Global catalog replication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Global catalog replication

Replication of the global catalog ensures that users throughout the forest have fast access to information about every object in the forest. The default attributes that make up the global catalog provide a baseline of the most commonly searched attributes. These attributes are replicated to the global catalog as part of normal Active Directory replication.

The replication topology for the global catalog is generated automatically by the Knowledge Consistency Checker (KCC). However, the global catalog is replicated only to other domain controllers that have been designated as global catalogs. Global catalog replication is affected both by the attributes marked for inclusion in the global catalog, and by universal group memberships.

Adding attributes

Active Directory defines a base set of attributes for each object in the directory. Each object and some of its attributes (such as universal group memberships) are stored in the global catalog. Using the Active Directory Schema snap-in, you can specify additional attributes to be kept in the global catalog.

In Windows 2000 forests, extending the partial attribute set causes a full synchronization of all object attributes stored in the global catalog (for all domains in the forest). In a large, multi-domain forest, this synchronization can cause significant network traffic. Between domain controllers enabled as global catalogs that are running Windows Server 2003, only the newly added attribute is replicated. For more information about adding attributes to the global catalog, see Customizing the global catalog.

Preventing unpredictable access to global catalog data

Special security consideration should be given when specifying permissions on domain data that is also replicated to the global catalog. When a user connects to a global catalog, an impersonation token is created for the user, which is used in subsequent access control decisions on the global catalog. The user's universal, global and domain local group memberships are represented in this token. However, only domain local groups from the domain that the domain controller hosting the global catalog (to which the user has connected) belongs to and of which the user is a member show up in the user's token. Domain local groups in the user's domain (and in other domains) of which the user is a member do not show up in the access token.

A global catalog stores a replicated, read-only copy of all objects in the forest and a partial set of each object's attributes, including the security descriptor for each object. The security descriptor contains a discretionary access control list (DACL), which specifies permissions on the object. When a user connects to a global catalog and tries to access an object, an access check is performed based on the user's token and the object's DACL. Any permissions specified in the object's DACL for domain local groups that are not from the domain that the domain controller hosting the global catalog (to which the user has connected) belongs to, will be ineffective because only domain local groups from the global catalog's domain of which the user is a member are represented in the user's access token. As a result, a user may be denied access when access should have been granted, or allowed access when access should have been denied.

As a best practice, you should avoid using domain local groups when assigning permissions on Active Directory objects, or be aware of the implications if you do use them. To prevent unauthorized access to global catalog data, use global groups or universal groups instead. For information about global and universal groups, see Group scope.

How universal groups affect global catalog replication

Groups with universal scope, and their members, are listed exclusively in the global catalog. Groups with global or domain local scope are also listed in the global catalog, but their members are not. This reduces the size of the global catalog and the replication traffic associated with keeping the global catalog up to date. You can improve network performance by using groups with global or domain local scope for directory objects that will change frequently.

When you first create a universal group, you do so from any domain that is set to the domain functional level of Windows 2000 or higher. The universal group resides in the domain directory partition in which it was created and is also replicated to the global catalog. Updates to the group membership are thereafter replicated to both the domain and the global catalog.

For more information about domain functional levels, see Domain and forest functionality.