Global catalog and User Logon

A domain controller can locate only the objects in its domain. Locating an object in a different domain would require access to a global catalog server.
A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest.
The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined by default by Microsoft.
In addition to its activities as a domain controller, the global catalog server supports the following special activities in the forest:
User logon: Domain controllers must contact a global catalog server to retrieve any SIDs of universal groups that the user is a member of.

(Figure: user logon flow)

(1) Client logs on to the domain, which prompts
(2) a DNS query for the closest domain controllers.
(3) Client contacts the returned domain controller DCx for authentication.
(4) DCx queries DNS to find the closest global catalog server and then
(5) contacts the returned global catalog server DCy to retrieve the universal groups for the user.
The global catalog stores the membership (the member attribute) of only universal groups.

Additionally, if the user specifies a logon name in the form of a UPN (which has the format sAMAccountName@DNSDomainName), the domain controller contacts a global catalog server to retrieve the domain of the user:

(Figure: user logon with UPN)
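The following PowerShell script is an added example, not part of the original post. It reproduces the logon dependencies described above for one account: the site-specific SRV lookups for domain controllers and global catalog servers, a port-3268 search that resolves the UPN to its home domain, and a search for the universal groups whose member attribute the global catalog holds. It assumes a domain-joined Windows host; the UPN is a placeholder to replace.

```powershell
# Added example (not from the original post): trace the logon dependencies on a global catalog.
# Assumes a domain-joined Windows host with the DnsClient module; $Upn is a placeholder.
param([string]$Upn = 'jdoe@corp.example')   # placeholder UPN, replace before use

$dnsDomain  = $Upn.Split('@')[1]
$forestRoot = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
$site       = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

# Step 2: DNS query for the closest (site-specific) domain controllers of the user's domain.
$dcSrv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.$site._sites.dc._msdcs.$dnsDomain" -ErrorAction Stop
"DCs in site ${site}: " + (($dcSrv | Where-Object Type -eq 'SRV').NameTarget -join ', ')

# Step 4: DNS query for the closest global catalog server; GC SRV records live under the forest root.
$gcSrv = Resolve-DnsName -Type SRV -Name "_gc._tcp.$site._sites.$forestRoot" -ErrorAction Stop
$gc    = ($gcSrv | Where-Object Type -eq 'SRV' | Sort-Object Priority | Select-Object -First 1).NameTarget
"Using global catalog: $gc"

# UPN variant: ask the GC which domain holds the account. userPrincipalName is in the partial
# attribute set, so one forest-wide search on port 3268 (the GC: provider) answers this.
$root = New-Object System.DirectoryServices.DirectoryEntry("GC://$gc")
$s = New-Object System.DirectoryServices.DirectorySearcher($root)
$s.Filter = "(&(objectClass=user)(userPrincipalName=$Upn))"
[void]$s.PropertiesToLoad.AddRange(@('distinguishedName'))
$user = $s.FindOne()
if (-not $user) { throw "No account with UPN $Upn found in the global catalog" }
$userDn = [string]$user.Properties['distinguishedname'][0]
"Account lives in domain: " + ($userDn -replace '^.*?,(DC=.*)$', '$1')

# Step 5: universal groups that contain the user. Only universal groups have their member
# attribute in the GC, so filtering on groupType with the bitwise-AND matching rule (flag 8 =
# universal) returns exactly the set a DC must fetch from a GC to build the logon token.
$escDn = $userDn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
$s.Filter = "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(member=$escDn))"
$s.PropertiesToLoad.Clear()
[void]$s.PropertiesToLoad.AddRange(@('distinguishedName', 'groupType'))
foreach ($g in $s.FindAll()) {
    # Bit 0x80000000 marks a security-enabled group (the ones that contribute SIDs to the token).
    $secEnabled = ([int64]$g.Properties['grouptype'][0] -band 0x80000000) -ne 0
    "{0}  (security-enabled: {1})" -f $g.Properties['distinguishedname'][0], $secEnabled
}
```

If the GC SRV lookup fails for the local site, logon in that site depends on a GC elsewhere or on Universal Group Membership Caching, which is the situation the caching section below addresses.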

Universal and global group caching and updates: In sites where Universal Group Membership Caching is enabled, domain controllers cache group memberships and keep the cache updated by contacting a global catalog server.
Caching group membership reduces WAN traffic, which helps in sites where updating the cached group membership of security principals generates less traffic than replicating the global catalog to the site.
