

Global Catalog Server function

Posted on 2010-08-30
Medium Priority
Last Modified: 2012-05-10
I am trying to interpret the following statement:

"Global Catalog stores a partial copy of all objects in all other domains within the forest. And this partial copy holds the list of objects most frequently searched for."

If GC#1 is located in Domain#A, and DC#2 and DC#3 are located in Domain#B.
DC#2 contains Printer#1 and Printer#2 (as printer objects). DC#3 contains john_smith and mike_smith, 2 user objects. Domain#A and Domain#B are in the same forest.

GC = Global Catalog; DC = Domain Controller

Would all the information about Printer#1, Printer#2, john_smith and mike_smith be replicated to GC#1 and stored in GC#1?

1) Can the client in Domain#A access Printer#1 and Printer#2 by querying GC#1?
2) Can the client in Domain#A log on as john_smith to Domain#B by querying GC#1?
Question by:kcn

Expert Comment

ID: 33563284
Hi kcn,

I think both questions are related to permissions, more than information stored in the global catalog.

In response to question 1, the printer object is stored in the global catalog, and the users in Domain A should see the object in a search. However, the print share will need to allow 'Everyone' or 'Authenticated Users' permissions to allow the users in Domain A to connect to it and print to it.

For question 2, the GC role is a partial replica of attributes, not an authentication point. Users attempting to log on using the john_smith account would still need to contact a domain controller in Domain B to complete the authentication request.

I hope that helps


Author Comment

ID: 33564021
Craig ,

Maybe I understand the GC role wrongly?

Correct me if I have misunderstood your explanation:

For question (1):

(1a) Can we configure Domain#B's printer to give permission to Domain#A's workstations to print?
(1b) I thought only workstations joined to the same domain can print to that domain's printer?

For question (2):

(2a) A user in Domain#A can ONLY SEARCH for the "user object" like john_smith via GC#1 because GC#1 contains john_smith's information, BUT the user from Domain#A must log on to Domain#B using the john_smith account. Am I right?

(2b) One extra extension question: in order for the user to log on to Domain#B using john_smith, must the workstation that she/he uses join Domain#B first before he/she can use this workstation? Am I right?

(2c) If in this case we cannot use Domain#A's workstation to log on to Domain#B?
        We can only use a workstation in the SAME domain to log on to that domain?

Expert Comment

ID: 33564063
1a) It is user-based access, not workstation access, to the printer share. You can add a group to the permissions to allow members from Domain A to print.

1b) As above, it is user-based permissions to access the printer; it has nothing to do with workstation domain membership.

2a) Hmmm.. looks like I may be confusing you. The global catalog holds a subset of attributes of objects from all domains in a forest. When you refer to a user in Domain A searching for a user in Domain B, what tool are you using? Applications will use the global catalog information, rather than a user searching against this information.

2b) No. The workstation can be in either domain. As long as there is a trust relationship between the domains, users from both Domain A and Domain B will be able to log on to the workstation.

2c) No, as above: as long as you have a trust relationship, users from either domain can log on to the workstation.

The global catalog role is not used as an authentication source for users from other domains; it is used mainly by applications that need information about objects in other domains.


Author Comment

ID: 33564178
Craig ,

Can I put it this way:

Correct each of my understandings if I am wrong.. thanks...

(a) Global Catalog is a subset service of Active Directory.

(b) The Global Catalog service is ONLY used to SEARCH object attribute information and has nothing to do with
      authentication.

(c) Authentication is done by Active Directory's authentication service.

(d) Without the Global Catalog service in a domain, we CANNOT log on to that domain because of a shortage of
      user object attribute information, unless there is universal group membership caching in the local

(e) In order to log on to one domain, we need to have both the Authentication Service plus the Global Catalog
      service from a DC.

(f) During the Active Directory replication process, AD's data + authentication information + Global Catalog
     will be replicated among the DCs. In order to reduce the bandwidth of replication, we can remove the
     Global Catalog service from Active Directory.

(g) A user who is a Domain#A member (but not a Domain#B member) can use a workstation
      that previously joined Domain#A (but never joined Domain#B) to log on to Domain#B as long as
      there is a trust relationship between these 2 domains.

Expert Comment

ID: 33564319
(a) The global catalog is a collection of additional information about objects from other domains in the same forest.

(b) The global catalog role is required in a multi-domain environment to validate Universal group membership, as part of the user's access token. This is not important in a single-domain environment.

(c) Correct.

(d) Without a GC, you cannot log on with a UPN (user@domain format) or if universal groups are in use. You should be able to log on with the domain\user format.

(e) In general, yes.

(f) Not correct. Replication between domain controllers in the same domain will contain all information for objects in its own domain (including authentication information); replication between different domains will only contain the global catalog attributes.
Yes, you would reduce bandwidth usage for replication if you disabled the GC, but you may also cause issues for certain applications (such as Exchange and ISA Server) which rely on the availability of a GC in their local AD site.

(g) Not correct. A user from Domain A can use a workstation that is joined to Domain B to log on to Domain A, as long as there is a trust relationship configured between Domain A and Domain B (otherwise Domain A would not be listed as an available domain in the domain drop-down list on the logon screen).

I actually recommend having all domain controllers enabled as global catalogs, unless you are in a really large (> 50,000 object) forest.

Hope this helps
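
The points above (which DCs hold the GC role, the GC holding only a subset of attributes, forest-wide lookups for printers and users from other domains, and enabling the GC on additional DCs in the NTDS Settings object) can be seen directly from PowerShell. The following is an added example written for this page, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module, a forest with at least one GC, and placeholder names (corp.example, child.corp.example, DC2.child.corp.example, john_smith@child.corp.example).

```powershell
# Added example (not from the original thread): inspect which DCs are global
# catalogs, list the attributes that the GC partial attribute set contains,
# query the GC (port 3268) for objects from other domains in the forest, and
# enable the GC role on another DC.
# Assumptions: RSAT ActiveDirectory module is installed; the forest names and
# host names below are placeholders for a real environment.
Import-Module ActiveDirectory

# 1. Which domain controllers currently hold the GC role?
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Domain, Site, IsGlobalCatalog

# 2. The GC replicates only attributes flagged isMemberOfPartialAttributeSet=TRUE
#    in the schema. Everything else stays on the object's home-domain DCs.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pas = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(isMemberOfPartialAttributeSet=TRUE)' `
        -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName
"$($pas.Count) attributes are replicated to the global catalog"
'printShareName', 'userPrincipalName', 'memberOf', 'description' | ForEach-Object {
    '{0,-20} in partial attribute set: {1}' -f $_, ($pas -contains $_)
}

# 3. Query the GC on port 3268. An empty SearchBase against the GC port
#    searches the whole forest, not just the local domain partition.
$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName |
    Select-Object -First 1
$gcServer = "${gc}:3268"

# Every published printQueue object anywhere in the forest (the Printer#1/#2 case).
Get-ADObject -Server $gcServer -SearchBase '' `
    -LDAPFilter '(objectClass=printQueue)' `
    -Properties printShareName, serverName |
    Select-Object Name, printShareName, serverName, DistinguishedName

# A user from another domain, located by UPN through the GC (the john_smith case).
# This finds the object; authentication still goes to a DC of the user's home domain.
Get-ADObject -Server $gcServer -SearchBase '' `
    -LDAPFilter '(&(objectClass=user)(userPrincipalName=john_smith@child.corp.example))' `
    -Properties userPrincipalName |
    Select-Object Name, userPrincipalName, DistinguishedName

# 4. Enable the GC role on an additional DC (what AD Sites and Services does
#    when you tick "Global Catalog"). Bit 0x1 of the NTDS Settings object's
#    "options" attribute is the IS_GC flag; OR it in so other bits survive.
$dc   = Get-ADDomainController -Identity 'DC2.child.corp.example'
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
$newOptions = ([int]$ntds.options) -bor 1
Set-ADObject -Identity $ntds.DistinguishedName -Replace @{ options = $newOptions }
```

Step 2 is the practical check for "is attribute X visible through the GC": if it is not in the partial attribute set, an application bound to port 3268 will not see it, and the query must go to a DC of the object's own domain on port 389 instead. Step 4 changes a forest-wide setting; the new GC will advertise itself only after it has finished replicating the other domains' partial replicas.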


Author Comment

ID: 33564404


The Primary DC of the domain is a GC by default; how about the Backup DC (BDC)? Is the BDC also a GC by default, or not a GC until we configure it?
So, from the (g) explanation, a Domain#A user member can only log on to Domain#A and CANNOT log on to Domain#B even if there is a trust relationship between Domain#A and Domain#B?

Please clarify above 2 questions .


Author Comment

ID: 33564417
Craig ,

On your answer (d), without the GC in the domain, we can still log on using the user/domain format?
What does this format look like?

I thought we totally cannot log on to the domain if a GC is not present in the same domain, or there is no link to another GC in the same forest?

Expert Comment

ID: 33564422
(1) In Active Directory there is no longer the concept of a primary DC. The first DC in the domain will be a global catalog by default; others need to be enabled (in AD Sites and Services).

(2) That is correct, user accounts in Domain A can only log on to Domain A. Can you please explain your requirement a little more? Are you trying to get users in Domain A to access file shares / printers in Domain B?

Happy to clarify further.

Expert Comment

ID: 33564441

I am sorry, I am wrong about being able to log on without contacting a GC, as stated on TechNet:

Global Catalog and Domain Logon Support
In a native-mode domain, a Global Catalog server is a requirement for logging on to the domain. For this reason, it is advisable to have at least one Global Catalog server in a site. If a Global Catalog is not available in a site and there is another Global Catalog server in a remote site, the server in the remote site can be used for the logon process. If no Global Catalog is available in any site, the logon process proceeds with cached logon information.

A member of the Domain Admins group can complete the logon process (not cached) even when a Global Catalog server is not available.

This is from:

However, given that there is always at least one GC available, this becomes irrelevant.



Author Comment

ID: 33564736
Hi Craig ,

To answer your answer below:
(2) That is correct, user accounts in Domain A can only log on to Domain A. Can you please explain your requirement a little more? Are you trying to get users in Domain A to access file shares / printers in Domain B?
==> Yes. I am thinking of using a Domain#A user account to access Domain#B's resources like files/printers.
       I do not think it works because a Domain#A user can only log on to Domain#A and access Domain#A's
       resources.
==> But you mentioned a Domain#A user can use a Domain#B workstation to log on to Domain#A and
       access Domain#A's resources because of the trust relationship between Domain#A and Domain#B.
       Am I right? - Question (1a)

For your last post's explanation:

A user can log on to Domain#A using Domain#A's Admin group even if the GC is not present in Domain#A. In other words, we CANNOT use a Domain#A user account (non-admin group) to log on to Domain#A if the GC is not available (assuming this is a single-domain network).
==> Am I right? -- Question (1b).

Please answer questions (1a) and (1b).

Author Comment

ID: 33565512
Craig , are you there ?

Accepted Solution

craig_j_Lawrence earned 2000 total points
ID: 33572727
Sorry, I was offline late yesterday.

kcn, in answer to your questions:

1a) A user in Domain#A can access resources in the local domain (Domain#A) given that it is their 'home' domain. This access is granted in general by the Domain Users group. There is no need for a trust to access local Domain#A resources.

The user from Domain#A can log on to any workstation, as long as there is a trust to their 'home' domain.

Please try to separate logon to a workstation from access to resources. These are in no way related.

1b) You are correct, there needs to be at least one domain controller with a global catalog to allow non-admin users to log on to the domain.

Here is an article that explains cross-domain resource access a whole lot better than I can!

In short, to allow access to a resource in Domain#A for a user object in Domain#B, you need to make sure that user object is granted access to the resource, either by explicitly allowing the user object access in the security tab on the resource (not preferred) or by making the user account a member of a group that has access to the resource.
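
The group-based approach in the accepted answer, as an added example written for this page rather than code from the thread or the linked article: a user from domain A is given access to a file share in domain B through a domain local group in domain B, so the share's ACL never carries an explicit user ACE and never needs 'Everyone'. It assumes a trust between the two domains, the ActiveDirectory and SmbShare modules on a file server in domain B, and placeholder names (corpa.example, corpb.example, NetBIOS name CORPB, OU=Groups, D:\Shares\Finance, user john_smith).

```powershell
# Added example (not from the original thread): grant a domain A user access
# to a file share in domain B via a domain local group, not an explicit user ACE.
# Assumptions: run on a file server joined to domain B with the ActiveDirectory
# and SmbShare modules; a trust exists so that domain A principals resolve;
# all domain, OU, share and user names below are placeholders.
Import-Module ActiveDirectory
Import-Module SmbShare

$resourceDomain = 'corpb.example'          # domain B, where the share lives
$resourceNetbios = 'CORPB'
$userDomain     = 'corpa.example'          # domain A, the user's home domain
$groupName      = 'CorpB-Finance-Share-RW'
$groupOU        = 'OU=Groups,DC=corpb,DC=example'
$sharePath      = 'D:\Shares\Finance'
$shareName      = 'Finance'
$groupAccount   = "$resourceNetbios\$groupName"

# 1. A domain local group in the resource domain can contain members from any
#    trusted domain, which makes it the right scope for a resource access group.
if (-not (Get-ADGroup -Server $resourceDomain -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Server $resourceDomain -Name $groupName -Path $groupOU `
        -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Read/write access to the Finance share'
}

# 2. Resolve the user in its home domain (A) and add it to the group in
#    domain B. AD stores the membership as a foreignSecurityPrincipal that
#    carries the user's domain A SID.
$user = Get-ADUser -Server $userDomain -Identity 'john_smith'
Add-ADGroupMember -Server $resourceDomain -Identity $groupName -Members $user

# 3. Share-level permission: the group gets Change; nothing is granted to Everyone.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    if (-not (Test-Path $sharePath)) { New-Item -ItemType Directory -Path $sharePath | Out-Null }
    New-SmbShare -Name $shareName -Path $sharePath -ChangeAccess $groupAccount
} else {
    Grant-SmbShareAccess -Name $shareName -AccountName $groupAccount -AccessRight Change -Force
    Revoke-SmbShareAccess -Name $shareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
}

# 4. NTFS permission: Modify for the group, inherited by subfolders and files.
#    Effective access is the more restrictive of share and NTFS permissions.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $groupAccount,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 5. Verify: the domain A user appears as a member (as a foreign security
#    principal), and the share ACL lists only the group.
Get-ADGroupMember -Server $resourceDomain -Identity $groupName |
    Select-Object Name, objectClass, SID
Get-SmbShareAccess -Name $shareName
(Get-Acl -Path $sharePath).Access |
    Where-Object { $_.IdentityReference -eq $groupAccount } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```

Adding or removing a user from domain A later is then a group membership change in domain B, with no ACL edits on the server, which is the point of the "group that has access to the resource" recommendation above. The same pattern applies to a printer share: grant Print to the domain local group in the printer's security tab instead of to Everyone.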


