Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 594
  • Last Modified:

Global Catalog Server function

I try to interprete the following statement :-

"Global Catalog stores a partial copy of all objects in all other domains within the forest. And this  partial copy holds the list of objects most frequently searched for "

If GC#1 is located at Domain#A , and DC#2 and DC#3 are located at Domain#B .
The DC#2 contains Printer#1 and Printer#2 ( as printer object ) . The DC#3 contains john_smith and mike_smith 2 user objects.  Domain#A and Domain#B are in the same forest.

GC= Global Catalog ; DC=Domain Controller

Would all these Printer#1 , Printer#2 , john_smith and mike_smith information would be replicated to GC#1 and stored in GC#1 ???  

Question:-
1) Can the client at Domain#A access Printer#1 , Printer#2  by query GC#1 ??
2) Can the client at Domain#A logon by using john_smith into domain#B by query GC#1 ??
0
kcn
Asked:
kcn
  • 6
  • 6
1 Solution
 
craig_j_LawrenceCommented:
Hi kcn,

I think both questions are related to permissions, more than information stored in the global catalog.

in response to question 1, the printer object is stored in the global catalog, and the users in domain A should see the object in a search. However, the print share will need to allow 'everyone' or 'authenicated users' permissions to allow the users in domain a to connect to and print to it.

for question 2, the GC role is a partial replica of attributes, not an authentication point. users attempting to logon using john_smith account would still need to contact a domain controller in domain b to complete the authentication request.

I hope that helps

Craig
0
 
kcnAuthor Commented:
Craig ,

Maybe I understand wrongly on GC role ???

Correct me if I understand wrongly in your explanation:-

For question(1) :-

(1a) can we configure  domain#B's printer giving permission to domain#A's workstation to print ??
(1b) I thought only the workstations join the same domain can print that domain's printer ??

For question(2),

(2a) user in Domain#A , ONLY can  SEARCH  the "user object"  like john_smith by GC#1 because GC#1 contains john_smith information , BUT , the user from Domain#A must logon to Domain#B by  using john_smith account.  Am I right ??

(2b) One extra extention question , in order for the user to logon to domain#B by using john_smith , the workstation that she/he used must join domain#B first before he/she can use this workstation  ?? Am I right ?  

(2c) If in this case , we cannot use the domain#A 's workstation to logon to domain#B ????
        We only can use the SAME domain workstation to logon to that domain ???
0
 
craig_j_LawrenceCommented:
1a) is is user based access, not workstation access to the printer share. You can add a group to the permissions to allow members from Domain A to print.

1b) as above, it is user based permissions to access the printer, it has nothing to do with workstation domain membership.

2a) hmmm.. looks like i may be confusing you. the global catalog hold a subset of attributes of objects from all domains in a forest. when you refer to a user in Domain searching for a user in domain B, what tool are you using? Applications will use the global catalog information, rather than a user searching against this information.

2b)No. The workstation can be in either domain, as long as there is a trust relationship between domains, users from both domainA and domainb will be able to logon to the workstation.

2c) No as above, as long as you have a trust relationship , users from either domain can logon to the workstation.


The global catalog role is not used as an authetication source for users from other domains, it is used mainly by applications that need information about objects in other domains.



0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
kcnAuthor Commented:
Craig ,

Can I put in this way :-

Correct each of my understanding if I am wrong .. thanks...

(a) Global Catalog is a subset service of Active Directory.

(b) Global Catalog service is ONLY use to SEARCH object attributes information and nothing to do with
      authentication .

(c) Authentication service is done by Active Directory's authentication service

(d) Without Global Catalog service in a domain , we CANNOT logon to that domain because short of
      user object attribute information unless there is a universal group membership caching in the local
      computer.

(e) In order to logon to one domain , we need to have both Authentication Service plus Global Catalog
      service from DC

(f) During Active Directory replication process , AD's data + Authentication information + Global Catalog
     will be replicated among the DC. In order to reduce the bandwidth of replication , we can remove
     Global Catalog service from Active Directory .  

(g) The user who is Domain#A 's member ( but not the domain#B member )  can use workstaton
      that previously join Domain#A ( but never join Domain#B) , to logon to Domain"B" as long as
      there is  a trust relationship between these 2 domains  
0
 
craig_j_LawrenceCommented:
(a) the global catalog is a collection addtional information about objects from other domains in the same forest.

(b) the global catalog role is required in a multi domain environment to validate Universal group membership, as part of the users access token. This is not important in a single domain environment

(c) correct

(d) without a GC, you cannot logon with a UPN (user@domain format) or if universal groups are in use. You should be able to logon with the domain\user format.

