Most organizations today use Active Directory to hold user and computer accounts, deploy policies, and implement access and security control within the organization and with partner organizations through Active Directory trusts. The Global Catalog plays an important role in the functioning of the Active Directory infrastructure, in user logons, and in the operation of multiple services. Let us understand the Global Catalog:
The Global Catalog stores:
- Own domain – A writable copy of the domain partition of its own domain
- Other domains – A read-only copy of the partial attribute set of every other domain in the forest
- Trusted forests – Additionally, it stores the domain tree name namespaces, UPN namespaces, SPN namespaces and security ID (SID) namespaces of the domains with which it has an external trust. This information is replicated to all Global Catalog servers in the forest
- Group memberships – The Global Catalog also contains the domain local, global and universal group memberships of its own domain and the universal group memberships of all other domains in the forest. Global groups that are members of universal groups are also cached in the Global Catalog
The Global Catalog helps with:
- Forest-wide searches – Faster queries for Active Directory objects across the forest
- User logons – When a user logs in with a SAM account name, the authentication request goes directly to a domain controller of the domain that contains the user account. When the user logs in with a User Principal Name (UPN), the request is first processed by a Global Catalog to find out which domain contains the user, and only then is it routed to a domain controller of that domain
- Exchange – Exchange uses the Global Catalog to identify email targets in the forest: users, security groups, distribution groups, contacts and folders. Exchange also uses the Global Catalog to build the address book
- Recovery of memberships during restore – It is advisable to perform Active Directory restores (especially authoritative restores) on Global Catalog servers so that the corresponding group memberships are restored as part of the Active Directory object recovery.
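The UPN logon point above can be observed directly with an LDAP query. The following PowerShell is an added example, not code from the original article: it resolves a UPN through the Global Catalog on port 3268 (which searches the partial replicas of every domain in the forest) and contrasts that with the same filter against the server's own domain partition on port 389. It assumes the RSAT ActiveDirectory module is installed and that the caller has read access to the forest; the UPN and server names are placeholders, and the function name `Resolve-UpnViaGlobalCatalog` is the editor's own.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module; $UserPrincipalName and the discovered GC host are placeholders.
Import-Module ActiveDirectory

function Resolve-UpnViaGlobalCatalog {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Any GC in the forest will do; -Discover picks one from DNS/site info.
        [string] $GlobalCatalogServer = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
    )

    # Port 3268 makes the server search its Global Catalog replica, i.e. the
    # partial attribute set of every domain in the forest, not just its own.
    $gc = "${GlobalCatalogServer}:3268"
    $hit = Get-ADObject -Server $gc `
        -LDAPFilter "(&(objectClass=user)(userPrincipalName=$UserPrincipalName))" `
        -Properties userPrincipalName, sAMAccountName, objectSid

    if (-not $hit) { return $null }

    # The DN reveals which domain holds the writable copy of the account;
    # a real UPN logon is routed to a domain controller of that domain.
    $domainDn = ($hit.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','

    [pscustomobject]@{
        UserPrincipalName = $hit.userPrincipalName
        SamAccountName    = $hit.sAMAccountName
        HomeDomainDN      = $domainDn
        SID               = $hit.objectSid.Value
        AnsweredByGC      = $GlobalCatalogServer
    }
}

# Usage (placeholder UPN): the GC finds the account whichever domain it lives in.
$upn = 'jdoe@child.example.com'
Resolve-UpnViaGlobalCatalog -UserPrincipalName $upn

# Same filter against the server's own domain partition (default port 389):
# this only returns the account if it lives in that DC's domain, which is
# why a UPN logon needs the Global Catalog hop first.
$gcHost = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
Get-ADObject -Server $gcHost -LDAPFilter "(userPrincipalName=$upn)"
```

Run it once from a domain that does not contain the account to see the difference: the 3268 query returns the object with its home domain DN, while the 389 query returns nothing.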
Additional points on the Global Catalog:
- Global Catalog queries use TCP port 3268 (LDAP, unencrypted) and TCP port 3269 (LDAP over SSL/TLS, encrypted)
- The Global Catalog content on domain controllers of different domains is also different. Therefore, if you have a multi-domain infrastructure with Exchange recipients, it is advisable to have at least one domain controller from each domain with the Global Catalog enabled.
- Recovery of the Global Catalog is easy. Use the repadmin command to rebuild the Global Catalog content, and ensure that you disable outbound replication on that domain controller before attempting to do so.
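The last three points can be checked and acted on from a management workstation. The PowerShell below is an added example, not code from the original article: it lists which domain controllers in each domain of the forest hold the Global Catalog (so a domain with no GC stands out), tests that TCP 3268 and 3269 answer on every GC, and then shows one way to perform the rebuild described in the last bullet with repadmin, with outbound replication disabled around the step. It assumes the RSAT ActiveDirectory module, that repadmin and dcdiag are available, and that `$RebuildTarget` is a placeholder for the DC being rebuilt; the function names `Get-GlobalCatalogCoverage` and `Test-GlobalCatalogPorts` are the editor's own, and the repadmin sequence is the editor's illustration of the procedure rather than a step list from the article.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module, repadmin/dcdiag on the path, and a placeholder $RebuildTarget.
Import-Module ActiveDirectory

function Get-GlobalCatalogCoverage {
    # One row per domain in the forest; HasGC is $false for any domain
    # that would leave Exchange without a local Global Catalog.
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        $gcs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $domain)
        [pscustomobject]@{
            Domain         = $domain
            GlobalCatalogs = ($gcs | ForEach-Object HostName) -join ', '
            HasGC          = $gcs.Count -gt 0
        }
    }
}

function Test-GlobalCatalogPorts {
    param([Parameter(Mandatory)] [string] $HostName)
    # 3268 = LDAP GC (clear text), 3269 = LDAP GC over SSL/TLS.
    foreach ($port in 3268, 3269) {
        $r = Test-NetConnection -ComputerName $HostName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $HostName; Port = $port; Open = $r.TcpTestSucceeded }
    }
}

# Inventory and reachability report
Get-GlobalCatalogCoverage | Format-Table -AutoSize
(Get-ADForest).GlobalCatalogs | ForEach-Object { Test-GlobalCatalogPorts -HostName $_ } |
    Format-Table -AutoSize

# Rebuilding the Global Catalog on one DC (placeholder name). Outbound
# replication is switched off first so the DC cannot push anything to its
# partners while its partial replicas are removed and re-sourced.
$RebuildTarget = 'DC01.example.com'

repadmin /options $RebuildTarget +DISABLE_OUTBOUND_REPL   # 1. stop outbound replication
repadmin /options $RebuildTarget -IS_GC                   # 2. remove the GC role

# Wait until the DC no longer advertises as a GC before re-adding the role;
# the advertising test reports the GC state for the target DC.
dcdiag /test:Advertising /s:$RebuildTarget

repadmin /options $RebuildTarget +IS_GC                   # 3. re-add the GC role
dcdiag /test:Advertising /s:$RebuildTarget                #    confirm it advertises again
repadmin /options $RebuildTarget -DISABLE_OUTBOUND_REPL   # 4. restore outbound replication
```

The report section is read-only and safe to run at any time; the repadmin section changes replication state and should be run step by step, re-running the dcdiag check between the remove and re-add until the DC has actually dropped the GC role.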
I hope the article has provided good technical information on the Global Catalog.