| Lesson 6 || Global catalog server |
| Objective || Describe the global catalog and the global catalog server. |
Global Catalog and Server
The global catalog and the global catalog server
The first domain controller you create in Active Directory is a global catalog server. The global catalog is a storehouse of information that contains a subset of attributes for all objects in Active Directory. This is the information that is necessary to determine the location of any object in the directory. You can configure additional domain controllers to be global catalog servers to balance the logon authentication traffic and query traffic. There should be a global catalog server at each site. By default, the attributes that are stored in the global catalog are those that are most frequently used in queries (such as a user's first name, last name, and logon name).
The availability of global catalog servers is critical to the operation of the directory. For example, a global catalog server must be available when processing a user logon request for a native-mode domain or when a user logs on with a user principal name.
Placing global catalog servers
The first domain controller created in Active Directory is the global catalog server.
You can configure additional domain controllers to be global catalog servers to balance the logon authentication traffic and query traffic.
The role of the global catalog in Active Directory
The global catalog performs two important directory roles by permitting the user to:
- Log on to the network by providing universal group membership information to a domain controller when a logon process is initiated
- Find directory information in the entire forest, regardless of the location of the data
How the global catalog server functions
Because the global catalog server accesses object information in the local domain, it limits the scope of the query. In this way, global catalog servers can be used to improve the performance of forest-wide searches in Active Directory. Because global catalogs require more replication traffic, you have to balance that against the speed of response. Let us look at an example.
Using the global catalog to limit the scope of the query
In the example below, we are conducting a search for all of the printers in a forest:
- Without a global catalog server, a search for all the printers in a forest requires a search of every domain in the forest
- The result is increased traffic across the domains.
- With a global catalog server, information about objects in all domains in the forest is contained in the global catalog
- The query is resolved at the same domain location and is processed against the global catalog
- The results are returned promptly, and the query does not result in unnecessary traffic across the domains
- The global catalog server can therefore respond to queries about objects anywhere in the domain tree or forest with maximum speed and minimum network traffic
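The printer search described above, as an added PowerShell example that is not part of the original lesson. It assumes the RSAT ActiveDirectory module, a domain-joined host, and an account with read access to every domain in the forest.

```powershell
Import-Module ActiveDirectory   # assumption: RSAT AD module is installed

$filter = '(objectCategory=printQueue)'   # published printers

# Locate a reachable global catalog server; 3268 is the GC LDAP port.
$gc = Get-ADDomainController -Discover -Service GlobalCatalog
$gcEndpoint = "$($gc.HostName):3268"

# With a GC: one query against one server. An empty SearchBase on the
# GC port searches the partial replica of every domain in the forest.
$timer = [System.Diagnostics.Stopwatch]::StartNew()
$gcPrinters = @(Get-ADObject -LDAPFilter $filter -SearchBase '' -Server $gcEndpoint)
$gcMs = $timer.ElapsedMilliseconds

# Without a GC: the same search has to visit every domain in turn.
$timer.Restart()
$domainPrinters = @(foreach ($domain in (Get-ADForest).Domains) {
    try {
        Get-ADObject -LDAPFilter $filter -Server $domain -ErrorAction Stop
    } catch {
        Write-Warning "Domain $domain could not be searched: $($_.Exception.Message)"
    }
})
$domainMs = $timer.ElapsedMilliseconds

# Show which domains the GC answered for, derived from each object's DN.
$gcPrinters |
    Group-Object {
        ($_.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=' -join '.'
    } |
    Select-Object @{ n = 'Domain'; e = { $_.Name } }, @{ n = 'Printers'; e = { $_.Count } }

[pscustomobject]@{
    GcServer          = $gcEndpoint
    GcResults         = $gcPrinters.Count
    GcMilliseconds    = $gcMs
    PerDomainResults  = $domainPrinters.Count
    PerDomainQueries  = (Get-ADForest).Domains.Count
    PerDomainMs       = $domainMs
}
```

Objects returned over port 3268 carry only the attributes replicated to the global catalog, so request the full object from a domain controller in its own domain when other attributes are needed.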
Limiting Query Scope
It is generally not desirable to make every domain controller a global catalog server. In some cases, it may be more cost-effective to have logons take place over a fast link to another location rather than to place domain controllers and global catalogs at every site.
The domain controller and the global catalog server
When a user logs on, the domain controller servicing the authentication request must be able to communicate with a global catalog server.
This holds true for native mode, with some exceptions we will discuss later in this course. In mixed mode, a user could still log on to a down-level domain controller without a global catalog. However, if a user uses a user principal name (UPN) to log on, a global catalog will always be required. In a single domain network, a global catalog server is not necessary for the logon process.
The user logon process
What happens when the global catalog server is not available and the user is a member of the Domain Admins group?
The link below describes the user logon process in this circumstance:
User Logon Global Catalog - Domain Controller
The cost of global catalog servers
A global catalog contains both a complete copy of one domain and a read-only partial copy of every other domain in the forest.
For this reason, global catalogs generate more replication traffic than regular domain controllers. In some sites, additional global catalog servers might be necessary. In deciding to use more than one global catalog per site, you should use the same failover and load distribution rules that you use in deciding to add individual domain controllers.
As a general rule, to take advantage of sites, Microsoft recommends that you assign at least one domain controller in each site as a global catalog server.
Additional global catalog servers may not add value. Only if you have multiple domains should you carefully consider assigning more than one global catalog per site. Even in a multiple domain system, usually only a single catalog server per site is necessary.
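One way to check a forest against the placement guidance above, as an added PowerShell example that is not part of the original lesson. It assumes the RSAT ActiveDirectory module and read access to every domain; the `Finding` labels are this example's own wording.

```powershell
Import-Module ActiveDirectory   # assumption: RSAT AD module is installed

$forest = Get-ADForest

# Collect every domain controller in every domain of the forest.
$dcs = foreach ($domain in $forest.Domains) {
    try {
        Get-ADDomainController -Filter * -Server $domain -ErrorAction Stop
    } catch {
        Write-Warning "Domain $domain could not be enumerated: $($_.Exception.Message)"
    }
}

# Report per site: how many DCs it has and how many of them host the GC.
$report = foreach ($site in $forest.Sites) {
    $inSite = @($dcs | Where-Object { $_.Site -eq $site })
    $gcs    = @($inSite | Where-Object { $_.IsGlobalCatalog })

    $finding = if ($inSite.Count -eq 0) {
        'No domain controller in site'
    } elseif ($gcs.Count -eq 0) {
        'No global catalog: logons depend on a GC in another site'
    } elseif ($gcs.Count -gt 1 -and $forest.Domains.Count -eq 1) {
        'Multiple GCs in a single-domain forest: review whether they add value'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Site              = $site
        DomainControllers = $inSite.Count
        GlobalCatalogs    = $gcs.Count
        GcServers         = ($gcs.HostName -join ', ')
        Finding           = $finding
    }
}

$report | Sort-Object Finding, Site | Format-Table -AutoSize
```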
In the next lesson, we will look at the roles of operations masters.
Forests: Two or more domain trees which do not share a contiguous namespace can be joined in a forest. Domains within a forest share two-way transitive trust relationships and share a common schema and global catalog.