Learn how to use Global Catalog and UGMC In Active Directory
In a multiple-domain, multiple-site forest, a user logon and a forest-wide search each require contacting more than one domain: one to locate the user account and others to determine membership in universal groups, whose members can come from any domain in the forest. To keep that cross-domain (and usually cross-WAN) traffic from slowing logons, Active Directory provides the following two features:
Global Catalog: The Global Catalog (GC) is a database that contains a partial replica of every object from every domain in the forest. It holds every object, but only the subset of attributes marked for global catalog replication (the partial attribute set). A domain controller that holds a copy of the Global Catalog is a global catalog server: it keeps a full, writable replica of its own domain partition plus a partial, read-only replica of every other domain in the forest.
To designate a server as a global catalog server, use one of the following:
Promoting a domain controller to a global catalog server commonly takes a significant amount of time: the partial replicas of every other domain in the forest must replicate to it first, and the domain controller does not advertise itself as a global catalog (in the _gc SRV records in DNS and through the rootDSE attribute isGlobalCatalogReady) until that replication has completed. Allow sufficient time for the account and schema information to replicate to the new global catalog server before pointing clients or applications at it.
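The designation and the readiness check described above, as an added PowerShell example (ActiveDirectory module; this is not code from the original page). The GC role is bit 0x1 of the options attribute on the domain controller's NTDS Settings object, which is what the GUI check box toggles. The host name DC02.corp.example.com and the timeout are assumptions.

```powershell
# Added example (PowerShell, ActiveDirectory module); not from the original page.
# Assumed names: DC02.corp.example.com is the domain controller to promote.
Import-Module ActiveDirectory

function Set-GlobalCatalogRole {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [bool] $Enable = $true
    )
    $dc = Get-ADDomainController -Identity $DomainController
    # The GC role is bit 0x1 of the 'options' attribute on the DC's NTDS Settings object.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int]$ntds.options
    $wanted = if ($Enable) { $current -bor 0x1 } else { $current -band (-bnot 0x1) }
    if ($wanted -ne $current) {
        # Replace with the merged value so any other option bits survive
        Set-ADObject -Identity $ntds.DistinguishedName -Replace @{ options = $wanted }
    }
    return $wanted
}

function Test-GlobalCatalogReady {
    param([Parameter(Mandatory)] [string] $DomainController)
    # rootDSE of the target: isGlobalCatalogReady only becomes TRUE once the partial
    # replicas of the other domains have arrived and the DC starts advertising as a GC.
    $root = Get-ADRootDSE -Server $DomainController -Properties isGlobalCatalogReady
    return ($root.isGlobalCatalogReady -eq 'TRUE')
}

function Wait-GlobalCatalogReady {
    param([Parameter(Mandatory)] [string] $DomainController, [int] $TimeoutMinutes = 120)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if (Test-GlobalCatalogReady -DomainController $DomainController) { return $true }
        Start-Sleep -Seconds 60
    }
    return $false
}

# Usage: promote, then block until the GC is actually usable before clients are pointed at it.
Set-GlobalCatalogRole -DomainController 'DC02.corp.example.com' | Out-Null
if (Wait-GlobalCatalogReady -DomainController 'DC02.corp.example.com') {
    # Confirm the new GC is advertised in DNS for the forest
    Resolve-DnsName -Type SRV -Name ('_gc._tcp.' + (Get-ADForest).RootDomain) |
        Where-Object NameTarget -like 'DC02.*'
} else {
    Write-Warning 'DC02 is not advertising as a GC yet; check replication with repadmin /showrepl DC02'
}
```

Writing the options attribute needs the same rights as the Sites and Services check box (Enterprise Admins or an equivalent delegation on the NTDS Settings object). Polling isGlobalCatalogReady rather than the IsGlobalCatalog property of Get-ADDomainController matters because the latter reflects the configured role, not whether the partial replicas have finished arriving.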
Any attribute added to the Global Catalog is replicated to every global catalog server in the forest and becomes searchable through the global catalog port, so consider what the attribute contains before publishing it forest-wide. To add an attribute to the Global Catalog (that is, to the partial attribute set) for the whole forest, use the Active Directory Schema snap-in to:
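The same schema change made from PowerShell, as an added example (ActiveDirectory module; not code from the original page). The snap-in's "Replicate this attribute to the Global Catalog" check box sets the attributeSchema object's isMemberOfPartialAttributeSet flag; the attribute employeeNumber and the assumption that it is not yet in the partial attribute set are illustrative.

```powershell
# Added example (PowerShell, ActiveDirectory module); not from the original page.
# Assumed attribute: employeeNumber, present in the default schema and not yet in the PAS.
Import-Module ActiveDirectory

function Get-SchemaAttribute {
    param([Parameter(Mandatory)] [string] $LdapDisplayName, [string] $Server)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $args = @{
        SearchBase  = $schemaNC
        SearchScope = 'OneLevel'
        LDAPFilter  = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
        Properties  = 'lDAPDisplayName', 'isMemberOfPartialAttributeSet', 'searchFlags'
    }
    if ($Server) { $args['Server'] = $Server }
    Get-ADObject @args
}

function Get-PartialAttributeSet {
    # Every attribute currently replicated to the global catalog
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName | Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

function Add-AttributeToGlobalCatalog {
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    # Schema writes are only accepted by the schema master and need Schema Admins membership
    $schemaMaster = (Get-ADForest).SchemaMaster
    $attr = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName -Server $schemaMaster
    if (-not $attr) { throw "No attributeSchema object with lDAPDisplayName '$LdapDisplayName'" }
    if ($attr.isMemberOfPartialAttributeSet -eq $true) {
        return $attr   # already replicated to every GC; nothing to do
    }
    # searchFlags bit 0x80 marks the attribute confidential (reads need a control access right).
    # Publishing it forest-wide is a deliberate decision, so at least warn the operator.
    if (([int]$attr.searchFlags) -band 0x80) {
        Write-Warning "'$LdapDisplayName' is marked confidential and will now replicate to every GC"
    }
    Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
    # Read back from the schema master; other DCs only see the flag after schema replication
    Get-SchemaAttribute -LdapDisplayName $LdapDisplayName -Server $schemaMaster
}

# Usage
Add-AttributeToGlobalCatalog -LdapDisplayName 'employeeNumber'
Get-PartialAttributeSet
```

The read-back is deliberately directed at the schema master: the flag is a schema change and reaches the other domain controllers, and therefore the other global catalog servers, only through replication, which is the delay the paragraph above warns about.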
Universal Group Membership Caching (UGMC): As its name implies, the Universal Group Membership Caching feature caches the universal group membership of users. During logon, the authenticating domain controller must determine the user's universal group membership, which normally means contacting a global catalog server. By caching that membership on the local domain controller:
To enable UGMC, edit the NTDS Site Settings object of the site; it is a per-site setting, not a per-domain-controller one. All domain controllers in the site must be running Windows Server 2003 or later for universal group membership caching to work. Note that the cache is refreshed from a global catalog server periodically (every 8 hours by default), so a change to a user's universal group membership, including removal from a group, is not seen in a caching site until the next refresh.
Within a site, you typically use either a global catalog server or Universal Group Membership Caching, not both (a local global catalog server makes the cache unnecessary). Place a global catalog server in the site if any of the following are true; use UGMC only if none of them is true:
- The site has more than 100 users.
- The WAN link connecting the site to the rest of the network is reliable and fast.
- The location has roaming users.
- The location runs an application that requires a global catalog server (Microsoft Exchange Server, for example).
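Enabling UGMC on a site and auditing the forest against the "one or the other, not both" rule above, as an added PowerShell example (ActiveDirectory module; not code from the original page). UGMC is bit 0x20 of the options attribute on the site's NTDS Site Settings object, and msDS-Preferred-GC-Site names the site whose global catalog the cache is refreshed from. The site names Branch-Paris and HQ are assumptions.

```powershell
# Added example (PowerShell, ActiveDirectory module); not from the original page.
# Assumed sites: 'Branch-Paris' (small site on a slow WAN) refreshes its cache from 'HQ'.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$UGMC_BIT = 0x20   # group-caching-enabled bit of the NTDS Site Settings 'options' attribute

function Get-NtdsSiteSettings {
    param([Parameter(Mandatory)] [string] $SiteName)
    Get-ADObject -Identity "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC" `
        -Properties options, 'msDS-Preferred-GC-Site'
}

function Set-UGMC {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [bool] $Enable = $true,
        [string] $RefreshFromSite      # optional: which site's GC refreshes the cache
    )
    $settings = Get-NtdsSiteSettings -SiteName $SiteName
    $current = [int]$settings.options
    $wanted = if ($Enable) { $current -bor $UGMC_BIT } else { $current -band (-bnot $UGMC_BIT) }
    $replace = @{ options = $wanted }
    if ($Enable -and $RefreshFromSite) {
        $replace['msDS-Preferred-GC-Site'] = "CN=$RefreshFromSite,CN=Sites,$configNC"
    }
    Set-ADObject -Identity $settings.DistinguishedName -Replace $replace
    return $wanted
}

function Get-SiteCatalogAudit {
    # Get-ADDomainController -Filter * is per domain, so walk every domain of the forest
    $gcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain | Where-Object IsGlobalCatalog
    }
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $hasGC = @($gcs | Where-Object Site -eq $site.Name).Count -gt 0
        $ugmc  = (([int](Get-NtdsSiteSettings -SiteName $site.Name).options) -band $UGMC_BIT) -ne 0
        $finding = 'OK'
        if ($hasGC -and $ugmc) { $finding = 'UGMC is redundant: a local GC resolves membership directly' }
        if (-not $hasGC -and -not $ugmc) { $finding = 'Logons depend on a GC across the WAN' }
        [pscustomobject]@{ Site = $site.Name; HasGC = $hasGC; UGMC = $ugmc; Finding = $finding }
    }
}

# Usage: enable caching for the branch, then review every site in the forest
Set-UGMC -SiteName 'Branch-Paris' -Enable $true -RefreshFromSite 'HQ' | Out-Null
Get-SiteCatalogAudit | Format-Table -AutoSize
```

Sites that contain no domain controller at all also show up as "Logons depend on a GC across the WAN", which is correct for the clients in them; the audit says nothing about the user count or application requirements from the list above, which still have to be checked by hand.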
Lightweight Directory Access Protocol (LDAP) is the protocol that clients use to query domain controllers and the global catalog alike. Be aware of the following LDAP details:
- LDAP runs directly over TCP/IP. A connectionless variant (CLDAP) also runs over User Datagram Protocol (UDP); Active Directory uses it mainly for the domain controller locator "pings" rather than for directory queries.
- Clients use LDAP to query, create, update, and delete information stored in the directory over a TCP connection to the default port 389 (or port 636 for LDAP over SSL/TLS). A search request sent to port 389 is processed against the partitions that the domain controller holds in full: its own domain directory partition plus the schema and configuration partitions.
- If the object is not in that domain partition (or in the schema or configuration partitions), the domain controller does not search other domains on the client's behalf; it returns a referral to the domain indicated by the distinguished name of the object, and the client must chase that referral by connecting to a domain controller of that domain.
- Global catalog clients use LDAP to query Active Directory over a TCP connection to port 3268 (or port 3269 for global catalog queries over SSL/TLS).
- When a search request is sent to port 3268, the search includes all directory partitions in the forest, because it is processed by a global catalog server. Since the global catalog holds only the partial attribute set, a search on port 3268 cannot be relied on to return other attributes, and objects from other domains are read-only there; to read other attributes or to modify an object, query a domain controller of the object's own domain on port 389.
- Only global catalog servers listen for LDAP requests on port 3268; a domain controller that is not a global catalog does not open the port.
- Active Directory supports LDAP v2 and LDAP v3. LDAP v3 is the industry standard (RFC 4511) that can be used with any directory service that implements the LDAP protocol, and it is backward compatible with LDAP v2. LDAP v2 itself has been retired (RFC 3494), so new clients should use v3.
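The port 389 versus port 3268 behaviour above, including the referral on 389 and the partial attribute set on 3268, as an added PowerShell example using the System.DirectoryServices classes (not code from the original page). The host dc01.corp.example.com (a forest-root DC that is also a GC), the child domain sub.corp.example.com, the user jdoe in that child domain, and the assumption that employeeID is not in this forest's partial attribute set are all illustrative.

```powershell
# Added example (PowerShell, System.DirectoryServices); not from the original page.
# Assumed names: dc01.corp.example.com is a forest-root DC that is also a GC; the forest has a
# child domain sub.corp.example.com containing user 'jdoe'; employeeID is assumed not to be in
# the partial attribute set of this forest.
Add-Type -AssemblyName System.DirectoryServices

function Search-Directory {
    param(
        [Parameter(Mandatory)] [string] $Path,      # 'LDAP://host:389/DC=...' or 'GC://host'
        [Parameter(Mandatory)] [string] $Filter,
        [string[]] $Attributes = @('distinguishedName', 'sAMAccountName', 'employeeID'),
        [System.DirectoryServices.ReferralChasingOption] $Referrals = 'None'
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry($Path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attributes)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.ReferralChasing = $Referrals   # whether the client follows referrals the DC returns
    $searcher.PageSize = 500
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Path     = $Path
            DN       = [string]$result.Properties['distinguishedname'][0]
            # Attribute names actually returned: on 3268 anything outside the PAS is simply absent
            Returned = ($result.Properties.PropertyNames | Sort-Object) -join ','
        }
    }
}

$filter = '(&(objectClass=user)(sAMAccountName=jdoe))'
$domainRoot = 'LDAP://dc01.corp.example.com:389/DC=corp,DC=example,DC=com'

# 1. Port 389, no referral chasing: only the corp.example.com partition is searched. The user
#    lives in the child domain, so nothing is returned and the DC's referral is dropped.
Search-Directory -Path $domainRoot -Filter $filter

# 2. Port 389 with referral chasing: the client binds again to a DC of sub.corp.example.com
#    (extra round trips and an extra authentication) and then gets the object with all attributes.
Search-Directory -Path $domainRoot -Filter $filter -Referrals Subordinate

# 3. Port 3268: one query to the GC covers every domain in the forest, but employeeID is missing
#    from the result because the GC holds only the partial attribute set. (LDAP over SSL/TLS
#    to the global catalog uses port 3269.)
Search-Directory -Path 'GC://dc01.corp.example.com' -Filter $filter
```

Comparing the Returned column of runs 2 and 3 is the quickest way to find out whether an attribute an application needs is in the partial attribute set; if it is not, the application has to either query port 389 in the object's domain or the attribute has to be added to the global catalog as described earlier on this page.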