In a multiple-domain, multiple-site design, user logon and forest-wide searches require that more than one domain be contacted: to locate user accounts, and to determine membership in universal groups (which can contain accounts from any domain in the forest, so no single domain partition holds the full membership). To keep these operations fast, use the following features:

Feature: Global Catalog

The Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest; each object carries only the subset of attributes defined in the partial attribute set (PAS). A server that holds a copy of the Global Catalog is a global catalog server.
  • By default, only the first domain controller installed in a forest is a global catalog server. Newer promotion tools (the Active Directory Domain Services Configuration Wizard and Install-ADDSDomainController) pre-select the global catalog option for every new domain controller, but the option can be cleared, so do not assume that every domain controller is a GC.
  • The Global Catalog makes forest-wide searches faster because the query is answered from one server's partial replica instead of being referred to domain controllers in other domains.
  • The Global Catalog is distributed through multimaster replication. Each global catalog server holds a writable replica of its own domain partition and read-only partial replicas of every other domain partition in the forest.

To designate a server as a global catalog server, use one of the following:

  • In Active Directory Users and Computers, open the properties of the domain controller's computer account (in the Domain Controllers OU). On the General tab, click the NTDS Settings... button, then select the Global Catalog check box.
  • In Active Directory Sites and Services, expand the site and the server, open the properties of the NTDS Settings object beneath the server object, and select the Global Catalog check box.

Promoting a domain controller to be a global catalog server commonly takes a significant amount of time, because the partial replicas of every other domain partition must replicate to it before it can answer global catalog queries. Allow enough time for the account and schema information to replicate to the new global catalog server before relying on it. The server advertises itself as a GC only when that replication completes: the rootDSE attribute isGlobalCatalogReady changes to TRUE, the Directory Service event log records event ID 1119, and repadmin /options <server> lists IS_GC.
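The same designation done from PowerShell, as an added example that is not part of the original page: it sets the bit behind the Global Catalog check box on the NTDS Settings object and then polls rootDSE until the server advertises as a GC. The server name is an assumption; the cmdlets are from the ActiveDirectory module.

```powershell
# Added example, not from the original page: designate a DC as a global catalog
# server by setting the IS_GC bit on its NTDS Settings object, then poll rootDSE
# until it advertises. The server name used below is an assumption.
Import-Module ActiveDirectory

function Enable-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DomainController)

    $dc = Get-ADDomainController -Identity $DomainController
    if ($dc.IsGlobalCatalog) {
        Write-Verbose "$DomainController is already a global catalog server"
        return
    }
    # 'options' on the NTDS Settings object is a bit field; bit 0x1
    # (NTDSDSA_OPT_IS_GC) is what the Global Catalog check box toggles.
    # OR the bit in so that any other option bits already set are preserved.
    $ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int]$ntds.options
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($current -bor 0x1) }
}

function Test-GlobalCatalogReady {
    param([Parameter(Mandatory)][string]$DomainController)
    # rootDSE.isGlobalCatalogReady stays FALSE until the partial replicas of
    # every other domain partition have finished replicating to this server.
    $rootDse = Get-ADRootDSE -Server $DomainController -Properties isGlobalCatalogReady
    return ($rootDse.isGlobalCatalogReady -eq 'TRUE')
}

function Wait-GlobalCatalogReady {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$TimeoutMinutes = 120     # large forests take hours; adjust to fit
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while (-not (Test-GlobalCatalogReady -DomainController $DomainController)) {
        if ((Get-Date) -gt $deadline) {
            throw "$DomainController has not advertised as a global catalog after $TimeoutMinutes minutes"
        }
        Start-Sleep -Seconds 60
    }
    # Cross-check: a GC listens on TCP 3268; a non-GC domain controller does not.
    return (Test-NetConnection -ComputerName $DomainController -Port 3268).TcpTestSucceeded
}

# Usage (assumed server name):
Enable-GlobalCatalog -DomainController 'DC02.corp.example.com'
Wait-GlobalCatalogReady -DomainController 'DC02.corp.example.com'
```

Writing the options attribute requires the same rights as the check box (membership in Domain Admins or Enterprise Admins, or delegated write access to the NTDS Settings object); the script deliberately ORs the bit in rather than assigning 1, so other NTDS options already set on the server are not cleared.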

To add an attribute to the Global Catalog (that is, to the partial attribute set) for the whole forest, use the Active Directory Schema snap-in to:

  1. Extend the Active Directory Schema, if the attribute does not already exist. Schema changes are forest-wide and cannot be undone (an attribute can only be deactivated, never deleted), so test them in a lab forest first.
  2. Edit the attribute's properties and select the Replicate this attribute to the Global Catalog check box. This sets the attribute's isMemberOfPartialAttributeSet value to TRUE. You must be a member of Schema Admins, and the change is written on the schema master.
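The second step done from PowerShell instead of the snap-in, as an added example that is not part of the original page. It locates the attributeSchema object on the schema master, sets isMemberOfPartialAttributeSet, and forces a schema cache reload. The attribute name employeeNumber is an assumption chosen for illustration.

```powershell
# Added example, not from the original page: add an existing schema attribute
# to the partial attribute set (what the snap-in's "Replicate this attribute to
# the Global Catalog" check box does). The attribute name below is an assumption.
Import-Module ActiveDirectory

function Add-AttributeToGlobalCatalog {
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    # Schema writes are only accepted by the schema master, and only from a
    # member of Schema Admins, so target that role holder explicitly.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, isMemberOfPartialAttributeSet
    if (-not $attr) {
        throw "No attributeSchema object with lDAPDisplayName '$LdapDisplayName' (extend the schema first)"
    }
    if ($attr.isMemberOfPartialAttributeSet) {
        Write-Verbose "$LdapDisplayName is already in the partial attribute set"
        return $attr
    }

    # Setting isMemberOfPartialAttributeSet to TRUE is the whole change; every
    # global catalog server then starts replicating this attribute for objects of
    # other domains. Since Windows Server 2003 this is incremental; on Windows 2000
    # it forced a full resynchronization of every GC.
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ isMemberOfPartialAttributeSet = $true }

    # Ask the schema master to reload its schema cache now instead of waiting for
    # the automatic refresh (about five minutes).
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()

    return Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Properties lDAPDisplayName, isMemberOfPartialAttributeSet
}

# Usage (assumed attribute): make employeeNumber searchable forest-wide through the GC.
Add-AttributeToGlobalCatalog -LdapDisplayName 'employeeNumber'
```

Run it once against the schema master; the change replicates to every global catalog server in the forest along with the rest of the schema partition, and the new attribute begins appearing in GC query results as each GC replicates it.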
Feature: Universal Group Membership Caching (UGMC)

As its name implies, the Universal Group Membership Caching feature caches the membership of universal groups. During logon, the user's universal group membership must be obtained from a global catalog server, because universal groups can include accounts from other domains. When that membership is cached on a local domain controller (in the user's msDS-Cached-Membership attribute, refreshed from a global catalog server every eight hours by default):
  • The authenticating domain controller does not need to contact a global catalog server in another site for the group membership information.
  • Logon is still allowed if a WAN failure separates the remote site from the rest of the network, provided that the user's membership was cached during an earlier logon. A user who has never logged on at that site still needs a reachable global catalog server.

To enable UGMC, edit the NTDS Site Settings object of the site (in Active Directory Sites and Services, select the site, then open the properties of NTDS Site Settings) and select Enable Universal Group Membership Caching. The Refresh cache from list selects the site whose global catalog servers are used for the periodic refresh; leave it at the default to use the nearest site. All domain controllers in the site must be running Windows Server 2003 or later for universal group membership caching to work.

Within a site, you will typically use either a global catalog server or Universal Group Membership Caching, not both (global catalog servers in a site ignore the cache). Place a global catalog server in the site if any of the following is true; use UGMC only when none of them is true:

  • The site has more than 100 users.
  • The WAN link connecting the site to the rest of the network is reliable and fast (a global catalog server adds replication traffic to that link, so a poor link argues for UGMC instead).
  • The location has roaming users (they log on from many sites, so a cache built at one site does not help them elsewhere).
  • The location runs an application that requires a global catalog server (for example, Microsoft Exchange Server).
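The UGMC procedure and the placement rule above, as one added PowerShell example that is not part of the original page. The first function applies the four conditions; the second sets the NTDS Site Settings bit behind the Enable Universal Group Membership Caching check box and the msDS-Preferred-GC-Site attribute behind Refresh cache from, refusing if the site already holds a global catalog server. The site names are assumptions.

```powershell
# Added example, not from the original page: apply the site-placement rule and,
# for a site that qualifies for UGMC, set the NTDS Site Settings bit that the
# "Enable Universal Group Membership Caching" check box toggles. Site names are assumptions.
Import-Module ActiveDirectory

function Get-SiteCatalogRecommendation {
    param(
        [Parameter(Mandatory)][int]$UserCount,
        [Parameter(Mandatory)][bool]$ReliableFastWan,
        [Parameter(Mandatory)][bool]$RoamingUsers,
        [Parameter(Mandatory)][bool]$AppRequiresGC
    )
    # A global catalog server if ANY condition holds; UGMC only when none does.
    if ($UserCount -gt 100 -or $ReliableFastWan -or $RoamingUsers -or $AppRequiresGC) {
        return 'GlobalCatalog'
    }
    return 'UGMC'
}

function Enable-UniversalGroupMembershipCaching {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [string]$RefreshFromSite    # site whose GCs refresh the cache; omit to let the DC pick the nearest
    )
    $configNC       = (Get-ADRootDSE).configurationNamingContext
    $siteSettingsDN = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"

    # Global catalog servers in the site ignore the cache, so enabling UGMC there
    # is pointless; refuse rather than leave a misleading setting behind.
    $localGCs = Get-ADDomainController -Filter { Site -eq $SiteName -and IsGlobalCatalog -eq $true }
    if ($localGCs) {
        throw "Site $SiteName already has global catalog server(s): $($localGCs.HostName -join ', ')"
    }

    # 'options' is a bit field; 0x20 is NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED.
    # OR it in so the KCC-related bits already present on the object survive.
    $settings = Get-ADObject -Identity $siteSettingsDN -Properties options
    $options  = [int]$settings.options -bor 0x20

    $replace = @{ options = $options }
    if ($RefreshFromSite) {
        # msDS-Preferred-GC-Site is the "Refresh cache from" setting: the DN of a site object.
        $replace['msDS-Preferred-GC-Site'] = "CN=$RefreshFromSite,CN=Sites,$configNC"
    }
    Set-ADObject -Identity $siteSettingsDN -Replace $replace
    return Get-ADObject -Identity $siteSettingsDN -Properties options, 'msDS-Preferred-GC-Site'
}

# Usage (assumed sites): a 40-user branch on a slow link, no roaming users, no GC-dependent apps.
$choice = Get-SiteCatalogRecommendation -UserCount 40 -ReliableFastWan $false -RoamingUsers $false -AppRequiresGC $false
if ($choice -eq 'UGMC') {
    Enable-UniversalGroupMembershipCaching -SiteName 'Branch-Office' -RefreshFromSite 'Head-Office'
}
```

The first logon of each user at the branch still needs a reachable global catalog server to populate the cache; only subsequent logons survive a WAN outage, so test the failover case with an account that has already logged on at the site.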

Lightweight Directory Access Protocol (LDAP) is the primary protocol for directory communications with Active Directory, including queries to the global catalog. Be aware of the following LDAP details:

  • LDAP runs directly over TCP/IP. Active Directory also accepts connectionless LDAP (CLDAP) over UDP port 389, but only for a narrow set of rootDSE queries (such as the Netlogon ping that clients use to locate domain controllers); normal directory operations use TCP.
  • Clients use LDAP to query, create, update, and delete information that is stored in a directory service over a TCP connection to the default port 389 (636 for LDAP over SSL/TLS). When a search request is sent to port 389, the search is conducted on a single domain directory partition (plus the schema and configuration partitions, which every domain controller holds).
  • If the object is not found in that domain or in the schema or configuration directory partitions, the domain controller returns a referral to a domain controller in the domain indicated by the distinguished name of the object; whether the client follows it depends on the client's referral-chasing setting.
  • Global catalog clients use LDAP to query Active Directory over a TCP connection to port 3268 (3269 for the global catalog over SSL/TLS).
    • When a search request is sent to port 3268, the search includes all domain directory partitions in the forest (i.e. the search is processed by a global catalog server). Only attributes in the partial attribute set are returned for objects from other domains.
    • Only global catalog servers listen on port 3268; a domain controller that is not a GC does not accept connections there, which makes the port a quick way to check whether a server is a GC.
  • Ports 389 and 3268 carry traffic in clear text unless the session is protected. A simple bind on these ports sends the password unencrypted, so use LDAP over SSL/TLS (636/3269) or a SASL bind (Kerberos via Negotiate) with signing and sealing, and keep the domain controllers' LDAP server signing policy set to require signing.
  • Active Directory supports LDAP v2 and LDAP v3. LDAP v3 is the industry standard (RFC 4511) and can be used with any directory service that implements the LDAP protocol; it adds SASL authentication, StartTLS, and referrals. LDAP v3 is backward compatible with LDAP v2, but LDAP v2 is obsolete (retired by RFC 3494) and new clients should not use it.
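The port 389 versus port 3268 behaviour described above, as an added PowerShell example that is not part of the original page. It uses the .NET System.DirectoryServices.Protocols classes so that referrals are visible instead of silently chased, and binds with Kerberos plus signing and sealing (or TLS on 636/3269) rather than a simple bind. The host names, domain DNs and the account jdoe are assumptions: corp.example.com is taken to be the forest root and emea.corp.example.com a child domain in which jdoe lives.

```powershell
# Added example, not from the original page: the same search sent to a domain
# controller's LDAP port (389) and to the global catalog port (3268). Host names,
# the domain DN and the account name are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-SignedLdapConnection {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [switch]$UseTls      # pair with 636 (domain) or 3269 (global catalog)
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3          # LDAP v3; v2 is obsolete
    # Do not chase referrals: the point is to see them, not to follow them silently.
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    # Kerberos through Negotiate; never a simple bind on a clear-text port.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    if ($UseTls) {
        $conn.SessionOptions.SecureSocketLayer = $true
    } else {
        # Without TLS, sign and seal the session so queries and results are neither
        # readable nor modifiable on the wire.
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    }
    $conn.Bind()
    return $conn
}

function Search-Directory {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)][AllowEmptyString()][string]$SearchBase,
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Attributes = @('distinguishedName')
    )
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req   = New-Object System.DirectoryServices.Protocols.SearchRequest($SearchBase, $Filter, $scope, $Attributes)
    $resp  = [System.DirectoryServices.Protocols.SearchResponse]$Connection.SendRequest($req)
    # Entries are matches the server itself holds; References are continuation
    # referrals to other domains the server does not hold (port 389 only).
    [pscustomobject]@{
        Entries   = @($resp.Entries    | ForEach-Object { $_.DistinguishedName })
        Referrals = @($resp.References | ForEach-Object { $_.Reference } | ForEach-Object { $_.AbsoluteUri })
    }
}

# Usage (assumed names). jdoe is an account in the EMEA child domain.
$dc     = 'dc01.corp.example.com'
$filter = '(sAMAccountName=jdoe)'

# Port 389: only dc01's own domain partition is searched. A subtree search rooted at
# the forest root domain finds no entry for an EMEA account; the child domain comes
# back in Referrals instead, and the client would have to contact an EMEA DC itself.
$ldap = New-SignedLdapConnection -Server $dc -Port 389
Search-Directory -Connection $ldap -SearchBase 'DC=corp,DC=example,DC=com' -Filter $filter

# Port 3268: the GC answers from its partial replica of every domain, so an empty base
# DN with subtree scope spans the whole forest and returns the EMEA account directly.
# Only partial-attribute-set attributes (memberOf here reflects universal groups) are available.
$gc = New-SignedLdapConnection -Server $dc -Port 3268
Search-Directory -Connection $gc -SearchBase '' -Filter $filter -Attributes 'distinguishedName', 'memberOf'
```

Running the second search against a domain controller that is not a global catalog server fails at Bind with a server-down error, because nothing is listening on 3268 there; that failure is itself a usable check of GC status.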