Domain Controller Roles - protege987/Active-Directory-Domain-Services GitHub Wiki
Introduction
When setting up a new PC you can install Windows Server and configure it for a server role. When creating a new forest, a new domain, or an additional domain controller (DC) in an existing domain, you configure the DC by installing AD DS. A domain controller stores objects for only one domain, but if a DC is set as a global catalog server it also holds copies of all Active Directory objects in the forest: a complete copy of all objects in the directory of its own domain and a partial copy of all objects of every other domain in the forest.
What does this mean?
Having a Global Catalog (GC) allows users and applications to find objects in any domain of the current forest by searching for attributes included in the GC. It is important to note that the GC only holds a partial (incomplete) set of attributes for each forest object in each domain (the Partial Attribute Set, PAS). The GC receives data from all the domain directory partitions in the forest; the data is copied using the standard AD replication service. For each object that is not in the domain for which the global catalog server is authoritative as a domain controller, a limited set of attributes is stored in a partial replica of the corresponding domain. The partial replicas on a global catalog server are not writable: you cannot update an object in a partial replica on a global catalog server, only on a domain controller that stores a full replica.
What is copied?
The set of attributes that are copied to the Global Catalog is defined in the AD schema.
More information about the schema can be seen in ADSI Edit.
- Once ADSI Edit is open, click Action > Connect to...
- A small window named "Connection settings" will pop up
- Select "Select a well known Naming Context" and choose Schema from the drop-down
How to see what schema version?
In PowerShell:

```powershell
(Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
```
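The set of attributes copied to the GC is the Partial Attribute Set defined in the schema; the following added example (not from the original wiki page) reads the schema version shown above and then lists which attributes the schema flags for GC replication. It assumes the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example: enumerate the Partial Attribute Set (PAS) from the schema partition.
# Assumes the RSAT ActiveDirectory module and a domain-joined PowerShell session.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Schema version, the same query the page shows
$schemaVersion = (Get-ADObject $schemaNC -Properties objectVersion).objectVersion
"Schema objectVersion: $schemaVersion"

# attributeSchema objects with isMemberOfPartialAttributeSet=TRUE are replicated to every GC
$pas = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName |
    Sort-Object

"$($pas.Count) attributes are in the Partial Attribute Set"

# Spot-check attributes an operator typically searches for on port 3268.
# Note: 'member' is in the PAS, but a GC only stores member values for universal
# groups (global and domain-local membership is not replicated); the flag alone
# does not tell you that.
foreach ($attr in 'userPrincipalName', 'sAMAccountName', 'member', 'operatingSystem', 'info') {
    $state = if ($pas -contains $attr) { 'replicated to GC' } else { 'full replica only (not in GC)' }
    '{0,-20} {1}' -f $attr, $state
}
```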
Example of practical function of a Global Catalog (GC)
As an example of why a GC is important and what its function is, the following is taken from the theitbros website (https://theitbros.com/global-catalog-active-directory/):
Imagine a workstation requesting information about an object from another domain in the current AD forest. The computer contacts the nearest GC with a request to provide it with information about this object. The GC server can perform one of the following things:
- Immediately return the necessary information to the workstation (if this information is stored on the GC server);
- Redirect the query to the correct Domain Controller, where this information will definitely be located. Use GC search to understand which domain controller to redirect the request to.
Note: The first DC you promote is the first GC in the forest.
You can assign additional domain controllers as GC by selecting the Global Catalog option in the “Active Directory Sites and Services” snap-in (dssite.msc).
Global Catalog Server functions
Object search
- If a user searches for an object (user, computer, OU, shared folder) with an LDAP query whose scope is the entire directory (for example a search from the Start menu), the query is sent to the nearest GC server on port TCP/3268 (or TCP/3269 for LDAP over SSL). If for any reason there is no GC server in the domain, users and applications won't be able to perform searches across the AD forest.
Below is an example of an LDAP query with two wildcards using PowerShell (the `*` wildcards were lost in the original rendering and are restored here).

```powershell
Get-ADObject -LDAPFilter "(&(objectCategory=*)(objectClass=*))"
```
An LDAP query can also be run from the "Active Directory Users and Computers" MMC snap-in. More information about using queries can be found at https://theitbros.com/ldap-query-examples-active-directory/
Authentication
- When a user logs on to the domain, the GC server resolves the user principal name (UPN) if the authenticating domain controller has no knowledge of the user account.
For example:
- A user's account is located in cat1.sleepypaw.com
- The user logs on with the UPN [email protected]
- from a PC located in cat2.sleepypaw.com
- The DC (domain controller) in cat2.sleepypaw.com is not able to find the user account
- It must contact the GC (Global Catalog server) to complete the authentication
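The object-search and authentication behaviour described above can be observed directly with an LDAP query against port 3268. The following added example (not from the original wiki page) assumes the RSAT ActiveDirectory module, the page's forest sleepypaw.com with child domains cat1 and cat2, and a constructed user with UPN jdoe@cat1.sleepypaw.com; `$nonPasAttr` is a placeholder for an attribute you have confirmed is not in the PAS of your forest.

```powershell
# Added example: resolve a UPN through the Global Catalog and compare a partial replica
# with the full replica held by the authoritative domain.
# Assumes RSAT ActiveDirectory, forest sleepypaw.com, domains cat1/cat2 (from the page).
Import-Module ActiveDirectory

$forestRoot = 'sleepypaw.com'
$upn        = 'jdoe@cat1.sleepypaw.com'   # constructed sample user
$nonPasAttr = 'info'                      # placeholder: an attribute NOT in the PAS

# Port 3268 = GC (3269 for LDAPS). -SearchBase '' makes the query cover the whole forest.
# Any GC can answer, because userPrincipalName is part of the Partial Attribute Set.
$gc   = "${forestRoot}:3268"
$user = Get-ADUser -Server $gc -SearchBase '' -LDAPFilter "(userPrincipalName=$upn)" `
                   -Properties $nonPasAttr
if (-not $user) { throw "No object with UPN $upn found in the forest GC" }
"GC resolved $upn to $($user.DistinguishedName)"

# The same lookup against cat2's own partition (port 389) returns nothing: cat2 only
# holds a full replica of its own domain, which is why the cat2 DC must ask a GC.
$local = Get-ADUser -Server 'cat2.sleepypaw.com' -LDAPFilter "(userPrincipalName=$upn)"
"cat2 domain partition returns: $(if ($local) { 'the object' } else { 'nothing' })"

# Attributes outside the PAS are empty in the GC's partial replica of cat1; the
# authoritative cat1 DC (full replica) is the only place to read or write them.
$full = Get-ADUser -Server 'cat1.sleepypaw.com' -Identity $user.DistinguishedName `
                   -Properties $nonPasAttr
"$nonPasAttr from GC  : '$($user.$nonPasAttr)'"
"$nonPasAttr from cat1: '$($full.$nonPasAttr)'"
```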
Validates object references within a forest
Domain controllers use a Global Catalog to validate references to objects in other domains in the forest.
For example, a DC may hold a directory object (objectClass: computer) with an attribute such as operatingSystem. If an attribute on an object held by the domain controller contains a reference to an object in another domain, the domain controller checks the link by establishing a connection to the Global Catalog server.
Supplies universal group membership information in a multiple-domain environment
In summary, during the verification process the DC checks the authenticity of the user. The user then receives authorization data to access resources.
How does the DC provide this information?
The DC gets the security identifiers (SIDs) of all Active Directory groups that the user is a member of and adds these identifiers to the user's access token. A universal group can have members in different domains. Why is this important to note? A DC can always find domain local group and global group memberships for any user in its own domain; the membership of these groups (who is in the group) is not copied/replicated to the Global Catalog. In a single-domain forest, a domain controller can also always discover universal group memberships. In a multi-domain forest, however, a universal group may contain members from other domains that the DC does not hold. This is why the member attribute of universal groups, which contains the list of members in the group, is replicated to the global catalog. Therefore universal group membership can only be resolved by the GC server, which has catalog information at the forest level.
If a global catalog server is not available when a user logs on to a domain where universal groups are available, the user's client computer can use cached credentials to log on if the user has logged on to the domain previously. If the user has not logged on to the domain previously, the user can log on only to the local computer.
Exchange Address Book Search
When a user in an organization wants to look up someone in Outlook, this is normally done through the Global Address List (GAL). This list is created by Exchange from the results of an LDAP query that searches for all mail-enabled objects (users, contacts, and distribution groups). For example:
- A user opens the address book in Microsoft Outlook
- The user writes an email and enters a name in the To field; Outlook uses the GC server specified by the Exchange server
- Exchange mail servers use Active Directory and DNS to locate Global Catalog servers
Without a functioning GC, the Exchange Server can’t send and receive emails.
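Both the universal-group section and the Exchange section above depend on a GC being reachable in every domain; the following added example (not from the original wiki page) inventories the forest's GCs, confirms each domain can locate one, shows the DNS SRV records Exchange and clients use for that, and reads universal group membership from port 3268. It assumes the RSAT ActiveDirectory and DnsClient modules on a domain-joined host in forest sleepypaw.com.

```powershell
# Added example: check Global Catalog availability and universal group membership.
# Assumes RSAT ActiveDirectory and DnsClient (Resolve-DnsName) on a domain-joined host.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Global Catalog servers in forest $($forest.Name):"
$forest.GlobalCatalogs | ForEach-Object { "  $_" }

# Every domain needs a reachable GC; otherwise forest-wide searches fail and logons in
# domains with universal groups fall back to cached credentials (or fail outright).
foreach ($domain in $forest.Domains) {
    try {
        $gc = Get-ADDomainController -Discover -DomainName $domain -Service GlobalCatalog -ErrorAction Stop
        "  $domain : GC located -> $($gc.HostName)"
    } catch {
        "  $domain : NO GLOBAL CATALOG reachable"
    }
}

# Exchange and clients locate GCs through DNS SRV records under _gc._tcp.<forest>
"SRV records for _gc._tcp.$($forest.Name):"
Resolve-DnsName -Name "_gc._tcp.$($forest.Name)" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { "  $($_.NameTarget):$($_.Port)" }

# Universal groups (groupType bit 0x8, matched with the LDAP bitwise-AND rule) carry their
# member list in the GC; global and domain-local groups from other domains do not.
$gcServer = "$($forest.Name):3268"
Get-ADGroup -Server $gcServer -SearchBase '' -Properties member `
            -LDAPFilter '(groupType:1.2.840.113556.1.4.803:=8)' |
    Select-Object -First 10 |
    ForEach-Object { "  universal group $($_.Name): $($_.member.Count) member(s) visible on GC" }
```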
Sources:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780036(v=ws.10)?redirectedfrom=MSDN
- https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/howto-troubleshoot-upn-changes
- https://www.varonis.com/blog/active-directory-forest
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/find-current-schema-version
- https://theitbros.com/global-catalog-active-directory/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc730749(v=ws.11)?redirectedfrom=MSDN
- https://theitbros.com/check-active-directory-group-membership/
- https://theitbros.com/global-address-list-in-exchange/
- https://theitbros.com/how-to-create-dynamic-distribution-groups-in-microsoft-office-365/