
What is Global Catalog Server in Active Directory?

What you will learn from this article:

An Active Directory network is made up of forests and domains. The domain controllers (DCs) of a domain hold all the information about the objects in that domain, but they do not hold information about objects from other domains in the same forest. This becomes a problem when you need to look up an object that lives in another domain, and it is where global catalog servers come in. In this article, we will see what global catalog servers are, why they matter, and how to identify them in a domain.

What is a global catalog server?

A DC in an Active Directory (AD) network stores full information only about the domain it belongs to; locating objects outside that domain is beyond its scope. Hence, there is a need for a server called a global catalog server. The global catalog contains a partial representation of every object in the entire forest, so a global catalog server can search for objects in any domain of the forest it belongs to.

The global catalog is built and updated automatically by the AD replication system. Only those attributes of each object that are likely to be used in search queries are replicated to these servers, which keeps both replication and searching fast. The global catalog is stored on domain controllers that have been designated as global catalog servers.

Active Directory partitions

All DCs will contain at least three partitions, which are as follows:

  • The domain partition: This partition contains information about a domain’s objects and their attributes. This partition is a writable replica.
  • The configuration partition: This partition contains information about the forest’s topology such as the domain controllers positioning, site links, and more. This partition is a writable replica.
  • The schema partition: This partition contains definitions of every object class in the forest and the rules that control the creation and manipulation of those objects. You can learn more about AD schema in this article. Every DC will have this partition as read-only, except for the Schema master DC, which will have a writable replica of the schema partition. You can learn more about the various FSMO roles of DCs in this article.

Each DC may also contain an application partition that contains information of applications that are integrated into AD.

Global catalog servers

Apart from these partitions, a global catalog server also holds a separate partition containing partial information about the objects of each other domain in the forest. A global catalog server may therefore have several of these partitions, one per additional domain. These partitions are read-only.
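The partitions described in the two sections above can be read directly from a DC. The following PowerShell script is an added example (not code from the original article): it lists the domain, configuration, schema and application partitions a DC hosts from RootDSE, then reads the DC's NTDS Settings object to show the read-only partial partitions that only a global catalog server carries. It assumes the ActiveDirectory RSAT module is installed; the server name is a placeholder.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory module (RSAT); the DC name below is a placeholder.
Import-Module ActiveDirectory

$Server = 'DC01.corp.example'   # placeholder DC name

# RootDSE exposes the naming contexts (partitions) the DC hosts as full replicas.
$rootDse = Get-ADRootDSE -Server $Server

Write-Host "Domain partition:        $($rootDse.defaultNamingContext)"
Write-Host "Configuration partition: $($rootDse.configurationNamingContext)"
Write-Host "Schema partition:        $($rootDse.schemaNamingContext)"

# Anything in namingContexts beyond those three is an application partition
# (for example the partitions used by AD-integrated DNS).
$core = @($rootDse.defaultNamingContext,
          $rootDse.configurationNamingContext,
          $rootDse.schemaNamingContext)
$appPartitions = $rootDse.namingContexts | Where-Object { $core -notcontains $_ }
Write-Host "Application partitions:"
$appPartitions | ForEach-Object { Write-Host "  $_" }

# The DC's NTDS Settings object (class nTDSDSA, DN given by dsServiceName) records
# its read-only partial replicas in hasPartialReplicaNCs. Only a global catalog
# server has entries here, one per other domain in the forest.
$ntds = Get-ADObject -Identity $rootDse.dsServiceName -Server $Server `
                     -Properties hasPartialReplicaNCs, options

# Bit 0 of 'options' (NTDSDSA_OPT_IS_GC) marks the DC as a global catalog.
$isGc = ([int]$ntds.options -band 1) -eq 1
Write-Host "Global catalog: $isGc (RootDSE isGlobalCatalogReady = $($rootDse.isGlobalCatalogReady))"
Write-Host "Partial (read-only) partitions from other domains:"
$ntds.hasPartialReplicaNCs | ForEach-Object { Write-Host "  $_" }
```

On a DC that is not a global catalog, the last list is empty; on a global catalog in a multi-domain forest it shows one domain naming context per other domain. `isGlobalCatalogReady` is the value to trust when deciding whether clients are already being served, because it only becomes TRUE after the partial partitions have replicated in.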

How to check if a domain controller is a global catalog server?

To check if a DC is a global catalog server, you can perform the following steps:

  • Go to Start → Administrative Tools → Active Directory Sites and Services. The Active Directory Sites and Services window opens.
  • In the left pane, expand the Sites container and locate the DC you want to check.
  • Expand the DC, right-click on its NTDS settings, and select Properties.
  • In the General tab, you will see a Global Catalog checkbox. If the DC is a global catalog server, the check box will be selected.
[Figure: Checking if the DC is a Global Catalog server]

How to create a global catalog server?

To create a global catalog server, perform the same steps described above. If the DC is not yet a global catalog server, the Global Catalog checkbox will be unchecked; select it and confirm the settings, and the DC becomes a global catalog server.
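Both the check and the change described in the two sections above can be scripted. The following PowerShell is an added example (not the article's or Microsoft's own code): it inventories which DCs in the domain are global catalog servers, then sets on a chosen DC the same flag that the Global Catalog checkbox toggles, the NTDSDSA_OPT_IS_GC bit of the `options` attribute on its NTDS Settings object. It assumes the ActiveDirectory RSAT module and, for the change, Enterprise Admins membership or equivalent rights on the NTDS Settings object; the DC name is a placeholder.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory module (RSAT); the DC name below is a placeholder.
Import-Module ActiveDirectory

# 1. Inventory: IsGlobalCatalog is the attribute behind the checkbox in
#    Active Directory Sites and Services.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles |
    Sort-Object Name |
    Format-Table -AutoSize

# 2. Make a chosen DC a global catalog server.
$DcName = 'DC02.corp.example'   # placeholder
$dc   = Get-ADDomainController -Identity $DcName
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options

if (([int]$ntds.options -band 1) -eq 1) {
    Write-Host "$DcName is already a global catalog server."
} else {
    # Bit 0 of 'options' on the nTDSDSA object is NTDSDSA_OPT_IS_GC. Set it with
    # a bitwise OR so any other option bits (the replication-disable flags) survive.
    $newOptions = [int]$ntds.options -bor 1
    Set-ADObject -Identity $ntds -Replace @{ options = $newOptions } -Confirm:$true
    Write-Host "Requested global catalog promotion of $DcName."
    Write-Host "The DC advertises as a GC only after the partial partitions have replicated in"
    Write-Host "(check Get-ADRootDSE -Server $DcName for isGlobalCatalogReady = TRUE)."
}
```

Promotion is not instantaneous: the DC must first pull the partial replica of every other domain in the forest, so `IsGlobalCatalog` flips immediately while `isGlobalCatalogReady` lags until replication completes. Because a global catalog serves forest-wide authentication lookups, changes to this flag are worth logging and reviewing like any other change to the configuration partition.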

Functions of a global catalog server

Global catalog servers are capable of performing the following functions:

Authentication: Global catalog servers can perform two functions for the authentication process, which are:

User principal name resolution: A user principal name (UPN) is looked up in the global catalog to identify the object's distinguished name, so that the authentication request can be forwarded to a DC in the object's own domain.

Universal group membership identification: Global catalogs contain information about universal groups. Hence, in multi-domain environments, global catalogs are used to check if the user logging on is part of any universal groups.

Searching for objects: As mentioned earlier, global catalogs contain partial information about all objects in every domain of a multi-domain forest, so global catalog servers can perform search operations that locate objects across the whole forest.
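The two authentication functions above, UPN resolution and universal group membership identification, can be observed directly by querying a global catalog instead of a regular domain port. The following PowerShell is an added example (not from the original article): it sends the query to LDAP port 3268, the global catalog port, with an empty search base so the search spans every domain in the forest, resolves a UPN to its distinguished name and home domain, and then lists only the universal groups among the account's memberships. It assumes the ActiveDirectory RSAT module; the GC host name and the UPN are placeholders.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory module (RSAT); host name and UPN are placeholders.
Import-Module ActiveDirectory

$GcServer = 'DC01.corp.example'            # placeholder; any DC with IsGlobalCatalog = True
$Upn      = 'jane.doe@child.corp.example'  # placeholder UPN from another domain in the forest

# Port 3268 is the LDAP global catalog port (3269 for LDAP over TLS). An empty
# SearchBase makes the query cover the whole forest rather than one domain partition.
$user = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" `
                   -Server "$($GcServer):3268" -SearchBase '' -SearchScope Subtree `
                   -Properties memberOf

if (-not $user) { throw "UPN $Upn was not found in the global catalog." }

# The DN identifies the domain whose DC must handle the actual authentication.
$domainDn = ($user.DistinguishedName -split ',(?=DC=)', 2)[1]
Write-Host "UPN         : $Upn"
Write-Host "DN          : $($user.DistinguishedName)"
Write-Host "Home domain : $domainDn"

# Universal group membership is replicated to every global catalog, so it can be
# resolved here without contacting the user's home domain.
$universal = foreach ($groupDn in $user.memberOf) {
    Get-ADGroup -Identity $groupDn -Server "$($GcServer):3268" |
        Where-Object { $_.GroupScope -eq 'Universal' }
}
Write-Host "Universal groups:"
$universal | ForEach-Object { Write-Host "  $($_.DistinguishedName)" }
```

Running the same query against port 389 of a DC in a different domain returns nothing for the UPN, which is exactly the gap the global catalog closes. Global and domain local group memberships from other domains are not held by the global catalog, which is why only the universal scope is filtered for here.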
