Network Deployment (Distributed operating systems), v8.0
Microsoft Active Directory Global Catalog
Overview
A Global Catalog is a single LDAP repository that contains a subset of user information from all the domains in the forest, including...
- user IDs
- authentication information
- groups
The primary two functions of a Global Catalog within the Microsoft Active Directory are...
- logon capability
- directory queries
A Global Catalog can be hosted on any domain controller in the forest, including domain controllers in subdomains. The Global Catalog is a way around the WAS limitation that the LDAP registry must be a "single registry".
Users found on their local (home) domain controller carry complete "memberOf" information. Users found on a foreign domain controller carry only limited "memberOf" information, because global group membership is not replicated to every domain controller.
Nested global groups in universal groups
Global groups are nested in universal groups in forests where...
- Users are distributed across domain controllers in a forest containing multiple domain controllers.
- Users are defined in global groups within their own local domain controller.
- A universal group contains these global groups; it reflects a Java EE role that maps to a set of users spread across multiple domain controllers.
One method to handle multiple domain controllers requires that WAS...
- Follow LDAP referrals to find the home domain controller for each user
- Perform nested group queries
This approach does not use the Global Catalog.
Another method, and the simplest approach...
- Has universal groups that contain users
- Uses a Global Catalog
If you configure WAS to use the Global Catalog as its LDAP registry and follow referrals, each user is found twice: once in the Global Catalog and again on the domain controller the referral leads to. Because a user must exist only once in the registry, all logins fail.
If you configure WAS to use the Global Catalog as its LDAP registry and do not follow referrals, and the individual users are members of global groups, then group membership is incomplete: the global group membership held only on the home domain controller is never seen.
If you configure WAS to use the Global Catalog as its LDAP registry, do not follow referrals, and users are directly contained within universal groups, then group membership is complete.
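To make the three outcomes above concrete, here is an added Python model (not WebSphere or IBM code) of a constructed two-domain forest. It assumes the Global Catalog replicates every user but holds member lists only for universal groups, and that following a referral re-finds the user on its home domain controller.

```python
# Constructed toy forest: two domains (emea, apac) plus one Global Catalog (GC).
# Each group: scope, home domain, and its member DNs (users or nested groups).
GROUPS = {
    "cn=emea-staff":  {"scope": "global",    "domain": "emea", "member": {"cn=alice"}},
    "cn=apac-staff":  {"scope": "global",    "domain": "apac", "member": {"cn=bob"}},
    "cn=role-nested": {"scope": "universal", "domain": "emea", "member": {"cn=emea-staff", "cn=apac-staff"}},
    "cn=role-direct": {"scope": "universal", "domain": "emea", "member": {"cn=alice", "cn=bob"}},
}
USER_DOMAIN = {"cn=alice": "emea", "cn=bob": "apac"}  # each user's home domain

def member_of(entity, visible, seen=None):
    """Transitive memberOf over the groups whose member attribute the queried
    server actually holds (`visible`). `seen` also guards against nested cycles."""
    seen = set() if seen is None else seen
    for name, grp in visible.items():
        if entity in grp["member"] and name not in seen:
            seen.add(name)
            member_of(name, visible, seen)  # nested group query
    return seen

def dc_view(domain):
    # A domain controller holds full member lists for its own domain's groups.
    return {n: g for n, g in GROUPS.items() if g["domain"] == domain}

def gc_view():
    # Assumption modelled here: the GC replicates every user, but member lists
    # only for universal groups; global group membership stays on the home DC.
    return {n: g for n, g in GROUPS.items() if g["scope"] == "universal"}

def lookup(user, follow_referrals):
    """Registry search against the GC. Returns one (server, groups) tuple per
    entry the search yields; a referral re-finds the user on its home DC."""
    entries = [("gc", member_of(user, gc_view()))]
    if follow_referrals:
        home = USER_DOMAIN[user]
        entries.append((home, member_of(user, dc_view(home))))
    return entries

def authenticate(user, follow_referrals=False):
    """Registry rule modelled here: a user must match exactly one entry."""
    entries = lookup(user, follow_referrals)
    if len(entries) != 1:
        return {"status": "fail", "reason": f"user matched {len(entries)} entries"}
    return {"status": "ok", "groups": sorted(entries[0][1])}

def missing_groups(user):
    """Groups the home DC knows that the GC lookup (no referrals) never reports."""
    full = member_of(user, dc_view(USER_DOMAIN[user]))
    return sorted(full - set(authenticate(user)["groups"]))
```

For alice, the GC lookup reports only the universal group she is directly in; the global group and the universal group reached through it are the missing ones.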
Related concepts
Groups spanning domains with Microsoft AD
Authentication using Microsoft AD
Options for finding group membership within a Microsoft AD forest
Locate user group memberships in a LDAP registry
Authenticate users with LDAP registries in a Microsoft AD forest
Use Microsoft AD for authentication