A global catalog server makes it possible to search the entire Active Directory Domain Services (AD DS) forest without referrals to a domain controller in the domain that stores the target of the search. When you add the global catalog to a domain controller, a partial, read-only replica of every domain in the forest (other than the domain that the new global catalog server stores) is replicated to the domain controller. Global catalog servers are required for searching and for processing domain logons in forests where universal groups are available.

Global catalog servers and domains

Global catalog servers respond to forest-wide Lightweight Directory Access Protocol (LDAP) queries over port 3268. The global catalog eliminates the need for a query to be sent to multiple domain controllers until the query locates the domain that contains the requested object.

When a forest contains only one domain, all domain controllers have the full complement of objects that can be searched, and a global catalog server is not required to eliminate referrals to other domains. However, because the global catalog port is different from the default LDAP port (389), global catalog queries must locate a global catalog server. In a single-domain forest, configuring all domain controllers as global catalog servers ensures that global catalog queries are load-balanced evenly among all domain controllers in the domain. Because no additional replication or processing of other domain data is required, a single-domain global catalog server needs no more capable hardware than other domain controllers.

If a forest contains more than one domain, however, a global catalog server must store and replicate domain data for all domains in the forest. In this case, determine the placement of global catalog servers in your forest according to site needs, as described in the following section.

Global catalog servers and sites

To optimize network performance in a multiple-site environment, consider adding global catalog servers in sites according to the needs in the sites for fast search responses and domain logons. In a single-site, multiple-domain environment, a single global catalog server is usually sufficient to cover common Active Directory queries and logons. Use the information in the following table to determine whether your multiple-domain, multiple-site environment can benefit from additional global catalog servers.

| Use a global catalog when … | Advantage | Disadvantage |
| --- | --- | --- |
| A commonly used application in the site uses port 3268 to resolve global catalog queries. | Performance improvement | Additional network traffic due to global catalog replication |
| A slow or unreliable wide area network (WAN) connection is used to connect to other sites. Use the same failure rules and load distribution rules that you use for individual domain controllers to determine whether additional global catalog servers are necessary in each site. | Fault tolerance | Additional network traffic due to global catalog replication |
| Users in the site belong to a Windows 2000 domain with the domain functional level set to Windows 2000 native. In this case, all users must obtain universal group membership information from a global catalog server. If a global catalog server is not located in the same site, all logon requests must be routed over a WAN connection to a global catalog server in another site. You can use universal group membership caching, a feature that is available on domain controllers running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 to eliminate the need to contact a global catalog server in a different site during domain logons. | Fast user logons | Additional network traffic due to global catalog replication |
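
One way to check current placement against the table above is to inventory, per site, how many domain controllers are global catalog servers and whether each one answers on port 3268. This is an added example, not code from the original page; it assumes the ActiveDirectory PowerShell module (RSAT), the Test-NetConnection cmdlet, and read access to every domain in the forest, and the report column names (including NeedsReview) are chosen here for illustration.

```powershell
# Added example: per-site global catalog coverage report.
# Assumptions: ActiveDirectory module (RSAT) is installed, Test-NetConnection is
# available, and the account can read every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Collect every domain controller from every domain in the forest.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object HostName, Domain, Site, IsGlobalCatalog
}

# Build one row per site: DC count, GC count, and GCs that accept TCP 3268.
$report = foreach ($site in $forest.Sites) {
    $siteDcs = @($dcs | Where-Object { $_.Site -eq $site })
    $siteGcs = @($siteDcs | Where-Object { $_.IsGlobalCatalog })

    # A DC flagged as a global catalog should accept connections on port 3268.
    $answering = @($siteGcs | Where-Object {
        (Test-NetConnection -ComputerName $_.HostName -Port 3268 `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    })

    [pscustomobject]@{
        Site              = $site
        DomainControllers = $siteDcs.Count
        GlobalCatalogs    = $siteGcs.Count
        Answering3268     = $answering.Count
        # Hypothetical flag: the site has DCs, but global catalog queries and
        # universal group lookups must leave the site.
        NeedsReview       = ($siteDcs.Count -gt 0 -and $answering.Count -eq 0)
    }
}

$report | Sort-Object Site | Format-Table -AutoSize
```

In a single-domain forest where every domain controller is a global catalog server, DomainControllers and GlobalCatalogs match for every site. A gap between GlobalCatalogs and Answering3268 points to a service or firewall problem rather than a placement problem.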