Global Catalog Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

  • Global Catalog Tools

  • Global Catalog Registry Entries

  • Global Catalog Group Policy Settings

  • Network Ports Used by Global Catalog Servers

  • Related Information

Global Catalog Tools

Tools that are associated with a global catalog server are the same tools that you use to manage any domain controller.

The following tools have commands that are specific to managing global catalog servers.

Adsiedit.msc: ADSI Edit

Category

A Microsoft Management Console (MMC) snap-in that is available in Windows Support Tools in Windows Server® 2003 and Microsoft Windows® 2000 Server. It is built into Windows Server 2008 R2 and Windows Server 2008 and available if you have the Active Directory® Domain Services (AD DS) or the Active Directory Lightweight Directory Services (AD LDS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

Note

In Windows Server 2003 and Windows 2000 Server, the directory service is named Active Directory. In Windows Server 2008 R2 and Windows Server 2008, the directory service is named Active Directory Domain Services. The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.

Version compatibility

Can be run from:

Domain controllers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

Servers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Web Edition

Computers running:

  • Windows 7 with Remote Server Administration Tools (RSAT) installed.

  • Windows XP Professional

  • Windows Vista with Remote Server Administration Tools (RSAT) installed.

Can be run against:

Domain controllers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows 2000 Datacenter Server

ADSI Edit is an MMC snap-in that you can use to view and modify the attributes of directory objects, as well as the rootDSE (root DSA-specific entry) attributes of the domain controller.

To find more information about ADSI Edit, see “Support Tools Help” in Tools and Settings Collection.

Dssite.msc: Active Directory Sites and Services

Category

Administrative Tools, MMC snap-in

Version compatibility

Can be run from:

Domain controllers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

Servers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Web Edition

Computers running:

  • Windows 7 with Remote Server Administration Tools (RSAT) installed.

  • Windows Vista with Remote Server Administration Tools (RSAT) installed.

  • Windows XP Professional with Adminpak.msi installed

Can be run against:

Domain controllers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows 2000 Datacenter Server

You can use Active Directory Sites and Services to create, modify, and delete site configuration objects in Active Directory, including sites, subnets, connection objects, and site links. You can also use Active Directory Sites and Services to create the intersite topology, including mapping subnet addresses to sites, creating and configuring site links, creating manual connection objects, forcing replication over a connection, setting a domain controller to be a global catalog server, and selecting preferred bridgehead servers.

Repadmin.exe: Repadmin

Category

Windows Support Tools, command-line

Version compatibility

Can be run from:

Domain controllers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

Servers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Web Edition

Computers running:

  • Windows 7 with Remote Server Administration Tools (RSAT) installed.

  • Windows Vista with Remote Server Administration Tools (RSAT) installed.

  • Windows XP Professional

Can be run against:

Domain controllers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows 2000 Datacenter Server

Repadmin is used to view the replication information on domain controllers. You can determine the last successful replication of all directory partitions, identify inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally manage Active Directory replication topology. You can use Repadmin to force replication of an entire directory partition or of a single object. You can also list domain controllers in a site.

Repadmin is extended in Windows Server 2003 to enable commands to target sets of domain controllers. For example, you can target all domain controllers in a site or domain, or all domain controllers that are global catalog servers. In Windows 2000 Server, Repadmin can report information about only one domain controller at a time.

For more information about Repadmin, see “Support Tools Help” in Tools and Settings Collection.

Ldp.exe: Ldp

Category

Windows Support Tools, GUI

Version compatibility

Can be run from:

Domain controllers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

Servers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Web Edition

Computers running:

  • Windows 7 with Remote Server Administration Tools (RSAT) installed.

  • Windows Vista with Remote Server Administration Tools (RSAT) installed.

  • Windows XP Professional

Can be run against:

Domain controllers running:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows 2000 Datacenter Server

Ldp is a Lightweight Directory Access Protocol (LDAP) graphical user interface (GUI) tool that you can use to perform operations such as connect, bind, search, modify, add, and delete against any LDAP-compatible directory, such as AD DS. You can also use Ldp to view objects that are stored in AD DS, along with their metadata, for example, security descriptors and replication metadata.

You can use Ldp to view and edit the updateCachedMemberships operational attribute on the rootDSE.

For more information about Ldp, see “Support Tools Help” in Tools and Settings Collection.

Global Catalog Registry Entries

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

The following registry entries are associated with the global catalog.

NTDS Parameters

The following registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters control or contain information about the configuration of the global catalog.

Global Catalog Promotion Complete

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2003:

Used for Install From Media. This entry is set in conjunction with the domain controller setting its rootDSE attribute isGlobalCatalogReady to TRUE, the Net Logon service on the domain controller registering SRV resource records that specifically advertise the global catalog in DNS, and the domain controller beginning to listen on port 3268.
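The four signals listed above (registry entry, rootDSE attribute, GC SRV record, TCP 3268 listener) can be checked together. The following PowerShell is an added example, not part of the original topic; it assumes WinRM access to the domain controller for the registry read, derives the forest DNS name from the DC's own rootDSE, and uses dc1.corp.example as a placeholder host name.

```powershell
# Added example, not from the original topic: verify global catalog advertisement on a
# domain controller using the signals the topic lists (registry entry, rootDSE
# isGlobalCatalogReady, _gc._tcp SRV record registered by Net Logon, TCP 3268 listener).
# Assumes WinRM access to the DC for the registry read; host names are placeholders.
function Test-GlobalCatalogAdvertisement {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $Port = 3268    # 3269 for the LDAP-over-SSL global catalog listener
    )
    $result = [ordered]@{ DomainController = $DomainController }

    # 1. Registry: Global Catalog Promotion Complete under NTDS\Parameters.
    #    The topic does not document the data, so the raw value is reported as found.
    try {
        $result['PromotionCompleteRegistry'] = Invoke-Command -ComputerName $DomainController -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'Global Catalog Promotion Complete'
        }
    } catch { $result['PromotionCompleteRegistry'] = 'not read (WinRM unavailable)' }

    # 2. rootDSE: the DC sets isGlobalCatalogReady to TRUE when it can answer GC queries.
    $rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
    $result['IsGlobalCatalogReady'] = ([string]$rootDse.isGlobalCatalogReady -eq 'TRUE')

    # 3. DNS: Net Logon registers _gc._tcp.<forest root DNS name> SRV records for GC servers.
    #    The forest DNS name is derived from rootDomainNamingContext (DC=corp,DC=example -> corp.example).
    $forestDns = ([string]$rootDse.rootDomainNamingContext) -replace 'DC=', '' -replace ',', '.'
    $srv = Resolve-DnsName -Name "_gc._tcp.$forestDns" -Type SRV -ErrorAction SilentlyContinue
    $result['GcSrvRecordPresent'] = [bool]($srv | Where-Object { $_.NameTarget -like "$DomainController*" })

    # 4. Listener: a promoted GC server listens on TCP 3268 (3269 for SSL).
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($DomainController, $Port); $result['PortOpen'] = $true }
    catch   { $result['PortOpen'] = $false }
    finally { $client.Close() }

    $result['Advertising'] = $result['IsGlobalCatalogReady'] -and $result['GcSrvRecordPresent'] -and $result['PortOpen']
    [pscustomobject]$result
}

Test-GlobalCatalogAdvertisement -DomainController 'dc1.corp.example' | Format-List
```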

Global Catalog Partition Occupancy

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003:

The level of read-only replicas that must be added (replication partner established), synchronized (replication completed), or both on the global catalog server before the server is advertised in DNS. Lower occupancy levels require less replication completeness, down to advertising in DNS as soon as the read-only replicas of only those domains represented in the domain controller’s site are synchronized.

Version

Windows 2000 Server with SP3 and later:

The occupancy level requires full synchronization of all read-only replicas.

Version

Windows 2000 Server with Service Pack (SP) 2 and earlier:

The occupancy level requires only the replicas of domains in the site.

Global Catalog Delay Advertisement

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server

Overrides the requirements set in the Global Catalog Partition Occupancy entry and allows global catalog advertisement without requiring full synchronization of all read-only replicas. If you do not set this value, the check for synchronized read-only partitions is repeated at 30-minute intervals until the requirements are met.

Cached Membership Site Stickiness (minutes)

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003

The maximum time during which an account’s cached membership can be refreshed automatically without the account having to log on in this site. The default value is one-half the value of the account’s site affinity setting, which is 180 days by default. If the account has not logged on in more than 90 days, the account’s group membership cache expires and must be reinstated at the next logon by contacting a global catalog server.

Cached Membership Staleness (minutes)

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003

The maximum staleness to tolerate when using a cached group membership. The default value is one week. If the cached membership age is greater than this interval and no global catalog server is available, the logon fails. If no value is present, the default value is used.

Cached Membership Refresh Interval (minutes)

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003

The frequency of automatic cache refresh. The default value is eight hours. If no value is present, the default value is used.

Cached Membership Refresh Limit

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003

The maximum number of user and computer accounts that are refreshed during a group membership cache refresh.

SamNoGcLogonEnforceKerberosIpCheck

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003

By default, allows site affinity to be tracked for Kerberos logons that originate outside the site. This setting only applies to Kerberos logons; it will not affect site affinity caching for NTLM logons from different sites.

SamNoGcLogonEnforceNTLMCheck

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003

A value of 1 configures Security Accounts Manager (SAM) to not give site affinity to NTLM logon requests that are network logon requests; it may not prevent caching for other logon types.

NTDS Diagnostics

The following registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics control the logging level for the component or process that is specified in the entry name.

Global Catalog

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server

The logging level for the global catalog on the domain controller. The value is set to an integer from 0 (no logging) through 5 (most verbose logging).

20 Group Caching

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003

The logging level for Universal Group Membership Caching on a domain controller in a site where this feature is enabled. The value is set to an integer from 0 (no logging) through 5 (most verbose logging). Significant events are reported at logging level 2, with many additional events reported at logging level 5.
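The Cached Membership entries under NTDS Parameters and the 20 Group Caching diagnostics entry above can be audited together. The following PowerShell is an added example, not part of the original topic; it runs in an elevated session on the domain controller itself, substitutes the documented defaults where a value is absent, and flags a staleness/refresh-interval combination under which cached logons fail whenever no global catalog server is reachable.

```powershell
# Added example, not from the original topic: audit the Universal Group Membership Caching
# entries under NTDS\Parameters on the local domain controller, apply the documented
# defaults where a value is absent, read the "20 Group Caching" diagnostics level, and
# flag a staleness/refresh combination that makes cached logons fail without a GC.
function Get-GroupCachingConfig {
    $paramsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $diagPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

    # Documented defaults in minutes: stickiness = one-half of the 180-day site affinity,
    # staleness = one week, refresh interval = eight hours. Refresh Limit has no documented default.
    $defaults = [ordered]@{
        'Cached Membership Site Stickiness (minutes)'  = 90 * 24 * 60
        'Cached Membership Staleness (minutes)'        = 7 * 24 * 60
        'Cached Membership Refresh Interval (minutes)' = 8 * 60
    }
    $params = Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue
    $diag   = Get-ItemProperty -Path $diagPath   -ErrorAction SilentlyContinue

    $effective = [ordered]@{}
    foreach ($name in $defaults.Keys) {
        $raw = if ($params) { $params.$name } else { $null }
        # An absent value means the default applies; a present value overrides it.
        $effective[$name] = if ($null -ne $raw) { [int]$raw } else { $defaults[$name] }
    }
    $effective['Cached Membership Refresh Limit'] = if ($params) { $params.'Cached Membership Refresh Limit' } else { $null }
    # Logging level 0 (none) through 5 (most verbose); significant events appear at level 2.
    $effective['20 Group Caching (logging level)'] = if ($diag) { $diag.'20 Group Caching' } else { $null }

    $warnings = @()
    $stale   = $effective['Cached Membership Staleness (minutes)']
    $refresh = $effective['Cached Membership Refresh Interval (minutes)']
    # If the cache may exceed its tolerated staleness before the next automatic refresh,
    # a logon in that window fails whenever no global catalog server is reachable.
    if ($stale -le $refresh) {
        $warnings += "Staleness ($stale min) does not exceed the refresh interval ($refresh min)"
    }
    $level = $effective['20 Group Caching (logging level)']
    if ($null -ne $level -and ($level -lt 0 -or $level -gt 5)) {
        $warnings += "20 Group Caching level $level is outside the valid range 0-5"
    }
    [pscustomobject]@{ Effective = [pscustomobject]$effective; Warnings = $warnings }
}

Get-GroupCachingConfig | Format-List
```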

Global Catalog Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with global catalog servers.

Group Policy Settings Associated with the Global Catalog

Setting: Automated Site Coverage by the DC Locator DNS SRV Records

Description: Determines whether domain controllers will dynamically register DC Locator site-specific SRV resource records for the closest sites where no domain controller for the same domain exists (or no global catalog server for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate domain controllers.

Setting: Sites Covered by the GC Locator DNS SRV Records

Description: Specifies the sites for which the global catalog servers should register the site-specific GC Locator SRV resource records in DNS. These records are registered in addition to the site-specific SRV resource records registered for the site where the global catalog server resides and, if the global catalog server is appropriately configured, for the sites without a global catalog server in the same forest for which this global catalog server is the closest global catalog server. These records are registered by the Net Logon service.

If this policy is not configured, it is not applied to any global catalog servers, and global catalog servers use their local configuration.

Network Ports Used by Global Catalog Servers

The following table shows the network ports that are used by global catalog servers.

Port Assignments for Global Catalog Servers

Service Name    UDP    TCP
LDAP            -      3268 (global catalog)
LDAP            -      3269 (global catalog Secure Sockets Layer [SSL])
LDAP            389    389
LDAP            -      636 (SSL)
RPC/REPL        -      135 (endpoint mapper)
Kerberos        88     88
DNS             53     53
SMB over IP     445    445

A dash (-) means the service does not use that transport.

The following resources contain additional information that is relevant to this section.