A Global Catalog in a Microsoft Active Directory installation with the product is a single Lightweight Directory Access Protocol (LDAP) repository that contains a subset of user information from all the domains in the forest. This information includes user IDs, authentication information, and groups, but not all the group information.

You can use the Global Catalog on any domain controller in the forest, even in subdomains. The Global Catalog is a solution to the WebSphere® Application Server limitation of a "single registry". There are limitations to the Global Catalog. Users from the local domain controller contain group "memberOf" information. Users from a foreign domain controller contain limited "memberOf" information because the global group information is not replicated to every domain controller.
Nested global groups in universal groups

This is a typical structure of group membership and consists of the following characteristics:
- Users are distributed across domain controllers in a forest containing multiple domain controllers.
- Users are defined in global groups within their own local domain controller.
- A universal group contains the global groups, which reflects a Java Platform, Enterprise Edition (Java EE) role that maps to a set of users spread across multiple domain controllers.

The following figure illustrates nested global groups in universal groups.

Figure 1. Nested global groups in universal groups.
It is a challenge to develop methods of configuring WebSphere Application Server to be able to find users and their group memberships when the information is spread across multiple domain controllers. One method requires that WebSphere Application Server follow LDAP referrals to find the home domain controller for each user and that WebSphere Application Server perform nested group queries.

Avoid trouble: This approach does not use the Global Catalog.

Another method, and the simplest approach, has universal groups that contain users and uses a Global Catalog, which requires using referrals. The figure that follows illustrates this method.

Figure 2. Locating group memberships.
A variation on this method is to not use universal groups. You can use this approach when universal groups are not available, which is normally the case when you use Microsoft Windows® 2000 mixed domain functional level. In this case, the WebSphere Application Server administrator binds Java Platform, Enterprise Edition (Java EE) roles to a set of global groups spread across multiple domain controllers.

Avoid trouble: This approach does not use the Global Catalog.
You might consider using the Microsoft Active Directory Global Catalog as the WebSphere Application Server registry. There are three scenarios. The first two scenarios demonstrate how failures occur.
- If you configure WebSphere Application Server to use the Global Catalog as its LDAP registry and follow referrals, then individual users are visible in each domain controller. Because a user must exist only once in the registry, all logins fail.
- If you configure WebSphere Application Server to use the Global Catalog as its LDAP registry and do not follow referrals, and the individual users are within global groups, then group membership is incomplete. See the following figure, which illustrates this limitation.

Figure 3. Global catalog (without using referrals).

- When you configure WebSphere Application Server to use the Global Catalog as its LDAP registry, do not follow referrals, and users are directly contained within universal global groups, then group membership is complete.

Avoid trouble: When you select any of these scenarios, consult appropriate Microsoft Active Directory information to completely understand any implications the scenarios might have on your configuration planning.
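The second scenario above fails because the Global Catalog answer for a user from another domain carries only part of that user's memberOf values. The following shell script is an added example, not from this page or from WebSphere, that uses OpenLDAP ldapsearch to read one user's memberOf attribute through the Global Catalog port (3268) and through the user's home domain controller (389) and lists the memberships the Global Catalog view is missing; the host names, bind DN, search base and the USER_SAM account name are assumed placeholders.

```shell
#!/bin/sh
# Added example: compare one user's memberOf values as seen through the
# Global Catalog (TCP 3268) with those seen on the user's home domain
# controller (TCP 389). Memberships present on the home DC but absent
# from the GC answer are the ones a "do not follow referrals" Global
# Catalog registry would lose. Hosts, bind DN and base DN are assumed.

GC_HOST="${GC_HOST:-gc.example.com}"          # any DC that hosts the Global Catalog
HOME_DC="${HOME_DC:-dc1.child.example.com}"   # the user's home domain controller
BIND_DN="${BIND_DN:-CN=websphere,CN=Users,DC=example,DC=com}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"

# Fetch the memberOf attribute of one user as LDIF. -o ldif-wrap=no keeps
# each DN on one line so the sed extraction below sees complete values.
fetch_member_of() {  # $1 host, $2 port, $3 sAMAccountName
    ldapsearch -LLL -o ldif-wrap=no -H "ldap://$1:$2" -D "$BIND_DN" -W \
        -b "$BASE_DN" "(sAMAccountName=$3)" memberOf
}

# Print the memberOf DNs in LDIF text ($1), one per line, sorted.
member_of_from_ldif() {
    printf '%s\n' "$1" | sed -n 's/^memberOf: //p' | sort
}

# Print every group DN in the home-DC LDIF ($1) that the Global Catalog
# LDIF ($2) does not report.
missing_groups() {
    gc=$(member_of_from_ldif "$2")
    member_of_from_ldif "$1" | while IFS= read -r dn; do
        printf '%s\n' "$gc" | grep -qxF -- "$dn" || printf '%s\n' "$dn"
    done
}

# Number of memberships the Global Catalog view is missing.
missing_count() {
    missing_groups "$1" "$2" | awk 'END { print NR }'
}

# Live comparison, run only when USER_SAM names the account to check.
if [ -n "${USER_SAM:-}" ]; then
    home_ldif=$(fetch_member_of "$HOME_DC" 389 "$USER_SAM")
    gc_ldif=$(fetch_member_of "$GC_HOST" 3268 "$USER_SAM")
    echo "memberships missing from the Global Catalog view: $(missing_count "$home_ldif" "$gc_ldif")"
    missing_groups "$home_ldif" "$gc_ldif"
fi
```

Run it as `USER_SAM=jdoe sh gc-check.sh`; ldapsearch prompts for the bind password. A non-zero count for a user from a foreign domain shows a membership that a Global Catalog registry without referrals cannot supply to WebSphere.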