The role of the global catalog
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The role of the global catalog
A global catalog is a domain controller that stores a copy of all Active Directory objects in a forest. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest, as shown in the following figure.
The partial copies of all domain objects included in the global catalog are those most commonly used in user search operations. These attributes are marked for inclusion in the global catalog as part of their schema definition. Storing the most commonly searched upon attributes of all domain objects in the global catalog provides users with efficient searches without affecting network performance with unnecessary referrals to domain controllers.
You can manually add or remove other object attributes to the global catalog by using the Active Directory Schema snap-in. For more information, see Customizing the global catalog.
A global catalog is created automatically on the initial domain controller in the forest. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller. For more information, see Enable or disable a global catalog.
A global catalog performs the following directory roles:
Finds objects
A global catalog enables user searches for directory information throughout all domains in a forest, regardless of where the data is stored. Searches within a forest are performed with maximum speed and minimum network traffic.
When you search for people or printers from the Start menu or choose the Entire Directory option within a query, you are searching a global catalog. Once you enter your search request, it is routed to the default global catalog port 3268 and sent to a global catalog for resolution. For more information, see Finding directory information and "Finding information in Active Directory" at the Microsoft Windows Resource Kits Web site.
Supplies user principal name authentication
A global catalog resolves user principal names (UPNs) when the authenticating domain controller does not have knowledge of the account. For example, if a user’s account is located in example1.microsoft.com and the user decides to log on with a user principal name of user1@example1.microsoft.com from a computer located in example2.microsoft.com, the domain controller in example2.microsoft.com will be unable to find the user’s account, and will then contact a global catalog to complete the logon process. For more information, see Active Directory naming.
Supplies universal group membership information in a multiple domain environment
Unlike global group memberships, which are stored in each domain, universal group memberships are only stored in a global catalog. For example, when a user who belongs to a universal group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the global catalog provides universal group membership information for the user’s account at the time the user logs on to the domain.
If a global catalog is not available when a user logs on to a domain set to the functional level of Windows 2000 native or higher, the computer will use cached credentials to log on the user if the user has logged on to the domain previously. If the user has not logged on to the domain previously, the user can only log on to the local computer. However, if a user logs on as the Administrator in the domain (Builtin Administrator account), the user can always log on to the domain, even when a global catalog is not available.
For more information about universal groups, see Group scope. For more information about universal groups and replication, see Global catalog replication and Global catalogs and sites.
Note
- When there is only one domain in a forest, it is not necessary for users to obtain universal group memberships from a global catalog when logging on. This is because Active Directory can detect that there are no other domains in the forest and will prevent a query to the global catalog for this information.
Validates object references within a forest
A global catalog is used by domain controllers to validate references to objects of other domains in the forest. When a domain controller holds a directory object with an attribute containing a reference to an object in another domain, this reference is validated using a global catalog.