In addition to the 5 FSMO roles in Active Directory, there is a sixth (unofficial) domain controller role: Global Catalog (GC). Unlike FSMO roles, any controller in a domain can host the Global Catalog role. This role doesn't need to be unique within an Active Directory domain or forest. However, the Global Catalog is the most important DC role from a practical point of view.

What is the Global Catalog?

A Global Catalog server is a domain controller that stores copies of all Active Directory objects in the forest. It stores a complete copy of all objects in the directory of your domain and a partial copy of all objects of all other forest domains. Thus, the Global Catalog allows users and applications to find objects in any domain of the current forest by searching for attributes included in the GC.

A typical domain controller stores a complete replica of objects in its own domain, but not for other domains in the forest.

The Global Catalog contains a basic (but incomplete) set of attributes for each forest object in each domain (Partial Attribute Set, PAT). The GC receives data from all the domain directory partitions in the forest; they are copied using the standard AD replication service. The set of attributes that are copied to the Global Catalog is defined in the AD schema. If necessary, you can configure additional attributes that will be replicated to the GC using the Active Directory Schema mmc snap-in.

Imagine that a workstation has requested information about an object from another domain in the current AD forest. The computer contacts the nearest GC with a request to provide it with information about this object. The GC server can do one of the following things:

  • Immediately return the necessary data to the workstation (if this information is stored on the GC server);
  • Redirect the query to the correct domain controller, where this data will definitely be located. The GC search is used to determine which domain controller to redirect the request to.

To add an attribute to the GC, you must select the option Replicate This Attribute to the Global Catalog. As a result, the value of the isMemberOfPartialAttributeSet attribute parameter is set to True.
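Because every attribute flagged this way is copied to all GC servers in the forest, it is worth auditing the set periodically. The following is an added example, not part of the original article: it lists the schema attributes with isMemberOfPartialAttributeSet set to TRUE, highlights those marked confidential, and compares the list with a saved baseline. The baseline file name is a hypothetical placeholder.

```powershell
# Added example (not from the original article): audit which attributes are replicated to the GC.
Import-Module ActiveDirectory

$baselinePath = '.\gc-attributes-baseline.txt'   # hypothetical baseline file
$schemaNC     = (Get-ADRootDSE).schemaNamingContext

# attributeSchema objects with isMemberOfPartialAttributeSet = TRUE are replicated to every GC
$gcAttributes = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName, searchFlags

$report = foreach ($attr in $gcAttributes) {
    [pscustomobject]@{
        Attribute    = $attr.lDAPDisplayName
        # searchFlags bit 0x80 marks the attribute as confidential in the schema
        Confidential = [bool]($attr.searchFlags -band 0x80)
    }
}
"{0} attributes are replicated to the Global Catalog" -f @($report).Count

# Confidential attributes that are also copied forest-wide deserve a manual review
$report | Where-Object Confidential | Format-Table -AutoSize

# Compare with the saved baseline to spot attributes added or removed since the last run
$current = $report.Attribute | Sort-Object
if (Test-Path $baselinePath) {
    Compare-Object (Get-Content $baselinePath) $current | ForEach-Object {
        $change = if ($_.SideIndicator -eq '=>') { 'added to GC' } else { 'removed from GC' }
        '{0}: {1}' -f $_.InputObject, $change
    }
} else {
    $current | Set-Content $baselinePath
    "Baseline written to $baselinePath"
}
```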

You can use PowerShell to find domain controllers with the GC role in the domain. First, import the Windows PowerShell Active Directory Module into your current session:

Import-Module ActiveDirectory

To find the list of DCs that hold the Global Catalog role in the current forest, run the command:

Get-ADForest | select -ExpandProperty GlobalCatalogs | Format-Table


You can check if the current DC you are logged on to has the global catalog role enabled:

Get-ADDomainController | ft Name,IsGlobalCatalog

Or to check the GC role on all DCs in an AD site:

Get-ADDomainController -Filter {Site -eq 'New-York'} | FT Name,IsGlobalCatalog

Or use the dsquery command-line tool. To list all GC servers in the current Active Directory forest:

dsquery server -forest -isgc

Finding GC servers in a specific forest domain:

dsquery server -domain theitbros.com -isgc

The first GC server is automatically created on the first domain controller in the forest when you promote the DC while installing the Active Directory Domain Services role. In the case of a single AD site, even if it contains multiple domains, a single Global Catalog server is usually sufficient to process Active Directory requests. In a multi-site environment (in order to optimize network traffic and reduce service delays) consider adding GC servers to ensure a quick response to search queries and fast logon. Also, at least one GC server must be present on each AD site where Exchange is supposed to be installed.


You can assign additional domain controllers as GC by selecting the Global Catalog option in the “Active Directory Sites and Services” snap-in (dssite.msc).

The global catalog server is used for the following purposes:

  • Object search: if a user searches for an object by specifying the All directory parameter in the query, this LDAP query is redirected to port TCP/3268 (or TCP/3269 for LDAP over SSL) and sent to the nearest GC server. If for any reason there is no GC server in the domain, users and applications won’t be able to perform searches across the AD forest;
  • Authentication: the GC server is the source of authentication at the time the user logs on to the domain. The global catalog server resolves the user name if the authenticating domain controller does not have information about the user’s account (the UserPrincipalName attribute is used in this case);
  • Verifying membership in universal groups in a multi-domain environment: during the verification process, the domain controller verifies the authenticity of the user, after which the user receives authorization data to access the resources. To provide this data, the domain controller retrieves the security identifiers (SIDs) for all security groups that the user is a member of and adds these identifiers to the user’s access token. Because universal groups can contain user accounts and groups from any domain in the forest, the group membership in them can only be resolved by a GC server that has catalog information at the forest level;
  • Checking references to objects within the forest: domain controllers use a Global Catalog to validate references to objects in other domains in the forest. That’s why, if the domain controller contains an object with an attribute that contains a reference to an object in another domain, the domain controller checks the link by establishing a connection to the Global Catalog server;
  • Exchange Address Book Search: when users want to find a person within the organization in Outlook, they usually search through the global address list (GAL). The GAL is a list that is created by Exchange as a result of an LDAP query to search for all mail-enabled objects: users, contacts, and distribution groups. When a user tries to open an address book in Microsoft Outlook, or writes an email and enters a name or recipient address in the To field, Outlook uses the GC server specified by the Exchange server. Exchange mail servers use Active Directory and DNS to locate Global Catalog servers.

How to Optimize Global Catalog Server Placement?

For resiliency purposes, it is important to keep at least a few domain controllers with the Global Catalog role. It will be better if each domain has a minimum of one GC. However, it is better to make all DCs in the forest Global Catalog servers. This will also have a positive effect on load balancing. Also, it is important to note that from now on you won’t have to worry about the infrastructure master FSMO role.

If you can’t make all DCs Global Catalog servers, then make sure the infrastructure master FSMO role is not hosted on a GC server. Otherwise, it will stop functioning (phantom records will not be created/changed) and, as a consequence, you will get irrelevant data in AD.
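The placement rules above can be checked across the forest with the Active Directory module. This is an added example, not part of the original article; it assumes the account running it can query every domain in the forest.

```powershell
# Added example (not from the original article): audit GC placement per domain and site.
Import-Module ActiveDirectory

foreach ($domainName in (Get-ADForest).Domains) {
    $domain = Get-ADDomain -Server $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $gcs    = @($dcs | Where-Object IsGlobalCatalog)

    "Domain {0}: {1} DC(s), {2} GC(s)" -f $domainName, $dcs.Count, $gcs.Count
    $dcs | Sort-Object Site, HostName |
        Format-Table HostName, Site, IsGlobalCatalog, IsReadOnly -AutoSize

    # Every domain should have at least one GC
    if ($gcs.Count -eq 0) {
        Write-Warning "$domainName has no Global Catalog server"
    }

    # Sites where this domain has DCs but none of them is a GC
    $dcs | Group-Object Site |
        Where-Object { -not ($_.Group | Where-Object IsGlobalCatalog) } |
        ForEach-Object { Write-Warning "Site '$($_.Name)' has no GC among the DCs of $domainName" }

    # The infrastructure master on a GC is a concern only when some DCs are not GCs
    $infraMaster = $dcs | Where-Object HostName -eq $domain.InfrastructureMaster
    if ($infraMaster.IsGlobalCatalog -and $gcs.Count -lt $dcs.Count) {
        Write-Warning ("Infrastructure master {0} is a GC while not all DCs in {1} are GCs" -f
            $infraMaster.HostName, $domainName)
    }
}
```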

If there are no Global Catalog servers available, users cannot log in, and the Exchange Server can’t send and receive emails. That’s why the Global Catalog is the most important role of the domain controller. Without the GC role the functioning of Active Directory is nearly impossible.

How to Enable/Disable the Global Catalog Role on a Domain Controller?

You can enable the Global Catalog role on a domain controller in several ways:

  • Using the graphical Active Directory Sites and Services mmc console;
  • Using PowerShell;
  • Using the dsmod.exe tool.

Run the mmc snap-in “Active Directory Sites and Services” (Start > Windows Administrative Tools, or run the dssite.msc command).


Expand the Sites section and find the AD site that contains your domain controller. Expand it, right-click on NTDS Settings and then select Properties.

Set the Global Catalog checkbox on the General tab to enable the GC role, or uncheck it to disable it. Click OK to save your changes.


Once promoted to a GC server, an event with Event ID 1110 should appear in the Directory Service section of Event Viewer:

Event Source: NTDS General

Event Category: Replication

After successful installation of the role, Event ID 1119 will appear:

This domain controller is now a global catalog

In this case, the value of the Global Catalog Promotion Complete registry setting under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry key should be 1.


You can make a read-only domain controller a Global Catalog server. A Global Catalog (GC) server is a read-only copy of a partial set of attributes of all domains in an AD forest, so you can use this role on a Read-Only Domain Controller (RODC). But some applications will not work correctly with a GC server running on an RODC. That’s why it’s important to make sure your apps support a GC server running on an RODC.


You can enable the Global Catalog role on a DC using the PowerShell command:

Set-ADObject -Identity (Get-ADDomainController DC03).ntdssettingsobjectdn -Replace @{options='1'}

To disable the GC role, use the command:

Set-ADObject -Identity (Get-ADDomainController DC02).ntdssettingsobjectdn -Replace @{options='0'}

Hint. Each Active Directory domain must have at least one DC with the Global Catalog role. Therefore, you won’t be able to disable the GC option if it’s the only domain controller with this role.

These commands can be used to move the global catalog server functionality from one domain controller to another.

You can also use the dsmod.exe command to enable the GC role. For example:

dsmod server "CN=dc03,OU=Us,DC=theitbros,DC=com" -isgc yes

The amount of time it takes to publish the Global Catalog in a forest depends on the replication topology. The domain controller doesn’t publish the DNS record showing that it has become a global catalog server until it receives all partial domain directory partitions through AD replication.

You can check the registration of a Global Catalog server in DNS by using the dnsmgmt.msc snap-in. Make sure you have an SRV record named _gc for your DC in the _tcp forward lookup zone.


Note that the Active Directory DNS zone has a _msdcs container that contains infrastructure AD DNS records. There is a separate gc._msdcs… entry in the AD root domain namespace for Global Catalog servers. This entry contains a list of all GCs in the forest. You can view the records of servers with the Global Catalog role in a domain using the built-in nslookup tool:

nslookup gc._msdcs.theitbros.com

Clients use these DNS records to look up Global Catalog servers in the Active Directory domain.

After activating the Global Catalog role on a DC, you can check its readiness. For this, the ldp.exe utility is used. Run the tool, select Connection > Connect, then specify the DC name and 389 as the connection port. Click OK.


Verify the isGlobalCatalogReady: TRUE value in the LDP window. This means that your GC is ready.

Also, you can check GC readiness from the command prompt:

nltest /server:dc01 /dsgetdc:examination.com


Check for a GC value in the Flags field.
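The readiness checks described above (the isGlobalCatalogReady value, the _gc SRV record and the GC ports) can be combined in one script. This is an added example, not part of the original article; the function name Test-GlobalCatalogReady is hypothetical, and the host and domain in the usage line are placeholders built from the names used on this page.

```powershell
# Added example (not from the original article): verify that a promoted DC is serving as a GC.
Import-Module ActiveDirectory

function Test-GlobalCatalogReady {
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # FQDN of the DC to check
        [Parameter(Mandatory)] [string] $ForestRootDomain    # DNS name of the forest root domain
    )

    # 1. The rootDSE attribute that ldp.exe displays after connecting
    $rootDse = Get-ADRootDSE -Server $DomainController
    $ready   = "$($rootDse.isGlobalCatalogReady)" -eq 'TRUE'

    # 2. SRV registration: the DC should be a target of _gc._tcp.<forest root>
    $srv = Resolve-DnsName -Name "_gc._tcp.$ForestRootDomain" -Type SRV -ErrorAction SilentlyContinue
    $registered = [bool]($srv | Where-Object { $_.NameTarget -eq $DomainController })

    # 3. GC LDAP ports: 3268 (LDAP) and 3269 (LDAP over SSL)
    $ports = foreach ($port in 3268, 3269) {
        $test = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Open = $test.TcpTestSucceeded }
    }

    [pscustomobject]@{
        DomainController     = $DomainController
        IsGlobalCatalogReady = $ready
        SrvRecordRegistered  = $registered
        Port3268Open         = ($ports | Where-Object Port -eq 3268).Open
        Port3269Open         = ($ports | Where-Object Port -eq 3269).Open
    }
}

# Placeholder names; replace with your own DC and forest root domain
Test-GlobalCatalogReady -DomainController 'dc03.theitbros.com' -ForestRootDomain 'theitbros.com'
```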


Cyril Kardashevsky
