The Active Directory Global Catalog Server
Carrying on the theme from the Active Directory FSMO roles article, I thought I would put a little information around another really important AD component – the Global Catalog server.
The following article covers what is the Active Directory Global Catalog server, why it is important and the best practises around its placement…
AD Global Catalog Server
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain within an Active Directory Forest.
The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multi-master replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes are included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.
How and what is updated?
The good news is this is all automatic and is kept up-to-date via Active Directory multi-master replication.
The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined by default by Microsoft. However, it is possible to add additional attributes to the global catalog by editing the AD schema.
When is it used?
The Active Directory Global Catalog server is used in the following situations:
- Forest-wide searches: The global catalog provides a resource for searching an AD DS forest. Forest-wide searches are identified by the LDAP port that they use. If the search query uses port 3268, the query is sent to a global catalog server.
- User Logon: In a multi-domain forest, a global catalog server is required during user logon in the following scenarios:
- Domain controllers request universal group membership from global catalog servers. This can be prevented by using Universal Group Membership caching.
- When a User Principal Name (UPN) is used to login, the global catalog server is required to resolve the name (i.e. it is required to determine what domain in the forest the user is a member of)
- Exchange Address Book Look-ups: Microsoft Exchange servers rely on the global catalog server to do address look-ups. In addition, users use the global catalog when accessing the Global Address List.
How critical is a global catalog server in my domain?
The short answer to this is… EXTREMELY critical!
If a global catalog is not available when a user initiates a network logon process, the user can log on only to the local computer. There must be a global catalog server available so that users can log on and locate Active Directory resources.For this reason, it is recommended to ensure you do the following:
- Protect your domain controller that hosts the global catalog – i.e. make sure it is highly available, hosted on good hardware, running on a supported platform, and is regularly maintained
- Ensure you document who is your global catalog server, so that in the event of a disaster you get that domain controller up first
- If possible, deploy multiple global catalog servers in your environment
How do I promote a domain controller to become a Global Catalog server?
By default, the first domain controller you install in a forest will automatically be a global catalog server as well.
If you require additional global catalog servers within your environment, then you can promote an existing domain controller. To do this, follow the instructions here >>> How to promote a domain controller to a global catalog.
How many should I have?
The answer to this question depends on your environment, the resources you have available and your requirements, however in general follow the guidelines below:
Single-Domain Forest:
In a single-domain forest, configure all domain controllers as global catalog servers. Because every domain controller stores the only domain directory partition in the forest, configuring each domain controller as a global catalog server does not require any additional disk space usage, CPU usage, or replication traffic.
Multi-Domain Forest:
In a multi-domain forest, you need to do some planning around your requirements. When planning for the placements of global catalog servers, you should take into account the following:
- Do any applications need a global catalog at a specific site? (e.g. Microsoft Exchange)?
- Do you have more than 100 users in a site?
- Do you have slow WAN links and many users logging in from remote locations?
If you answer yes to any of the above questions, then it is strongly recommended that you place a Global Catalog server at that specific site.
For more information about the placement and planning of the Global Catalog, see the following Microsoft Technet article >> Planning Global Catalog Server Placement.
Let me know if you have any comments or questions below
Luca
Comments