Understanding Global Catalog – Active Directory

In addition to the five FSMO roles, Active Directory has a sixth (unofficial) domain controller role: the Global Catalog (GC). Unlike the FSMO roles, the Global Catalog role can be assigned to any domain controller, and it does not have to be unique within an Active Directory domain or forest. From a practical standpoint, however, the Global Catalog is the most essential DC role.

What is the Global Catalog?

A domain controller that holds copies of all Active Directory objects in the forest is known as a Global Catalog server. It keeps a complete copy of all objects in its own domain’s directory and a partial copy of all objects in the directories of all other domains in the forest. As a result, by searching for attributes included in the Global Catalog, users and apps can find objects in any domain of the current forest.

A typical domain controller keeps a complete copy of objects in its own domain, but not in the forest’s other domains.

For every object in every domain of the forest, the Global Catalog holds a basic (but incomplete) set of attributes, the Partial Attribute Set (PAS). The GC receives this data from all of the forest’s domain directory partitions and copies it via conventional AD replication. The AD schema specifies which attributes are copied to the Global Catalog. If necessary, the Active Directory Schema mmc snap-in can be used to mark additional attributes for replication to the GC.

To add an attribute to the GC, select the option Replicate This Attribute to the Global Catalog. As a result, the attribute’s isMemberOfPartialAttributeSet value is set to true.
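
Because every attribute in the Partial Attribute Set becomes searchable forest-wide, it is worth tracking what is in it. The following is an added example (not part of the original article) that lists the attributes with isMemberOfPartialAttributeSet set to true and reports any that were added since a saved baseline; the baseline file name is a hypothetical choice.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the schema.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Every attributeSchema object that is flagged for replication to the Global Catalog.
$pas = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName, whenChanged |
    Sort-Object lDAPDisplayName

$names = @($pas | ForEach-Object { $_.lDAPDisplayName })

# Hypothetical baseline file: one lDAPDisplayName per line, saved from a known-good run.
$baselinePath = '.\pas-baseline.txt'

if (Test-Path $baselinePath) {
    $baseline = @(Get-Content $baselinePath)
    # Attributes present now but absent from the baseline were added to the PAS.
    $added = @($names | Where-Object { $baseline -notcontains $_ })
    foreach ($name in $added) {
        $attr = $pas | Where-Object { $_.lDAPDisplayName -eq $name }
        Write-Warning "Added to the PAS since baseline: $name (schema object changed $($attr.whenChanged))"
    }
    if ($added.Count -eq 0) { Write-Host 'PAS matches the baseline.' }
} else {
    # First run: record the current state as the baseline.
    $names | Set-Content $baselinePath
    Write-Host "Baseline written to $baselinePath ($($names.Count) attributes)."
}

$pas | Format-Table lDAPDisplayName, whenChanged -AutoSize
```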

To list the DCs that hold the Global Catalog role in the current forest, run this command in the PowerShell console:

Get-ADForest |select -ExpandProperty GlobalCatalogs |Format-Table

You can check that the current DC you are on has the global catalog role enabled:

Get-ADDomainController | ft Name,IsGlobalCatalog

Or check the GC role on all DCs in an AD site:

Get-ADDomainController -Filter {Site -eq 'New-York'} | FT Name,IsGlobalCatalog

Or use the dsquery command:

dsquery server -forest -isgc

The first GC server is created automatically on the first domain controller in the forest when it is promoted during the Active Directory Domain Services role installation. In the case of a single AD site, a single Global Catalog server is usually adequate to serve Active Directory queries, even if the site contains many domains. In a multi-site infrastructure, consider adding GC servers (to improve network performance) so that search requests are answered quickly and logons are fast. In addition, each AD site where Exchange is to be installed must have at least one GC server.

Select the Global Catalog option in the “Active Directory Sites and Services” snap-in to allocate additional domain controllers as GC.

The Global Catalog serves the following functions:

Item search – if a user searches for an object using the All directory argument in the query, the request is forwarded to the GC server on port TCP/3268. Users and programs will be unable to search across the AD forest if there is no GC server in the domain for whatever reason.

Authentication – when a user logs in to the domain, the GC server is the source of authentication. If the authenticating domain controller does not have information about the user’s account, the Global Catalog server resolves the user name (the UserPrincipalName property is used in this case).

Verifying membership in universal groups in a multi-domain context – the domain controller checks the user’s identity, after which the user obtains authorization data to access the resources. To deliver this information, the domain controller obtains the security identifiers (SIDs) of all security groups of which the user is a member and adds these identifiers to the user’s access token. Because universal groups can contain user accounts and groups from any domain in the forest, only the GC server, which has catalog information at the forest level, can resolve group membership in them.

Exchange Address Book search – when users want to find someone within the organisation in Outlook, they commonly search the global address list (GAL). The GAL is a list created by Exchange as the result of an LDAP query that looks for all mail-enabled objects, such as users, contacts, and distribution groups. When a user opens an address book in Microsoft Outlook or composes a message with a name or address in the To field, Outlook uses the GC server defined by the Exchange server. To find Global Catalog servers, Exchange mail servers use Active Directory and DNS.

Checking references to objects within the forest – domain controllers use a Global Catalog to check references to objects in other domains in the forest. If a domain controller has an object with an attribute containing a reference to an object in another domain, the domain controller validates the link by connecting to the Global Catalog server.

How to Optimize Global Catalog Server Placement?

For resiliency, it’s critical to have at least a few domain controllers with the Global Catalog role, and each domain should have at least one GC. However, it is preferable to set up Global Catalog servers on all DCs in the forest. Load balancing will also benefit from this. It’s also worth noting that you won’t have to worry about the infrastructure master FSMO role any longer (for more details read this article).

If you are unable to make all DCs Global Catalogs, ensure that the infrastructure master FSMO role is not hosted on a GC server. Otherwise, the infrastructure master will cease working (no phantom records will be created or updated) and you will end up with useless data in AD.

If no Global Catalog servers are available, users cannot log in, and the Exchange mail server can’t send or receive e-mail. That’s why the Global Catalog is the most important role of a domain controller. Without the GC role, the functioning of Active Directory is almost impossible.

How to Enable/Disable the Global Catalog Role on a Domain Controller?

You can enable the Global Catalog role on a domain controller in several ways:

  • Using the graphical Active Directory Sites and Services mmc console;
  • Using PowerShell;
  • Using the dsmod.exe tool;

Run the mmc snap-in “Active Directory Sites and Services” (Start > Windows Administrative Tools, or run the dssite.msc command).

Locate the AD site that contains your domain controller under the Sites section. Expand it, then right-click on NTDS Settings and choose Properties from the menu.

On the General tab, select or uncheck the Global Catalog checkbox to enable or disable the GC role. To save your changes, click OK.

You can enable the Global Catalog role on a DC using the PowerShell command:

Set-ADObject -Identity (Get-ADDomainController DC03).ntdssettingsobjectdn -Replace @{options='1'}

To disable the GC role, use the command:

Set-ADObject -Identity (Get-ADDomainController DC02).ntdssettingsobjectdn -Replace @{options='0'}

These commands can be used to move the global catalog server functionality from one domain controller to another.
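
The options attribute on the NTDS Settings object is a bit field in which bit 0 (value 1) is the GC flag; other bits carry unrelated settings such as disabled inbound or outbound replication, so writing a literal 0 or 1 overwrites them. The following is an added example (not from the original article) that changes only the GC bit; the function name Set-GlobalCatalogFlag is hypothetical.

```powershell
# Added example: requires the ActiveDirectory module and rights to modify NTDS Settings.
Import-Module ActiveDirectory

function Set-GlobalCatalogFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [bool]   $Enabled
    )

    $IS_GC = 0x1   # bit 0 of the NTDS Settings "options" attribute

    $dn      = (Get-ADDomainController -Identity $DomainController).NTDSSettingsObjectDN
    $obj     = Get-ADObject -Identity $dn -Properties options
    $current = [int]$obj.options          # an unset attribute ($null) casts to 0

    # Set or clear only the GC bit and keep every other bit as it was.
    if ($Enabled) { $new = $current -bor  $IS_GC }
    else          { $new = $current -band (-bnot $IS_GC) }

    if ($new -eq $current) {
        Write-Verbose "$DomainController is already in the requested state (options=$current)."
        return
    }

    if ($PSCmdlet.ShouldProcess($dn, "Change options from $current to $new")) {
        Set-ADObject -Identity $dn -Replace @{ options = $new }
    }
}

# Preview the change first, then apply it (DC03 is the sample name used above):
# Set-GlobalCatalogFlag -DomainController DC03 -Enabled $true -WhatIf
# Set-GlobalCatalogFlag -DomainController DC03 -Enabled $true
```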

You can also use the dsmod.exe command to enable the GC role. For example:

dsmod server "CN=dc03,OU=USA,DC=solutionviews,DC=com" -isgc yes

The replication topology determines how long it takes to publish the Global Catalog in a forest. The domain controller waits until it receives all partial domain directory partitions through AD replication before publishing the DNS record stating it has become a global catalogue server.

The dnsmgmt.msc snap-in can be used to examine the registration of a global catalogue server in DNS. In the _tcp forward lookup zone, make sure your DC has an SRV record named _gc.

After activating the Global Catalog role on a DC, you can check its readiness with the ldp.exe utility. Run the utility, select Connection > Connect, then specify the DC name and 389 as the connection port. Click OK.

Verify the isGlobalCatalogReady: TRUE value in the LDP window. This means that your GC is ready.

Also, you can check GC readiness from the command prompt:

nltest /server:dc01 /dsgetdc:test.com
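
The three checks described above (the _gc SRV record, the isGlobalCatalogReady value, and the GC port TCP/3268) can be run against every DC the forest lists as a Global Catalog. The following is an added example, not part of the original article; it assumes the _gc SRV records are registered under _tcp in the forest root DNS zone.

```powershell
# Added example: requires the ActiveDirectory and DnsClient modules.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Hosts that currently publish the _gc SRV record in the forest root DNS zone.
$srvHosts = @(Resolve-DnsName -Name "_gc._tcp.$($forest.RootDomain)" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })

$results = foreach ($gc in $forest.GlobalCatalogs) {
    $ready = $null
    try {
        # Same rootDSE attribute that ldp.exe displays after connecting on port 389.
        $rootDse = Get-ADRootDSE -Server $gc -ErrorAction Stop
        $ready   = ("$($rootDse.isGlobalCatalogReady)" -eq 'TRUE')
    } catch {
        Write-Warning "Cannot read rootDSE from ${gc}: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        DomainController = $gc
        RootDseReady     = $ready
        SrvRegistered    = $srvHosts -contains $gc.ToLower()
        Port3268Open     = (Test-NetConnection -ComputerName $gc -Port 3268 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# DCs flagged as GC that are not fully published yet (or are unreachable).
$results | Where-Object { -not ($_.RootDseReady -and $_.SrvRegistered -and $_.Port3268Open) }
```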
