How to search AD Global Catalogue rather than Domain Controller?
I have some C# code that successfully searches a domain; however, our customer is saying that it needs to search the global catalogue. How easy is this? Does it make any sense?
AD Global Catalog (GC) can be on any Domain Controller (usually it is on all of them), and changes made to Active Directory replicate to all domain controllers every few minutes. There are, however, some settings in AD that are not replicated and can only be found on a particular domain controller; that's why it's often necessary to search for the value on all domain controllers rather than just ask one.
So to answer your question: you are most likely doing a good job (can't say for sure without source code) querying one domain controller, and this is exactly what your customer is requiring you to do. But you may need to add an option to scan other domain controllers for additional information (this could be Last Logon Times for users, which, if I remember correctly, are stored per domain controller and not replicated).
Unless there's more to it than you are telling us in the question :-)
First of all, the Global Catalog is a directory. Programmatically, it can be queried in exactly the same way as Active Directory.
You just have to find the GCs' addresses and ports. This can easily be done by querying the DNS of your client's domain for service (SRV) entries _gc._tcp.DNSDomain. The entries will give you the DNS address and the port (generally 3268) of the global catalogs present.
Here is an nslookup example:
> set type=srv
> _gc._tcp.societe.fr
Serveur : srventr2.societe.fr
Address: 192.168.183.138
_gc._tcp.societe.fr SRV service location:
priority = 0
weight = 100
port = 3268
svr hostname = srventr2.societe.fr
srventr2.societe.fr internet address = 192.168.183.138
After that, you can search the Global Catalog in exactly the same way as a normal directory. As you can read in the comments, it's only interesting if you've got multiple domains in your forest. This is because all the objects of all domains of the forest can be found in the GC, but be careful: for each object, not all the attributes are present (as specified in the SCHEMA).
The answer to this was pretty simple all I did was change the url from...
GC://<url> to LDAP://<url>