Platform SDK: Active Directory, ADSI, and Directory Services

Binding to the Global Catalog

The global catalog is a namespace that contains directory information from all domains in a forest. The global catalog contains a partial replica of every domain directory. It contains an entry for every object in the enterprise forest, but does not contain all the properties of each object. Instead, it contains only the properties that are specified for inclusion in the global catalog.

The global catalog is kept on specific servers throughout the enterprise. Only domain controllers can serve as global catalog servers. Administrators indicate whether a given domain controller will hold a global catalog by using the Active Directory Sites and Services Manager.

When you bind to the global catalog with ADSI, use the GC: moniker.

There are two ways to bind to the global catalog:

Bind to the enterprise root object to search across all domains in the forest.
Bind to a specific object to search that object and its children. For example, if you bind to a domain that has two domains beneath it in a domain tree in the forest, you can search across those three domains. Note that the distinguished name for the object you want to bind to is exactly the same as the distinguished name used to bind to the LDAP: namespace. Recall that LDAP: is a full replica of a single domain and that GC: is a partial replica of all domains in the forest.

As with the LDAP: moniker, you can use serverless binding (recommended) or bind to a specific global catalog server.

To search the entire forest

Bind to the root of the GC namespace (GC:).
Enumerate the GC container. The GC container contains a single object that you can use to search the entire forest.
Use the object in the container to perform the search. In C/C++, call QueryInterfaceto get an IDirectorySearch pointer on the object so that you can use the IDirectorySearch interface to perform the search. In Visual Basic, use the object returned from the enumeration in your ADO query.

To enumerate the global catalog servers in a site, perform an LDAP subtree search of cn=<yoursite>,cn=sites,<DN of the configurationNamingContext>, using the following filter string:

(&(objectCategory=ntdsDsa)(options:1.2.840.113556.1.4.803:=1))

This filter uses the OID for the LDAP_MATCHING_RULE_BIT_AND operator (1.2.840.113556.1.4.803) to find ntdsDsa objects that have the low-order bit set in the bitmask of the options attribute. The low-order bit, which corresponds to the NTDSDSA_OPT_IS_GC constant defined in ntdsapi.h, identifies the ntdsDsa object of a global catalog server.

The parent of the ntdsDsa object is the server object, and the dNSHostName property of the server object is the DNS name of the global catalog server.

Note that you cannot use #define constants such as NTDSDSA_OPT_IS_GC and LDAP_MATCHING_RULE_BIT_AND directly in a search filter string. However, you could use these constants as arguments to a function such as wsprintf to insert the constant values into a filter string.