In addition to the 5 FSMO roles in Active Directory, there is the sixth (unofficial) domain controller role — Global Catalog (GC). Unlike FSMO roles, any controller in a domain can host a Global Catalog role. This role doesn’t need to be unique within an Active Directory domain or forest. However, the Global Catalog is the most important DC role from a practical point of view.
What is the Global Catalog?
A Global Catalog server is a domain controller that stores copies of all Active Directory objects in the forest. It stores a complete copy of all objects in the directory of your domain and a partial copy of all objects of all other forest domains. Global catalogs allow users and applications to find objects in any domain of the current forest by searching for attributes included in GC. For instance, user principal name resolution requires global catalog servers for UPN logons to be successful.
A typical domain controller stores a complete replica of objects in its own domain, but not for other domains in the forest.
The Global Catalog contains a basic (but incomplete) set of attributes for each object in every domain of the forest (the Partial Attribute Set, PAS). The GC receives this data from all domain directory partitions in the forest; it is copied using the standard AD replication service. The set of attributes that are replicated to the Global Catalog is defined in the AD schema. If necessary, you can mark additional attributes for replication to the GC using the Active Directory Schema mmc snap-in.
Imagine a workstation requesting information about an object from another domain in the current AD forest. The computer contacts the nearest GC with a request to provide it with information about this object. The GC server can perform one of the following things:
- Immediately return the necessary information to the workstation (if this information is stored on the GC server);
- Refer the query to the domain controller that holds the full copy of the object, using the GC data to determine which domain controller the request should be referred to.
To add an attribute to the GC, open the attribute’s properties in the Active Directory Schema snap-in and select Replicate This Attribute to the Global Catalog. As a result, the isMemberOfPartialAttributeSet attribute of that schema object is set to True.
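The following PowerShell is an added example (not code from the original article) that audits the Partial Attribute Set the way the snap-in exposes it: it lists every schema attribute flagged with isMemberOfPartialAttributeSet and checks whether a given attribute is searchable through the GC. It assumes the ActiveDirectory module and read access to the schema partition; the attribute name employeeID at the end is only a sample.

```powershell
# Added example: audit which attributes are replicated to the Global Catalog.
# Assumes the ActiveDirectory module is available (RSAT or a DC).
Import-Module ActiveDirectory

function Get-PartialAttributeSet {
    # The schema partition holds one attributeSchema object per attribute;
    # those with isMemberOfPartialAttributeSet=TRUE are replicated to every GC.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
                 -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
                 -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName |
        Sort-Object
}

function Test-AttributeInGlobalCatalog {
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
                         -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
                         -Properties isMemberOfPartialAttributeSet
    if (-not $attr) { throw "Attribute '$LdapDisplayName' was not found in the schema." }
    # The flag is simply absent on attributes outside the PAS, so $null casts to $false.
    [bool] $attr.isMemberOfPartialAttributeSet
}

# Sample usage (employeeID is a constructed example attribute name):
"$((Get-PartialAttributeSet).Count) attributes are in the Partial Attribute Set"
Test-AttributeInGlobalCatalog -LdapDisplayName employeeID
```

Reviewing this list periodically is worthwhile, because anything in the PAS is readable on port 3268 from any domain in the forest, not only from the domain that owns the object.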
You can use PowerShell to find domain controllers with the GC role in the domain. First, import the Active Directory PowerShell module into your current session:
Import-Module ActiveDirectory
To list the DCs that hold the Global Catalog role in the current forest, run the command:
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs | Format-Table
You can check whether the DC you are currently logged on to has the Global Catalog role enabled:
Get-ADDomainController | Format-Table Name,IsGlobalCatalog
Or check the GC role on all DCs in a specific AD site:
Get-ADDomainController -Filter {Site -eq 'New-York'} | Format-Table Name,IsGlobalCatalog
Or use the dsquery command-line tool. To list all GC servers in the current Active Directory forest:
dsquery server -forest -isgc
To find GC servers in a specific domain of the forest:
dsquery server -domain theitbros.com -isgc
The first GC server is created automatically on the first domain controller in the forest when you promote it during installation of the Active Directory Domain Services role. In a single Active Directory site, even one that contains multiple domains, a single Global Catalog server is usually sufficient to process Active Directory requests. In a multi-site environment, consider adding GC servers (to optimize network traffic and reduce service delays) so that search queries and logons get a quick response. Also, at least one GC server must be present in each AD site where Exchange is to be installed.
You can assign additional domain controllers as GC by selecting the Global Catalog option in the “Active Directory Sites and Services” snap-in (dssite.msc).
The global catalog server is used for the following purposes:
- Object search — if a user searches for an object with the entire directory (All directory) selected as the scope, the LDAP query is sent to the nearest GC server on port TCP/3268 (or TCP/3269 for LDAP over SSL). If for any reason there is no GC server available in the domain, users and applications won’t be able to perform searches across the AD forest;
- Authentication — the GC server is consulted during authentication when a user logs on to the domain. The global catalog server resolves the user name if the authenticating domain controller does not have information about the user’s account (the UserPrincipalName attribute is used in this case);
- Verifying universal group membership in a multi-domain environment — during logon, the domain controller verifies the user’s identity, after which the user receives authorization data to access resources. To build this data, the domain controller retrieves the security identifiers (SIDs) of all Active Directory groups the user is a member of and adds them to the user’s access token. Because universal groups can contain user accounts and groups from any domain in the forest, membership in them can only be resolved by a GC server, which has catalog information at the forest level;
- Checking references to objects within the forest — domain controllers use a Global Catalog to validate references to objects in other domains of the forest. If a domain controller holds an object whose attribute references an object in another domain, the domain controller checks the link by connecting to a Global Catalog server;
- Exchange Address Book Search — when users want to find a person within the organization in Outlook, they usually search through the Global Address List (GAL). The GAL is a list that is created by Exchange as a result of an LDAP query to search for all mail-enabled objects — users, contacts, and distribution groups. When a user tries to open an address book in Microsoft Outlook, or writes an email and enters a name or recipient address in the To field, Outlook uses the GC Server specified by the Exchange server. Exchange mail servers use Active Directory and DNS to locate Global Catalog servers.
How to Optimize Global Catalog Server Placement?
For resiliency, it is important to keep at least a few domain controllers with the Global Catalog role. Each domain should have a minimum of one GC; better still, make all DCs in the forest Global Catalog servers. This also has a positive effect on load balancing. Note that once every DC is a GC, you no longer have to worry about where the Infrastructure Master role is placed.
If you can’t make all DCs Global Catalog servers, make sure the Infrastructure Master FSMO role is not hosted on a GC server. Otherwise the Infrastructure Master stops working (phantom records are not created or updated) and, as a consequence, you will get stale cross-domain reference data in AD.
If no Global Catalog server is available, users cannot log in and Exchange Server can’t send or receive email. That’s why the Global Catalog is the most important role of a domain controller. Without the GC role, Active Directory can barely function.
How to Enable/Disable the Global Catalog Role on a Domain Controller?
You can enable the Global Catalog role on a domain controller in several ways:
- Using the graphical Active Directory Sites and Services mmc console;
- Using PowerShell;
- Using the dsmod.exe tool.
Run the mmc snap-in “Active Directory Sites and Services” (Start > Windows Administrative Tools, or run the dssite.msc command).
Expand the Sites section, find the AD site that contains your domain controller, expand the server object, right-click NTDS Settings and select Properties.
Check the Global Catalog box on the General tab to enable the GC role, or uncheck it to disable it. Click OK to save your changes.
Once the DC is promoted to a GC server, an event with Event ID 1110 should appear in the Directory Service log of Event Viewer:
Event Source: NTDS General
Event Category: Replication
After successful installation of the role, Event ID 1119 will appear:
This domain controller is now a global catalog
At this point, the value of the Global Catalog Promotion Complete setting under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry key should be 1.
You can make a read-only domain controller a Global Catalog server. Because a Global Catalog is a read-only copy of a partial set of attributes of all domains in an AD forest, the role can be hosted on a Read-Only Domain Controller (RODC). However, some applications do not work correctly with a GC server running on an RODC, so make sure your applications support a GC on an RODC before doing this.
You can enable the Global Catalog role on a DC using the PowerShell command:
Set-ADObject -Identity (Get-ADDomainController DC03).ntdssettingsobjectdn -Replace @{options='1'}
To disable the GC role, use the command:
Set-ADObject -Identity (Get-ADDomainController DC02).ntdssettingsobjectdn -Replace @{options='0'}
Hint. Each Active Directory domain must have at least one DC with the Global Catalog role. Therefore, you won’t be able to disable the GC option if it’s the only domain controller with this role.
These commands can be used to move the global catalog server functionality from one domain controller to another.
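The commands above overwrite the whole options attribute, which also holds flags such as the replication-disable bits. The following PowerShell is an added example (not code from the original article) that toggles only the GC bit (0x1) of the NTDS Settings object, preserves the other bits, and refuses to remove the role from the last GC in the domain, as the hint above requires. It assumes the ActiveDirectory module and write access to NTDS Settings; DC03 is only a sample server name.

```powershell
# Added example: enable or disable the GC role without clobbering other
# bits in the NTDS Settings "options" attribute.
Import-Module ActiveDirectory

function Set-GlobalCatalogRole {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [bool]   $Enable
    )
    $IsGcBit = 0x1   # NTDSDSA_OPT_IS_GC flag in the "options" attribute

    $dc      = Get-ADDomainController -Identity $DomainController
    $ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int] $ntds.options

    if ($Enable) {
        $new = $current -bor $IsGcBit
    } else {
        # Never remove the role from the only Global Catalog in the domain.
        $otherGcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
                    Where-Object { $_.HostName -ne $dc.HostName }
        if (-not $otherGcs) {
            throw "$($dc.HostName) is the only Global Catalog in the domain; refusing to remove the role."
        }
        $new = $current -band (-bnot $IsGcBit)
    }

    if ($new -ne $current) {
        # Only the GC bit changes; flags such as "disable inbound replication" survive.
        Set-ADObject -Identity $ntds.DistinguishedName -Replace @{ options = $new }
    }
    [pscustomobject]@{ Server = $dc.HostName; OldOptions = $current; NewOptions = $new }
}

# Sample usage (DC03 is a constructed name):
Set-GlobalCatalogRole -DomainController DC03 -Enable $true
```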
You can also use the dsmod.exe command to enable the GC role. For example:
dsmod server "CN=dc03,OU=USA,DC=theitbros,DC=com" -isgc yes
The time it takes for a new Global Catalog to be published in the forest depends on the replication topology. The domain controller does not publish the DNS records that advertise it as a global catalog server until it has received all partial domain directory partitions through AD replication.
You can check the registration of a Global Catalog server in DNS using the dnsmgmt.msc snap-in. Make sure there is an SRV record named _gc for your DC under _tcp in the forward lookup zone.
Note that the Active Directory DNS zone has a _msdcs container that holds the infrastructure AD DNS records. There is a separate gc._msdcs… entry in the forest root domain namespace for Global Catalog servers. This entry contains a list of all GCs in the forest. You can view the records of servers with the Global Catalog role using the built-in nslookup tool:
nslookup gc._msdcs.theitbros.com
Clients use these DNS records to look up Global Catalog servers in the Active Directory domain.
After activating the Global Catalog role on a DC, you can check its readiness with the ldp.exe utility. Run the tool, select Connection > Connect, specify the DC name and 389 as the connection port, and click OK.
Verify the isGlobalCatalogReady: TRUE value in the LDP window. This means that your GC is ready.
Also, you can check GC readiness from the command prompt:
nltest /server:dc01 /dsgetdc:test.com
Check for a GC value in the Flags field.
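The manual ldp.exe, nslookup and nltest checks above can be combined into one readiness check. The following PowerShell is an added example (not code from the original article): it reads isGlobalCatalogReady from RootDSE, confirms the DC appears in the gc._msdcs A records and the _gc._tcp SRV record of the forest root zone, and tests ports 3268 and 3269. It assumes the ActiveDirectory and DnsClient modules; DC03 is only a sample server name.

```powershell
# Added example: verify that a DC really advertises and serves as a Global Catalog.
Import-Module ActiveDirectory

function Test-GlobalCatalog {
    param([Parameter(Mandatory)] [string] $DomainController)

    $dc     = Get-ADDomainController -Identity $DomainController
    $forest = (Get-ADForest).RootDomain   # GC records are registered in the forest root zone

    # 1. RootDSE flag: the same isGlobalCatalogReady value ldp.exe shows
    $rootDse = Get-ADRootDSE -Server $dc.HostName -Properties isGlobalCatalogReady
    $ready   = "$($rootDse.isGlobalCatalogReady)" -eq 'TRUE'

    # 2. DNS: gc._msdcs.<root> A records and the _gc._tcp.<root> SRV record
    $aTargets   = (Resolve-DnsName -Name "gc._msdcs.$forest" -Type A -ErrorAction SilentlyContinue).IPAddress
    $srvTargets = (Resolve-DnsName -Name "_gc._tcp.$forest" -Type SRV -ErrorAction SilentlyContinue).NameTarget

    # 3. Ports: 3268 (GC LDAP) and 3269 (GC LDAP over SSL)
    $ports = foreach ($p in 3268, 3269) {
        $t = Test-NetConnection -ComputerName $dc.HostName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = $t.TcpTestSucceeded }
    }

    [pscustomobject]@{
        Server               = $dc.HostName
        IsGlobalCatalogReady = $ready
        InGcMsdcsARecord     = ($aTargets -contains $dc.IPv4Address)
        InGcTcpSrvRecord     = ($srvTargets -contains $dc.HostName)
        Ports                = $ports
    }
}

# Sample usage (DC03 is a constructed name):
Test-GlobalCatalog -DomainController DC03
```

A DC that reports IsGlobalCatalogReady as True but is missing from the DNS records has not finished replicating the partial partitions yet, which is the delay described above.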
Frequently Asked Questions
What triggers the need for a Global Catalog server in an Active Directory environment?
The presence of a Global Catalog server is critical in an Active Directory environment for multiple reasons. These include object search across the AD forest, domain user authentication, verifying universal group membership, ensuring inter-domain object reference validity, and supporting Exchange Address Book searches.
Can the Global Catalog role be enabled on any domain controller?
Absolutely! The Global Catalog role can be enabled on any domain controller. The process can be executed using the Active Directory Sites and Services MMC console, PowerShell commands, or the dsmod.exe tool. However, remember to consider the Infrastructure Master FSMO role when configuring your Global Catalog servers.
How do you ascertain that a domain controller is ready after activating the Global Catalog role?
The readiness of a Global Catalog server post-activation can be checked with tools like LDP (Lightweight Directory Access Protocol) or the command prompt using specific commands. Checking for values like isGlobalCatalogReady: TRUE or GC in the flags field confirms the server’s readiness.
What is the correlation between the Global Catalog role and the Exchange Server?
The Global Catalog plays a key role in supporting Exchange Server functionalities. When users attempt to find a person within the organization in Outlook, the Exchange Server utilizes Active Directory and DNS to locate Global Catalog servers. Without a functioning GC, the Exchange Server can’t send and receive emails.
Why should I be concerned about the placement of Global Catalog servers?
Optimal placement of Global Catalog servers improves load balancing and ensures resilience in your network. Placing GC servers intelligently, especially in a multi-site environment, can optimize network traffic, reduce service delays, and provide quicker responses to search queries and logons.
Wrapping up
Understanding the role of the Global Catalog (GC) in an Active Directory environment is vital for the effective management of your network. It not only aids in Active Directory object searches across the forest but also plays a crucial role in user authentication, group membership verification, and even supporting Exchange Server functionalities.
While the ability to assign the GC role to any domain controller adds flexibility, it’s important to optimize the placement of these servers for better load balancing, improved network traffic management, and faster response times. Remember, a well-configured Global Catalog is pivotal for your network’s resilience and overall performance.