Global Catalog
The global catalog is a distributed data repository that is stored on global catalog servers and distributed through multimaster replication. It consists of a partial representation of every object in the multidomain Active Directory forest, and that representation can be searched. The global catalog is used because it makes searches faster: a search does not have to involve referrals to different domain controllers.
In addition, the global catalog lets you find an object without knowing which domain the object belongs to. This is possible because a global catalog server holds not only a full, writable replica of its own domain directory partition, but also a partial, read-only replica of every other domain directory partition in the forest. Because these partial replicas contain only the attributes most commonly used in searches, every object in every domain of the forest, whatever its size, can be represented in the database of a single global catalog server and found there.
To keep searches complete, fast and effective, the global catalog is continuously updated by the Active Directory replication system. The set of attributes replicated to the catalog is known as the partial attribute set (PAS). In a Windows 2000 Server environment, a change to the PAS causes a full synchronization of the global catalog, even when the change is minor. Windows Server 2003 improved on this by changing how the PAS is handled: only the attributes that change are replicated.
How Does It Work?
For example, if a user searches for all printers in the forest, a global catalog server processes the request by searching the global catalog and returns the results. Without a global catalog server, the user would have had to search every forest separately.
When a user logs on interactively to the domain (one example of such a query), the domain controller authenticates the user by validating the user's identity and determining all the groups the user belongs to. Because the global catalog holds the membership of all groups, access to a global catalog server is needed for authentication anywhere in the forest, and it is therefore a requirement for Active Directory authentication. For that reason it is best to have at least one global catalog server in each Active Directory site: the authenticating domain controller then does not need to send queries over a WAN connection to obtain the information it needs.
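The two ideas above (a GC server keeps a full replica of its own domain plus a PAS-only replica of every other domain, and a DC can resolve group membership at logon from the GC instead of querying every domain) are easier to see in a small model. The following is an added example written for this page, not Microsoft code or a real LDAP client: the forest layout, the attribute names kept in the PAS and the object values are all constructed. It also contrasts the Windows 2000 behaviour on a PAS change (full resynchronisation) with the Windows Server 2003 behaviour (only the new attribute is replicated) by counting how much data each approach moves.

```python
"""Toy model of Active Directory domain partitions, the partial attribute set
(PAS) and a global catalog (GC) server.  Added illustration, not Microsoft
code: the forest layout, attribute names and values are all constructed."""
from dataclasses import dataclass, field

# Attributes every domain replicates to the GC (the partial attribute set).
# 'member' is included so the GC can resolve group membership at logon.
DEFAULT_PAS = {"objectClass", "cn", "sAMAccountName", "member"}


@dataclass
class Forest:
    """domain name -> {distinguishedName: full attribute dict}.
    Each domain partition is the full, writable copy of its own objects."""
    domains: dict = field(default_factory=dict)

    def add(self, domain, dn, **attrs):
        self.domains.setdefault(domain, {})[dn] = attrs


@dataclass
class GlobalCatalog:
    home_domain: str
    forest: Forest
    pas: set = field(default_factory=lambda: set(DEFAULT_PAS))
    catalog: dict = field(default_factory=dict)   # dn -> attributes held here
    full_syncs: int = 0          # how often the whole catalog was rebuilt
    values_replicated: int = 0   # attribute values pulled from other domains

    def full_sync(self):
        """Rebuild the catalog: full replica of the home domain, PAS-only
        read-only replica of every other domain partition in the forest."""
        self.catalog = {}
        for domain, objs in self.forest.domains.items():
            for dn, attrs in objs.items():
                if domain == self.home_domain:
                    self.catalog[dn] = dict(attrs)
                else:
                    partial = {k: v for k, v in attrs.items() if k in self.pas}
                    self.catalog[dn] = partial
                    self.values_replicated += len(partial)
        self.full_syncs += 1

    def add_to_pas(self, attr, incremental):
        """Extend the PAS.  incremental=False models Windows 2000 (full GC
        resynchronisation); incremental=True models Windows Server 2003,
        where only the newly added attribute is replicated."""
        self.pas.add(attr)
        if not incremental:
            self.full_sync()
            return
        for domain, objs in self.forest.domains.items():
            if domain == self.home_domain:
                continue
            for dn, attrs in objs.items():
                if attr in attrs:
                    self.catalog[dn][attr] = attrs[attr]
                    self.values_replicated += 1

    def search(self, **match):
        """Forest-wide search answered from the local catalog, with no
        referrals to domain controllers of other domains."""
        return sorted(dn for dn, a in self.catalog.items()
                      if all(a.get(k) == v for k, v in match.items()))

    def groups_of(self, user_dn):
        """Group memberships a DC needs at interactive logon, resolved from
        the GC instead of by querying every domain over the WAN."""
        return sorted(a["cn"] for a in self.catalog.values()
                      if a.get("objectClass") == "group"
                      and user_dn in a.get("member", ()))


def build_demo_forest():
    """Constructed two-domain forest (corp.example and eu.corp.example)."""
    f = Forest()
    f.add("corp.example", "CN=prn-hq-1,DC=corp,DC=example",
          objectClass="printQueue", cn="prn-hq-1", location="HQ floor 2",
          driverName="Generic PCL")
    f.add("corp.example", "CN=alice,DC=corp,DC=example",
          objectClass="user", cn="alice", sAMAccountName="alice",
          department="Finance")
    f.add("eu.corp.example", "CN=prn-eu-1,DC=eu,DC=corp,DC=example",
          objectClass="printQueue", cn="prn-eu-1", location="Berlin",
          driverName="Generic PCL")
    f.add("eu.corp.example", "CN=EU-Finance,DC=eu,DC=corp,DC=example",
          objectClass="group", cn="EU-Finance",
          member=["CN=alice,DC=corp,DC=example"])
    return f


if __name__ == "__main__":
    gc = GlobalCatalog("corp.example", build_demo_forest())
    gc.full_sync()
    print(gc.search(objectClass="printQueue"))     # printers from both domains
    print(gc.groups_of("CN=alice,DC=corp,DC=example"))
    # 'location' is not in the PAS yet, so the EU printer's location is unknown.
    print(gc.catalog["CN=prn-eu-1,DC=eu,DC=corp,DC=example"].get("location"))
    gc.add_to_pas("location", incremental=True)
    print(gc.full_syncs, gc.values_replicated)
```

Running it shows the printer search returning objects from both domains without any referral, the EU group membership of a user from the home domain being resolved locally, and the cost difference of the two PAS-change strategies: the incremental path ships a single new value, whereas the full-resynchronisation path rebuilds every partial replica.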
Ports Commonly Used by Global Catalog Servers
| Service Name | UDP | TCP |
|---|---|---|
| LDAP (global catalog) | | 3268 |
| LDAP (global catalog SSL) | | 3269 |
| LDAP | 389 | 389 |
| LDAP (SSL) | | 636 |
| RPC/REPL (endpoint mapper) | | 135 |
| Kerberos | 88 | 88 |
| DNS | 53 | 53 |
| SMB over IP | 445 | 445 |
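The port table is most useful to a defender when it is applied to actual traffic records. The following added example (written for this page, not from the original article) classifies constructed connection-log lines by the ports listed above and flags global catalog lookups (TCP 3268/3269) from a client whose site differs from the server's site. Such cross-site GC traffic is exactly what the section above warns about: a site without its own global catalog server sends its logon-time queries over the WAN. The subnet-to-site map, the log format and the IP addresses are all constructed assumptions.

```python
"""Classify Active Directory traffic records by the port table above and
flag global catalog lookups that leave their site.  Added example, not from
the original page; subnets, site names and log lines are constructed."""
import ipaddress
import re

# (protocol, port) -> service, taken from the port table on this page.
AD_PORTS = {
    ("tcp", 3268): "LDAP global catalog",
    ("tcp", 3269): "LDAP global catalog (SSL)",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP",
    ("tcp", 636): "LDAP (SSL)",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 445): "SMB over IP", ("udp", 445): "SMB over IP",
}
GC_PORTS = {3268, 3269}

# Constructed site map (what AD Sites and Services would hold): subnet -> site.
SITES = {
    ipaddress.ip_network("10.1.0.0/16"): "HQ",
    ipaddress.ip_network("10.2.0.0/16"): "Berlin",
}

# Constructed log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(\S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")


def site_of(ip):
    """Map an address to its AD site, or None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for net, name in SITES.items():
        if addr in net:
            return name
    return None


def parse(line):
    """Parse one record; returns None for lines that do not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, proto, src, _sport, dst, dport = m.groups()
    dport = int(dport)
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "dport": dport,
            "service": AD_PORTS.get((proto, dport), "other")}


def service_counts(lines):
    """How much of each AD service the records contain."""
    counts = {}
    for line in lines:
        rec = parse(line)
        if rec:
            counts[rec["service"]] = counts.get(rec["service"], 0) + 1
    return counts


def cross_site_gc_lookups(lines):
    """Records where a client in one site queries a GC port in another site:
    a sign that the client's site has no local global catalog server."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dport"] not in GC_PORTS:
            continue
        src_site, dst_site = site_of(rec["src"]), site_of(rec["dst"])
        if src_site and dst_site and src_site != dst_site:
            hits.append((rec["ts"], rec["src"], src_site,
                         rec["dst"], dst_site, rec["service"]))
    return hits


# Constructed sample: 10.1.0.5 is the only GC server and sits in the HQ site.
SAMPLE = """\
2024-05-01T08:00:01Z tcp 10.1.20.15:51234 -> 10.1.0.5:3268
2024-05-01T08:00:02Z tcp 10.2.40.7:49811 -> 10.1.0.5:3268
2024-05-01T08:00:03Z udp 10.2.40.7:54001 -> 10.2.0.9:88
2024-05-01T08:00:04Z tcp 10.2.40.8:49812 -> 10.1.0.5:3269
2024-05-01T08:00:05Z tcp 10.1.20.16:51300 -> 10.1.0.5:445
""".splitlines()

if __name__ == "__main__":
    print(service_counts(SAMPLE))
    for hit in cross_site_gc_lookups(SAMPLE):
        print("cross-site GC lookup:", hit)
```

On the sample data the two Berlin clients querying the HQ global catalog are reported, while the Kerberos request to a Berlin domain controller and the HQ-local traffic are not. In practice the site map would come from the subnet objects in AD Sites and Services rather than a hard-coded dictionary.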