Choosing a Search Scope in Active Directory

This article was born from my own need: I had a requirement to build an application that searches for a user by User Id or Email Id, so I analysed how to choose the search scope in Active Directory for that requirement.

The decision of whether to search the Global Catalog (GC) or the domain comes down to the required scope:

  • When the search scope is the domain or an organizational unit, the query can be resolved within the domain partition by using an ordinary LDAP search
  • When the search scope is the forest, the query can be resolved across any partition by using the Global Catalog

What is Global Catalog [GC]?

The Global Catalog (GC) is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. It enables searching for Active Directory objects in any domain in the forest without the need for subordinate referrals. You can find objects of interest quickly without having to know which domain holds the object.

The Global Catalog is most commonly used for two things: forest-wide searches and user logon. Let’s see the default port numbers.

Global Catalog Servers using the LDAP Service

Service Name   TCP Port # (Default)
LDAP           3268
LDAP [SSL]     3269

Domain Search using the LDAP Service

Service Name   TCP Port # (Default)
LDAP           389
LDAP [SSL]     636

Port 3268

This port is used for queries that are specifically targeted at the Global Catalog. LDAP requests sent to port 3268 can be used to search objects in the entire forest. However, only the attributes marked for replication to the Global Catalog can be returned.

For example: a user’s Auditing department could not be returned using port 3268, since this attribute is not replicated to the GC.

Port 389

This port is used for requesting information from a Domain Controller. LDAP requests sent to port 389 can be used to search objects only within the home domain of the server you bind to (even if that server is also a Global Catalog). However, the application can obtain all of the attributes of the objects it finds.

For example: a request to port 389 could be used to obtain a user’s Auditing department.

How a Global Catalog search differs from a standard LDAP search

  • Global Catalog queries are directed to port 3268, which explicitly indicates that Global Catalog semantics are required. By default, ordinary LDAP searches are received through port 389. If you bind to port 389, even if you bind to a Global Catalog server, your search includes a single domain directory partition. If you bind to port 3268, your search includes all directory partitions in the forest
  • A Global Catalog search can specify a non-instantiated search base, such as “com” or “” (a blank search base)
  • Global Catalog searches cross directory partition boundaries, whereas the extent of a standard LDAP search is a single directory partition
  • Global Catalog searches do not return subordinate referrals. If you use port 3268 to request an attribute that is not in the GC, you do not receive a referral to it. Subordinate referrals are an LDAP response; when you query over port 3268, you receive Global Catalog responses, which are based solely on the contents of the Global Catalog. If you query the same server by using port 389, you receive referrals for objects that are in the forest but whose attributes are not referenced in the Global Catalog
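
As an added example (my own sketch, not code from the original article), the following Python turns the port sections and the list above into a search plan for the User Id or Email Id lookup: the scope picks port 3268/3269 with a blank base or 389/636 with the domain DN, attributes the GC cannot return are flagged up front, and the user-supplied identifier is escaped before it goes into the filter. The domain DN, the set of GC-replicated attributes and the attribute names used in the filter are assumptions.

```python
from dataclasses import dataclass

# Ports from the article: 3268/3269 hit the Global Catalog (forest-wide, partial
# attribute set); 389/636 hit one domain partition with all attributes.
GC_PORT, GC_SSL_PORT = 3268, 3269
DOMAIN_PORT, DOMAIN_SSL_PORT = 389, 636

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP filter. Without it an
    input like "*)(objectClass=*" would match every object in the scope."""
    out = []
    for ch in value:
        if ch in "\\*()" or ord(ch) < 0x20:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

@dataclass
class SearchPlan:
    port: int
    base_dn: str
    ldap_filter: str
    unavailable_attrs: tuple  # requested attributes this endpoint cannot return

def plan_user_search(identifier, scope, domain_dn,
                     attrs=("sAMAccountName", "mail"),
                     gc_replicated=frozenset({"sAMAccountName", "mail"}),
                     use_ssl=False):
    """scope "domain": port 389/636, base = domain DN, every attribute available.
    scope "forest": port 3268/3269, blank base; attributes outside the GC
    partial attribute set (gc_replicated, an assumed set) are reported as
    unavailable instead of silently coming back empty."""
    if scope not in ("domain", "forest"):
        raise ValueError("scope must be 'domain' or 'forest'")
    safe = escape_filter_value(identifier)
    ldap_filter = f"(&(objectClass=user)(|(sAMAccountName={safe})(mail={safe})))"
    if scope == "forest":
        port = GC_SSL_PORT if use_ssl else GC_PORT
        missing = tuple(a for a in attrs if a not in gc_replicated)
        return SearchPlan(port, "", ldap_filter, missing)
    port = DOMAIN_SSL_PORT if use_ssl else DOMAIN_PORT
    return SearchPlan(port, domain_dn, ldap_filter, ())
```

Feed the returned port, base DN and filter to whatever LDAP client you use; when `unavailable_attrs` is non-empty, a domain-scoped query on port 389 is the way to get those attributes, as the article describes.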

Conclusion

Now that you have the data points from this article on choosing a search scope in Active Directory, think over your requirement once more and then choose appropriately!