Active Directory Forest Recovery - Add the GC
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2
Use the following procedure to add the global catalog to a DC.
Add the global catalog
- Select Start, point to All Programs, point to Administrative Tools, and then select Active Directory Sites and Services.
- In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.
- Expand the Servers container, and then expand the server object for the DC to which you want to add the global catalog.
- Right-click NTDS Settings, and then select Properties.
- Select the Global Catalog check box.
Add the global catalog using repadmin
Open an elevated command prompt, type the following command, and press ENTER:
repadmin.exe /options DC_NAME +IS_GC
The following are ways to speed up the process of adding the global catalog to the DC in the root domain:
Ideally, the DC in the root domain should be a replication partner of the restored DCs in the nonroot domains. If so, confirm that the Knowledge Consistency Checker (KCC) has created the corresponding repsFrom object for the source DC and partition in the root DC. You can confirm this by running the
repadmin /showreps /vcommand.If there's no repsFrom object created, create this object for the configuration partition. This way, the DC in the root domain can determine which DCs in the nonroot domain have been deleted. You can do this with the following commands:
repadmin /add ConfigurationNamingContext DestinationDomainController SourceDomainControllerCNAMErepadmin /options DSA -Disable_NTDSCONN_XLATEThe format for the SourceDomainControllerCNAME is:
sourceDCGuid._msdcs.root domainFor example, the repadmin /add command for the configuration partition of the contoso.com domain could be:
repadmin /add cn=configuration,DC=contoso,DC=com DC01 937ef930-7356-43c8-88dc-8baaaa781cf6._msdcs.dDSP17A22.contoso.comIf the repsFrom object is present, try to sync the DC in the root domain with the DC in the nonroot domain as follows:
repadmin /sync DomainNamingContext DestinationDomainController SourceDomainControllerGUIDWhere DestinationDomainController is the DC in the root domain and SourceDomainController is the restored DC in the nonroot domain.
The root domain DNS server should have the alias (CNAME) resource records for the source DC. Ensure that the parent DNS zone contains delegation resource records (name server (NS) and host (A) resource records) for the correct DCs (the DCs that have been restored from backup) in the child zone.
Make sure that the DC in the root domain is contacting the correct Key Distribution Center (KDC) in the nonroot domain. To test this, at the command prompt, type the following command, and then press ENTER:
nltest /dsgetdc:nonroot domain name /KDC /Force
Next steps
- AD Forest Recovery - Prerequisites
- AD Forest Recovery - Devise a custom forest recovery plan
- AD Forest Recovery - Steps to restore the forest
- AD Forest Recovery - Identify the problem
- AD Forest Recovery - Determine how to recover
- AD Forest Recovery - Perform initial recovery
- AD Forest Recovery - Procedures
- AD Forest Recovery - Frequently Asked Questions (FAQ)
- AD Forest Recovery - Recover a single domain within a multidomain forest
- AD Forest Recovery - Redeploy remaining DCs
- AD Forest Recovery - Virtualization
- AD Forest Recovery - Cleanup
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for