Domain Controller Global Catalog Best Practice
Because every domain controller stores the only domain directory partition in the forest, configuring each domain controller as a global catalog server does not require any additional disk space usage, CPU usage, or replication traffic.
Avoid direct login to domain controllers for day-to-day work. If every domain controller in a given domain that is located in a multidomain forest does not host the global catalog, the infrastructure master must be placed on a domain controller that does not host the global catalog. There's a rule of trust with trees: when a new domain joins a tree, it's immediately trusted by the other domains in the group.
Restrict membership of critical groups like Administrators, Schema Admins, Enterprise Admins, and Domain Admins. The best practice is to add the GC in each domain controller of your infrastructure, but in most cases it's better to avoid this. In a single-domain forest, configure all domain controllers as global catalog servers.
In practical terms, most administrators host the global catalog on every domain controller in the forest. They share a network configuration, schema, and global catalog. The predefined attributes that are copied into a global catalog are known as the partial attribute set.
A global catalog server is a domain controller that stores copies of all Active Directory objects in the forest. It stores a complete copy of all objects in the directory of your domain and a partial copy of all objects of all other forest domains. Promoting a domain controller to be a global catalog is a simple change that initiates replication of the partial attribute set for each domain in the forest other than the domain controller's domain.
To make a domain controller a global catalog, start by launching the Active Directory Sites and Services MMC snap-in. By default, the attributes that are stored in the global catalog are those that are most frequently used in queries, such as a user's first name, last name, and logon name. You can configure additional domain controllers to be global catalog servers to balance the logon authentication traffic and query traffic.
Users are allowed to add or delete the attributes stored in a global catalog, and thus change the database schema. There should be a global catalog server at each site. There is a sixth, unofficial FSMO domain controller role in AD called the global catalog.
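
The placement rules above can be checked with a read-only audit. The script below is an added example, not part of the original page; it assumes the ActiveDirectory (RSAT) PowerShell module is installed and that the account running it can read every domain in the forest.

```powershell
# Added example: read-only audit of global catalog (GC) placement.
# Assumption: ActiveDirectory (RSAT) module present, read access to all domains.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$multiDomain = @($forest.Domains).Count -gt 1
$allDcs      = @()

foreach ($domainName in $forest.Domains) {
    $dcs     = @(Get-ADDomainController -Filter * -Server $domainName)
    $allDcs += $dcs
    $nonGc   = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # FQDN of the DC holding the infrastructure master role for this domain
    $imName = (Get-ADDomain -Server $domainName).InfrastructureMaster
    $im     = $dcs | Where-Object { $_.HostName -eq $imName }

    # Single-domain forest: all DCs should be GC servers.
    if (-not $multiDomain -and $nonGc.Count -gt 0) {
        [pscustomobject]@{
            Scope   = $domainName
            Finding = 'Single-domain forest with non-GC domain controllers'
            Detail  = $nonGc.HostName -join ', '
        }
    }

    # Multidomain forest where not every DC in the domain is a GC:
    # the infrastructure master must sit on a DC that is not a GC.
    if ($multiDomain -and $nonGc.Count -gt 0 -and $im -and $im.IsGlobalCatalog) {
        [pscustomobject]@{
            Scope   = $domainName
            Finding = 'Infrastructure master is on a GC while other DCs are not GCs'
            Detail  = $imName
        }
    }
}

# Every site should have a GC. Only sites that contain at least one DC
# are visible here; sites with no DC at all are not covered by this check.
$allDcs | Group-Object -Property Site | ForEach-Object {
    if (-not ($_.Group | Where-Object { $_.IsGlobalCatalog })) {
        [pscustomobject]@{
            Scope   = $_.Name
            Finding = 'Site has domain controllers but no GC server'
            Detail  = $_.Group.HostName -join ', '
        }
    }
}
```

No output means none of the three conditions was found; pipe the result to `Format-Table -AutoSize` for review.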