A feature of Active Directory (AD) domain controllers, the global catalog allows a domain controller to provide detailed information on all the objects in the forest, independent of whether the object in consideration is a member of the domain controller’s domain. If the global catalog feature is enabled with a domain controller, that domain controller can be termed a global catalog server. A global catalog server performs several functions that are required in a multi-domain forest environment. Two of the most important functions of a global catalog server are described below:

  • Authentication – A domain controller processes the authentication request and provides information related to the authorization for all the groups for which the user account is a member. This authentication information is included in the user access token generated by the system.
  • Object Search – The directory structure of a forest is made transparent by the global catalog for users who are performing a search operation.

Active directory partitions

Understanding how the Active Directory (AD) database is structured will help us in understanding how a global catalog works. The AD database is stored in a single file named NTDS.dit by the domain controllers. The database itself is separated into partitions which facilitate efficient replication and simplify the administration of the database.
Each domain controller has at least three partitions:

  • Domain Partition which stores information on the domain’s objects and their attributes
  • Configuration Partition which stores information on the forest topology, domain controllers, and site links
  • Schema Partition which stores definitions of every object class of the forest and the rules which determine the creation and use of those objects

Additionally, Application Partitions may also be maintained in the domain controllers which store information pertaining to AD-integrated apps and any object type except for the security principles.

Deployment of global catalog servers

Upon successful creation of a new domain, the first domain controller becomes a global catalog server. Enabling the Global Catalog checkbox in the NTDS Settings of the server allows the configuration of additional domain controllers as global catalogs. There are two ways to do this:

  • Access the Active Directory Sites and Services management console
  • Set-ADObject PowerShell cmdlet by inserting the following code:

Set-ADObject -Identity (Get-ADDomainController -Server ).NTDSSettingsObjectDN -Replace @{options=’1′}
Every domain which is a part of the forest should contain at least one global catalog server. This will remove the need to have an authenticating domain controller that communicates along the length and breadth of the network in order to retrieve global catalog information. Where it is not possible or feasible to deploy a global catalog server for a domain, Universal Group Membership caching can be enabled to reduce network traffic related to authentication. It will also allow logon authentication when communication with a global catalog server is not possible from within the remote site.

1 comment on “What is a Global Catalog Server?

  1. Wow, wonderful blog layout! How long have you been blogging
    for? you make blogging look easy. The overall look of
    your web site is wonderful, as well as the content!

Leave a Reply

Your email address will not be published. Required fields are marked *