Enable Global Catalog on a Domain Controller

Enabling the Global Catalog service on a domain controller makes it keep a copy of all partitions of all domains in the Active Directory forest. By default, the first domain controller in an Active Directory forest is a Global Catalog server. You can enable the Global Catalog service on additional domain controllers to improve performance and provide fail-over capability.

Why performance?

If your Active Directory has multiple physical sites, then each site should have a domain controller with the Global Catalog service enabled. Users will use the local site's Global Catalog to log in and to search for Active Directory objects without searching the entire Active Directory database.

Active Directory Sites with Global Catalog

If the local site doesn’t have a Global Catalog server, clients will query the remote domain controller PLAINTUTDC01 at the Dallas site over a slow WAN connection, and logins will be noticeably delayed. Be very careful in this case: even though the Houston site has a domain controller, it doesn’t help users log in because it doesn’t have the Global Catalog service.

Why Fail-over capability?

Global Catalog is an important component that helps domain users log in and search for Active Directory objects. Global Catalog contains a list of common objects of all domains in the forest. If your forest has only a single domain, then Global Catalog has a simple structure. In a big forest with multiple domain trees and child domains, Global Catalog contains read-only common information from all domains in the forest. This copy of Global Catalog is synchronized between Global Catalog servers using TCP port 3268.

So, what happens if the only Global Catalog server in the Active Directory forest goes down? No users are able to log on. Please note that Administrator accounts are still able to log on without Global Catalog. Domain users will see the error message “Could not contact domain controller”. Domain users can, however, log in from the local cache a few times before encountering the above problem.

In the following diagram, if PLAINTUTDC02 doesn’t have the Global Catalog service, users at the Houston site cannot log in to their computers or access shared folders when the 20Mbps Opteman connection between Houston and Dallas is down. Although the Houston site has a domain controller, PLAINTUTDC02, it doesn’t have the Global Catalog service to serve user logins.

Active Directory with no Global Catalog

For this reason, network administrators must enable the Global Catalog service on multiple domain controllers to keep more than one copy of Global Catalog across the Active Directory forest.

Global Catalog of domains with trust relationship
Trusted domains from different forests maintain different copies of Global Catalog. Each Active Directory forest has its own unique Global Catalog partition.

Enable Global Catalog on a Domain Controller

These steps are performed on PLAINTUTDC02, which is a domain controller at the Houston site. The Dallas site has the first domain controller, PLAINTUTDC01. PLAINTUTDC01 has the Global Catalog service enabled by default since it is the first domain controller of the forest.

  • Log in with a Domain Admins account on PLAINTUTDC02
  • Click Start Menu, RUN, and type DSSITE.MSC to open Active Directory Sites and Services. We will use this tool to enable the Global Catalog service on this domain controller.
Remote Administration
You can log in on any computer within your Active Directory with a Domain Admins account, run dssite.msc, and connect to any domain controller to execute these steps.
  • Expand the site object, select site Houston Site
  • Expand Servers folder, select PLAINTUTDC02
  • Expand server object to see NTDS Settings
  • Right click on NTDS Settings, select Properties
NTDS Settings to enable Global Catalog
  • Make sure the Global Catalog check box is checked; check it if it is unchecked.
Enable Global Catalog
  • Click OK

Wait 30 minutes to 2 hours for Global Catalog to replicate. If you have problems with Global Catalog replication, see my previous post Global Catalog is not replicating.
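
The same change can be scripted and then verified from PowerShell. This is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed, the session runs with a Domain Admins account, and it uses the host name PLAINTUTDC02 from this page.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and Domain Admins rights.
Import-Module ActiveDirectory

$target = 'PLAINTUTDC02'   # host name taken from this page; change for your forest

# 1. Inventory every domain controller in the forest and its Global Catalog flag.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}
$dcs | Sort-Object Site, Name |
    Format-Table Name, Site, Domain, IsGlobalCatalog -AutoSize

# 2. Warn about sites that have a domain controller but no Global Catalog,
#    which is the Houston situation described above.
$dcs | Group-Object Site |
    Where-Object { -not ($_.Group | Where-Object IsGlobalCatalog) } |
    ForEach-Object { Write-Warning "Site '$($_.Name)' has no Global Catalog server" }

# 3. Enable Global Catalog on the target if it is not enabled yet. The check box
#    in NTDS Settings corresponds to bit 0x1 of the 'options' attribute.
$dc = Get-ADDomainController -Identity $target
if (-not $dc.IsGlobalCatalog) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $newOptions = [int]$ntds.options -bor 1      # keep any other flags already set
    Set-ADObject -Identity $ntds -Replace @{ options = $newOptions }
}

# 4. After replication, confirm the server advertises itself as a Global Catalog
#    (rootDSE isGlobalCatalogReady) and answers on the Global Catalog port 3268.
$rootDse = Get-ADRootDSE -Server $dc.HostName -Properties isGlobalCatalogReady
$port    = Test-NetConnection -ComputerName $dc.HostName -Port 3268

[pscustomobject]@{
    Server               = $dc.HostName
    IsGlobalCatalogReady = ("$($rootDse.isGlobalCatalogReady)" -eq 'TRUE')
    Port3268Reachable    = $port.TcpTestSucceeded
}
```

Running only steps 1 and 2 changes nothing and works as a periodic audit of Global Catalog coverage per site.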

About The Author

Hao Nguyen

Hello! I'm Hao Nguyen and I'm currently working as a Network Engineer for a small firm in Houston. I enjoy writing technical documents and blogs, such as PlanTutorials.com.