Global Catalog Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
In this section
Global Catalog Tools
Global Catalog Registry Entries
Global Catalog Group Policy Settings
Network Ports Used by Global Catalog Servers
Related Information
Global Catalog Tools
Tools that are associated with a global catalog server are the same tools that you use to manage any domain controller.
The following tools have commands that are specific to managing global catalog servers.
Adsiedit.msc: ADSI Edit
Category
A Microsoft Management Console (MMC) snap-in that is available in Windows Support Tools in Windows Server® 2003 and Microsoft Windows® 2000 Server. It is built into Windows Server 2008 R2 and Windows Server 2008 and available if you have the Active Directory® Domain Services (AD DS) or the Active Directory Lightweight Directory Services (AD LDS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).
Note
In Windows Server 2003 and Windows 2000 Server, the directory service is named Active Directory. In Windows Server 2008 R2 and Windows Server 2008, the directory service is named Active Directory Domain Services. The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.
Version compatibility
Can Be Run From | Can Be Run Against
---|---
Domain controllers running: / Servers running: / Computers running: | Domain controllers running:
ADSI Edit is an MMC snap-in that you can use to view and modify attributes of directory objects as well as the root DSA-specific entry (rootDSE) attributes of the domain controller.
To find more information about ADSI Edit, see “Support Tools Help” in Tools and Settings Collection.
Dssite.msc: Active Directory Sites and Services
Category
Administrative Tools, MMC snap-in
Version compatibility
Can Be Run From | Can Be Run Against
---|---
Domain controllers running: / Servers running: / Computers running: | Domain controllers running:
You can use Active Directory Sites and Services to create, modify, and delete site configuration objects in Active Directory, including sites, subnets, connection objects, and site links. You can also use Active Directory Sites and Services to create the intersite topology, including mapping subnet addresses to sites, creating and configuring site links, creating manual connection objects, forcing replication over a connection, setting a domain controller to be a global catalog server, and selecting preferred bridgehead servers.
Repadmin.exe: Repadmin
Category
Windows Support Tools, command-line
Version compatibility
Can Be Run From | Can Be Run Against
---|---
Domain controllers running: / Servers running: / Computers running: | Domain controllers running:
Repadmin is used to view the replication information on domain controllers. You can determine the last successful replication of all directory partitions, identify inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally manage Active Directory replication topology. You can use Repadmin to force replication of an entire directory partition or of a single object. You can also list domain controllers in a site.
Repadmin is extended in Windows Server 2003 to enable commands to target sets of domain controllers. For example, you can target all domain controllers in a site or domain, or all domain controllers that are global catalog servers. In Windows 2000 Server, Repadmin can report information about only one domain controller at a time.
For more information about Repadmin, see “Support Tools Help” in Tools and Settings Collection.
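The following is an added example (not part of the original topic or of the Repadmin tool's documentation) showing the Windows Server 2003 and later ability to target every global catalog server at once with the `gc:` DC_LIST specifier. It parses Repadmin's `/csv` output, whose column names are the ones Repadmin emits, and lists only replication links that have recorded failures.

```powershell
# Added example (not from the original page): summarize inbound replication
# status for every global catalog server in the forest using repadmin's
# "gc:" target and its /csv output. Column names are those emitted by
# "repadmin /showrepl /csv" on Windows Server 2003 and later.
function Get-GcReplicationFailures {
    param(
        # DC_LIST accepted by repadmin; "gc:" selects all global catalog servers,
        # "site:<name>" or "*" are other valid choices
        [string]$Target = "gc:"
    )
    $csv = repadmin /showrepl $Target /csv
    if ($LASTEXITCODE -ne 0) {
        throw "repadmin failed with exit code $LASTEXITCODE"
    }
    $rows = $csv | ConvertFrom-Csv
    # Report only partner links that have recorded failures, newest failure first
    $rows |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Sort-Object 'Last Failure Time' -Descending |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

# Run on a domain controller, or on a workstation with the Support Tools / RSAT
# installed, as a user allowed to read replication metadata.
Get-GcReplicationFailures | Format-Table -AutoSize
```

On Windows 2000 Server the `gc:` target is not available and the function must be called once per domain controller with that controller's name as `$Target`.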
Ldp.exe: Ldp
Category
Windows Support Tools, GUI
Version compatibility
Can Be Run From | Can Be Run Against
---|---
Domain controllers running: / Servers running: / Computers running: | Domain controllers running:
Ldp is a Lightweight Directory Access Protocol (LDAP) graphical user interface (GUI) tool that you can use to perform operations such as connect, bind, search, modify, add, and delete against any LDAP-compatible directory, such as AD DS. You can also use Ldp to view objects that are stored in AD DS, along with their metadata, for example, security descriptors and replication metadata.
You can use Ldp to view and edit the updateCachedMemberships operational attribute on the rootDSE.
For more information about Ldp, see “Support Tools Help” in Tools and Settings Collection.
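As an added example (not from the original topic), the same modify operation the text describes performing with Ldp, writing the `updateCachedMemberships` operational attribute on a domain controller's rootDSE, can be scripted through ADSI. The domain controller name in the usage comment is a constructed placeholder.

```powershell
# Added example (not from the original page): trigger an immediate refresh of
# the universal group membership cache on a domain controller by writing the
# updateCachedMemberships operational attribute on its rootDSE, the same
# modify operation the text describes doing in Ldp.
function Invoke-CachedMembershipRefresh {
    param(
        [Parameter(Mandatory)]
        [string]$DomainController   # e.g. "dc01.corp.example" (constructed name)
    )
    $rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
    # Writing 1 to this operational attribute asks the DC to refresh its cached
    # memberships now instead of waiting for the automatic refresh interval.
    $rootDse.Put("updateCachedMemberships", 1)
    $rootDse.SetInfo()
}

# Usage (constructed name); requires rights to modify rootDSE on that DC:
# Invoke-CachedMembershipRefresh -DomainController "dc01.corp.example"
```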
Global Catalog Registry Entries
The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.
The following registry entries are associated with the global catalog.
NTDS Parameters
The following registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters control or contain information about the configuration of the global catalog.
Global Catalog Promotion Complete
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2003:
Used for Install From Media. This entry is set in conjunction with the domain controller setting its rootDSE attribute isGlobalCatalogReady to TRUE, the Net Logon service on the domain controller registering SRV resource records that specifically advertise the global catalog in DNS, and the domain controller beginning to listen on port 3268.
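The following added example (not from the original topic) checks the three advertisement signals the text describes for a global catalog server: `isGlobalCatalogReady` on rootDSE, the `_gc._tcp` SRV record that Net Logon registers in DNS, and a listener on TCP port 3268. The host and forest names in the usage comment are constructed placeholders; `Resolve-DnsName` and `Test-NetConnection` require Windows Server 2012 / Windows 8 or later.

```powershell
# Added example (not from the original page): verify that a global catalog
# server is fully advertised by checking rootDSE, DNS and the 3268 listener.
function Test-GcAdvertisement {
    param(
        [Parameter(Mandatory)] [string]$DomainController,   # constructed, e.g. dc01.corp.example
        [Parameter(Mandatory)] [string]$ForestRootDomain    # constructed, e.g. corp.example
    )
    $result = [ordered]@{ DomainController = $DomainController }

    # 1. rootDSE reports isGlobalCatalogReady = TRUE once promotion completes
    $rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
    $result.IsGlobalCatalogReady = ([string]$rootDse.isGlobalCatalogReady -eq 'TRUE')

    # 2. Net Logon registers _gc._tcp.<forest> SRV records that point at GCs
    $srv = Resolve-DnsName -Name "_gc._tcp.$ForestRootDomain" -Type SRV -ErrorAction SilentlyContinue
    $result.AdvertisedInDns = [bool]($srv | Where-Object { $_.NameTarget -like "$DomainController*" })

    # 3. The GC LDAP listener on TCP 3268 (Test-NetConnection -Port tests TCP only)
    $result.Port3268Open = Test-NetConnection -ComputerName $DomainController -Port 3268 -InformationLevel Quiet

    $result.FullyAdvertised = $result.IsGlobalCatalogReady -and $result.AdvertisedInDns -and $result.Port3268Open
    [pscustomobject]$result
}

# Usage (constructed names):
# Test-GcAdvertisement -DomainController 'dc01.corp.example' -ForestRootDomain 'corp.example'
```

A server that reports `IsGlobalCatalogReady` as true but is absent from DNS is typically still waiting on the partition occupancy requirement described next; re-run the check after the next 30-minute synchronization pass.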
Global Catalog Partition Occupancy
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003:
The requirement for read-only replicas that must be added (replication partner established) or synchronized (replication completed), or both, on the global catalog server before the server is advertised in DNS. Lower occupancy levels specify varying levels of replication completeness, including advertising in DNS when all read-only replicas of only those domains represented in the domain controller’s site are synchronized.
Version
Windows 2000 Server with SP3 and later:
The occupancy level requires full synchronization of all read-only replicas.
Version
Windows 2000 Server with Service Pack (SP) 2 and earlier:
The occupancy level requires only the replicas of domains in the site.
Global Catalog Delay Advertisement
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server
Overrides the requirements set in the Global Catalog Partition Occupancy entry and allows global catalog advertisement without requiring full synchronization of all read-only replicas. If you do not set this value, the check for synchronized read-only partitions repeats at 30-minute intervals until the requirements are met.
Cached Membership Site Stickiness (minutes)
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003
The maximum time during which an account’s cached membership can be refreshed automatically without the account having to log on in this site. The default value is one-half the value of the account’s site affinity setting, which is 180 days by default. If the account has not logged on in more than 90 days, the account’s group membership cache expires and must be reinstated at the next logon by contacting a global catalog server.
Cached Membership Staleness (minutes)
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003
The maximum staleness to tolerate when using a cached group membership. The default value is one week. If the cached membership age is greater than this interval and no global catalog server is available, the logon fails. If no value is present, the default value is used.
Cached Membership Refresh Interval (minutes)
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003
The frequency of automatic cache refresh. The default value is eight hours. If no value is present, the default value is used.
Cached Membership Refresh Limit
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003
The maximum number of user and computer accounts that are refreshed during a group membership cache refresh.
SamNoGcLogonEnforceKerberosIpCheck
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003
By default, allows site affinity to be tracked for Kerberos logons that originate outside the site. This setting only applies to Kerberos logons; it will not affect site affinity caching for NTLM logons from different sites.
SamNoGcLogonEnforceNTLMCheck
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003
A value of 1 configures Security Accounts Manager (SAM) to not give site affinity to NTLM logon requests that are network logon requests; it may not prevent caching for other logon types.
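As an added example (not from the original topic), the script below reads every registry entry listed in this section on the local domain controller and reports which ones are explicitly set. The defaults shown are the ones the text states, converted to the entry's unit (minutes) where the text gives days, weeks or hours; entries whose default the text does not state are marked "not stated". Run it in an elevated PowerShell session on the domain controller.

```powershell
# Added example (not from the original page): audit the global catalog
# registry entries documented above. Defaults come from the text (90 days =
# 129600 min, one week = 10080 min, eight hours = 480 min).
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$entries = @(
    @{ Name = 'Global Catalog Promotion Complete';            Key = $ntds; Default = 'not stated' },
    @{ Name = 'Global Catalog Partition Occupancy';           Key = $ntds; Default = 'not stated' },
    @{ Name = 'Global Catalog Delay Advertisement';           Key = $ntds; Default = 'not set (30-minute re-checks)' },
    @{ Name = 'Cached Membership Site Stickiness (minutes)';  Key = $ntds; Default = 129600 },
    @{ Name = 'Cached Membership Staleness (minutes)';        Key = $ntds; Default = 10080 },
    @{ Name = 'Cached Membership Refresh Interval (minutes)'; Key = $ntds; Default = 480 },
    @{ Name = 'Cached Membership Refresh Limit';              Key = $ntds; Default = 'not stated' },
    @{ Name = 'SamNoGcLogonEnforceKerberosIpCheck';           Key = $lsa;  Default = 'not stated' },
    @{ Name = 'SamNoGcLogonEnforceNTLMCheck';                 Key = $lsa;  Default = 'not stated' }
)

function Get-GcRegistryAudit {
    foreach ($e in $entries) {
        # Get-ItemProperty errors when the value is absent; absent means "default applies"
        $props = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        $value = if ($props) { $props.($e.Name) } else { $null }
        [pscustomobject]@{
            Entry   = $e.Name
            Key     = $e.Key
            IsSet   = ($null -ne $value)
            Value   = if ($null -ne $value) { $value } else { '(default)' }
            Default = $e.Default
        }
    }
}

Get-GcRegistryAudit | Format-Table -AutoSize -Wrap
```

Reading is the safe direction here: the script never writes to the registry, which is consistent with the advice at the top of this section to prefer Group Policy or the MMC tools for changes.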
NTDS Diagnostics
The following registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics control the logging level for the component or process that is specified in the entry name.
Global Catalog
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server
The logging level for the global catalog on the domain controller. The value is set to an integer from 0 (no logging) through 5 (most verbose logging).
20 Group Caching
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003
The logging level for Universal Group Membership Caching on a domain controller in a site where this feature is enabled. The value is set to an integer from 0 (no logging) through 5 (most verbose logging). Significant events are reported at logging level 2, with many additional events reported at logging level 5.
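The following added example (not from the original topic) raises the logging level of one of the two NTDS\Diagnostics entries above for a troubleshooting session, rejecting values outside the documented 0 through 5 range, reads the resulting events from the Directory Service event log, and then sets the level back to 0. Run it in an elevated PowerShell session on the domain controller.

```powershell
# Added example (not from the original page): adjust an NTDS\Diagnostics
# logging level within the documented 0..5 range and review the events.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Global Catalog', '20 Group Caching')]   # entries documented above
        [string]$Entry,
        [Parameter(Mandatory)]
        [ValidateRange(0, 5)]                                 # 0 = no logging, 5 = most verbose
        [int]$Level
    )
    $previous = (Get-ItemProperty -Path $diag -Name $Entry -ErrorAction SilentlyContinue).$Entry
    Set-ItemProperty -Path $diag -Name $Entry -Value $Level -Type DWord
    [pscustomobject]@{ Entry = $Entry; Previous = $previous; Current = $Level }
}

# Level 2 reports the significant Universal Group Membership Caching events
Set-NtdsDiagnosticLevel -Entry '20 Group Caching' -Level 2

# NTDS writes its diagnostic events to the Directory Service log
Get-WinEvent -LogName 'Directory Service' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# Return to 0 (no logging) when finished so the log does not fill with verbose events
Set-NtdsDiagnosticLevel -Entry '20 Group Caching' -Level 0
```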
Global Catalog Group Policy Settings
The following table lists and describes the Group Policy settings that are associated with global catalog servers.
Group Policy Settings Associated with the Global Catalog
Group Policy Setting | Description
---|---
Automated Site Coverage by the DC Locator DNS SRV Records | Determines whether domain controllers will dynamically register DC Locator site-specific SRV resource records for the closest sites where no domain controller for the same domain exists (or no global catalog server for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate domain controllers.
Sites Covered by the GC Locator DNS SRV Records | Specifies the sites for which the global catalog servers should register the site-specific GC Locator SRV resource records in DNS. These records are registered in addition to the site-specific SRV resource records registered for the site where the global catalog server resides and, if the global catalog server is appropriately configured, for the sites without a global catalog server in the same forest for which this global catalog server is the closest global catalog server. These records are registered by the Net Logon service. If this policy is not configured, then it is not applied to any global catalog servers and global catalog servers use their local configuration.
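Both policies above take effect as site-specific GC Locator SRV records in DNS, so the practical way to confirm what they produced is to query those records. The following added example (not from the original topic) enumerates the sites in the forest's configuration partition and shows, for each one, which global catalog servers are registered in `_gc._tcp.<site>._sites.<forest>`. The forest name is derived from rootDSE; `Resolve-DnsName` requires Windows Server 2012 / Windows 8 or later.

```powershell
# Added example (not from the original page): list the global catalog servers
# that cover each site according to the site-specific GC Locator SRV records.
function Get-GcSiteCoverage {
    param(
        # Defaults to the logon DC; $env:LOGONSERVER looks like "\\DC01"
        [string]$DomainController = ($env:LOGONSERVER -replace '^\\\\', '')
    )
    $rootDse  = [ADSI]"LDAP://$DomainController/RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $rootNc   = [string]$rootDse.rootDomainNamingContext
    # Turn "DC=corp,DC=example" into "corp.example" for the DNS query
    $forest   = ($rootNc -split ',' | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'

    # Site objects live directly under CN=Sites in the configuration partition
    $sites = ([ADSI]"LDAP://$DomainController/CN=Sites,$configNc").Children |
        Where-Object { $_.SchemaClassName -eq 'site' } |
        ForEach-Object { $_.Name -replace '^CN=', '' }

    foreach ($site in $sites) {
        $srv = Resolve-DnsName -Name "_gc._tcp.$site._sites.$forest" -Type SRV -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Site              = $site
            CoveringGcServers = (($srv | ForEach-Object { $_.NameTarget } | Sort-Object -Unique) -join ', ')
        }
    }
}

Get-GcSiteCoverage | Format-Table -AutoSize
```

A site with an empty `CoveringGcServers` column has no global catalog server registered for it, so clients there fall back to forest-wide records and the global catalog lookup may cross a slow link; that is the situation the two policies exist to control.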
Network Ports Used by Global Catalog Servers
The following table shows the network ports that are used by global catalog servers.
Port Assignments for Global Catalog Servers
Service Name | UDP | TCP
---|---|---
LDAP | | 3268 (global catalog)
LDAP | | 3269 (global catalog Secure Sockets Layer [SSL])
LDAP | 389 | 389
LDAP | | 636 (SSL)
RPC/REPL | | 135 (endpoint mapper)
Kerberos | 88 | 88
DNS | 53 | 53
SMB over IP | 445 | 445
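The following added example (not from the original topic) probes the TCP ports from the table above against a global catalog server from a client's point of view, which is the check to run when a firewall between sites is suspected of blocking global catalog lookups. It is TCP only: the UDP ports in the table (53, 88, 389, 445) cannot be verified with a connect test. The server name in the usage comment is a constructed placeholder.

```powershell
# Added example (not from the original page): bounded TCP connect test for
# the global catalog server ports listed in the table.
$gcTcpPorts = [ordered]@{
    3268 = 'LDAP (global catalog)'
    3269 = 'LDAP (global catalog SSL)'
    389  = 'LDAP'
    636  = 'LDAP (SSL)'
    135  = 'RPC endpoint mapper'
    88   = 'Kerberos'
    53   = 'DNS'
    445  = 'SMB over IP'
}

function Test-GcTcpPorts {
    param(
        [Parameter(Mandatory)] [string]$Server,   # constructed, e.g. gc01.corp.example
        [int]$TimeoutMs = 2000
    )
    foreach ($port in $gcTcpPorts.Keys) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Asynchronous connect with a timeout so a filtered port does not hang the run
            $async = $client.BeginConnect($Server, [int]$port, $null, $null)
            $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Port = $port; Service = $gcTcpPorts[$port]; Open = [bool]$open }
    }
}

# Usage (constructed host name):
# Test-GcTcpPorts -Server 'gc01.corp.example' | Format-Table -AutoSize
```

Ports 3268 and 3269 are the ones specific to the global catalog; if 389 is reachable but 3268 is not, the server is reachable as a domain controller but forest-wide searches and universal group expansion against it will fail.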
Related Information
The following resources contain additional information that is relevant to this section.