(e) in general, yes

(f) not correct, replication between domain controllers in the same domain will contain all information for objects in its own domain (including authentication information), replication between different domains will only contain the global catalog attributes.
Yes you would reduce bandwidth usage for replication if you disabled the GC, but you may also cause issues for certain applications (such and Exchange and ISA server) which rely on the availability of a GC in their local AD site.

(g) not correct, a users from domain A can use a workstation that is joined to Domain B to logon to domain A, as long as there is a trust relationship configured between domain A and domain B (otherwise Domain would not be listed as an available domain in the domain drop down list on the logon screen.

I actually recommend having all domain controllers enabled as global catalogs, unless you are in a realy large (> 50000 object) forest.

Hope this helps

Craig
 
0
 
kcnAuthor Commented:
Craig,

Thanks.

(1)
The Primary DC of the domain by default  is a GC , how about Backup DC ( BDC ) ? Is BDC by default is also GC or not the GC until we configure it .
 
(2)
So, from (g) explaination , Domain#A's  user member only can logon to domain#A and CANNOT logon to domain#B even there is a trust relation between domain#A and domain#B  ???

Please clarify above 2 questions .

0
 
kcnAuthor Commented:
Craig ,

on your answer (d) , without the GC in the domain , we still can logon by user/domain format ??
How this format look like ???

I thought we totally cannot logon to the domain if GC is not present in the same domain , or, no link to other GC in the same forest ???
0
 
craig_j_LawrenceCommented:
(1) in active directory there is no longer the concept of a primary DC. The first DC in the domain will be a global catalog by default, others need to be enabled (in AD sites and services)

(2) That is correct, users accounts in domain A can only logon to domain A. Can you please explain your requirement a little more? are you trying to get users in domain to access files shares / printers in domain B??

happy to clarify further
0
 
craig_j_LawrenceCommented:
Hi KCN,

I am sorry, I am wrong about being able to logon without contacting a GC as stated in technet

Global Catalog and Domain Logon Support
In a native-mode domain, a Global Catalog server is a requirement for logging on to the domain. For this reason, it is advisable to have at least one Global Catalog server in a site. If a Global Catalog is not available in a site and there is another Global Catalog server in a remote site, the server in the remote site can be used for the logon process. If no Global Catalog is available in any site, the logon process proceeds with cached logon information.

 Note
A member of the Domain Admins group can complete the logon process (not cached) even when a Global Catalog server is not available.

This is from: http://technet.microsoft.com/en-us/library/cc977998.aspx

however, given that there always at least one GC available, this becomes irrelevant.

HTH
Craig

0
 
kcnAuthor Commented:
Hi Craig ,

To answer your below answer  
(2) That is correct, users accounts in domain A can only logon to domain A. Can you please explain your requirement a little more? are you trying to get users in domain to access files shares / printers in domain B??
==> Yes. I thinking of to use  Domain#A user account to access Domain#B 's  resources like files/printer.
       I do no think it work because Domain#A user only can logon to domain#A and access domain#A's
       resources .
==> But you mentioned Domain#A 's user can use  Domain#B 's workstation to logon to Domain#A and
       access Domain#A's resources because of trust relationship between Domain#A and Domain#B ,
       Am I right ???????  -   Question (1a)

For your last post's explanation :-

The user can logon to domain#A by using Domain#A 's  Admin Group even the GC is not present in the domain#A . In the other words , we CANNOT use domain#A 's user account ( non-admin group) to logon to domain#A  if the GC is not available . ( assuming this is single domain network )
==> Am I right ????  -- Question (1b) .

Please answer question (1a) and (1b)
0
 
kcnAuthor Commented:
Craig , are you there ?
0
 
craig_j_LawrenceCommented:
sorry was offline late yesterday

kcn, in answer to your questions

1a) a user in domain#A can acccess resources in the local domain (domain#A) given that it is in its 'home' domain. this access is granted in general by the domain users group. There is no need for a trust to access local Domain#A resources.

The user from Domain#A can logon to any workstation, as long as there is a trust to their 'home' domain.

Please try and separate logon to a workstation from access to resources. These are in no way related.

1b)you are correct, there needs to be at least one domain controller with a global catalog to allow non admin users to logon to the domain.



Here is an article that explains cross domain resource access a whole lot better than I can! http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx

in short to allow access to a resource in domain#A for an user object in Domain#B, you need to make sure that user object is granted access to the resource, either by explicitly allowing the user object access in the security tab on the resource (not preferred) or by making the use account a member of a group that has access to resource.

HTH

Craig
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 6
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now