Port 3268

Port 3268 carries the Global Catalog, the distributed directory service that gives Active Directory its power to scale. When you sit down at a computer in one office and log in with credentials managed in another domain, across another building, in another country, port 3268 is how the system finds you.

What Port 3268 Does

Port 3268 provides LDAP access to the Global Catalog, a specialized read-only database that contains a partial replica of every object in an Active Directory forest. The key word is partial. The Global Catalog doesn't store everything about everyone. It stores enough about everyone to find them.

When you connect to a domain controller on port 389 (standard LDAP), you search only that domain. When you connect on port 3268, you search the entire forest. The port number itself is a semantic signal: "I need to look across all domains."

The Global Catalog stores the attributes people search for most often: usernames, email addresses, group memberships, display names. It deliberately excludes rarely searched attributes such as a user's department or office number. This tradeoff, partial data about everything versus complete data about one domain, is what makes forest-wide searches fast.[1]

How the Global Catalog Works

The Global Catalog solves a fundamental problem in distributed systems: how do you find something when you don't know where it is?

In a single-domain environment, there's one directory. Ask a domain controller, get an answer. But enterprises don't stay small. They acquire companies. They span continents. They build organizational structures that map to different Active Directory domains. Suddenly you have a forest: multiple domains that trust each other but maintain separate directories.

Without a Global Catalog, finding a user in a foreign domain would require querying every domain controller in the forest, waiting for referrals, chasing pointers. The Global Catalog collapses that into a single query. It maintains a partial attribute set (PAS) for every object in every domain, automatically replicated by the Knowledge Consistency Checker.[2]

The architecture is elegant in its constraints:

  • Read-only: You cannot write to the Global Catalog. Modifications must go to the authoritative domain controller through port 389 or 636.
  • Partial: Only attributes marked with isMemberOfPartialAttributeSet = TRUE in the schema get replicated to the Global Catalog.
  • Forest-wide: A Global Catalog server knows about objects in every domain, not just its own.

If you query port 3268 for an attribute that isn't in the Global Catalog, you don't get a referral. You get nothing. The Global Catalog is not a proxy. It's a snapshot.[3]
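The scoping difference and the "snapshot" behaviour can be seen by sending the same UPN lookup to a single domain (LDAP://, port 389) and to the Global Catalog (GC://, port 3268). This is an added example, not code from the article; the forest root DN, the UPN and the attribute list are placeholders, and it assumes a host joined to the forest root domain with System.DirectoryServices available.

```powershell
# Added example: one UPN lookup against port 389 (single domain) and port 3268 (forest-wide).
$ForestRootDn = 'DC=corp,DC=example'            # assumption: your forest root
$Upn          = 'jdoe@child.corp.example'       # assumption: a user homed in a child domain
$Filter       = "(&(objectClass=user)(userPrincipalName=$Upn))"
# 'department' is the article's example of an attribute that is not in the PAS.
$Attrs        = @('distinguishedName', 'mail', 'memberOf', 'department')

function Find-InDirectory {
    param([string]$Root)   # 'LDAP://<dn>' talks to port 389, 'GC://<dn>' to port 3268
    $entry    = New-Object System.DirectoryServices.DirectoryEntry($Root)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, $Filter, $Attrs)
    $searcher.SearchScope     = 'Subtree'
    # Do not chase referrals: a port-389 subtree search of the forest root would
    # otherwise follow subordinate referrals into the child domain and hide the difference.
    $searcher.ReferralChasing = 'None'
    $searcher.FindOne()
}

foreach ($root in "LDAP://$ForestRootDn", "GC://$ForestRootDn") {
    $result = Find-InDirectory -Root $root
    if ($null -eq $result) {
        "{0,-28} no match (query scoped to a single domain)" -f $root
        continue
    }
    "{0,-28} {1}" -f $root, $result.Properties['distinguishedname'][0]
    foreach ($a in $Attrs) {
        # An attribute outside the partial attribute set is simply absent from a
        # Global Catalog result: no referral, no error, just nothing.
        $present = $result.Properties.Contains($a.ToLower())
        "    {0,-18} {1}" -f $a, $(if ($present) { 'returned' } else { 'absent' })
    }
}
```

Expect the LDAP:// search to report no match while the GC:// search finds the child-domain user, with the non-PAS attribute reported as absent even though the object was found.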

The History: From Cairo to Active Directory

The story of port 3268 begins with Jim Allchin and a cancelled project.

Allchin had spent the late 1980s at Banyan Systems, where he created the VINES distributed operating system and its directory service, StreetTalk. He was known as the "Father of StreetTalk." Bill Gates spent a year recruiting him, and Allchin finally joined Microsoft in 1990.[4]

In early 1991, Allchin took over the LanMan group and immediately cancelled LAN Manager 3.0 and its directory service. In its place, he created the Cairo project, an ambitious next-generation operating system with a completely new directory service. Cairo's directory lived as part of OFS, the Cairo file system.[5]

Cairo never shipped. Around late 1995, the project was cancelled, leaving the Windows 2000 team with an urgent need for a directory service and no plans to build one.

The week after Exchange 4.0 shipped, two developers from the Exchange directory service team copied the DS sources and moved to the Windows group. The code was rechristened "Active Directory." Despite Allchin's history with StreetTalk, Active Directory shares no code or license with Banyan. It is a direct descendant of the Exchange 4.0 directory.[5]

Meanwhile, the protocol underneath was LDAP, created by Tim Howes at the University of Michigan in 1993. Howes and his collaborators designed LDAP as a lightweight alternative to the complex X.500 directory access protocol. By 1997, LDAPv3 (RFC 2251) had matured into a robust standard.[6] Microsoft adopted LDAP as the query protocol for Active Directory.

Windows 2000 Server launched on February 17, 2000, with Active Directory as its flagship feature. The Global Catalog was part of the initial release, running on ports 3268 (LDAP) and 3269 (LDAPS).[7]

Why the Global Catalog Matters for Authentication

The Global Catalog isn't just a search optimization. It's required for authentication in multi-domain forests.

When a user logs in with a User Principal Name (username@domain.com), the domain controller must resolve that UPN to a distinguished name. But the user might exist in any domain in the forest. The Global Catalog is searched to find the match.[8]

Universal groups add another dependency. Universal groups can contain members from any domain in the forest. When a user logs in, their access token must include memberships in all universal groups. Since universal group membership can span domains, only the Global Catalog has the complete picture. The domain controller contacts the Global Catalog to enumerate these memberships.[9]

In a single-domain forest, this is invisible. Every domain controller can act as a Global Catalog server with no additional overhead. In multi-domain forests, without a reachable Global Catalog server, logins fail or degrade. Microsoft recommends at least one Global Catalog server per site to avoid authentication traffic crossing slow WAN links.[10]

Security Considerations

Port 3268 is a high-value target. It provides read access to a partial view of every object in the forest.

Enumeration Attacks

Attackers who gain access to port 3268 can enumerate users, groups, computers, and organizational units across the entire forest. This reconnaissance is often the first step in privilege escalation attacks. Tools like windapsearch automate this enumeration.[11]

Anonymous Bind Risks

Historically, LDAP allowed anonymous binds, where unauthenticated users could query the directory. Windows Server 2003 changed the default to require authentication, but legacy configurations or misconfigured applications may still allow anonymous access, exposing the Global Catalog to unauthenticated queries.[11]

Cleartext Exposure

Port 3268 carries LDAP without transport encryption. Simple-bind credentials and query results traverse the network in cleartext, and an attacker positioned on the network can capture that traffic. Port 3269 provides LDAP over TLS, but many environments still use 3268 for internal traffic.[12]

Known Vulnerabilities

  • CVE-2009-1928 (MS09-066): A denial-of-service vulnerability caused by stack exhaustion during certain LDAP requests. Affected Windows 2000, Server 2003, and Server 2008.[13]
  • MS09-018: A critical remote code execution vulnerability in Active Directory's LDAP implementation.[14]
  • CVE-2008-5112: A username enumeration weakness that allowed attackers to discover valid usernames through timing analysis.[15]

Mitigation

Use port 3269 (LDAPS) for all Global Catalog traffic. Restrict access to ports 3268 and 3269 to internal networks. Audit Global Catalog queries for reconnaissance patterns. Keep domain controllers patched.
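Two of these mitigations can be checked from a domain-joined host: whether anonymous LDAP operations have been re-enabled forest-wide (the dSHeuristics setting that governs the "Anonymous Bind Risks" above), and whether each Global Catalog server actually offers LDAPS on 3269 with a certificate the client trusts. This is an added audit script, not code from the article; it assumes the RSAT ActiveDirectory module is installed and hard-codes no server names.

```powershell
# Added example: audit anonymous-LDAP setting and LDAPS (3269) availability per GC server.
Import-Module ActiveDirectory

# 1. Anonymous LDAP operations are controlled by the 7th character (fLDAPBlockAnonOps)
#    of dSHeuristics on the Directory Service object; a value of '2' re-enables them.
$configNc  = (Get-ADRootDSE).configurationNamingContext
$dsObject  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" -Properties dSHeuristics
$heur      = [string]$dsObject.dSHeuristics
$anonOps   = ($heur.Length -ge 7) -and ($heur[6] -eq '2')
"Anonymous LDAP operations enabled forest-wide : $anonOps (dSHeuristics='$heur')"

# 2. Enumerate the forest's Global Catalog servers and probe 3268 (cleartext) and
#    3269 (TLS). For 3269, also complete a TLS handshake so an untrusted or
#    mismatched certificate, which would push clients back to 3268, is visible.
function Test-GcLdaps {
    param([string]$Server)
    $client = $null; $ssl = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($Server, 3269)
        $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)   # throws if the chain or name does not validate
        return $true
    } catch {
        return $false
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($gc in $forest.GlobalCatalogs) {
    $name  = $gc.Name
    $plain = Test-NetConnection -ComputerName $name -Port 3268 -InformationLevel Quiet -WarningAction SilentlyContinue
    $tls   = Test-NetConnection -ComputerName $name -Port 3269 -InformationLevel Quiet -WarningAction SilentlyContinue
    $trusted = if ($tls) { Test-GcLdaps -Server $name } else { $false }
    "{0,-40} 3268 open:{1,-6} 3269 open:{2,-6} TLS validated:{3}" -f $name, $plain, $tls, $trusted
}
```

A GC server with 3269 open but TLS validation failing usually means the DC certificate is missing or not trusted by the client, which is the practical reason clients keep falling back to cleartext 3268.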

Port   Protocol   Description
389    LDAP       Standard LDAP, single-domain queries
636    LDAPS      LDAP over TLS, single-domain queries
3268   GC-LDAP    Global Catalog LDAP, forest-wide queries
3269   GC-LDAPS   Global Catalog LDAP over TLS
88     Kerberos   Authentication protocol used with AD
53     DNS        Domain Name System, required for AD locator
