About universal groups and global catalogs - Security Center 5.11

Active Directory Integration Guide 5.11

Security Center supports synchronizing universal groups that belong to a global catalog. Users from different domains in an AD forest can then access Security Center through a single Active Directory role connected to a single domain controller that hosts the global catalog. Before synchronizing a universal group that belongs to a global catalog, note the points below.

Benefits of using a global catalog

A global catalog stores a copy of all AD objects in a forest, which provides several benefits:
  • The need to query multiple domains for information is eliminated since everything is stored in the global catalog.
  • Less time to process information.
  • Less bandwidth used.
  • Less replication of information.
  • Requires only a single Active Directory role connection. All users can access Security Center using the global catalog.
Before importing a universal group that belongs to a global catalog, note the following requirements:

  • There must be a trust relationship configured between all domains in the AD forest.
  • Primary groups are not supported.
  • To retrieve the directories within a forest, the Active Directory role user must be able to read the CN=Partitions, CN=Configuration, DC=ROOTDOMAIN, DC=COM container.
  • If you are importing a universal group that does not belong to a global catalog:
    • The Active Directory role contacts several Active Directory domains. The Active Directory role user must have the necessary permissions to access each of those domains within the forest.
    • The default port used to contact the AD is 389. If you are using a different port, you must append it to the AD server name defined in the Active Directory field on the Properties page, for example: ADServer.Genetec.com:3393.
  • If you are importing a universal group that belongs to a global catalog:
    • All groups and subgroups belonging to a global catalog must be universal groups. Otherwise, the Active Directory role might connect to multiple domains to download the necessary information.
    • The global catalog must be updated to include the attributes required for Security Center user and cardholder information. For the list of required attributes, see Global catalog attributes.
    • The default port used to contact the AD is 3268. If you are using a different port, you must append it to the AD server name defined in the Active Directory field on the Properties page. The name and port number must be separated by a colon, for example: ADServer.Genetec.com:3295.
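As an added example (not code from Genetec or from this guide), the rules above encoded as a pre-flight check: it derives host and port from the Active Directory field using the mode's default port, and walks a group tree to flag any nested group whose scope is not universal. The group records, DNs and groupType values are constructed sample data, not a real forest.

```python
# Added example, not part of Security Center: pre-flight checks for the
# global catalog requirements described above.

GC_PORT, LDAP_PORT = 3268, 389
# Scope bits of the AD groupType attribute (LDAP returns it as a signed 32-bit int).
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8


def server_endpoint(field: str, global_catalog: bool) -> tuple[str, int]:
    """Split the 'Active Directory' field into (host, port).
    A trailing ':port' overrides the default, which depends on the mode."""
    host, sep, port = field.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return field, (GC_PORT if global_catalog else LDAP_PORT)


def non_universal_groups(groups: dict, root: str) -> list[str]:
    """Walk the member tree from `root` and return the DNs of every group whose
    scope is not universal. A non-empty result means the role would have to
    contact several domains to resolve the group instead of just the GC."""
    bad, seen, stack = [], set(), [root]
    while stack:
        dn = stack.pop()
        if dn in seen:              # guard against circular nesting
            continue
        seen.add(dn)
        group = groups[dn]
        if not group["groupType"] & UNIVERSAL:
            bad.append(dn)
        # Only members that are themselves groups are descended into.
        stack.extend(m for m in group["member"] if m in groups)
    return sorted(bad)


# Constructed sample: a universal security group that nests one global group.
SAMPLE = {
    "CN=SC-Operators,DC=corp,DC=example": {
        "groupType": -2147483640,   # 0x80000008: security-enabled + universal
        "member": ["CN=Site-Admins,DC=east,DC=corp,DC=example",
                   "CN=alice,DC=corp,DC=example"],
    },
    "CN=Site-Admins,DC=east,DC=corp,DC=example": {
        "groupType": -2147483646,   # 0x80000002: security-enabled + global
        "member": [],
    },
}
```

Running `non_universal_groups(SAMPLE, "CN=SC-Operators,DC=corp,DC=example")` reports the nested global group, which is exactly the case the guide warns about.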