Active Directory Domain Services (AD DS)
Lesson 11

Understanding Gc and Kerberos Authentication

By Sai Kurada
September 14, 2023
Global Catalog (GC):

The Global Catalog is a crucial component in an Active Directory (AD) environment. It's a distributed data repository that contains a subset of attributes for all objects in a forest.

Here are the key points about the Global Catalog:

Subset of Attributes: Unlike a regular domain controller, which holds a full copy of the AD database for its domain, a Global Catalog server stores a partial replica with a specific set of attributes for all objects in the forest.
Universal Query Capability: It allows for forest-wide searches. This means that you can search for an object in any domain within the forest without needing to know which specific domain contains the object.
Crucial for User Authentication and Authorization:
  • The Global Catalog is used in the authentication process, especially when a user logs in with their user principal name (UPN) or searches for users in a multidomain environment.
  • It helps determine which domain contains the user account and provides the necessary information for authentication.
Port 3268/3269: Global Catalog services use specific ports (TCP 3268 for LDAP and TCP 3269 for LDAPS) for queries. These ports should be open in the firewall to allow Global Catalog queries.
Universal Group Membership Caching (UGMC):
  • In situations where a domain controller is not available, Global Catalog servers with UGMC enabled can cache Universal group memberships for logon requests.
Preventing "Single Point of Failure":
  • To ensure high availability, it's recommended to have multiple Global Catalog servers in a network. If one goes down, others can continue to handle queries.

Kerberos Authentication:

Kerberos is a widely used network authentication protocol that provides secure authentication over a non-secure network, like the internet. It was developed at MIT and is now an open standard.

Here are the key points about Kerberos Authentication:

Ticket-based Authentication:
  • Kerberos relies on a system of tickets to authenticate users. When a user logs in, they request a ticket from the Key Distribution Center (KDC) server.
Principals and Realms:
  • Users and services are identified by their principals, which are typically in the format user@REALM. The realm is the Kerberos domain, often corresponding to the DNS domain.
Key Distribution Center (KDC):
  • The KDC is a crucial component in the Kerberos authentication process. It consists of two parts:
  • Authentication Server (AS): Handles initial authentication requests and issues Ticket Granting Tickets (TGTs).
  • Ticket Granting Server (TGS): Accepts TGTs and issues service tickets.
Ticket Lifetime:
  • Tickets have a limited validity period. Once issued, they can be used until they expire. This helps mitigate security risks in case a ticket is intercepted.
Mutual Authentication:
  • Kerberos provides mutual authentication, meaning both the client and server authenticate each other. This helps prevent "man-in-the-middle" attacks.
Single Sign-On (SSO):
  • Once authenticated, users can access various network resources without needing to re-enter their credentials. This is known as Single Sign-On.
Delegation of Tickets:
  • In constrained delegation scenarios, a service can be granted permission to use a user's authentication ticket to access other services on behalf of the user.


Global Catalog provides a searchable, forest-wide directory service, while Kerberos Authentication is a secure, ticket-based authentication protocol used in Windows environments. Together, they play vital roles in ensuring secure and efficient network operations in an Active Directory environment.