Problem solve Get help with specific problems with your technologies, process and projects.

Placing global catalog servers in Active Directory

The global catalog is the master index of objects within an Active Directory forest. This tip explains how to properly place them in your environment.

When designing and implementing an Active Directory domain, you need to think about the placement of your global catalog servers. The global catalog is the master index of objects within an Active Directory forest. The global catalog serves as a quick search tool to locate objects within a forest. Every domain must have at least one global catalog server. The first domain controller (DC) installed into a domain automatically serves as that domain's global catalog server by default. As the size of your forest grows, there may become a need to configure additional global catalog servers throughout the forest (i.e., in each domain).

There are two main issues to consider when placing global catalog servers into a domain. The first is the traffic levels and the second is the location of infrastructure FSMO (flexible single master operations) servers.

As the forest gets larger, so does the global catalog. As the global catalog expands, the amount of replication traffic it generates increases. Global catalog servers replicate with each other. This is separate replication traffic from that used to support Active Directory itself. From an overall perspective of the forest, when fewer global catalog servers are deployed in a forest, there will be less replication traffic, but it will cause more query traffic. Conversely, deploying more global catalog servers in a forest will cause more replication traffic, but reduce query traffic. Replication traffic can also be managed through the use of sites by placing at least one global catalog server in each site.

The second issue is the selection of a domain controller to act as the host for the global catalog. Domain controllers can serve numerous roles in a domain and/or forest; global catalog server is but one of them.

A very important infrastructure design issue to consider is where the infrastructure FSMO role is assigned. Whenever possible, the global catalog server and the infrastructure FSMO server should be separate domain controllers. By default, the first domain controller installed into a forest has all of the possible server roles assigned to it. Thus, the first domain controller in a forest hosts both the infrastructure FSMO role and the global catalog. Immediately after installing a second domain controller in the forest, move one of these roles to the new DC. The reason for this is that the infrastructure FSMO server is responsible for cleaning up stale references in between objects in the forest. Objects that have been moved, renamed or deleted often leave stale (i.e., invalid) references. Stale references are located by checking each object against the global catalog server. If these two DC roles are on the same box, the verification process fails to recognize invalid references, and thus cleanup doesn't take place.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

Dig Deeper on Microsoft Active Directory Design and Administration