
Limiting Scope of Query in Active Directory

How Active Directory Searches Work

Active Directory Searches Architecture

The architecture for Active Directory searches includes both client and server components. On the client side, a "directory client application" constructs LDAP[1] requests to be sent to Active Directory. The LDAP requests can be one of several types, including
  1. connect,
  2. bind (authentication),
  3. modify, and
  4. unbind.
Depending on how a directory client application is written, one of three different application programming interfaces (APIs) is used to submit requests. The LDAP requests are received and processed by the Directory System Agent (DSA), which is represented by Ntdsa.dll on a domain controller. Ntdsa.dll runs as a part of the local security authority (LSA), which runs as Lsass.exe. The architecture for Active Directory searches is shown in the following figure. The components of the architecture for Active Directory searches are described in the following table.


Mastering Active Directory
Without a global catalog server, a search for all the printers in a forest requires a search of every domain in the forest. The result is increased traffic across the domains.

With a global catalog server, information about objects in all domains in the forest is contained in the global catalog. The query is resolved at the same domain location and is processed against the global catalog. The results are returned promptly, and the query does not result in unnecessary traffic across the domains. The global catalog server can therefore respond to queries about objects anywhere in the domain tree or forest with maximum speed and minimum network traffic.

Global Catalog Server

Some domain controllers are global catalog servers. Depending on your network configuration, you may have several global catalog servers. Global catalog servers perform two major functions:
  1. Global catalog servers contain a full replica of all Active Directory objects in their domain and a partial replica of all Active Directory objects in other domains in the forest. For example, let’s say that Karen Anderson, a user in a domain called triton.com, needs to use a printer in the prod.triton.com domain. Karen searches for the printer. To fulfill Karen’s request, a global catalog server is consulted, because it holds a partial replica of all objects in the other domain. Using the global catalog server, Karen can find and connect to the desired printer (assuming she has appropriate permission to do so).
     A partial replica simply means that the global catalog server is aware of the object and of the most common attributes of that object. Since its job is to help with user queries, only the attributes most likely to be used in a search are kept on the global catalog server.
  2. Global catalog servers are required for user logons. This may sound strange, but global catalog servers assist with user logons by providing information about Universal groups, a new type of group in Windows 2000, to the domain controller where the logon request originated.
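The two search paths described above (every domain queried versus one query against a global catalog that holds only a partial replica) can be modelled in a few lines. This is an added illustration, not code from the page or from Active Directory itself; the forest, the printer objects and the partial attribute set (PAS) are constructed sample data, not the real default PAS.

```python
"""Model of a forest-wide search with and without a global catalog (GC).
Constructed sample data: two domains, a hypothetical PAS of four attributes."""
from dataclasses import dataclass, field

# Each domain holds a full replica of its own objects (constructed data).
FOREST = {
    "triton.com": [
        {"cn": "HQ-Printer", "objectClass": "printQueue",
         "printerName": "HQ-Printer", "location": "Floor 1", "driverName": "PCL6"},
    ],
    "prod.triton.com": [
        {"cn": "Lab-Printer", "objectClass": "printQueue",
         "printerName": "Lab-Printer", "location": "Lab 2", "driverName": "PS"},
        {"cn": "kanderson", "objectClass": "user", "sAMAccountName": "kanderson"},
    ],
}

# Hypothetical PAS: the only attributes the GC replicates from other domains.
PAS = {"cn", "objectClass", "printerName", "location"}


@dataclass
class SearchResult:
    objects: list = field(default_factory=list)
    domains_queried: int = 0
    missing_attrs: set = field(default_factory=set)  # requested but not in the GC copy


def search_without_gc(object_class, attrs):
    """No GC available: every domain in the forest must be contacted."""
    result = SearchResult()
    for objects in FOREST.values():
        result.domains_queried += 1
        for obj in objects:
            if obj["objectClass"] == object_class:
                result.objects.append({a: obj[a] for a in attrs if a in obj})
    return result


def search_with_gc(object_class, attrs, gc_domain="triton.com"):
    """One query against a GC in gc_domain. Objects from other domains are
    partial replicas: attributes outside the PAS cannot be answered by the GC
    and are recorded in missing_attrs (a client would then ask the home domain)."""
    result = SearchResult(domains_queried=1)
    for domain, objects in FOREST.items():
        replicated = set(attrs) if domain == gc_domain else set(attrs) & PAS
        for obj in objects:
            if obj["objectClass"] == object_class:
                if domain != gc_domain:
                    result.missing_attrs |= set(attrs) - replicated
                result.objects.append({a: obj[a] for a in replicated if a in obj})
    return result
```

Requesting `driverName` for all printers shows the trade-off: the GC answers in one query, but returns that attribute only for objects in its own domain.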
[1] LDAP (Lightweight Directory Access Protocol): an open, cross-platform protocol used for directory services and authentication.