Security Center supports synchronizing universal groups that belong to a global catalog. Users from different domains in an AD forest can access Security Center using one Active Directory role connected to one domain controller (global catalog). There are some things that you should know before synchronizing a universal group that belongs to a global catalog.
Benefits of using a global catalog
A global catalog stores a copy of all AD objects in a forest, which provides many benefits:
- The need to query multiple domains for information is eliminated since everything is stored in the global catalog.
- Less time to process information.
- Less bandwidth used.
- Less replication of information.
- Requires only a single Active Directory role connection. All users can access Security Center using the global catalog.
Requirements
Before importing a universal group that belongs to a global catalog, note the following requirements:
- There must be a trust relationship configured between all domains in the AD forest.
- Primary groups are not supported.
- To retrieve the directories (partitions) within a forest, the Active Directory role user must have read access to the CN=Partitions,CN=Configuration,DC=ROOTDOMAIN,DC=COM container.
- If you are importing a universal group that does not belong to a global catalog:
  - The Active Directory role contacts several Active Directory services. The Active Directory role user must have the necessary permissions to access the different Active Directory services within a forest.
  - The default port used to contact the AD is 389. If you are using a different port, you must append it to the AD server name defined in the Active Directory field on the Properties page, for example: ADServer.Genetec.com:3393.
- If you are importing a universal group that belongs to a global catalog:
  - All groups and subgroups belonging to a global catalog must be universal groups. Otherwise, the Active Directory role might connect to multiple domains to download the necessary information.
  - The global catalog must be updated to include the attributes required for Security Center user and cardholder information. For the list of required attributes, see Global catalog attributes.
  - The default port used to contact the AD is 3268. If you are using a different port, you must append it to the AD server name defined in the Active Directory field on the Properties page. The name and port number must be separated by a colon, for example: ADServer.Genetec.com:3295.
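As an added example (not from the Security Center documentation or Genetec), the following PowerShell pre-flight check verifies the global catalog requirements above using the ActiveDirectory module, run as the account the Active Directory role will use. The server name, port and group name are placeholders for your environment.

```powershell
# Added example: pre-flight checks for synchronizing a universal group from a global catalog.
# $GcServer, $GcPort and $GroupName are placeholders; replace them with your own values.
Import-Module ActiveDirectory

$GcServer  = 'ADServer.example.com'           # global catalog host (placeholder)
$GcPort    = 3268                             # default global catalog port
$GroupName = 'SC-Operators'                   # universal group to synchronize (placeholder)
$Gc        = '{0}:{1}' -f $GcServer, $GcPort  # server name and port separated by a colon

# 1. The global catalog port must be reachable from the server hosting the role.
$tcp = Test-NetConnection -ComputerName $GcServer -Port $GcPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "Port $GcPort on $GcServer is not reachable." }

# 2. The role user must be able to read CN=Partitions under the configuration naming
#    context; this is the container the role reads to enumerate the forest's directories.
$rootDse    = Get-ADRootDSE -Server $Gc
$searchBase = "CN=Partitions,$($rootDse.configurationNamingContext)"
$partitions = Get-ADObject -Server $Gc -SearchBase $searchBase -Filter 'objectClass -eq "crossRef"' -Properties nCName
if (-not $partitions) { throw "Cannot read $searchBase; check the role user's read permissions." }
"Readable partitions: " + ($partitions.nCName -join '; ')

# 3. The group and every nested subgroup must have Universal scope; otherwise the role
#    may have to contact individual domain controllers instead of the global catalog.
#    Membership is read from the 'member' attribute, which the global catalog replicates
#    for universal groups.
function Get-NonUniversalGroups {
    param([string]$Identity, [hashtable]$Seen = @{})
    $g = Get-ADGroup -Server $Gc -Identity $Identity -Properties GroupScope, member
    if ($Seen.ContainsKey($g.DistinguishedName)) { return }   # guard against nesting loops
    $Seen[$g.DistinguishedName] = $true
    if ($g.GroupScope -ne 'Universal') { $g.DistinguishedName }
    foreach ($dn in $g.member) {
        $obj = Get-ADObject -Server $Gc -Identity $dn -Properties objectClass
        if ($obj.ObjectClass -eq 'group') { Get-NonUniversalGroups -Identity $dn -Seen $Seen }
    }
}
$bad = @(Get-NonUniversalGroups -Identity $GroupName)
if ($bad.Count) { "Groups that are not universal (fix before synchronizing):"; $bad }
else            { "All groups under $GroupName are universal." }
```

If the role uses a non-default port, change $GcPort to match the value appended to the server name in the Active Directory field.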