Global Catalog Server function

Posted on 2010-08-30
Last Modified: 2012-05-10
I am trying to interpret the following statement:

"Global Catalog stores a partial copy of all objects in all other domains within the forest. And this partial copy holds the list of objects most frequently searched for."

Suppose GC#1 is located in Domain#A, and DC#2 and DC#3 are located in Domain#B.
DC#2 contains Printer#1 and Printer#2 (as printer objects). DC#3 contains two user objects, john_smith and mike_smith. Domain#A and Domain#B are in the same forest.

GC= Global Catalog ; DC=Domain Controller

Would all this Printer#1, Printer#2, john_smith and mike_smith information be replicated to GC#1 and stored in GC#1?

1) Can a client in Domain#A access Printer#1 and Printer#2 by querying GC#1?
2) Can a client in Domain#A log on as john_smith into Domain#B by querying GC#1?
Question by: kcn

Expert Comment

ID: 33563284
Hi kcn,

I think both questions are related to permissions more than to the information stored in the global catalog.

In response to question 1, the printer object is stored in the global catalog, and the users in Domain A should see the object in a search. However, the print share will need to allow 'Everyone' or 'Authenticated Users' permissions to allow the users in Domain A to connect to and print to it.

For question 2, the GC role is a partial replica of attributes, not an authentication point. Users attempting to log on using the john_smith account would still need to contact a domain controller in Domain B to complete the authentication request.

I hope that helps.


Author Comment

ID: 33564021
Craig,

Maybe I understand the GC role wrongly?

Correct me if I have misunderstood your explanation:

For question (1):

(1a) Can we configure Domain#B's printer to give permission to Domain#A's workstation to print?
(1b) I thought only the workstations joined to the same domain can print to that domain's printer?

For question (2):

(2a) A user in Domain#A can ONLY SEARCH the "user object" like john_smith via GC#1 because GC#1 contains john_smith's information, BUT the user from Domain#A must log on to Domain#B using the john_smith account. Am I right?

(2b) One extra extension question: in order for the user to log on to Domain#B using john_smith, must the workstation that he/she uses join Domain#B first before he/she can use this workstation? Am I right?

(2c) If so, in this case we cannot use Domain#A's workstation to log on to Domain#B?
        We can only use a workstation in the SAME domain to log on to that domain?

Expert Comment

ID: 33564063
1a) It is user-based access, not workstation access, to the printer share. You can add a group to the permissions to allow members from Domain A to print.

1b) As above, it is user-based permissions that control access to the printer; it has nothing to do with workstation domain membership.

2a) Hmmm, looks like I may be confusing you. The global catalog holds a subset of attributes of objects from all domains in a forest. When you refer to a user in Domain A searching for a user in Domain B, what tool are you using? Applications will use the global catalog information, rather than a user searching against this information.

2b) No. The workstation can be in either domain; as long as there is a trust relationship between the domains, users from both Domain A and Domain B will be able to log on to the workstation.

2c) No, as above: as long as you have a trust relationship, users from either domain can log on to the workstation.

The global catalog role is not used as an authentication source for users from other domains; it is used mainly by applications that need information about objects in other domains.



Author Comment

ID: 33564178
Craig,

Can I put it this way?

Correct each point of my understanding if I am wrong. Thanks.

(a) Global Catalog is a subset service of Active Directory.

(b) The Global Catalog service is ONLY used to SEARCH object attribute information and has nothing to do with authentication.

(c) Authentication is done by Active Directory's authentication service.

(d) Without the Global Catalog service in a domain, we CANNOT log on to that domain because of the shortage of user object attribute information, unless there is universal group membership caching in the local site.

(e) In order to log on to a domain, we need to have both the Authentication Service plus the Global Catalog service from a DC.

(f) During the Active Directory replication process, AD's data + authentication information + Global Catalog will be replicated among the DCs. In order to reduce the replication bandwidth, we can remove the Global Catalog service from Active Directory.

(g) A user who is a Domain#A member (but not a Domain#B member) can use a workstation that previously joined Domain#A (but never joined Domain#B) to log on to Domain#B as long as there is a trust relationship between these 2 domains.

Expert Comment

ID: 33564319
(a) The global catalog is a collection of additional information about objects from other domains in the same forest.

(b) The global catalog role is required in a multi-domain environment to validate Universal group membership as part of the user's access token. This is not important in a single-domain environment.

(c) Correct.

(d) Without a GC, you cannot log on with a UPN (user@domain format) or if universal groups are in use. You should be able to log on with the domain\user format.

(e) In general, yes.

(f) Not correct. Replication between domain controllers in the same domain will contain all information for objects in its own domain (including authentication information); replication between different domains will only contain the global catalog attributes.
Yes, you would reduce bandwidth usage for replication if you disabled the GC, but you may also cause issues for certain applications (such as Exchange and ISA Server) which rely on the availability of a GC in their local AD site.

(g) Not correct. A user from Domain A can use a workstation that is joined to Domain B to log on to Domain A, as long as there is a trust relationship configured between Domain A and Domain B (otherwise Domain A would not be listed as an available domain in the domain drop-down list on the logon screen).

I actually recommend having all domain controllers enabled as global catalogs, unless you are in a really large (> 50000 object) forest.

Hope this helps.


Author Comment

ID: 33564404


The Primary DC of the domain is a GC by default; how about the Backup DC (BDC)? Is the BDC also a GC by default, or not a GC until we configure it?
So, from the (g) explanation, a Domain#A user member can only log on to Domain#A and CANNOT log on to Domain#B even if there is a trust relationship between Domain#A and Domain#B?

Please clarify the above 2 questions.


Author Comment

ID: 33564417
Craig,

On your answer (d): without a GC in the domain, we can still log on using the user/domain format?
What does this format look like?

I thought we totally cannot log on to the domain if a GC is not present in the same domain, or if there is no link to another GC in the same forest?

Expert Comment

ID: 33564422
(1) In Active Directory there is no longer the concept of a primary DC. The first DC in the domain will be a global catalog by default; others need to be enabled (in AD Sites and Services).

(2) That is correct: user accounts in Domain A can only log on to Domain A. Can you please explain your requirement a little more? Are you trying to get users in Domain A to access file shares / printers in Domain B?

Happy to clarify further.

Expert Comment

ID: 33564441

I am sorry, I am wrong about being able to log on without contacting a GC, as stated in TechNet:

Global Catalog and Domain Logon Support
In a native-mode domain, a Global Catalog server is a requirement for logging on to the domain. For this reason, it is advisable to have at least one Global Catalog server in a site. If a Global Catalog is not available in a site and there is another Global Catalog server in a remote site, the server in the remote site can be used for the logon process. If no Global Catalog is available in any site, the logon process proceeds with cached logon information.

A member of the Domain Admins group can complete the logon process (not cached) even when a Global Catalog server is not available.

This is from:

However, given that there is always at least one GC available, this becomes irrelevant.



Author Comment

ID: 33564736
Hi Craig,

To answer your answer below:
(2) That is correct: user accounts in Domain A can only log on to Domain A. Can you please explain your requirement a little more? Are you trying to get users in Domain A to access file shares / printers in Domain B?
==> Yes. I am thinking of using a Domain#A user account to access Domain#B's resources like files/printers.
       I do not think it works because a Domain#A user can only log on to Domain#A and access Domain#A's resources.
==> But you mentioned Domain#A's user can use Domain#B's workstation to log on to Domain#A and
       access Domain#A's resources because of the trust relationship between Domain#A and Domain#B.
       Am I right? - Question (1a)

For your last post's explanation:

A user can log on to Domain#A using Domain#A's Admin group even if the GC is not present in Domain#A. In other words, we CANNOT use a Domain#A user account (non-admin group) to log on to Domain#A if the GC is not available (assuming this is a single-domain network).
==> Am I right? -- Question (1b)

Please answer questions (1a) and (1b).

Author Comment

ID: 33565512
Craig, are you there?

Accepted Solution

craig_j_Lawrence earned 500 total points
ID: 33572727
Sorry, I was offline late yesterday.

kcn, in answer to your questions:

1a) A user in Domain#A can access resources in the local domain (Domain#A) given that it is their 'home' domain. This access is granted in general by the Domain Users group. There is no need for a trust to access local Domain#A resources.

The user from Domain#A can log on to any workstation, as long as there is a trust to their 'home' domain.

Please try to separate logon to a workstation from access to resources. These are in no way related.

1b) You are correct: there needs to be at least one domain controller with a global catalog to allow non-admin users to log on to the domain.

Here is an article that explains cross-domain resource access a whole lot better than I can!

In short, to allow access to a resource in Domain#A for a user object in Domain#B, you need to make sure that user object is granted access to the resource, either by explicitly allowing the user object access in the security tab on the resource (not preferred) or by making the user account a member of a group that has access to the resource.
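The thread's points about GC placement (only the first DC is a GC by default, others are enabled in AD Sites and Services), about the GC being a partial replica of attributes rather than an authentication point, and about needing a GC for non-admin logon can all be checked from a domain-joined machine. The following is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, and the server and domain names in it are placeholders.

```powershell
# Added example: inspect global catalog placement and query the forest-wide
# GC partial replica. Placeholders: domaina.example / domainb.example / dc2.
Import-Module ActiveDirectory

# 1. Which domain controllers in the forest hold the GC role?
#    Thread: only the first DC in a domain is a GC by default; the rest opt in.
$forest = Get-ADForest
$forest.Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_ |
        Select-Object Name, Domain, Site, IsGlobalCatalog
}

# 2. Search the GC (LDAP port 3268) instead of a normal DC (port 389).
#    An empty search base against a GC spans every domain in the forest,
#    so a user homed in Domain#B is found from Domain#A with one query.
$gc = $forest.GlobalCatalogs | Select-Object -First 1
Get-ADObject -Server "${gc}:3268" -SearchBase "" -SearchScope Subtree `
    -LDAPFilter "(&(objectClass=user)(sAMAccountName=john_smith))" `
    -Properties userPrincipalName, distinguishedName |
    Select-Object Name, userPrincipalName, distinguishedName

# 3. The GC copy is partial: only schema attributes flagged as members of
#    the partial attribute set replicate outside their home domain. List them
#    to see which attributes an application can expect from a GC search.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC -SearchScope Subtree `
    -LDAPFilter "(isMemberOfPartialAttributeSet=TRUE)" -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object

# 4. Enable the GC role on an additional DC (same effect as ticking the
#    Global Catalog box on the NTDS Settings object in AD Sites and Services).
#    Bit 0x1 of the NTDS Settings 'options' attribute marks a GC; OR it in so
#    any other option bits already set are preserved. Requires Enterprise Admins.
$dc = Get-ADDomainController -Identity "dc2.domainb.example"   # placeholder name
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
$newOptions = [int]$ntds.options -bor 1
Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $newOptions }
```

Step 4 only flags the DC; the partial replica for the other domains is then built by normal replication, so IsGlobalCatalog in step 1 may take a while to report True.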


