (earned 100 total points)
The second answer is wrong....GCs are not "master domain controllers", and they are also not in charge of replicating AD.


A global catalog contains every object in the AD forest. The GC contains full attributes for every object in its own domain (domain partition) and only a partial set of attributes (the partial attribute set, PAS) for objects outside of its domain.

http://technet.microsoft.com/en-us/library/cc736934(WS.10).aspx

Try to make every DC a GC if you can (if your bandwidth can support it in a multi-domain forest, for example). In 2008 the GC is selected by default during dcpromo.

So you might be thinking...what role does a GC play in a single domain forest....no real role because the DC already knows about all the objects in the domain partition.

Thanks

Mike

Assisted Solution

by: KCTS (earned 100 total points)
The global catalog contains all of the objects (computers, users, etc.) that exist in the entire forest and is replicated to at least one Global Catalog server in each domain. While it contains ALL of the objects in the forest, it does NOT include ALL DETAILS of ALL OBJECTS in the forest, just the ones which are considered to be 'important' (you can edit the list of which values are held in the GC if you really want to). When requests for object information are made across domains, the Global Catalog provides an efficient way of returning that information without having to refer the query to the specific domain in which the object exists.

A Few things which are forest rather than domain based are also held exclusively in Global Catalog - Universal Group Membership for example.

When a user logs on, then in addition to a domain controller being required to authenticate the user, the global catalog must also be queried in order to determine which universal groups the user belongs to (if any). By default, if no global catalog is available, users will not be allowed to log on, since their membership of universal groups cannot be determined and it's just possible (though not very likely) that some permissions have been explicitly denied to a universal group of which the user is a member.

Assisted Solution

by: Vegaskid1973 (earned 100 total points)
Active Directory is a database that contains various types of objects including computers and users. Domain controllers (DCs) have a copy of all the objects that are part of the same domain that the DCs belong to and all the attributes for each of those objects.

In a forest with multiple domains, the DCs in each domain will therefore have different objects in their own AD i.e. UserA in DomainA will not be contained in the Active Directory of Domain B.

A Global Catalog (GC) is a server that has a complete list of all objects in not only the domain, but the forest. It's not a complete copy of all Active Directory objects AND attributes in the forest; it's stripped down to contain the most commonly searched details. Think of it like a phone book. You don't use a phone book to find out what colour eyes somebody has or what their favourite food is, but for phone number and address it is perfectly suitable.

Hope that explains the what. Now the why. Possibly the biggest reason is for something called Universal groups. These 'mother of all groups' can be used on Access Control Lists across the forest AND contain user accounts from across the forest too. Universal group membership is something that is stored in the GC.

If I log on to my domain and a GC is not available at that time, my logon token cannot have any universal group membership information, which means I am unable to access any resources that those universal groups would normally have permitted me.

Another important use of the GC is in an Exchange environment. If I want to send an email to a user in another domain within the same forest, I can access a local GC, which will provide me with that person's email address. Without the concept of GCs, I would have to poll that user's own Active Directory. The GC effectively reduces the amount of authentication that occurs between different domains in a forest.

Also worth noting is that the GC is the same, regardless of which domain it is in. It has details from across the forest. Also note that every single domain in a forest must have at least one GC.

Hope this is what you were after.

Expert Comment

by: Mike Kline
A GC is not the exact same regardless of the domain.

It contains a full copy of the domain partition of the domain it's in...it doesn't contain a full attribute set of every domain in the forest.

Yes, it contains all the objects, but not the same attributes from domain to domain.

Thanks

Mike

Expert Comment

by: Dave
Key thing about a GC is that it's only relevant if you have more than one domain. If you have only one domain, just mark all DCs as GCs and forget about it until someone asks you to have two domains.

If someone does ask you to create a second domain, either shoot them, or ask again on here why it's a bad idea to have more than one domain.

If you do have more than one domain then you need GCs because they contain enough info about the other domains for things like group membership.

The other key aspect of GCs is that Exchange uses them, so if you have multiple domains and Exchange, make sure you have enough GCs.

Expert Comment

by: Krzysztof Pytko
As Mike wrote, the GC contains only partial information about objects in the whole forest (for other domains) and full information for its own domain. It doesn't contain details for each account/group in the forest; it knows where a particular object exists (in which domain). If someone queries a GC, it gives back information about which domain should be contacted (in general terms). The database which stores the details is called the Directory Information Tree (the ntds.dit file), where all details are available.

Am I right Mike (more or less) ? ;)

Expert Comment

by: Dave
Seems a little like less to me. When you ask AD about an object, you need to specify which domain to search in. If you ask a DC for the domain that owns the object, you get all details; if you ask a GC from another domain, you get a subset of the details. You choose how to ask by which TCP port you contact.

There is, as far as I know, only one ntds.dit file, and that holds all the AD information that a particular server has: so the Config partition, the Schema partition and the Domain partitions. For its own domain, all info; for other domains, all objects, but a subset of the fields.

Expert Comment

by: snusgubben
Functions of a GC:

- Provides "universal group membership" information to a DC when a logon process is initiated.

- Holds a partial reference to every object in the forest, so a DC in domain A can find objects in domain B.

- "Universal group membership" is stored only in the GC (unlike "Global groups", which are stored in AD in each domain).

Expert Comment

by: Krzysztof Pytko
@g4ugm: you're right about ntds.dit. It contains all partitions inside. I tried to shortcut my thoughts too much in a foreign language, so it came out without making any sense. Thanks for highlighting :)

Expert Comment

by: Dave
That's fine. It's hard enough to understand some of the Microsoft stuff when English is your native language...

Expert Comment

by: Mike Kline
jSiek, yup, you have it down for the most part; it does contain some details of the objects....and that can be modified in the schema.

http://support.microsoft.com/kb/248717

Also right about the partitions....my friends at CB5 have a great blog entry on GC partitions (must read)   http://cbfive.com/blog/post/Global-Catalog-Partitions.aspx

Thanks

Mike
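The port-based distinction Dave describes above (LDAP port 389 versus GC port 3268) and the schema flag Mike mentions, as an added read-only PowerShell example that is not code from this thread; the server name and account name are placeholders, and it assumes the RSAT ActiveDirectory module is installed and the caller has ordinary read access to the directory:

```powershell
# Added example, not from the thread. Compares the full domain-partition view
# of one object (port 389) with the GC view of the same object (port 3268,
# partial attribute set only), runs a forest-wide GC search, and lists the
# attributes the schema marks as members of the partial attribute set (PAS).
# Assumptions: RSAT ActiveDirectory module installed; $Server and $Name are
# placeholders to replace with a real DC/GC name and sAMAccountName.
Import-Module ActiveDirectory

$Server = 'DC01.CORP.EXAMPLE'   # placeholder: a DC that is also a GC
$Name   = 'jdoe'                # placeholder sAMAccountName

# Same object, two ports. 389 reads the domain partition and returns every
# populated attribute; 3268 reads the GC and returns only PAS attributes.
$full    = Get-ADObject -Server "${Server}:389"  -LDAPFilter "(sAMAccountName=$Name)" -Properties *
$partial = Get-ADObject -Server "${Server}:3268" -LDAPFilter "(sAMAccountName=$Name)" -Properties *

# Attributes present in the DC view but absent from the GC view. LDAP omits
# attributes with no value entirely, so this diff covers only the attributes
# this particular object actually has set.
$notInGc = Compare-Object @($full.PropertyNames) @($partial.PropertyNames) |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject

[pscustomobject]@{
    ViaPort389    = $full.PropertyCount
    ViaPort3268   = $partial.PropertyCount
    NotInGcView   = @($notInGc).Count
    ExampleMissed = (@($notInGc) | Select-Object -First 5) -join ', '
}

# Forest-wide lookup: an empty SearchBase on the GC port searches every domain
# partition the GC holds, which is how a DC in domain A locates an object that
# lives in domain B without being referred to domain B's own DCs.
Get-ADObject -Server "${Server}:3268" -SearchBase '' `
    -LDAPFilter "(sAMAccountName=$Name)" -Properties objectSid |
    Select-Object DistinguishedName, objectSid

# Authoritative PAS list from the schema partition: attributeSchema objects
# flagged isMemberOfPartialAttributeSet=TRUE. Setting this flag on an attribute
# (the "modified in the schema" step Mike refers to) is what adds it to the GC.
$schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
Get-ADObject -Server $Server -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
```

Run it against a GC in a multi-domain forest to see the difference; in a single-domain forest the object is in the GC's own domain partition, so both ports return the same attribute set, which is exactly the point Mike makes about GCs having no real role there.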