Although the global catalog is not one of the five FSMO roles, the services it provides are of critical importance to the functionality of the Active Directory network. The global catalog holds a subset of forest-wide Active Directory objects and acts as a central repository by holding a complete copy of all objects from the host server’s local domain along with a partial copy of all objects from other domains within the same forest, called the partial attribute set (PAS). This partial copy of forest-wide data includes a subset of each object’s attributes. The attributes included in this subset are necessary to provide functionality such as logon, object searches, and universal group memberships.
- 1 Understanding the Functions of the Global Catalog
- 2 Benefits of Universal Group Caching
Understanding the Functions of the Global Catalog
By default, the first domain controller installed in the forest root domain is designated as a global catalog server. However, any or all domain controllers in a domain can be designated as global catalog servers. As an Active Directory administrator, you need to carefully weigh the benefits of designating additional domain controllers in your environment as global catalogs against the resulting performance implications.
The global catalog has four main functions in an Active Directory environment:
1. Facilitating searches for objects in the forest:
When a user initiates a search for an object in Active Directory, the request is automatically sent to TCP port 3268, which is used by Active Directory to direct these requests to global catalog servers. One of the SRV records used by Active Directory refers to the global catalog, which listens on port 3268 to respond to these requests.
2. Resolving User Principal Names (UPNs):
UPNs allow to log on to domains across the forest using a standardized naming format that matches the format used for email addresses. When a local domain controller receives a request for logon via a UPN, it contacts a global catalog server to complete the logon process. For example, assume the user account for smith resides in the abcpublishing.com domain, and smith is currently working from the tokyo.abcpublishing.com location. Because smith travels frequently between the various corporate locations, he uses the UPN, [email protected], to log on to his network account and his email account. Upon receiving a logon attempts from smith, a local domain controller searches for a global catalog server to resolve [email protected] to a username. The global catalog server stores enough information about the user to permit or deny the logon request. For example, if a time restriction allows logons only during business hours and smith is attempting to log on after hours, the global catalog will have a copy of that information and, therefore, smith’s logon request will be denied. Because of this need to allow user authentication across domains, Active Directory must be able to contact a global catalogs to process any user logon, even in a single-domain environment.
3. Maintaining Universal Group Membership Information:
Active Directory users can be permitted or denied access to a resource based on their group memberships. This information is an important part of a user’s security token, which is used to determine which resources a user can and cannot access. Domain local and global group memberships are stored at the domain level, universal group memberships are stored in the global catalog. A universal group can contain users, groups, and computers from any domain in the forest. In addition, universal groups, through their membership in domain local groups, can receive permissions for any resource anywhere in the forest. A user who is a member of a universal group can be granted or denied permission to access resources throughout the forest. This presents another reason why a global catalog is required for a successful first-time logon to Active Directory. Without the global catalog available to query universal group memberships, a computer picture of the user’s group memberships cannot be created and the logon process would be incomplete.
4. Maintaining a Copy of all Objects in the Domain:
A domain controller that has been configured as a global catalog will contain a copy of its own domain NC, as well as a copy of the partial attribute set (PAS) of every other domain NC in the forest. Each object class has a certain list of attributes that are included in the PAS. This is defined within the Active Directory schema. You can add attributes to the PAS by modifying the attribute so that it is indexed, which means that it will be stored in the PAS and replicated to all global catalog servers in the forest.
If the user has successfully logged on in the past and you have enabled cached credentials in your environment, a user will be able to log on using a cached copy of his or her logon credentials that have been stored on his or her local workstation. Allowing these credentials to be cached on a local computer can pose a security threat for certain companies. For example, if you have a computer that is shared by multiple users with different access permissions, cached credentials could be used for an allow an unauthorized user to gain access to a resource.
For sites that do not have a global catalog server available, Windows Server 2003 and 2008 offer a feature called universal group membership caching. This stores universal group memberships on a local domain controller that can be used for logon to the domain, eliminating the need for frequent access to a global catalog server. The universal group membership caching feature allows domain controllers to process a logon or resource request without the presence of a global catalog server. For universal group membership caching to function, a user must have successfully logged on when a global catalog server was available and universal group membership caching is not available to record the user’s information into cache and the global catalog server goes offline, the logon attempt will fail.
Benefits of Universal Group Caching
Universal group membership caching is enabled on a per-site basis. The information in the cache is refreshed every elight hours, by default, using a confirmation request sent by the local domain controller to a global catalog server.
Universal group caching has the following benefits:
- It eliminates the need to place a global catalog in a remote location where the link speed is slow or unreliable.
- It provides better logon performance for users with cached information. If the global catalog is located across a WAN link, cached credentials can replace the need to have logon traffic sent across a slow or unreliable link.
It minimizes WAN usage for replication traffic because the domain controller does not have to hold information about forest-wide objects. In addition, these remote domain controllers are not listed in DNS as providers of global catalog services for the forest.