Behind the Scenes with Active Directory

Brien Posey explains some of Active Directory's intricacies, including the global catalog and replication between Active Directory servers.

 By Brien M. Posey

Recently, I've written several articles discussing various aspects of working with Active Directory. However, while working on those articles, I realized that although I knew quite a bit about working with Active Directory, I knew very little about how Active Directory actually works with Windows 2000. Needless to say, I did some research. In this article, I'll discuss the global catalog and the issue of replication between Active Directory servers.

Global Catalog

If you have ever managed a Windows NT network, you're familiar with the concept of domains. In Windows NT, the first domain controller (DC) you initially brought online became your primary domain controller (PDC). It held the master copy of all the Windows NT security accounts. If you brought additional DCs online within the domain, they received a copy or replica of the information held by the PDC. If any changes were made to the security information, only the copy on the PDC would be changed. The PDC would alert the backup DCs of the change, and they would request the update when they had time to do so.

Right now, you're probably wondering what my little crash course in Windows NT could possibly have to do with Active Directory. However, because Active Directory functions similarly in some aspects to the Windows NT domain model, it seems appropriate to compare it to something that most of us are familiar with.

In Windows NT, the PDC was the central repository of all security account information. In Windows 2000, this role is played by the global catalog. The global catalog is created automatically when you bring the first DC online. The global catalog is actually nothing more than a database; it contains a full copy of every directory service object from the global catalog's host domain. It also contains a partial copy of every directory service object from every domain within the forest. This partial copy attempts to conserve space by copying only the most commonly searched attributes of each object, such as a user's login name or first or last name.

In Windows NT, the PDC was responsible for validating security information and for authenticating logins. However, this isn't the case with the global catalog. As I mentioned earlier, the global catalog is only a database--it doesn't validate logins. Logins are still authenticated by a DC. However, when a DC receives a login request, it checks with a global catalog server for the user's global group information.

Basically, the global catalog has two main functions: It aids network logins by providing universal group information to DCs during the login process, and it allows users to search for directory service objects in a quick and efficient manner regardless of where the objects are located within the forest.

As you can see, the global catalog plays an important part in Windows 2000. If the global catalog server goes down, only users of the Domain Admins group can log in to the network. Fortunately, any DC can be designated as a global catalog server. Therefore, it's possible to protect yourself by having more than one global catalog server.
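Because a lone global catalog server is a single point of failure for logons, a practical check is to confirm that the forest has more than one and that each site has one nearby. The following PowerShell is an added example, not from the original article; it assumes the RSAT ActiveDirectory module for the live query, while the audit function itself only needs objects carrying HostName, Domain, Site and IsGlobalCatalog properties and is first run on constructed sample data.

```powershell
# Added example (not from the original article): audit global catalog coverage
# so that a single GC outage cannot block non-admin logons.
# Assumes the ActiveDirectory module (RSAT) for the live query; the function
# itself only needs objects with HostName, Domain, Site and IsGlobalCatalog.

function Get-GlobalCatalogCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $DomainControllers,
        [int] $MinimumGcCount = 2   # one GC is a single point of failure for logons
    )

    $gcs = @($DomainControllers | Where-Object { $_.IsGlobalCatalog })

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($gcs.Count -lt $MinimumGcCount) {
        $findings.Add("Forest has $($gcs.Count) global catalog server(s); at least $MinimumGcCount recommended.")
    }

    # A site with DCs but no GC forces every logon there to cross a site link to reach a GC.
    foreach ($site in ($DomainControllers | Group-Object -Property Site)) {
        if (-not ($site.Group | Where-Object { $_.IsGlobalCatalog })) {
            $findings.Add("Site '$($site.Name)' has DCs but no global catalog server.")
        }
    }

    [pscustomobject]@{
        GlobalCatalogs = @($gcs | ForEach-Object { $_.HostName })
        Findings       = $findings
    }
}

# Constructed sample data standing in for Get-ADDomainController output.
$sampleDCs = @(
    [pscustomobject]@{ HostName = 'dc1.corp.example'; Domain = 'corp.example'; Site = 'HQ';     IsGlobalCatalog = $true  }
    [pscustomobject]@{ HostName = 'dc2.corp.example'; Domain = 'corp.example'; Site = 'HQ';     IsGlobalCatalog = $false }
    [pscustomobject]@{ HostName = 'dc3.corp.example'; Domain = 'corp.example'; Site = 'Branch'; IsGlobalCatalog = $false }
)
Get-GlobalCatalogCoverage -DomainControllers $sampleDCs | Format-List

# Against a live forest (requires the RSAT AD module and domain connectivity).
if (Get-Command Get-ADDomainController -ErrorAction SilentlyContinue) {
    Get-GlobalCatalogCoverage -DomainControllers (Get-ADDomainController -Filter *) | Format-List
}
```

On the sample data the report flags both a forest with a single global catalog and the Branch site with no local one; the same two conditions are what you want empty on a real forest.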
Now that you know something about how the global catalog works, let's discuss how information stored in the global catalog is replicated among servers within the domain. As I mentioned earlier, in Windows NT, changes to the security information could only be made to the PDC. Backup DCs had to obtain updates from the PDC. In Windows 2000, this isn't the case. Windows 2000 uses a multimaster domain model. This means that any DC can accept updates and is responsible for replicating those updates to other DCs.

This article was originally published on Nov 2, 2000