Active Directory Logical Structure


Global Catalog Servers

Every domain controller in a forest stores three full, writable directory partitions: a domain directory partition, a schema directory partition, and a configuration directory partition. A Global Catalog is a domain controller that stores these writable directory partitions, as well as a partial, read-only copy of all other domain directory partitions in the forest. The additional directory partitions are "partial" because, although they collectively contain every object in the directory, only a limited set of specific attributes are included for each object. The Global Catalog is built automatically by the Active Directory replication system.

All of the directory partitions on a Global Catalog server, whether full or partial partitions, are stored in a single directory database (Ntds.dit) on that server. There is no separate storage area for Global Catalog attributes; they are treated as additional information in the domain controller directory database.

When a new domain is added to the forest, the information about the new domain is stored in the configuration directory partition, which reaches the Global Catalog server (and all domain controllers) through replication of forest-wide information. When a new Global Catalog server is designated, this information is also stored in the configuration directory partition and replicated to all domain controllers in the forest.

Global Catalog Attributes

In its role as a domain controller, a Global Catalog server stores one domain directory partition that has writable objects with a full complement of writable attributes. The objects in all other domain directory partitions in the forest are stored on a Global Catalog server as read-only objects with a partial set of attributes. An attribute is marked as being replicated to the Global Catalog as part of its schema definition. In the Active Directory Schema console in MMC, you can use the Replicate this attribute to the Global Catalog check box to designate an attributeSchema object as a member of the attribute set that is replicated to the Global Catalog servers. If this check box is selected, the value in the attribute isMemberOfPartialAttributeSet on the attributeSchema object is set to TRUE, and the attribute is replicated to the Global Catalog as part of normal Active Directory replication. The replication topology for the Global Catalog is generated automatically by the Knowledge Consistency Checker (also known as the "KCC"), a built-in process that implements a replication topology that is guaranteed to deliver the contents of every directory partition to every Global Catalog server. The attributes replicated into the Global Catalog include a base set defined by Microsoft. Administrators can use the Active Directory Schema console to specify additional attributes to meet the needs of their installation.
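The attribute set described above can be audited directly from the schema partition. The following PowerShell is an added example, not code from the Microsoft documentation; it assumes the ActiveDirectory module (RSAT), which postdates Windows 2000, and a session that can read the forest's schema partition. The isMemberOfPartialAttributeSet attribute is the one named in the text; the searchFlags confidential bit (0x80) is a later addition to Active Directory and is not mentioned on this page.

```powershell
# Added example, not part of the Microsoft documentation above. Assumes the
# ActiveDirectory PowerShell module (RSAT), which postdates Windows 2000, and a
# session that can read the forest's schema partition.
Import-Module ActiveDirectory

function Get-PartialAttributeSet {
    # isMemberOfPartialAttributeSet=TRUE is what the "Replicate this attribute
    # to the Global Catalog" check box sets, so this query lists exactly the
    # attributes whose values every Global Catalog server in the forest holds.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName, attributeID, searchFlags |
        ForEach-Object {
            [pscustomobject]@{
                Name = $_.lDAPDisplayName
                OID  = $_.attributeID
                # searchFlags bit 0x80 marks a confidential attribute (Windows
                # Server 2003 SP1 and later): readable only with an extra right,
                # but still replicated to every GC when it is in the partial set.
                Confidential = ([int]$_.searchFlags -band 0x80) -ne 0
            }
        } | Sort-Object Name
}

function Test-GlobalCatalogExposure {
    param([Parameter(Mandatory)][string[]]$AttributeName)
    # For each attribute asked about, report whether its values leave the home
    # domain's DCs and are stored on every GC in the forest. The list in the
    # usage line below is a constructed example.
    $pas = (Get-PartialAttributeSet).Name
    foreach ($name in $AttributeName) {
        [pscustomobject]@{
            Attribute       = $name
            InGlobalCatalog = ($pas -contains $name)
        }
    }
}

# Usage: does each of these attributes replicate to every Global Catalog in the forest?
Test-GlobalCatalogExposure -AttributeName 'employeeID','telephoneNumber','extensionAttribute1','description'
```

Running this after a schema extension (or after someone has ticked the check box) shows whether data that was meant to stay on one domain's controllers now has a copy on every Global Catalog server, which is the question a reviewer of an attribute's replication footprint actually needs answered.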

For information about adding an attribute to the Global Catalog attribute set, see Windows 2000 Server Help and "Active Directory Schema" in this book. For information about the Knowledge Consistency Checker and replication, see "Active Directory Replication" in this book.

Designating a Global Catalog

The first domain controller in a forest is automatically designated as a Global Catalog. Thereafter, a domain controller can be designated as a Global Catalog in the NTDS Settings Properties dialog box in Active Directory Sites and Services. The NTDS Settings object is a child of the server object, which is a child of the site object in the Sites container. When you select the Global Catalog Server check box, the domain controller is added to the Global Catalog replication topology and populated by means of the normal replication process. When you change an attribute that is flagged as belonging in the Global Catalog in any domain, it is replicated to all Global Catalog servers.

The NTDS Settings object has the multivalue attribute hasMasterNCs, which identifies the directory partitions that the domain controller stores. ("NC" stands for "naming context," which is a synonym for "directory partition.") For every domain controller, there are exactly three "master" (full and writable) directory partitions: the domain directory partition, the schema directory partition, and the configuration directory partition. The NTDS Settings object also has the multivalue attribute hasPartialReplicationNCs. If the domain controller is a Global Catalog server, this attribute has a value for each domain directory partition in the forest, and it receives attribute changes through replication with each respective domain directory partition in the forest.

Because the NTDS Settings object is stored in the configuration directory partition, which is replicated to all domain controllers in the forest, all domain controllers have the information about which servers are Global Catalog servers.
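Because the NTDS Settings objects are in the configuration partition, a single domain controller can list every Global Catalog in the forest. The following PowerShell is an added example, not code from the Microsoft documentation; it assumes the ActiveDirectory module (RSAT), which postdates Windows 2000. The hasMasterNCs and hasPartialReplicationNCs attributes are the ones described above; the options attribute bit it also reads (NTDSDSA_OPT_IS_GC, bit 0) is the flag behind the Global Catalog Server check box and is not mentioned on this page.

```powershell
# Added example, not part of the Microsoft documentation above. Assumes the
# ActiveDirectory PowerShell module (RSAT), which postdates Windows 2000.
Import-Module ActiveDirectory

function Get-GlobalCatalogInventory {
    # NTDS Settings objects (class nTDSDSA) live under CN=Sites in the
    # configuration partition, which every DC replicates, so any one DC can
    # answer this for the whole forest.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' `
        -Properties hasMasterNCs, hasPartialReplicationNCs, options |
        ForEach-Object {
            # DN layout: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
            $rdn = $_.DistinguishedName -split ','
            [pscustomobject]@{
                Server            = $rdn[1] -replace '^CN='
                Site              = $rdn[3] -replace '^CN='
                # Bit 0 of options is NTDSDSA_OPT_IS_GC, the bit the
                # "Global Catalog Server" check box sets.
                IsGlobalCatalog   = ([int]$_.options -band 1) -ne 0
                # Every DC holds exactly three master (full, writable) partitions.
                MasterPartitions  = @($_.hasMasterNCs | Where-Object { $_ }).Count
                # Populated only on a GC: one value per replicated domain partition.
                PartialPartitions = @($_.hasPartialReplicationNCs | Where-Object { $_ })
            }
        }
}

function Test-GlobalCatalogConsistency {
    # Two things worth flagging: a DC whose GC flag and partial-partition list
    # disagree (the role change is still replicating, or the NTDS Settings
    # object was edited directly), and a site with no Global Catalog at all.
    $inventory = Get-GlobalCatalogInventory
    $domains   = @((Get-ADForest).Domains).Count

    foreach ($dc in $inventory) {
        $partial = $dc.PartialPartitions.Count
        if ($dc.IsGlobalCatalog -and $domains -gt 1 -and $partial -eq 0) {
            "$($dc.Server): GC flag set but no partial replicas yet (still replicating?)"
        }
        if (-not $dc.IsGlobalCatalog -and $partial -gt 0) {
            "$($dc.Server): not flagged as GC but holds $partial partial replica(s)"
        }
    }
    $inventory | Group-Object Site |
        Where-Object { -not ($_.Group.IsGlobalCatalog -contains $true) } |
        ForEach-Object { "Site $($_.Name) has no Global Catalog server" }
}

# Usage
Get-GlobalCatalogInventory | Format-Table Server, Site, IsGlobalCatalog, MasterPartitions
Test-GlobalCatalogConsistency
```

The second function is the check to run after designating or removing a Global Catalog: the check box sets the flag immediately, but the partial partitions arrive only through replication, so a gap between the two is expected for a while and a lasting one is worth investigating.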

For more information about designating a Global Catalog server, see Windows 2000 Server Help.

Global Catalog and Domain Logon Support

In a native-mode domain, a Global Catalog server is a requirement for logging on to the domain. For this reason, it is advisable to have at least one Global Catalog server in a site. If a Global Catalog is not available in a site and there is another Global Catalog server in a remote site, the server in the remote site can be used for the logon process. If no Global Catalog is available in any site, the logon process proceeds with cached logon information.


Note

A member of the Domain Admins group can complete the logon process (not cached) even when a Global Catalog server is not available.

Universal Group Membership

The reason that a Global Catalog must be available for the domain logon process is that the membership for universal groups is not stored on all domain controllers. Because the membership of all universal groups is replicated to Global Catalog servers, the complete universal group membership of a user can be determined by querying a Global Catalog server.


Note

Universal groups are available only when a domain is in native mode.

During the logon process, a security token that contains the groups to which the user belongs is associated with the user. Because universal group membership is stored only on Global Catalog servers, only these servers can identify a user as having membership in a specific universal group. If a universal group is present as an access control entry in an access control list on a specific directory object, the access token associated with the user during the logon session must contain that group in order for the Allow or Deny access permission to be applied to the user. Otherwise, a user could be granted access (on the basis of another group membership) to an object to which that user is specifically denied access as a member of the universal group. Similarly, this user would not be able to gain access to resources to which he or she has legitimate access as a member of the universal group.


Note

Deny access permission is processed before Allow access permission. Therefore, if you are denied access to an object by virtue of membership in one group and allowed access by virtue of membership in another group, the Deny access takes precedence over the Allow access.

User Principal Name and Global Catalog Logon Support

User principal names are user names that can be used when a user is logging on to a Windows 2000 domain. A user can also provide a SAM account name (<DomainName\UserName>). In the Windows 2000 logon screen, you can type your user name and select the domain name from the list, or you can use the user principal name. If you use the user principal name, when you type the "at" sign (@), the domain list is unavailable; Windows 2000 takes the domain name from the user principal name suffix.

The user principal name format (<UserName>@<DNSDomainName>) is resolved by the Global Catalog server. If a company has more than one forest and uses trust relationships between the domains in the different forests, a user principal name cannot be used to log on to a domain that is outside the forest because the user principal name is resolved in the Global Catalog of the forest. For information about Global Catalog placement to facilitate logging on to domains, see "Designing the Active Directory Structure" in the Deployment Planning Guide.

Search Requests and the Global Catalog

Because the Global Catalog stores every object in the forest, it can be used to locate objects in any domain without a referral to a different server. When a search request is sent to port 389 (the default LDAP port), the search is conducted on a single directory partition. If the object is not found in that directory partition (and is not in the schema or configuration directory partitions), the request is referred to a domain controller in a different domain that is assumed to contain the requested object, on the basis of the distinguished name that is presented in the search request.

When a search request is sent to port 3268 (the default Global Catalog port), the search includes all directory partitions in the forest — that is, the search is processed by a Global Catalog server. If the request specifies attributes that are part of the Global Catalog attribute set, the Global Catalog can return results for objects in any domain without generating a referral to a domain controller in a different domain.
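The difference between the two ports, and the way a user principal name is resolved through the Global Catalog, can be observed by sending the same query to port 389 and port 3268 of one server. The following PowerShell is an added example, not code from the Microsoft documentation; it assumes the ActiveDirectory module (RSAT), which postdates Windows 2000, and the server and user names in the usage line are placeholders. The LDAP filter escaping helper is not something the page describes; it is included because the value being looked up comes from outside.

```powershell
# Added example, not part of the Microsoft documentation above. Assumes the
# ActiveDirectory PowerShell module (RSAT), which postdates Windows 2000. The
# server and user names in the usage line are placeholders.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape the RFC 4515 filter metacharacters so a supplied UPN cannot change
    # the shape of the filter it is embedded in.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            '\'     { [void]$sb.Append('\5c') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Compare-PortView {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$GlobalCatalogServer
    )
    $filter = "(userPrincipalName=$(ConvertTo-LdapFilterValue $UserPrincipalName))"

    # Port 389 on the server: the search covers only that server's own domain
    # partition. A user from another domain is not found here; a plain LDAP
    # client would receive a referral instead of the object.
    $on389  = @(Get-ADUser -LDAPFilter $filter -Server "${GlobalCatalogServer}:389"  -Properties * -ErrorAction SilentlyContinue)

    # Port 3268: the Global Catalog view. Every domain partition in the forest
    # is searched, but objects outside the server's own domain come back with
    # only the partial attribute set.
    $on3268 = @(Get-ADUser -LDAPFilter $filter -Server "${GlobalCatalogServer}:3268" -Properties * -ErrorAction SilentlyContinue)

    $onlyOn389 = @()
    if ($on389.Count -gt 0 -and $on3268.Count -gt 0) {
        # Attributes the domain copy has that the GC copy lacks are, by
        # definition, outside the partial attribute set.
        $onlyOn389 = Compare-Object @($on389[0].PropertyNames) @($on3268[0].PropertyNames) |
            Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject
    }

    [pscustomobject]@{
        UserPrincipalName  = $UserPrincipalName
        FoundOn389         = $on389.Count  -gt 0
        FoundOn3268        = $on3268.Count -gt 0
        DomainOfObject     = if ($on3268.Count -gt 0) { $on3268[0].DistinguishedName -replace '^.*?,DC=', 'DC=' } else { $null }
        AttributesOn389    = if ($on389.Count  -gt 0) { @($on389[0].PropertyNames).Count }  else { 0 }
        AttributesOn3268   = if ($on3268.Count -gt 0) { @($on3268[0].PropertyNames).Count } else { 0 }
        NotInGlobalCatalog = $onlyOn389 -join ', '
    }
}

# Usage (placeholder names). The UPN is resolved the same way the logon
# process resolves it: forest-wide, through the Global Catalog port.
Compare-PortView -UserPrincipalName 'someone@child.example.test' -GlobalCatalogServer 'gc01.example.test'
```

For a user in the server's own domain both lookups succeed and NotInGlobalCatalog lists the attributes that stop at the domain's controllers; for a user in another domain only the port 3268 lookup succeeds, which is exactly why a Global Catalog must be reachable for a user principal name to be resolved at logon.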

For more information about LDAP search referrals and Global Catalog searches, see "Name Resolution in Active Directory" in this book.

© 1985-2000 Microsoft Corporation. All rights reserved.