
Global Catalog

The Global Catalog is the central repository of information about objects in a tree or forest, but it holds only a limited subset of each object's attributes. The domain controller that holds a copy of the Global Catalog is the Global Catalog Server. The Global Catalog Server makes it possible to search the entire AD DS forest without referrals to the domain controller that stores the target of the search. The Global Catalog Server is also required for searching and for processing domain logons in forests where universal groups are available.

The Global Catalog Server has three functions:

Enables a user to log on to a network by providing universal group membership information
Finds directory information regardless of which DC holds the data
Resolves user principal names (UPNs)

If your forest contains only one domain, then all domain controllers have the full complement of the objects that can be searched, but if your forest contains more than one domain, the Global Catalog Server must also store and replicate the data from the other domains. When you install AD DS, the Global Catalog for the forest is created automatically on the first DC in the forest. You can add or remove a Global Catalog from a domain controller in Active Directory Sites and Services: double-click the domain controller that holds the Global Catalog, right-click NTDS Settings, and then click Properties.

One important thing: if the Global Catalog is not available when a user in a universal security group logs on, the computer uses cached credentials (added in Windows 2003) to allow access, but only if the user has successfully logged on to the domain before; otherwise the user can only log on locally, unless you have enabled the universal group membership caching feature. This is done in Active Directory Sites and Services: click the site where you want to enable the feature, then in the details pane right-click NTDS Site Settings and choose Properties.
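As an added example (not from the original post), the following PowerShell audit uses the RSAT ActiveDirectory module to list which domain controllers in the forest advertise a Global Catalog and whether a given site has universal group membership caching enabled, which is the same pair of settings the Sites and Services dialogs above control. `$SiteName` is a placeholder, and the `options` bit values are taken from the NTDS Settings and NTDS Site Settings schema definitions as noted in the comments.

```powershell
# Added example, not from the original post: audit Global Catalog placement and
# universal group membership caching with the ActiveDirectory module (RSAT).
# Assumes read access to the Configuration partition; $SiteName is a placeholder.
Import-Module ActiveDirectory

$SiteName = 'Default-First-Site-Name'   # assumption: replace with your site name

# Flag bits in the 'options' attribute (assumed from the AD schema docs):
#   NTDS Settings      0x01 = this DC hosts a Global Catalog
#   NTDS Site Settings 0x20 = universal group membership caching enabled
$IsGcBit = 0x01
$UgmcBit = 0x20

$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Every DC in the forest, with GC status checked three ways: the cmdlet
#    property, the raw options bit, and whether the GC LDAP port (3268) answers.
$report = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
        [pscustomobject]@{
            HostName        = $dc.HostName
            Domain          = $dc.Domain
            Site            = $dc.Site
            IsReadOnly      = $dc.IsReadOnly      # RODCs may host a GC too
            IsGlobalCatalog = $dc.IsGlobalCatalog
            OptionsGcBit    = (([int]$ntds.options -band $IsGcBit) -ne 0)
            Port3268Open    = Test-NetConnection -ComputerName $dc.HostName -Port 3268 -InformationLevel Quiet
        }
    }
}
$report | Sort-Object Domain, HostName | Format-Table -AutoSize

# 2. A site with no GC and caching disabled means users in universal groups who
#    have never logged on there cannot log on to the domain when the GC is unreachable.
$siteSettingsDN = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
$site = Get-ADObject -Identity $siteSettingsDN -Properties options
$cachingEnabled = (([int]$site.options -band $UgmcBit) -ne 0)
$gcInSite = @($report | Where-Object { $_.Site -eq $SiteName -and $_.IsGlobalCatalog }).Count
"Site $SiteName : GCs=$gcInSite, universal group membership caching=$cachingEnabled"

# 3. To enable caching for the site (what the Properties dialog does), set the
#    bit without disturbing the other flags. Uncomment to apply:
# Set-ADObject -Identity $siteSettingsDN -Replace @{ options = ([int]$site.options -bor $UgmcBit) }
```

Run it from a workstation with RSAT installed; the report's `IsGlobalCatalog` and `OptionsGcBit` columns should always agree, and `Port3268Open` tells you whether a newly promoted GC has actually started advertising.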


Read Only Domain Controllers and Global Catalog Servers

RODCs can be Global Catalog Servers, but some directory-enabled applications are not supported. For example, Exchange Server 2003 and 2007 ignore the RODC, but they work in environments that include RODCs as long as writable domain controllers are available.