
Monday, May 11, 2020

Windows Server - Global Catalog

What is the Global Catalog?

The global catalog helps users find resources
The global catalog provides a central directory of every object in the forest, and is unique in each AD DS forest. Unlike the individual domain partitions that store a complete writeable attribute set for all objects in the domain, the global catalog is a read-only list of some attributes for every object in the forest. The global catalog makes it easy to locate objects from different domains in a multi-domain forest. For example, Microsoft Exchange Server uses the global catalog to locate all email recipients in a forest.
The forest has a single global catalog. All domain controllers that are assigned the global catalog role share this global catalog. By default, the first domain controller in the forest root domain hosts the global catalog.

How does the global catalog work?

The global catalog speeds up searches
In a given domain, a query for an object is directed to one of the domain controllers in that domain, but that query does not return results about objects in other domains in the forest. For a query to include results from other domains in the forest, you must query a domain controller that's a global catalog server. The global catalog therefore speeds up searches for objects that might be stored on domain controllers in a different domain in the forest. To improve searching across domains in a forest, you should configure additional domain controllers to store a copy of the global catalog. In a single domain, all domain controllers should be configured to hold a copy of the global catalog.
Screenshot of the promote a server to a domain controller wizard. The Global Catalog checkbox is selected.
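
The following PowerShell is an added example, not part of the original post. It lists which domain controllers hold the global catalog, warns when a single-domain forest has a DC without it, and runs the same search once against a domain controller's domain partition and once against a global catalog. It assumes the ActiveDirectory (RSAT) module and a domain-joined session; the mail address is a hypothetical placeholder, and 3268 is the standard global catalog LDAP port.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Inventory: every domain controller in the forest and whether it is a global catalog.
$forest = Get-ADForest
$dcs = foreach ($domain in $forest.Domains) {
    # -Server with a domain name asks a DC of that domain for its full DC list.
    Get-ADDomainController -Filter * -Server $domain
}
$dcs | Sort-Object Domain, Site, HostName |
    Format-Table Domain, Site, HostName, IsGlobalCatalog -AutoSize

# 2. Check the recommendation above: in a single domain, all DCs should be global catalogs.
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($forest.Domains.Count -eq 1 -and $nonGc.Count -gt 0) {
    Write-Warning ("Single-domain forest, but these DCs are not global catalogs: " +
        ($nonGc.HostName -join ', '))
}

# 3. Same LDAP filter, two scopes.
$mail   = 'recipient@example.com'     # hypothetical address, replace with a real one
$filter = "(&(objectCategory=person)(mail=$mail))"

# -Discover can return HostName as a one-element collection; cast it to a string.
$dcHost = [string](Get-ADDomainController -Discover).HostName
$gcHost = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName

# Domain-scoped: only the domain partition of the DC that answers is searched.
$domainHits = @(Get-ADObject -LDAPFilter $filter -Server $dcHost)

# Forest-wide: port 3268 targets the global catalog; an empty SearchBase
# searches the partial, read-only copy of every domain partition.
$forestHits = @(Get-ADObject -LDAPFilter $filter -SearchBase '' `
                    -Server "${gcHost}:3268" -Properties mail)

"{0} match(es) from DC {1} (own domain only)" -f $domainHits.Count, $dcHost
"{0} match(es) from GC {1} (whole forest)"    -f $forestHits.Count, $gcHost
$forestHits | Select-Object DistinguishedName, mail
```

In a multi-domain forest, a recipient whose account lives in another domain appears only in the second result set; the attributes returned there are limited to those replicated to the global catalog.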

When to use the global catalog?

There are various reasons why you might run a search against a global catalog instead of a domain controller that's not a global catalog.
  • Exchange email. When a server that's running Exchange Server receives an incoming email, it has to search for the recipient’s account so that it can decide how to route the message. By automatically querying a global catalog, the server that's running Exchange Server can locate the recipient in a multi-domain environment.
  • Authentication. When a user signs in to their Active Directory account, the domain controller that performs the authentication must contact a global catalog to check for universal group memberships before the user is authenticated.
What is the Global Catalog? - This topic reviews common global catalog usage scenarios, and global catalog dependencies and interactions.

Sunday, March 29, 2020

Windows Server Infrastructure - Basics

Question: What is an Organizational Unit (OU) and why would you create additional OUs?
An OU is an object in a domain that you can use to store user objects, computer objects, group objects, and other AD DS objects. You typically create additional OUs when you want to delegate control to a specific group or link a Group Policy Object to the OU.


Question: What are the five flexible single master operations (FSMO) roles and where do they exist?
FSMO roles are special roles within a forest and domain. There are two FSMO roles at the forest level: Schema Master and Domain Naming Master. There are three FSMO roles at the domain level: RID Master, Infrastructure Master, and PDC Emulator.

Question: What is a trust relationship and which type of trust relationship is used to improve user logon times between two domains in a forest?
Trust relationships are authentication pipelines between different domains. Shortcut trusts can be used to improve user logon times between two domains in an Active Directory forest.


Question: Which optional AD DS feature enables you to quickly restore objects that have been deleted?
The Active Directory Recycle Bin, an optional feature of AD DS, provides a simplified process for restoring deleted objects.

Question: What is Server Core and what are some advantages of using it?
Server Core is the default Windows Server installation option. Server Core does not have a graphical user interface. Server Core installs fewer components so fewer updates are required. Server Core removes unneeded files so disk space and memory requirements are less. Lastly, fewer files and components mean less opportunity for security threats.

Question: Which feature can you use to define different password policies and account lockout settings in a domain?
Fine-grained password policies let you specify different password policies and account lockout policies for different groups of users, for example executives, administrators, service accounts, or regular users.

Question: Aziz has reported he is unable to sign in to the domain. The error message is, “The trust relationship between this workstation and the primary domain failed.” What is likely the problem and how should you fix it?
Most likely the problem is a broken secure channel. You can use Active Directory Users and Computers or PowerShell to reset the computer account and rejoin the computer to the domain.

Question: What is the global catalog and when is it used?
The global catalog is a central directory of every object in the forest. The global catalog is commonly used to provide Exchange email account information and a user’s Universal group memberships.

Question: What is an AD DS site and when should you consider creating a site?
An AD DS site represents the physical structure, or topology, of your network. There are several reasons to consider creating additional sites such as: number of users at a location, slow links between locations, service localization, and AD DS database replication.


Question: When should you use an authoritative restore?
An authoritative restore is necessary when a known good copy of AD DS has been restored that contains objects that must override the existing state of other objects in the AD DS database.

Question: How are Group Policy settings and Group Policy preferences different?
Group policy settings and group policy preferences are different. Preferences are not enforced, can reapply automatically, and can use item-level targeting.
