+

Search Tips   |   Advanced Search

Microsoft Active Directory Global Catalog

A Global Catalog is a Global Catalog Server. A Global Catalog holds a full set of attributes for the domain in which it resides and a subset of attributes for all objects in the Microsoft Active Directory Forest. The primary two functions of a Global Catalog within the Microsoft Active Directory are logon capability and Microsoft Active Directory queries.

A Global Catalog in a Microsoft Active Directory installation with the product is a single Lightweight Directory Access Protocol (LDAP) repository containing a subset of user information from all the domains in the forest. This information includes user IDs, authentication information, and groups, but not all the group information.

We can use the Global Catalog on any domain controller in the forest, even in subdomains. The Global Catalog is a solution to the WAS limitation of a "single registry". There are limitations to the Global Catalog. Users from the local domain controller contain group "memberOf" information. Users from a foreign domain controller contain limited "memberOf" information because the global group information is not replicated to every domain controller.


Nested global groups in universal groups

This is a typical structure of group membership and consists of the following characteristics:

The following figure illustrates nested global groups in universal groups.

Figure 1. Nested global groups in universal groups . This figure illustrates nested global groups in universal groups.

It is a challenge to develop methods of configuring WebSphere Application Server to be able to find users and their group memberships when the information is spread across multiple domain controllers. One method requires that WebSphere Application Server follow LDAP referrals to find the home domain controller for each user and that WebSphere Application Server perform nested group queries.

Avoid trouble: This approach does not use the Global Catalog.gotcha

Another method and the simplest approach has universal groups containing users and uses a Global Catalog, which requires using referrals. The figure that follows illustrates this method.

Figure 2. Locating group memberships. This figure illustrates the process of locating group memberships.

A variation on this method is to not use universal groups. We can use this approach when universal groups are not available.

Avoid trouble: This approach does not use the Global Catalog.gotcha

We might consider using the Microsoft Active Directory Global Catalog as the WAS registry. There are three scenarios; however, the first two scenarios demonstrate how failures occur.

  1. If we configure WebSphere Application Server to use Global Catalog as its LDAP registry and follow referrals, then individual users are visible in each domain controller. Because a user must exist only once in the registry, all logins fail.

  2. If we configure WebSphere Application Server to use Global Catalog as its LDAP registry and do not follow referrals and the individual users are within global groups, then group membership is incomplete. See the following figure, which illustrates this limitation.

    Figure 3. Global catalog (without using referrals). An illustration of a Global Catalog without using referrals

  3. When you configure WebSphere Application Server to use Global Catalog as its LDAP registry, do not follow referrals, and users are directly contained within universal global groups, then group membership is complete.

When you select any of these scenarios, consult appropriate Microsoft Active Directory information to completely understand any implications the scenarios might have on the configuation planning.gotcha


Related concepts

  • Groups spanning domains with Microsoft Active Directory
  • Authentication using Microsoft Active Directory
  • Options for finding group membership within a Microsoft Active Directory forest


    Related tasks

  • Use Microsoft Active Directory for authentication
  • Locating user group memberships in a Lightweight Directory Access Protocol registry
  • Authenticating users with LDAP registries in a Microsoft Active Directory forest