Solved

Global Catalog Server function

Posted on 2010-08-30
Last Modified: 2012-05-10
I am trying to interpret the following statement:

"Global Catalog stores a partial copy of all objects in all other domains within the forest. And this partial copy holds the list of objects most frequently searched for."

If GC#1 is located in Domain#A, and DC#2 and DC#3 are located in Domain#B:
DC#2 contains Printer#1 and Printer#2 (as printer objects). DC#3 contains john_smith and mike_smith, 2 user objects. Domain#A and Domain#B are in the same forest.

GC = Global Catalog; DC = Domain Controller

Would all this information about Printer#1, Printer#2, john_smith and mike_smith be replicated to GC#1 and stored in GC#1?

Questions:
1) Can the client in Domain#A access Printer#1 and Printer#2 by querying GC#1?
2) Can the client in Domain#A log on as john_smith into Domain#B by querying GC#1?
Question by: kcn

12 Comments


Expert Comment

by:craig_j_Lawrence
ID: 33563284
Hi kcn,

I think both questions are related to permissions, more than information stored in the global catalog.

In response to question 1, the printer object is stored in the global catalog, and the users in Domain A should see the object in a search. However, the print share will need to allow 'Everyone' or 'Authenticated Users' permissions to allow the users in Domain A to connect to and print to it.

For question 2, the GC role is a partial replica of attributes, not an authentication point. Users attempting to log on using the john_smith account would still need to contact a domain controller in Domain B to complete the authentication request.

I hope that helps

Craig

Author Comment

by:kcn
ID: 33564021
Craig,

Maybe I understand the GC role wrongly?

Correct me if I understand your explanation wrongly:

For question (1):

(1a) Can we configure Domain#B's printer to give permission to Domain#A's workstations to print?
(1b) I thought only workstations joined to the same domain can print to that domain's printer?

For question (2):

(2a) A user in Domain#A can ONLY SEARCH for the "user object" like john_smith via GC#1, because GC#1 contains john_smith's information, BUT the user from Domain#A must log on to Domain#B using the john_smith account. Am I right?

(2b) One extra extension question: in order for the user to log on to Domain#B using john_smith, must the workstation that she/he uses join Domain#B first before he/she can use this workstation? Am I right?

(2c) If so, in this case we cannot use Domain#A's workstation to log on to Domain#B? We can only use a workstation in the SAME domain to log on to that domain?

Expert Comment

by:craig_j_Lawrence
ID: 33564063
1a) It is user-based access, not workstation access, to the printer share. You can add a group to the permissions to allow members from Domain A to print.

1b) As above, it is user-based permissions to access the printer; it has nothing to do with workstation domain membership.

2a) Hmmm.. looks like I may be confusing you. The global catalog holds a subset of attributes of objects from all domains in a forest. When you refer to a user in Domain A searching for a user in Domain B, what tool are you using? Applications will use the global catalog information, rather than a user searching against this information.

2b) No. The workstation can be in either domain; as long as there is a trust relationship between domains, users from both Domain A and Domain B will be able to log on to the workstation.

2c) No, as above, as long as you have a trust relationship, users from either domain can log on to the workstation.

The global catalog role is not used as an authentication source for users from other domains; it is used mainly by applications that need information about objects in other domains.

Author Comment

by:kcn
ID: 33564178
Craig,

Can I put it this way:

Correct each of my understandings if I am wrong .. thanks...

(a) Global Catalog is a subset service of Active Directory.

(b) Global Catalog service is ONLY used to SEARCH object attribute information and has nothing to do with authentication.

(c) Authentication service is done by Active Directory's authentication service.

(d) Without the Global Catalog service in a domain, we CANNOT log on to that domain because of a shortage of user object attribute information, unless there is universal group membership caching in the local computer.

(e) In order to log on to one domain, we need to have both the Authentication Service plus the Global Catalog service from the DC.

(f) During the Active Directory replication process, AD's data + authentication information + Global Catalog will be replicated among the DCs. In order to reduce the bandwidth of replication, we can remove the Global Catalog service from Active Directory.

(g) The user who is a Domain#A member (but not a Domain#B member) can use a workstation that previously joined Domain#A (but never joined Domain#B) to log on to Domain"B" as long as there is a trust relationship between these 2 domains.

Expert Comment

by:craig_j_Lawrence
ID: 33564319
(a) The global catalog is a collection of additional information about objects from other domains in the same forest.

(b) The global catalog role is required in a multi-domain environment to validate Universal group membership, as part of the user's access token. This is not important in a single domain environment.

(c) Correct.

(d) Without a GC, you cannot log on with a UPN (user@domain format) or if universal groups are in use. You should be able to log on with the domain\user format.

(e) In general, yes.

(f) Not correct. Replication between domain controllers in the same domain will contain all information for objects in its own domain (including authentication information); replication between different domains will only contain the global catalog attributes.
Yes, you would reduce bandwidth usage for replication if you disabled the GC, but you may also cause issues for certain applications (such as Exchange and ISA Server) which rely on the availability of a GC in their local AD site.

(g) Not correct. A user from Domain A can use a workstation that is joined to Domain B to log on to Domain A, as long as there is a trust relationship configured between Domain A and Domain B (otherwise Domain A would not be listed as an available domain in the domain drop-down list on the logon screen).

I actually recommend having all domain controllers enabled as global catalogs, unless you are in a really large (> 50000 object) forest.

Hope this helps

Craig

Author Comment

by:kcn
ID: 33564404
Craig,

Thanks.

(1)
The Primary DC of the domain by default is a GC; how about the Backup DC (BDC)? Is a BDC by default also a GC, or not a GC until we configure it?

(2)
So, from the (g) explanation, Domain#A's user member can only log on to Domain#A and CANNOT log on to Domain#B even if there is a trust relationship between Domain#A and Domain#B?

Please clarify the above 2 questions.


Author Comment

by:kcn
ID: 33564417
Craig,

On your answer (d), without the GC in the domain, can we still log on with the user/domain format?
What does this format look like?

I thought we totally cannot log on to the domain if a GC is not present in the same domain, or there is no link to another GC in the same forest?

Expert Comment

by:craig_j_Lawrence
ID: 33564422
(1) In Active Directory there is no longer the concept of a primary DC. The first DC in the domain will be a global catalog by default; others need to be enabled (in AD Sites and Services).

(2) That is correct, user accounts in Domain A can only log on to Domain A. Can you please explain your requirement a little more? Are you trying to get users in Domain A to access file shares / printers in Domain B?

Happy to clarify further

Expert Comment

by:craig_j_Lawrence
ID: 33564441
Hi KCN,

I am sorry, I am wrong about being able to log on without contacting a GC, as stated in TechNet:

Global Catalog and Domain Logon Support
In a native-mode domain, a Global Catalog server is a requirement for logging on to the domain. For this reason, it is advisable to have at least one Global Catalog server in a site. If a Global Catalog is not available in a site and there is another Global Catalog server in a remote site, the server in the remote site can be used for the logon process. If no Global Catalog is available in any site, the logon process proceeds with cached logon information.

Note
A member of the Domain Admins group can complete the logon process (not cached) even when a Global Catalog server is not available.

This is from: http://technet.microsoft.com/en-us/library/cc977998.aspx

However, given that there is always at least one GC available, this becomes irrelevant.

HTH
Craig

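The GC points made in the thread so far (the first DC is a GC by default and others are enabled in AD Sites and Services, a site should have at least one GC for logons, and a GC holds only a partial attribute set for objects from other domains), as an added PowerShell example that is not part of this thread. It assumes the RSAT ActiveDirectory module and read access to the forest; john_smith is a placeholder account name.

```powershell
# Added example, not from the thread: audit GC placement per site, then compare what a GC
# returns for a cross-domain user with what a DC in the user's own domain returns.
# Assumes the RSAT ActiveDirectory module and read access to the forest; john_smith is a placeholder.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Every DC in every domain of the forest, with its site and whether it holds the GC role.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object HostName, Domain, Site, IsGlobalCatalog
}
$dcs | Sort-Object Site, Domain | Format-Table -AutoSize

# Sites with no GC: logons there depend on a GC in a remote site or on cached credentials,
# which is the behaviour the TechNet text quoted in the thread describes.
$sitesWithoutGc = foreach ($site in $forest.Sites) {
    if (-not ($dcs | Where-Object { $_.Site -eq $site -and $_.IsGlobalCatalog })) { $site }
}
if ($sitesWithoutGc) { Write-Warning "Sites without a GC: $($sitesWithoutGc -join ', ')" }

# Ask a GC (LDAP port 3268) for a user that lives in another domain. The GC answers from
# its partial replica, so only attributes in the partial attribute set come back.
$gc = ($dcs | Where-Object { $_.IsGlobalCatalog } | Select-Object -First 1).HostName
$fromGc = Get-ADObject -LDAPFilter '(sAMAccountName=john_smith)' -Server "${gc}:3268" -Properties *

# The same object from a DC in its own domain carries the full attribute set.
$userDomain = (($fromGc.DistinguishedName -split ',DC=' | Select-Object -Skip 1) -join '.')
$fromHome = Get-ADObject -Identity $fromGc.DistinguishedName -Server $userDomain -Properties *

"{0} attributes via GC {1}, {2} via a DC in {3}" -f $fromGc.PropertyNames.Count, $gc, $fromHome.PropertyNames.Count, $userDomain

# Attributes present on the object in its home domain but not replicated to the GC.
Compare-Object $fromHome.PropertyNames $fromGc.PropertyNames |
    Where-Object { $_.SideIndicator -eq '<=' } |
    Select-Object -ExpandProperty InputObject
```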

Author Comment

by:kcn
ID: 33564736
Hi Craig,

To answer your answer below:
(2) That is correct, users accounts in domain A can only logon to domain A. Can you please explain your requirement a little more? are you trying to get users in domain to access files shares / printers in domain B??
==> Yes. I am thinking of using a Domain#A user account to access Domain#B's resources like files/printers. I do not think it works, because a Domain#A user can only log on to Domain#A and access Domain#A's resources.
==> But you mentioned Domain#A's user can use Domain#B's workstation to log on to Domain#A and access Domain#A's resources because of the trust relationship between Domain#A and Domain#B. Am I right? - Question (1a)

For your last post's explanation:

A user can log on to Domain#A using Domain#A's Admin group even if the GC is not present in Domain#A. In other words, we CANNOT use a Domain#A user account (non-admin group) to log on to Domain#A if the GC is not available (assuming this is a single domain network).
==> Am I right? -- Question (1b).

Please answer questions (1a) and (1b)
Author Comment

by:kcn
ID: 33565512
Craig , are you there ?

Accepted Solution

by: craig_j_Lawrence (earned 500 total points)
ID: 33572727
Sorry, was offline late yesterday.

kcn, in answer to your questions:

1a) A user in Domain#A can access resources in the local domain (Domain#A) given that it is in its 'home' domain. This access is granted in general by the Domain Users group. There is no need for a trust to access local Domain#A resources.

The user from Domain#A can log on to any workstation, as long as there is a trust to their 'home' domain.

Please try and separate logon to a workstation from access to resources. These are in no way related.

1b) You are correct, there needs to be at least one domain controller with a global catalog to allow non-admin users to log on to the domain.

Here is an article that explains cross-domain resource access a whole lot better than I can! http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx

In short, to allow access to a resource in Domain#A for a user object in Domain#B, you need to make sure that user object is granted access to the resource, either by explicitly allowing the user object access in the security tab on the resource (not preferred) or by making the user account a member of a group that has access to the resource.

HTH

Craig
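The accepted solution's recommendation, granting cross-domain access through group membership instead of a per-user entry on the resource, as an added PowerShell example that is not from this thread. Domain names, the share path, the group name and john_smith are placeholders; it assumes the RSAT ActiveDirectory and SmbShare modules, that it runs on the Domain#A file server, and that a trust between the two domains already exists.

```powershell
# Added example, not from the thread: give a Domain#B user access to a share in Domain#A
# via a domain-local group (user -> group -> ACL), never via a per-user ACE on the resource.
# Assumes RSAT ActiveDirectory + SmbShare modules and an existing trust. All names are placeholders.
Import-Module ActiveDirectory, SmbShare

$resourceDomain = 'domaina.example'   # placeholder: domain that owns the share
$userDomain     = 'domainb.example'   # placeholder: domain that owns the user account
$groupName      = 'FS-Projects-Read'  # placeholder: domain-local group in Domain#A
$shareName      = 'Projects'
$sharePath      = 'D:\Shares\Projects'

# Domain-local scope is the group scope that may hold principals from a trusted domain
# and still be placed on ACLs inside this domain.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $resourceDomain
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
                         -Server $resourceDomain -PassThru
}

# Resolve the user against a DC in its own domain (authoritative for that account). Adding
# it to the group records a foreignSecurityPrincipal for the user's SID in Domain#A.
$user = Get-ADUser -Identity 'john_smith' -Server $userDomain
Add-ADGroupMember -Identity $group -Members $user -Server $resourceDomain

# Share and NTFS permissions go to the group, not to the individual user.
$netbios   = (Get-ADDomain -Server $resourceDomain).NetBIOSName
$principal = "$netbios\$groupName"
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $sharePath | Out-Null
}
Grant-SmbShareAccess -Name $shareName -AccountName $principal -AccessRight Read -Force | Out-Null

$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verify: the share lists the group, and the group's member list shows the foreign SID's DN
# (read the member attribute directly, which is reliable for cross-domain members).
Get-SmbShareAccess -Name $shareName
(Get-ADGroup -Identity $group -Properties member -Server $resourceDomain).member
```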