Event ID 1126 — Global catalog verification

Applies To: Windows Server 2008

Domain controllers on a network must contact global catalog servers to perform certain functions. For example, if an administrator adds a user from another domain in the forest to a domain local group in the local domain, a global catalog server is used to obtain the appropriate information to be added for the user. If the local domain controller is not a global catalog server, it locates another domain controller that is hosting the global catalog to obtain the appropriate information.

Event Details

Product: Windows Operating System
ID: 1126
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_GCVERIFY_ERROR
Message: Unable to establish connection with global catalog. (Internal DSID %1).

Resolve

Ensure that the domain controller can connect to a global catalog server

The domain controller that is reporting the error is not able to establish a connection to a global catalog server. To resolve this problem, ensure that the domain controller that is reporting the error is able to communicate with a global catalog server. There are several procedures that you can use to ensure that the local domain controller can communicate with a global catalog server:

  • Check the network connection of the domain controller that is reporting the error.
  • Test connectivity from the domain controller that is reporting the error to the global catalog server.
  • Ensure that there is at least one global catalog that is configured for the forest.
  • Ensure that a global catalog server's local network connection is operational.
  • Ensure that the NTDS service is running on the global catalog server.
  • Test connectivity from the domain controller that is reporting the error to the global catalog server by using the global catalog services port.

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

Check the network connection of the domain controller that is reporting the error

To check the network connection of the domain controller that is reporting the error:

  1. On the domain controller that is reporting the error, open Network Connections. To open Network Connections, click Start. In Start Search, type ncpa.cpl, and then press ENTER. If the User Account Control dialog box appears, confirm that the action that it displays is what you want, and then click Continue.
  2. Locate the network connection icon that represents this computer's connection to the network and other domain controllers. If the adapter is disabled, you see the command Enable in the menu. If that command appears, click Enable. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. Otherwise, click Status, and then ensure that the network is connected. Resolve any issues that you see with the network connectivity.
  3. Click Close when you are done confirming that the adapter is connected.

Test connectivity from the domain controller that is reporting the error to the global catalog server

To test connectivity from a domain controller that is reporting the error to the global catalog server:

  1. On the domain controller that is reporting the error, open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Type nltest /server:serverName /dsgetdc:domainName /gc /force, and then press ENTER. Substitute the name of the domain controller that you want to connect to the global catalog server for serverName, and substitute the actual name of the domain for domainName.

If the domain controller is able to contact the global catalog, the command output indicates the name of a domain controller that is configured as a global catalog server and the issue is resolved. However, if the domain controller is not able to contact the global catalog server for any reason, you receive an error message, such as "Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN." If the domain controller is not able to contact the global catalog server at this point, ensure that at least one global catalog server is configured and available in the forest.

Ensure that there is at least one global catalog that is configured for the forest

To ensure that there is at least one global catalog server that is configured for the forest:

  1. On any domain controller in the forest, open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start. In Start Search, type dssite.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action that it displays is what you want, and then click Continue.
  2. Expand the Sites object for the site at which you expect a domain controller to be hosting the global catalog. If you are not sure which site has a global catalog server, expand all the potential sites that may have a domain controller hosting a global catalog.
  3. In the site or sites that you expect to have global catalog servers, expand the Servers object.
  4. Expand the server or servers that you expect to host the global catalog.
  5. Under each server object that should host the global catalog, right-click the NTDS Settings object, and then click Properties.
  6. Ensure that the Global Catalog check box is selected in the NTDS Settings Properties dialog box for each server that is expected to host the global catalog. Ensure that at least one domain controller in the forest is configured to host the global catalog. You can configure any domain controller to host the global catalog. However, unless you are making all domain controllers in the domain global catalog servers, you should not make a domain controller that hosts the infrastructure operations master role (also known as flexible single master operations or FSMO) a global catalog server. The user interface (UI) warns you about this issue if the infrastructure master role is detected on the domain controller when the Global Catalog check box is selected.
  7. If you made any configuration changes, click OK. Otherwise, click Cancel.
  8. Close Active Directory Sites and Services when all the appropriate domain controllers are configured to host the global catalog.

If you have verified that there is at least one domain controller in the forest that is hosting the global catalog, but the local domain controller is still not able to connect to the global catalog, confirm that the global catalog server's local network connection is operational.

Ensure that a global catalog server's local network connection is operational

To ensure that the global catalog server's local network connection is operational:

  1. On the global catalog server or servers, open Network Connections. To open Network Connections, click Start. In Start Search, type ncpa.cpl, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Locate the network connection icon that represents this computer's connection to the network and other domain controllers. If the adapter is disabled, you see the command Enable in the menu. If that command appears, click Enable. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. Otherwise, click Status, and ensure that the network is connected. Resolve any issues that you see with network connectivity.
  3. When you are finished confirming that the adapter is connected, click Close.

Next, ensure that the NTDS service is running on the global catalog server or servers.

Ensure that the NTDS service is running on the global catalog server

To ensure that the NTDS service is running on the global catalog server:

  1. On the global catalog server or servers, open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type sc query ntds, and then press ENTER. In the STATE line of the command output, you see that the NTDS service is either running or stopped. The service should be running.
  3. If the NTDS service is stopped, start the NTDS service. To start the NTDS service, at a command prompt, type net start ntds, and then press ENTER. The NTDS service will not start if the global catalog server is running in Directory Services Restore Mode. If the server is running in Directory Services Restore Mode, an error stating that fact appears when you attempt to start the NTDS service.

There may still be a TCP/IP configuration issue that is preventing a connection between the domain controller and the global catalog server. For example, a firewall product (software or hardware) between the domain controller and the global catalog server may be preventing communication between the two computers. By default, global catalog services are available on TCP port 3268. You can test the connection between the domain controller and the global catalog server by using the Active Directory Users and Computers snap-in.

Test connectivity from the domain controller that is reporting the error to the global catalog server by using the global catalog services port

To test connectivity from the domain controller that is reporting the error to the global catalog server by using the global catalog services port:

  1. On the domain controller that is reporting the error, open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
  2. In the console tree, right-click Active Directory Users and Computers, and then click Change Domain Controller. The Change Directory Server dialog box opens.
  3. In Change to, select This Domain Controller or AD LDS instance.
  4. In the box below, click the line <Type a Directory Server name[:port] here>. The line should be selected and ready for editing.
  5. Type the fully qualified domain name (FQDN) or IP address of a global catalog server, followed by a colon and the port to which you want to connect, and then press ENTER. For example, if the global catalog server FQDN is Server1.Contoso.Com with an IP address of 192.168.0.181 and offering global catalog services over the default port of 3268, type Server1.Contoso.Com:3268 or 192.168.0.181:3268, and then press ENTER.
  6. Watch the Status column, which should read Pending at first. If the connection is successful, the Status column reads Online. If the connection is not successful, the status column reads Unavailable. When you determine the status, click OK.
  7. Use the same technique to test connectivity between the domain controller that is reporting the error and any other global catalog servers in the network.

If the domain controller that is reporting the error can connect to the global catalog server over the global catalog services port, the connectivity issue is probably resolved. However, if the domain controller is not able to establish a connection to the global catalog server, a firewall might be blocking the global catalog services port between the domain controller and the global catalog server. In this case, you must examine the configuration of the firewall product and ensure that it allows communication between the domain controller or controllers and the global catalog server or servers.
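The port test and the NTDS service check described above can also be run from a script against several global catalog servers at once. The following is an added example, not part of the original Microsoft procedure; the server name is the placeholder from step 5, the function names Test-GcPort and Get-NtdsState are hypothetical, and the script assumes Windows PowerShell 2.0 or later and rights to query services on the remote server.

```powershell
# Added example: checks each global catalog candidate for TCP reachability on the
# global catalog port and reports the NTDS service state.
# Server names are placeholders; replace them with your own global catalog servers.
param(
    [string[]]$GlobalCatalogs = @('Server1.Contoso.Com'),
    [int]$Port = 3268,        # default global catalog services port
    [int]$TimeoutMs = 3000    # how long to wait for the TCP handshake
)

function Test-GcPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout'         # no answer at all within the timeout
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'Open'
    } catch {
        return 'Refused/Error'       # refused, unreachable, or name not resolved
    } finally {
        $client.Close()
    }
}

function Get-NtdsState {
    param([string]$Server)
    # Same check as "sc query ntds", run against the remote server.
    $line = sc.exe "\\$Server" query ntds | Select-String -Pattern 'STATE\s*:\s*\d+\s+(\w+)'
    if ($line) { return $line.Matches[0].Groups[1].Value }
    return 'Unknown'                 # service not found or access denied
}

$results = foreach ($gc in $GlobalCatalogs) {
    New-Object PSObject -Property @{
        Server = $gc
        Port   = $Port
        Tcp    = Test-GcPort -Server $gc -Port $Port -TimeoutMs $TimeoutMs
        Ntds   = Get-NtdsState -Server $gc
    }
}
$results | Format-Table Server, Port, Tcp, Ntds -AutoSize
```

A row that shows Timeout while NTDS reports RUNNING is consistent with a firewall dropping traffic to the global catalog port; a row that shows STOPPED points back to the NTDS service procedure.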

For information about configuring and troubleshooting TCP/IP, see Chapter 16 - Troubleshooting TCP/IP (https://go.microsoft.com/fwlink/?LinkId=109262) and Windows Server 2003 TCP/IP Troubleshooting (https://go.microsoft.com/fwlink/?LinkId=109264).

For more information about the global catalog, see Global Catalog Tools and Settings (https://go.microsoft.com/fwlink/?LinkId=99051).

Verify

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To test connectivity from a domain controller to the global catalog server:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Type nltest /server:serverName /dsgetdc:domainName /gc /force, and then press ENTER. Substitute the name of the domain controller that you want to connect to the global catalog server for serverName, and substitute the name of the domain for domainName. If the domain controller is able to contact the global catalog, the command output indicates the name of a domain controller that is configured as the global catalog server.
