Global Catalog Assistance

  • Last Post 20 October 2015
jeremy.stump posted this 20 October 2015

I have a vendor who needs to run searches in both of my domains at the same time using his PHP scripting. He says he can do the search of domain 1 and with global catalog services it can go to the other domain and pull back those users as well without him having to enter any information about domain 2 in his PHP scripts. I do not believe this is possible, and in the past using Kerberos via Linux we were able to reach into 2 domains with a service account that was a domain user, so it had the ability to do searches for users. My 2 domains have a two-way non-transitive trust in between them, both 2003 level.

Jeremy Stump | System Admin III | Information Technology | BMHCC - CORPORATE

ZJORZ posted this 20 October 2015

If the attributes in the query and the required attributes are available in the GC, you can use the GC. If either of the 2 is not true, then you must either target every individual AD domain or you target the top level domain and depend on chasing referrals. Referrals to other NCs are always given by the searched top level domain. However, it is the responsibility of the client to actually chase those referrals or not.

Kind regards,

Jorge de Almeida Pinto

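The decision Jorge describes (use the GC only when every attribute you filter on and read is in the partial attribute set, otherwise target each domain NC yourself rather than relying on referral chasing), written out as an added PHP example; it is not the vendor's script or anything from the thread. It assumes both domains are in one forest, and the host names, DNs, service account and attribute list are placeholders.

```php
<?php
// Added example, not the vendor's script: run one GC query when every requested
// attribute is in the partial attribute set (PAS), else query each domain NC. All values assumed.
$forestDn = 'DC=corp,DC=example';                               // forest root NC (assumed)
$domains  = ['DC=corp,DC=example'          => 'dc1.corp.example',
             'DC=child,DC=corp,DC=example' => 'dc1.child.corp.example']; // domain NC => a DC (assumed)
$gcHost   = 'dc1.corp.example';                                 // a GC-enabled DC (assumed)
$bindDn   = 'CN=svc-ldap,OU=Service,DC=corp,DC=example';        // service account (assumed)
$bindPw   = getenv('LDAP_BIND_PW');
$wanted   = ['sAMAccountName', 'mail', 'department'];
$filter   = '(&(objectCategory=person)(objectClass=user)(mail=*))';
function connect(string $host, int $port, string $dn, string $pw) {
    $ds = ldap_connect("ldap://$host:$port");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Do not auto-chase referrals: AD returns them for other NCs and leaves
    // following them to the client; this script targets each NC explicitly.
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (!ldap_bind($ds, $dn, $pw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }
    return $ds;
}
// The schema decides what the GC holds: an attribute replicates to the GC only
// if isMemberOfPartialAttributeSet is TRUE on its attributeSchema object.
function notInPartialAttributeSet($ds, string $forestDn, array $attrs): array {
    $schemaDn = 'CN=Schema,CN=Configuration,' . $forestDn;
    $missing  = [];
    foreach ($attrs as $a) {
        $f = '(&(objectClass=attributeSchema)(lDAPDisplayName=' . ldap_escape($a, '', LDAP_ESCAPE_FILTER) . '))';
        $e = ldap_get_entries($ds, ldap_search($ds, $schemaDn, $f, ['isMemberOfPartialAttributeSet']));
        if ($e['count'] === 0 || ($e[0]['ismemberofpartialattributeset'][0] ?? 'FALSE') !== 'TRUE') {
            $missing[] = $a;
        }
    }
    return $missing;
}
$ds      = connect($gcHost, 389, $bindDn, $bindPw);
$missing = notInPartialAttributeSet($ds, $forestDn, $wanted);
ldap_unbind($ds);
$entries = [];
if ($missing === []) {
    // Every attribute is in the PAS: one search on port 3268 with the forest root
    // as base returns matching users from every domain in the forest (read-only copies).
    $gc = connect($gcHost, 3268, $bindDn, $bindPw);
    $entries[] = ldap_get_entries($gc, ldap_search($gc, $forestDn, $filter, $wanted));
    ldap_unbind($gc);
} else {
    // At least one attribute is not replicated to the GC: search each domain NC on 389.
    foreach ($domains as $baseDn => $host) {
        $dc = connect($host, 389, $bindDn, $bindPw);
        $entries[] = ldap_get_entries($dc, ldap_search($dc, $baseDn, $filter, $wanted));
        ldap_unbind($dc);
    }
}
```

With separate forests (which a non-transitive trust between the two domains suggests, as the next reply points out), the GC branch never applies and only the per-domain branch is usable.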


gkirkpatrick posted this 20 October 2015

Hi Jeremy,


If the domains are part of the same AD forest, the entries for both domains will appear in each global catalog. Searching the GC doesn’t “go into” the other domain… the entries for all of the domains are replicated into each GC so they can be searched with a single query. Not all attributes are replicated into the GC; that’s controlled by the schema.


The security descriptors are replicated along with the GC entries, so searching is restricted by the permissions applied to the objects in their respective domains. By default any authenticated user in any domain can search the GC and see pretty much everything. The GC is read only, so you can’t update the entries in the GC directly; you have to update them in their own domain and the changes will replicate to the GC.


If the domains aren’t part of the same forest, then the GCs are separate and your vendor will have to do two separate searches.


This article explains the GC in some detail: