Active Directory

Global Catalog

The global catalog (GC) is a role held by domain controllers in an Active Directory forest. A global catalog server stores a full copy of all objects in the directory for its own domain and a partial copy of all objects for every other domain in the forest. 'Partial copy' refers to the set of attributes that are most commonly used when searching for objects in any domain. Any domain controller can be promoted to a GC, and nowadays new domain controllers are routinely promoted as global catalog servers.

Global Catalog functionality

  • AD object search.
  • Verifying universal group membership.
  • Authentication through a user principal name (UPN).
  • Exchange address book search.
  • Checking references to objects within the forest.

The replicas that are replicated to the global catalog also include the access permissions for each object and attribute.

If you are searching for an object that you do not have permission to access, you do not see the object in the list of search results. Users can find only objects to which they are allowed access. Global catalog server clients depend on DNS to provide the IP address of global catalog servers. DNS is required to advertise global catalog servers for domain controller location.

By default, the first DC in a forest is a global catalog server, and when you promote an additional server the promotion wizard offers the option to make it a GC. See the screenshot below for reference.

[Screenshot: GC selection during server promotion]

How to Enable/Disable the Global Catalog Role on a Domain Controller?

We can enable the Global Catalog role on a domain controller in two ways:

  • Using the graphical Active Directory Sites and Services console.
  • Using PowerShell.

Run the MMC snap-in "Active Directory Sites and Services" (Start > Windows Administrative Tools, or run the dssite.msc command).

[Screenshot: Active Directory Sites and Services]

Expand the Sites section and find the AD site that contains your domain controller.

[Screenshot: Sites expanded]

Expand it, right-click on NTDS Settings and then select Properties.

[Screenshot: NTDS Settings Properties, Global Catalog checkbox]

Set the Global Catalog checkbox on the General tab to enable the GC role or uncheck it to disable it. Click OK to save your changes.

Once the promotion to a GC server starts, an event with Event ID 1110 should appear in the Directory Service log in Event Viewer:

[Screenshot: Event ID 1110 in the Directory Service log]

Once the global catalog server has been built, the earlier message clears and Event ID 1119 is registered.

[Screenshot: Event ID 1119 in the Directory Service log]

At this point, the value of the Global Catalog Promotion Complete setting under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry key should be 1.

[Screenshot: Global Catalog Promotion Complete registry value]

You can enable the Global Catalog role on a DC using the PowerShell command:

Set-ADObject -Identity (Get-ADDomainController DC12-Win2019).NTDSSettingsObjectDN -Replace @{options='1'}

[Screenshot: GC status after enabling]

To disable the GC role, use the command:

Set-ADObject -Identity (Get-ADDomainController DC12-Win2019).NTDSSettingsObjectDN -Replace @{options='0'}

[Screenshot: GC status after disabling]

Note – Each Active Directory domain must have at least one DC with the Global Catalog role. Therefore, you won’t be able to disable the GC option if it’s the only domain controller with this role.
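The two Set-ADObject commands above overwrite the whole options attribute with 0 or 1. Because options is a bitmask in which the GC role is bit 0 (value 1), a safer script flips only that bit and refuses to remove the last GC in the domain, which is the rule the note describes. This is an added example, not part of the original post; the server name is a placeholder for your own DC.

```powershell
# Added example (not from the original post): toggle the GC role by changing only
# bit 0 (value 1) of the NTDS Settings 'options' attribute, so other bits already
# set on the object are preserved, and refuse to disable the last GC in the domain.
Import-Module ActiveDirectory

function Set-GlobalCatalogRole {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][bool]$Enable
    )
    $IsGcBit  = 1
    $dc       = Get-ADDomainController -Identity $DomainController
    $ntdsDn   = $dc.NTDSSettingsObjectDN
    $settings = Get-ADObject -Identity $ntdsDn -Properties options
    $current  = [int]($settings.options)   # [int]$null is 0 when the attribute is unset

    if (-not $Enable) {
        # Same guard the GUI enforces: a domain needs at least one GC
        $otherGcs = Get-ADDomainController -Filter * -Server $dc.Domain |
                    Where-Object { $_.IsGlobalCatalog -and $_.HostName -ne $dc.HostName }
        if (-not $otherGcs) {
            throw "$($dc.HostName) is the only GC in $($dc.Domain); refusing to disable."
        }
    }

    $new = if ($Enable) { $current -bor $IsGcBit } else { $current -band (-bnot $IsGcBit) }
    if ($new -eq $current) {
        Write-Host "No change: GC bit is already $(if ($Enable) {'set'} else {'clear'}) on $($dc.HostName)"
        return
    }
    Set-ADObject -Identity $ntdsDn -Replace @{ options = $new }
    Write-Host "options on $($dc.HostName): $current -> $new"
}

# Placeholder DC name; enable the role, then read back the computed flag
Set-GlobalCatalogRole -DomainController 'DC12-Win2019' -Enable $true
(Get-ADDomainController -Identity 'DC12-Win2019').IsGlobalCatalog
```

The flag flips immediately, but the server only answers GC queries once the partial replicas have replicated in, which is what Event ID 1119 and the isGlobalCatalogReady check below confirm.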

After enabling the Global Catalog role on a DC, you can check its readiness with the ldp.exe utility. Run the tool, select Connection > Connect, specify the DC name and 389 as the connection port, and click OK.

[Screenshot: Global Catalog status in ldp.exe]

Verify that the rootDSE output in the LDP window shows isGlobalCatalogReady: TRUE. This means that your GC is ready.

Also, you can check GC readiness from the command prompt:

nltest /server:DC12-Win2019 /dsgetdc:Windowstechno.local

Check for the GC value in the Flags field of the output.

[Screenshot: nltest output showing the GC flag]
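The ldp.exe and nltest checks above verify one DC at a time. The following added example (not from the original post) automates the same readiness check for every DC in the forest: it reads isGlobalCatalogReady from rootDSE over port 389, exactly as ldp.exe displays it, and confirms that DCs flagged as GC actually answer on the GC port 3268. It assumes the ActiveDirectory module and Test-NetConnection are available on the machine running it.

```powershell
# Added example (not from the original post): forest-wide GC readiness report.
# GCFlagSet  = the options bit read by Get-ADDomainController
# GCReady    = isGlobalCatalogReady from rootDSE (what ldp.exe shows over port 389)
# Port3268   = the GC LDAP port is actually listening
# Consistent = the three agree; a FALSE here is the row to investigate
Import-Module ActiveDirectory

function Test-GlobalCatalogReadiness {
    param([string]$Forest = (Get-ADForest).Name)

    foreach ($domain in (Get-ADForest -Identity $Forest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            $ready = $null; $port3268 = $false
            try {
                $rootDse = [ADSI]"LDAP://$($dc.HostName)/RootDSE"
                $ready   = ([string]$rootDse.isGlobalCatalogReady) -eq 'TRUE'
            } catch {
                $ready = $null   # DC unreachable or LDAP bind refused
            }
            if ($dc.IsGlobalCatalog) {
                $port3268 = (Test-NetConnection -ComputerName $dc.HostName -Port 3268 `
                             -WarningAction SilentlyContinue).TcpTestSucceeded
            }
            [pscustomobject]@{
                Domain       = $domain
                DC           = $dc.HostName
                Site         = $dc.Site
                GCFlagSet    = $dc.IsGlobalCatalog
                GCReady      = $ready
                Port3268Open = $port3268
                Consistent   = ($dc.IsGlobalCatalog -eq $ready) -and
                               (-not $dc.IsGlobalCatalog -or $port3268)
            }
        }
    }
}

Test-GlobalCatalogReadiness | Format-Table -AutoSize
```

A DC with GCFlagSet TRUE but GCReady FALSE is one whose promotion has not finished replicating; a GCReady TRUE DC with port 3268 closed points at a firewall between you and the server.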

Planning Global Catalog Server Placement

Global catalog placement requires planning unless you have a single-domain forest. In a single-domain forest, configure all domain controllers as global catalog servers. Because every domain controller already stores the only domain directory partition in the forest, configuring each domain controller as a global catalog server doesn't require any additional disk space, CPU usage, or replication traffic. In a single-domain forest, all domain controllers act as virtual global catalog servers; that is, they can all respond to any authentication or service request.

This special condition for single-domain forests is by design. Authentication requests don’t require contacting a global catalog server as they do when there are multiple domains, and a user can be a member of a universal group that exists in a different domain. However, only domain controllers that are designated as global catalog servers can respond to global catalog queries on the global catalog port 3268. To simplify administration in this scenario and to ensure consistent responses, designating all domain controllers as global catalog servers eliminates the concern about which domain controllers can respond to global catalog queries. Specifically, any time a user uses Start\Search\For People or Find Printers or expands Universal Groups, these requests go only to the global catalog.

In most cases, it’s recommended that you include the global catalog when you install new domain controllers. The following exceptions apply:

  • Limited bandwidth: In remote sites, if the wide area network (WAN) link between the remote site and the hub site is limited, you can use universal group membership caching in the remote site to accommodate the logon needs of users in the site.
  • Infrastructure operations master role incompatibility: Don’t place the global catalog on a domain controller that hosts the infrastructure operations master role in the domain unless all domain controllers in the domain are global catalog servers or the forest has only one domain.

Adding global catalog servers based on application requirements

Certain applications, such as Microsoft Exchange, Message Queuing (also known as MSMQ), and applications using DCOM don't deliver adequate response over latent WAN links and therefore need a highly available global catalog infrastructure to provide low query latency. Determine whether any applications that perform poorly over a slow WAN link are running at your locations, and whether any location requires Microsoft Exchange Server. If a location includes applications that don't deliver adequate response over a WAN link, you must place a global catalog server at that location to reduce query latency.

Read-only domain controllers (RODCs) can be promoted successfully to global catalog server status. However, certain directory-enabled applications cannot support an RODC as a global catalog server. For example, no version of Microsoft Exchange Server uses RODCs. However, Microsoft Exchange Server works in environments that include RODCs, as long as there are writable domain controllers available. Exchange Server 2007 effectively ignores RODCs. Exchange Server 2003 also ignores RODCs in default conditions where Exchange components automatically detect available domain controllers. No changes were made to Exchange Server 2003 to make it aware of read-only directory servers. Therefore, trying to force Exchange Server 2003 services and management tools to use RODCs may result in unpredictable behavior.
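The Infrastructure Master exception from the list above is easy to break over time as DCs are added and promoted. The following added example (not from the original post) audits every domain in the forest against that rule: it flags a domain whose Infrastructure Master is a GC while some other DC in the same domain is not, and treats a single-domain forest as exempt, as the text states. It assumes the ActiveDirectory module is available.

```powershell
# Added example (not from the original post): audit Infrastructure Master vs GC
# placement per domain. Conflict = IM holds the GC role AND not every DC in the
# domain is a GC AND the forest has more than one domain.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    $forest             = Get-ADForest
    $singleDomainForest = ($forest.Domains.Count -eq 1)

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = Get-ADDomainController -Filter * -Server $domainName
        $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        # InfrastructureMaster is the holder's FQDN, which matches HostName
        $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $imIsGc = [bool]($im.IsGlobalCatalog)

        $conflict = $imIsGc -and (-not $allGc) -and (-not $singleDomainForest)
        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $domain.InfrastructureMaster
            IMIsGC               = $imIsGc
            AllDCsAreGC          = $allGc
            SingleDomainForest   = $singleDomainForest
            Conflict             = $conflict
            Recommendation       = if ($conflict) {
                'Move the Infrastructure Master to a non-GC DC, or make every DC in the domain a GC'
            } else { 'OK' }
        }
    }
}

Test-InfrastructureMasterPlacement | Format-List
```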

Adding global catalog servers for a large number of users

Place global catalog servers at all locations that contain more than 100 users to reduce congestion of network WAN links and to prevent productivity loss in case of WAN link failure.

Using highly available bandwidth

You don't need to place a global catalog at a location that has no applications requiring a global catalog server, has fewer than 100 users, and is connected to another location that has a global catalog server by a WAN link that is 100 percent available for Active Directory Domain Services (AD DS). In this case, the users can access the global catalog server over the WAN link.

Roaming users need to contact the global catalog servers whenever they log on for the first time at any location. If the logon time over the WAN link is unacceptable, place a global catalog at a location that is visited by a large number of roaming users.

Enabling universal group membership caching

For locations that have fewer than 100 users and that don't have a large number of roaming users or applications that require a global catalog server, you can deploy domain controllers running Windows Server 2008 or later and enable universal group membership caching. Ensure that the global catalog servers aren't more than one replication hop from the domain controller on which universal group membership caching is enabled, so that the universal group information in the cache can be refreshed.

For a worksheet to assist you in documenting where you plan to place global catalog servers and domain controllers with universal group caching enabled.

Frequently Asked Questions

Can the Global Catalog role be enabled on any domain controller?

Absolutely! The Global Catalog role can be enabled on any domain controller. The process can be carried out using the Active Directory Sites and Services MMC console, PowerShell commands, or the dsmod.exe tool. However, remember to consider the Infrastructure Master FSMO role when choosing your Global Catalog servers.

What is the connection between the Global Catalog role and the Exchange Server?

The Global Catalog plays a key role in supporting Exchange Server functionalities. When users attempt to find a person within the organization in Outlook, the Exchange Server utilizes Active Directory and DNS to locate Global Catalog servers. Without a functioning GC, the Exchange Server can’t send and receive emails.

Why should I be concerned about the placement of Global Catalog servers?

Optimal placement of Global Catalog servers improves load balancing and ensures resilience in your network. Placing GC servers intelligently, especially in a multi-site environment, can optimize network traffic, reduce service delays, and provide quicker responses to search queries and logons.

Wrapping up

Understanding the function of the Global Catalog (GC) in an Active Directory environment is crucial for proficient network administration. It supports Active Directory object searches throughout the forest and is essential for group membership verification, user authentication, and even Exchange Server support.

Although the GC role can be assigned to any domain controller, it's important to set up these servers appropriately for better load balancing, improved network traffic management, and quicker response times. Remember that the robustness and general performance of your network depend heavily on a properly configured Global Catalog.

So, that's all in this blog. I will meet you soon with the next post. Have a nice day!!!

Guys, please don't forget to like and share the post. Also join our WindowsTechno Community, where you can post your queries and doubts and our experts will address them.

You can also share your feedback at the WindowsTechno email address below.

If you have any questions, feel free to contact us at admin@windowstechno.com, and follow us on facebook@windowstechno to get updates about new blog posts.


Vipan Kumar

He is an Active Directory Engineer who has been working in the IT industry for more than 10 years. He is a dedicated and enthusiastic information technology expert who is always ready to resolve any technical problem. If you need any further help on these subjects, feel free to contact us at admin@windowstechno.com. Please subscribe to our Facebook page as well as the website for the latest articles: https://www.facebook.com/windowstechno
