The global catalog is the set of all objects in an Active Directory Domain Services (AD DS) forest. A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest. Global catalog servers respond to global catalog queries.
Attributes that replicate to the global catalog
The partial, read-only copies of objects that make up the global catalog are described as "partial" because they include a limited set of attributes—the attributes that are required by the schema plus the attributes that are most commonly used in user search operations. These attributes are marked for inclusion in the partial attribute set (PAS) as part of their schema definitions. Storing the most commonly searched attributes of all domain objects in the global catalog makes searches more efficient for users without affecting network performance with unnecessary referrals to domain controllers and without requiring a global catalog server to store large amounts of data that is not needed.
Global catalog functionality
When you install AD DS, the global catalog for a new forest is created automatically on the first domain controller in the forest. You can add global catalog functionality to additional domain controllers. You can also remove the global catalog from a domain controller.
A global catalog server:
- Finds objects.
The global catalog enables user searches for directory information throughout all domains in a forest, regardless of where the data is stored. Searches within a forest are performed with maximum speed and minimum network traffic.
When a user searches for people or printers from the Start menu or selects the Entire Directory option in a query, that user is searching the global catalog. After the user enters a search request, the request is routed to the default global catalog port 3268 and sent to a global catalog server for resolution.
- Supplies user principal name
authentication.
A global catalog server resolves a user principal name (UPN) when the authenticating domain controller has no knowledge of the user account. For example, if a user’s account is located in sales1.cohovineyard.com and the user logs on with a UPN of luis@sales1.cohovineyard.com from a computer that is located in sales2.cohovineyard.com, the domain controller in sales2.cohovineyard.com cannot find the user’s account and it must contact a global catalog server to complete the logon process.
- Validates object references within a
forest.
Domain controllers use the global catalog to validate references to objects of other domains in the forest. When a domain controller holds a directory object with an attribute that contains a reference to an object in another domain, the domain controller validates the reference by contacting a global catalog server.
- Supplies universal group membership
information in a multiple-domain environment.
A domain controller can always discover domain local group and global group memberships for any user in its domain, and the membership of these groups is not replicated to the global catalog. In a single-domain forest, a domain controller can also always discover universal group memberships. However, universal groups can have members in different domains. For this reason, the member attribute of universal groups, which contains the list of members in the group, is replicated to the global catalog. When a user in a multiple-domain forest logs on to a domain where universal groups are allowed, the domain controller must contact a global catalog server to retrieve any universal group memberships that the user might have in other domains.
If a global catalog server is not available when a user logs on to a domain where universal groups are available, the user's client computer can use cached credentials to log on if the user has logged on to the domain previously. If the user has not logged on to the domain previously, the user can log on only to the local computer.
Note The Administrator in the domain (the Builtin Administrator account) can always log on to the domain, even when a global catalog server is not available.
Universal group membership caching
On domain controllers running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 in a site that has no global catalog server, you can use universal group membership caching to reduce the need to contact a global catalog server in a different site. When this feature is enabled, the first time that a user logs on to a domain where universal groups are available, the user's universal group membership information is cached on the domain controller. Thereafter, the domain controller uses cached memberships to process the logon, rather than having to contact a global catalog server.