
What Is the Global Catalog?

Updated: October 26, 2011

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

In this section

Common Global Catalog Scenarios
Global Catalog Dependencies and Interactions
Related Information

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

Note
In Windows Server 2003 and Microsoft Windows 2000 Server, the directory service is named Active Directory. In Windows Server 2008 R2 and Windows Server 2008, the directory service is named Active Directory Domain Services. The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.

In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

Note
A global catalog server can also store a full, writable replica of an application directory partition, but objects in application directory partitions are not replicated to the global catalog as partial, read-only directory partitions.

The global catalog is built and updated automatically by the AD DS replication system. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined by default by Microsoft. However, to optimize searching, you can edit the schema by adding or removing attributes that are stored in the global catalog. In Windows 2000 Server environments, any change to the PAS results in full synchronization (update of all attributes) of the global catalog. Later versions of Windows Server reduce the impact of updating the global catalog by replicating only the attributes that change. In a single-domain forest, a global catalog server stores a full, writable replica of the domain and does not store any partial replica. A global catalog server in a single-domain forest functions in the same manner as a non-global-catalog server except for the processing of forest-wide searches.

Common Global Catalog Scenarios


The following events require a global catalog server:

Forest-wide searches. The global catalog provides a resource for searching an AD DS forest. Forest-wide searches are identified by the LDAP port that they use. If the search query uses port 3268, the query is sent to a global catalog server.

User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication:
In a domain that operates at the Windows 2000 native domain functional level or higher, domain controllers must request universal group membership enumeration from a global catalog server.
When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.

Universal Group Membership Caching. In a forest that has more than one domain, in sites that have domain users but no global catalog server, Universal Group Membership Caching can be used to enable caching of logon credentials so that the global catalog does not have to be contacted for subsequent user logons. This feature eliminates the need to retrieve universal group memberships across a WAN link from a global catalog server in a different site.

Note
Universal groups are available only in a domain that operates at the Windows 2000 native domain functional level or higher.

Exchange Address Book lookups. Servers running Microsoft Exchange Server rely on access to the global catalog for address information. Users access the global address list (GAL) through global catalog servers.
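The port distinction described above (3268 for a forest-wide search, 389 for a domain-local one) and the partial attribute set can both be checked from an administrator's workstation. The following PowerShell script is an added example, not code from the TechNet article; it assumes the ActiveDirectory module is installed, and the forest name contoso.com, the global catalog server gc01.contoso.com and the account jsmith are placeholders.

```powershell
# Added example (not from the TechNet article): compare a forest-wide
# search on the global catalog port (3268) with a domain-local search on
# the standard LDAP port (389), then list the attributes that the schema
# marks as members of the partial attribute set (PAS).
# Assumed: ActiveDirectory module present, forest root contoso.com,
# gc01.contoso.com is a global catalog server, jsmith is a sample account.
Import-Module ActiveDirectory

$gc  = 'gc01.contoso.com'
$sam = 'jsmith'

# Forest-wide: an empty SearchBase on port 3268 searches every domain in
# the forest from the GC's partial replicas; no referral is chased.
$fromGc = Get-ADObject -Server "$($gc):3268" -SearchBase '' `
    -LDAPFilter "(sAMAccountName=$sam)" -Properties userPrincipalName

# Domain-local: the same filter on port 389 sees only the domain partition
# this DC holds; an account in another domain would not be returned.
$fromDc = Get-ADObject -Server "$($gc):389" `
    -LDAPFilter "(sAMAccountName=$sam)" -Properties userPrincipalName

"GC (3268) hits: $(@($fromGc).Count); DC (389) hits: $(@($fromDc).Count)"

# Attributes outside the PAS come back empty from the GC even though they
# exist on the object's home DC. Audit the PAS so you know which attributes
# are readable forest-wide by anyone who can bind to port 3268. The schema
# partition is fully replicated, so the default port is fine here.
$schemaNC = (Get-ADRootDSE -Server $gc).schemaNamingContext
$pas = Get-ADObject -Server $gc -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object

"$($pas.Count) attributes replicate to the global catalog"
# Spot-check a few attributes the article mentions (member, userPrincipalName)
$pas | Where-Object { $_ -in 'member', 'userPrincipalName', 'sAMAccountName' }
```

Run it as a user with ordinary read rights first: the difference between the two hit counts for an account that lives in another domain is the referral-free behaviour the article describes, and the PAS listing is what to review before adding attributes to the global catalog, because anything added there becomes searchable on every global catalog server in the forest.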

Search Requests

Because a domain controller that acts as a global catalog server stores objects for all domains in the forest, users and applications can use the global catalog to locate objects in any domain within a multidomain forest without a referral to a different server. When a forest consists of a single domain, every domain controller has a full, writable copy of every object in the domain and forest. However, it is important to retain the global catalog on at least one domain controller because many applications use port 3268 for searching. For example, if you do not have any global catalog servers, the Search command on the Start menu cannot locate objects in AD DS.

The replicas that are replicated to the global catalog also include the access permissions for each object and attribute. If you are searching for an object that you do not have permission to access, you do not see the object in the list of search results. Users can find only objects to which they are allowed access.

User Logon Support

In addition to its role as a search provider, in a forest that has more than one domain, the global catalog has a role as an identity source during the user logon process. Universal groups can provide access to resources outside of the user's domain. User principal names (UPNs) can specify a domain other than the domain of the user. By making universal group membership and UPN domain-user mapping information available on all global catalog servers, the global catalog provides the definitive source for groups that are capable of providing access in more than one domain and for names that do not unequivocally identify the domain of the user.

Universal Group Membership

During the domain logon process, the user must be authenticated. During the authentication process, the user is validated (the domain controller verifies the identity of the user) and the user receives authorization data for access to resources. To provide authorization data for a user, the authenticating domain controller retrieves the security identifiers (SIDs) for all security groups of which the user is a member and adds these SIDs to the user's access token. In a forest that has more than one domain, the global catalog is the only location where memberships of all universal groups in that forest can be ascertained. For this reason, access to a global catalog server is required for successful authentication in a domain that can have universal groups.

The global catalog stores the membership (the member attribute) of only universal groups. The membership of other groups can be ascertained at the domain level. Because a universal group can have members from domains other than the domain where the group object is stored and can be used to provide access to resources in any domain, only a global catalog server is guaranteed to have all universal group memberships that are required for authentication. For example, a user might be a member of a universal group that has its group object stored in a different domain but provides access to resources in the user's domain. To ensure that the user can be authorized to access resources appropriately in this domain, the domain controller must have access to the membership of all universal groups in the forest. If a global catalog server is not available, the user logon fails.

User Principal Name

A user principal name (UPN) is a logon name that takes the form of an e-mail address. A UPN specifies the user ID followed by a DNS domain name, separated by an "@" character (for example, jsmith@contoso.com). UPNs allow administrative management of the UPN suffix to provide logon names that:
Match the user's e-mail name.
Do not reveal the domain structure of the forest.

When a user account is created, the UPN suffix is generated by default as userName@DnsDomainName, but it can be changed administratively. For example, in a forest that has four domains, the UPN suffix might be configured to map to the external DNS name for the organization. The userPrincipalName attribute of the user account identifies the UPN and is replicated to the global catalog. When you use a UPN to log on to a domain, your workstation contacts a global catalog server to resolve the name because the UPN suffix is not necessarily the domain for which the contacted domain controller is authoritative. If the DNS domain name in the UPN suffix is not a valid DNS domain, the logon fails. Assuming the UPN suffix is a valid DNS name, the global catalog server returns the name of the AD DS domain to your workstation, which then queries DNS for a domain controller in that domain. If a company has more than one forest and uses trust relationships between the domains in the different forests, a UPN cannot be used to log on to a domain that is outside the user's forest because the UPN is resolved in the global catalog of the user's forest.

Universal Group Membership Caching

Universal Group Membership Caching eliminates the need for a domain controller in a multidomain forest to contact a global catalog server during the logon process in domains where universal groups are available. Caching group membership reduces WAN traffic, which helps in sites where updating the cached group membership of security principals, including user and computer accounts, generates less traffic than replicating the global catalog to the site. Use the following criteria to determine if a site is a good candidate for Universal Group Membership Caching:

Number of users and computers in the site. The site has fewer than 500 combined users and computers, including transient users who log on occasionally but not on a regular basis. The cache of a user who logs on once continues to be updated periodically for 180 days after the first logon. A general limit of 500 membership caches can be updated at a time. If more than 500 security principals have cached group memberships, some caches might not be updated.

Number of domain controllers. Each domain controller performs a refresh on every user in its site once every eight hours. Depending on the number of domains in the forest, 500 security principals and two domain controllers could generate more WAN traffic than placing a global catalog server in the site. Therefore, you need to rationalize the WAN costs when exceeding 500 security principals and two domain controllers.

Tolerance for high latency in group updates. Because domain controllers in the site where Universal Group Membership Caching is enabled update the membership caches every eight hours, and because credentials are always taken from the cache, updates to group memberships are not reflected in the security principal's credentials for up to eight hours.
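The two logon-time lookups described above, resolving a UPN to its AD DS domain and enumerating the user's universal groups, can be reproduced by hand against a global catalog server. The script below is an added example and not code from the TechNet article; it assumes the ActiveDirectory module, a global catalog server gc01.contoso.com, and a sample account jsmith@contoso.com whose UPN suffix is the forest name rather than the name of the child domain where the account lives.

```powershell
# Added example (not from the TechNet article): reproduce the two lookups a
# domain controller performs against the global catalog during logon.
# Assumed: ActiveDirectory module present, gc01.contoso.com is a GC, and
# jsmith@contoso.com is a sample account stored in a child domain.
Import-Module ActiveDirectory
$gc  = 'gc01.contoso.com'
$upn = 'jsmith@contoso.com'

# 1. UPN resolution. The suffix (contoso.com) need not be the account's
#    AD DS domain, so only the GC, which holds userPrincipalName for every
#    domain in the forest, can map the UPN to a domain. Empty SearchBase on
#    port 3268 means "the whole forest".
$user = Get-ADUser -Server "$($gc):3268" -SearchBase '' `
    -Filter "userPrincipalName -eq '$upn'"
if (-not $user) { throw "UPN $upn is not in the global catalog; this logon would fail" }

# Derive the home domain from the DC= components of the distinguished name
# (e.g. CN=...,DC=child,DC=contoso,DC=com -> child.contoso.com).
$homeDomain = ([regex]::Matches($user.DistinguishedName, '(?<=,DC=)[^,]+') |
    ForEach-Object { $_.Value }) -join '.'
"$upn resolves to AD DS domain $homeDomain; the workstation now asks DNS for a DC there"

# 2. Universal group membership. The GC replicates the member attribute only
#    for universal groups, so enumerate them forest-wide on the GC. The bitwise
#    AND matching rule selects groups whose groupType has the universal bit
#    (0x8) and the security-enabled bit (0x80000000); distribution groups do
#    not contribute SIDs to the token. The DN is assumed to contain no LDAP
#    filter metacharacters (no escaping is done here).
$dn = $user.DistinguishedName
$filter = "(&(groupType:1.2.840.113556.1.4.803:=8)" +
          "(groupType:1.2.840.113556.1.4.803:=2147483648)(member=$dn))"
$universal = @(Get-ADGroup -Server "$($gc):3268" -SearchBase '' -LDAPFilter $filter)
"$($universal.Count) universal security groups would add SIDs to the token for $upn"
$universal | Select-Object Name, DistinguishedName

# 3. Sanity-check the suffix: it must be a domain DNS name in the forest or a
#    UPN suffix registered on the forest, otherwise the logon fails.
$forest = Get-ADForest -Server $gc
$suffix = $upn.Split('@')[1]
$valid  = @($forest.UPNSuffixes + $forest.Domains) -contains $suffix
"Suffix '$suffix' is valid for this forest: $valid"
```

Step 2 only finds direct membership in universal groups; a domain controller also expands nested and domain-local groups from its own partition when it builds the token, which is the part of the membership that the article says can be ascertained at the domain level. Comparing the count from this script with what a user actually gets (for example from whoami /groups on the user's machine) is a quick way to confirm that the global catalog a site relies on is reachable and up to date.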

Address Book Lookups

Exchange Server uses the global catalog to store mail recipient data that enables clients in a forest to send and receive e-mail messages.

Global Catalog Dependencies and Interactions


Global catalog servers have the following dependencies and interactions with other Windows Server technologies:

AD DS installation. When AD DS is installed on the first domain controller in a forest, the installation application creates that domain controller as a global catalog server.

AD DS replication. The global catalog is built and maintained by AD DS replication:
Subsequent to forest creation, when a domain controller is designated as a global catalog server, AD DS replication automatically transfers PAS replicas to the domain controller, including the partial replica of every domain in the forest other than the local domain.
To facilitate intersite replication of global catalog server updates, AD DS replication selects global catalog servers as bridgehead servers whenever a global catalog server is present in a site and domains that are not present in the site exist in other sites in the forest.

Domain Name System (DNS). Global catalog server clients depend on DNS to provide the IP address of global catalog servers. DNS is required to advertise global catalog servers for domain controller location.

Net Logon service. Global catalog advertisement in DNS depends on the Net Logon service to perform DNS registrations. When replication of the global catalog is complete, or when a global catalog server starts, the Net Logon service publishes service (SRV) resource records in DNS that specifically advertise the domain controller as a global catalog server.

Domain controller Locator. When a global catalog server is requested (by a user or application that launches a search over port 3268, or by a domain controller that is authenticating a user logon), the domain controller Locator queries DNS for a global catalog server.

In the following diagram, global catalog interactions include tracking a global catalog server through the following interactions, which are indicated by boxes:

Active Directory installation of a new forest: Global catalog creation occurs during AD DS installation of the first domain controller in the forest.

Net Logon registration: Resource records are registered in DNS to advertise the domain controller as a global catalog server.

AD DS replication: When a new domain controller (DC2) is created and an administrator designates it as a global catalog server, replication of the PAS from DC1 occurs. DC1 in DomainA replicates changes for DomainA to DC2, and DC2 replicates updates to data for DomainB to DC1.

DC location: The dotted lines enclose the processes whereby two clients locate a global catalog server by querying DNS:
A through C: (A) ClientX sends a query to the global catalog, which prompts (B) a DNS query to locate the closest global catalog server, and then (C) the client contacts the returned global catalog server DC2 to resolve the query.
1 through 5: (1) ClientY logs on to the domain, which prompts (2) a DNS query for the closest domain controllers. (3) ClientY contacts the returned domain controller DC3 for authentication. (4) DC3 queries DNS to find the closest global catalog server and then (5) contacts the returned global catalog server DC2 to retrieve the universal groups for the user.
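The DNS side of the diagram (steps B, 2 and 4, plus the Net Logon registrations that make them work) can be inspected from any domain-joined machine. The following script is an added example, not code from the TechNet article; it assumes the ActiveDirectory and DnsClient PowerShell modules, a forest root named contoso.com, and the NTDS Site Settings options bit for Universal Group Membership Caching (0x20, NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED as documented in MS-ADTS).

```powershell
# Added example (not from the TechNet article): check how clients and DCs
# would locate a global catalog server in this forest, and which sites have
# neither a GC nor Universal Group Membership Caching.
# Assumed: ActiveDirectory and DnsClient modules, forest root contoso.com,
# run from a domain-joined admin workstation.
Import-Module ActiveDirectory
$forest = 'contoso.com'

# Net Logon registers SRV records for every GC it advertises. The two names
# below are the forest-wide ones; site-specific records live under
# _gc._tcp.<site>._sites.<forest> and are what a client in that site prefers.
foreach ($name in "_gc._tcp.$forest", "_ldap._tcp.gc._msdcs.$forest") {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority, Weight
}

# What the DC Locator actually hands back for a GC from this machine's site
# (step B for a searching client, step 4 for an authenticating DC).
Get-ADDomainController -Discover -Service GlobalCatalog -ForceDiscover |
    Select-Object HostName, Site, IPv4Address

# Cross-check: DCs flagged as GC in AD DS versus GCs advertised in DNS. A DC
# on one list but not the other means either stale DNS or a GC that is still
# replicating in the PAS and has not yet been advertised by Net Logon.
$allDcs = Get-ADDomainController -Filter *
$gcDcs  = @($allDcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })
$srvGcs = @((Resolve-DnsName -Name "_gc._tcp.$forest" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' }).NameTarget)
"Flagged as GC but not in DNS: $(($gcDcs | Where-Object { $_ -notin $srvGcs }) -join ', ')"
"In DNS but not flagged as GC: $(($srvGcs | Where-Object { $_ -notin $gcDcs }) -join ', ')"

# Per site: is there a GC, and if not, is Universal Group Membership Caching
# enabled on the site's NTDS Site Settings object? (bit 0x20 of 'options',
# NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED per MS-ADTS). A site with domain
# users and neither is the case the article warns about: logons there depend
# on a GC across the WAN.
$configNC = (Get-ADRootDSE).configurationNamingContext
$sites = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=site)'
foreach ($site in $sites) {
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" -Properties options
    $ugmc  = (([int]($settings.options)) -band 0x20) -ne 0
    $hasGc = @($allDcs | Where-Object { $_.Site -eq $site.Name -and $_.IsGlobalCatalog }).Count -gt 0
    "{0,-24} GC in site: {1,-5} UGMC enabled: {2}" -f $site.Name, $hasGc, $ugmc
}
```

The per-site table at the end is the practical output: any site that shows GC in site False and UGMC enabled False, but hosts users from a multidomain forest, will fail logons whenever its WAN link to the nearest global catalog server is down, which is the failure mode the Universal Group Membership section above describes.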

Interactions with Other Windows Technologies

The global catalog solves the problem of how to locate domain data that is not stored on a domain controller in the domain of the client that requires the information. By using different ports for standard LDAP queries (port 389) and global catalog queries (port 3268), AD DS effectively separates forest-wide queries that require a global catalog server from local, domain-wide queries that can be serviced by the domain controller in the user's domain.

Related Information

Active Directory Replication Topology Technical Reference: http://technet.microsoft.com/en-us/library/cc755326(v=ws.10).aspx
DNS Support for Active Directory Technical Reference: http://technet.microsoft.com/en-us/library/cc781627(v=ws.10).aspx
Active Directory Schema Technical Reference: http://technet.microsoft.com/en-us/library/cc759402(v=ws.10).aspx

Community Content

Windows 2008 GC
I didn't realize that users didn't hit a GC at logon unless there was more than one domain in the forest!
7/27/2011, Jacob Moran

11/30/2010, Balasubbarao chowdary

2012 Microsoft. All rights reserved.
