How to Configure the Global Catalog on Windows Server 2012 R2
The Global Catalog (GC) is a partial replica of all objects in the Active Directory forest stored on designated domain controllers called Global Catalog servers. Unlike a regular domain controller that holds a full replica of only its own domain, a GC server holds a searchable, read-only subset of attributes for all objects in every domain in the forest. The GC is queried during authentication (for universal group membership) and by directory-aware applications such as Exchange Server and SharePoint for cross-domain object lookups. This guide covers configuring Global Catalog servers, managing the partial attribute set, and planning GC placement on Windows Server 2012 R2.
Prerequisites
You need Domain Admin or Enterprise Admin rights to configure Global Catalog settings. GC configuration is performed through Active Directory Sites and Services or PowerShell. The server being designated as a GC must be a domain controller. Network bandwidth and disk capacity should be considered as the GC database is larger than a standard domain partition.
# Load the Active Directory module (provided by the RSAT-AD-PowerShell feature on the management host)
Import-Module ActiveDirectory
Understanding the Global Catalog Role
The GC serves several critical functions in an AD forest:
Universal group membership lookup: during Kerberos authentication in a multi-domain forest, the authenticating DC must query a GC to retrieve the user's universal group memberships, which are required to build the Kerberos PAC (Privilege Attribute Certificate). If no GC is reachable, authentication fails (unless the domain controller is configured with Universal Group Membership Caching).
Object searches: applications such as Exchange query the GC on port 3268 to find objects in any domain of the forest.
UPN suffix resolution: when a user logs on with a UPN (for example user@contoso.com), a GC is queried to resolve the UPN suffix to the correct domain.
The first DC promoted in a forest is automatically designated as a GC server.
Designating a Domain Controller as a Global Catalog Server
Use Active Directory Sites and Services or PowerShell to designate a DC as a GC server:
# Enable Global Catalog on a domain controller.
# Bit 0x1 of the NTDS Settings "options" attribute (NTDSDSA_OPT_IS_GC) marks the DC as a GC;
# -Replace overwrites the whole value, which is fine when no other option bits are in use.
Set-ADObject -Identity (Get-ADDomainController -Identity "DC-LON-02").NTDSSettingsObjectDN `
    -Replace @{options = 1}
# Alternative: Use the Sites and Services console
# Navigate to Sites > [SiteName] > Servers > [DC Name] > NTDS Settings
# Right-click NTDS Settings > Properties > Check "Global Catalog"
# Verify GC status via PowerShell
Get-ADDomainController -Identity "DC-LON-02" |
    Select-Object HostName, IsGlobalCatalog, Site
# List GC servers in the current domain, grouped by site.
# Get-ADDomainController -Filter queries one domain at a time; for the forest-wide list of
# GC hostnames use (Get-ADForest).GlobalCatalogs
Get-ADDomainController -Filter {IsGlobalCatalog -eq $true} |
    Select-Object HostName, Site, IsGlobalCatalog, IPv4Address |
    Sort-Object Site
Removing the Global Catalog Designation
Before removing the GC role from a DC, ensure at least one other GC server exists in the same site, or configure Universal Group Membership Caching. Removing the only GC from a site will cause authentication failures in multi-domain forests:
# Remove Global Catalog designation (options = 0 clears the GC bit and any other option bits)
Set-ADObject -Identity (Get-ADDomainController -Identity "DC-LON-02").NTDSSettingsObjectDN `
    -Replace @{options = 0}
# Verify removal
Get-ADDomainController -Identity "DC-LON-02" | Select-Object HostName, IsGlobalCatalog
Universal Group Membership Caching
In branch office sites without a GC server, Universal Group Membership Caching (UGMC) allows the local DC to cache universal group memberships after the first logon. Subsequent logons use the cache instead of querying a GC across the WAN link. UGMC is configured in Active Directory Sites and Services on the NTDS Site Settings object for each site:
# Enable UGMC for a site
$siteSettings = Get-ADObject `
    -Identity "CN=NTDS Site Settings,CN=Branch-Office-01,CN=Sites,CN=Configuration,DC=contoso,DC=com" `
    -Properties options
# UGMC is bit 0x20 (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) of the options attribute;
# bit 0x1 on this object would disable automatic intra-site topology generation instead.
# OR the bit in rather than overwriting the value so existing KCC option bits survive;
# an unset attribute reads as $null and casts to 0.
$newOptions = [int]$siteSettings.options -bor 0x20
Set-ADObject -Identity $siteSettings.DistinguishedName `
    -Replace @{options = $newOptions}
# Equivalent cmdlet-based form on Windows Server 2012 and later:
# Set-ADReplicationSite -Identity "Branch-Office-01" -UniversalGroupCachingEnabled $true
# Optionally specify a preferred GC site to refresh the cache from (stored in
# msDS-Preferred-GC-Site on the same object, or -UniversalGroupCachingRefreshSite above).
# In the GUI: Sites and Services > Site > NTDS Site Settings > Properties >
# "Enable Universal Group Membership Caching" > "Refresh cache from"
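The warning above about removing the only GC from a site is easy to violate by hand. The following function is an added example, not part of the original article: it refuses to bless a removal when the DC is the forest's last GC, and otherwise passes only if another GC remains in the DC's site or that site has UGMC enabled. "DC-LON-02" is a sample hostname.

```powershell
# Added example (not from the original article): guard check before clearing the GC flag on one DC.
function Test-GlobalCatalogRemovalSafety {
    param([Parameter(Mandatory)] [string] $DomainController)
    $dc = Get-ADDomainController -Identity $DomainController
    if (-not $dc.IsGlobalCatalog) {
        return [PSCustomObject]@{ DC = $dc.HostName; Site = $dc.Site; Safe = $true; Reason = "DC is not a GC" }
    }
    # Forest-wide GC list comes from the forest object; Get-ADDomainController -Filter is per domain
    $forestGCs = @((Get-ADForest).GlobalCatalogs | Where-Object { $_ -ne $dc.HostName })
    if ($forestGCs.Count -eq 0) {
        return [PSCustomObject]@{ DC = $dc.HostName; Site = $dc.Site; Safe = $false; Reason = "Last GC in the forest" }
    }
    # -Filter cannot dereference $dc.Site inside the script block, so copy it to a plain variable.
    # This sees GCs of the current domain only; repeat with -Server for other domains in the site.
    $siteName = $dc.Site
    $siteGCs = @(Get-ADDomainController -Filter { Site -eq $siteName -and IsGlobalCatalog -eq $true } |
                 Where-Object { $_.HostName -ne $dc.HostName })
    $site = Get-ADReplicationSite -Identity $siteName -Properties UniversalGroupCachingEnabled
    if ($siteGCs.Count -gt 0) {
        $safe = $true;  $reason = "Other GC(s) in site: $($siteGCs.HostName -join ', ')"
    } elseif ($site.UniversalGroupCachingEnabled) {
        $safe = $true;  $reason = "No other GC in site, but UGMC is enabled"
    } else {
        $safe = $false; $reason = "Only GC in site $siteName and UGMC is disabled"
    }
    [PSCustomObject]@{ DC = $dc.HostName; Site = $siteName; Safe = $safe; Reason = $reason }
}

# Run the check first; only clear the GC bit (Set-ADObject ... -Replace @{options = 0}) when Safe is $true
Test-GlobalCatalogRemovalSafety -DomainController "DC-LON-02"
```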
GC Placement Planning
Guidelines for GC server placement:
In single-domain forests: every domain controller should be a GC server, because there is no additional replication overhead; the GC holds the same data as the domain partition.
In multi-domain forests: at least one GC server should exist in every site that has users.
Exchange Server requires a GC server in every Active Directory site that has Exchange servers.
Applications using LDAP port 3268 (the GC port) require a GC server nearby.
The ratio of GC servers to regular DCs should be at least 1:1 in each site for redundancy.
# Audit GC coverage by site
# A foreach statement cannot be piped directly into Format-Table, so use ForEach-Object
Get-ADReplicationSite -Filter * | ForEach-Object {
    # -Filter does not expand property references such as $_.Name; copy it to a plain variable
    $siteName = $_.Name
    $dcsInSite = @(Get-ADDomainController -Filter {Site -eq $siteName})
    $gcInSite = @($dcsInSite | Where-Object { $_.IsGlobalCatalog })
    [PSCustomObject]@{
        Site        = $siteName
        TotalDCs    = $dcsInSite.Count
        GCServers   = $gcInSite.Count
        GCHostnames = ($gcInSite | Select-Object -ExpandProperty HostName) -join ", "
        HasGC       = ($gcInSite.Count -gt 0)
    }
} | Format-Table -AutoSize
Monitoring GC Replication and Performance
# Check inbound replication status; on a GC the output also lists the read-only
# partitions of the other domains in the forest
repadmin /showrepl DC-LON-02
# Sample GC-relevant performance counters. The NTDS object has no GC-specific counter:
# searches arriving on port 3268 are counted as LDAP searches, and inbound GC
# replication shows up under the DRA counters
Get-Counter -ComputerName "DC-LON-02" -Counter @(
    "\NTDS\LDAP Searches/sec",
    "\NTDS\DS Directory Searches/sec",
    "\NTDS\DRA Inbound Objects/sec"
) -SampleInterval 10 -MaxSamples 6
Testing Global Catalog Connectivity
# Test GC port connectivity
Test-NetConnection -ComputerName "DC-LON-02.contoso.com" -Port 3268 # GC LDAP
Test-NetConnection -ComputerName "DC-LON-02.contoso.com" -Port 3269 # GC LDAPS
# Query the GC using a .NET DirectorySearcher bound through the GC: provider (port 3268)
$gc = New-Object System.DirectoryServices.DirectoryEntry("GC://DC=contoso,DC=com")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
$searcher.Filter = "(sAMAccountName=Administrator)"
$searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
$result = $searcher.FindOne()
if ($result) {
    Write-Host "GC query successful: $($result.Properties['distinguishedname'][0])"
} else {
    Write-Warning "GC query returned no result"
}
Managing the Partial Attribute Set
The Partial Attribute Set (PAS) defines which attributes are replicated to GC servers. By default, a carefully selected set of commonly queried attributes is included. To add a custom attribute to the PAS, the Schema Admin must set the isMemberOfPartialAttributeSet attribute on the attributeSchema object:
# Add a custom attribute to the GC partial attribute set.
# Schema changes must be written on the Schema Master and require Schema Admins membership.
$schemaMaster = (Get-ADForest).SchemaMaster
Set-ADObject -Server $schemaMaster `
    -Identity "CN=customDepartmentCode,CN=Schema,CN=Configuration,DC=contoso,DC=com" `
    -Replace @{isMemberOfPartialAttributeSet = $true}
# Trigger replication to propagate the new attribute
repadmin /syncall /AdeP
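Setting isMemberOfPartialAttributeSet does not by itself prove that GC queries now return the attribute. The following added example (not the article's own code) queries one user through the GC: provider and compares the answer with the user's home domain DC, reporting for each requested attribute whether the GC returns it. The attribute names, the sAMAccountName "jdoe" and the contoso.com forest root are placeholders.

```powershell
# Added example (not from the original article): verify which attributes a GC actually returns.
Add-Type -AssemblyName System.DirectoryServices
function Compare-GCAttributeSet {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Attributes,
        [string] $ForestRootDN = "DC=contoso,DC=com"   # placeholder forest root
    )
    # Search the whole forest through the GC: provider (partial replica, port 3268)
    $gcRoot = New-Object System.DirectoryServices.DirectoryEntry("GC://$ForestRootDN")
    $gcSearch = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
    $gcSearch.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    foreach ($a in $Attributes + "distinguishedName") { [void]$gcSearch.PropertiesToLoad.Add($a) }
    $gcResult = $gcSearch.FindOne()
    if (-not $gcResult) { throw "No GC result for $SamAccountName" }
    $dn = $gcResult.Properties["distinguishedname"][0]
    # Bind directly to the object in its home domain (full replica, port 389) for the reference values
    $homeObject = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
    $homeObject.RefreshCache($Attributes)
    foreach ($a in $Attributes) {
        # DirectorySearcher stores result property names in lowercase
        $fromGC   = $gcResult.Properties.Contains($a.ToLower())
        $onObject = $homeObject.Properties[$a].Count -gt 0
        if (-not $onObject) { $status = "attribute empty on object; test inconclusive" }
        elseif ($fromGC)   { $status = "in partial attribute set" }
        else               { $status = "not returned by GC: not in PAS, or replication pending" }
        [PSCustomObject]@{
            Attribute    = $a
            SetOnObject  = $onObject
            ReturnedByGC = $fromGC
            Status       = $status
        }
    }
}

# department is in the default PAS; customDepartmentCode is the attribute added above
Compare-GCAttributeSet -SamAccountName "jdoe" -Attributes @("department", "customDepartmentCode") |
    Format-Table -AutoSize
```

Run it against the DC you expect to serve the lookup; a "replication pending" result that persists after repadmin /syncall completes points at the PAS change not having reached that GC.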
Summary
The Global Catalog on Windows Server 2012 R2 is a critical component for multi-domain authentication and directory-aware applications. Every site with users should have at least one GC server for both performance and resiliency. In single-domain forests, all domain controllers should be GC servers at no additional cost. Universal Group Membership Caching provides a practical alternative for small branch offices. Monitor GC replication and query performance regularly, and test GC connectivity during any infrastructure change. The partial attribute set can be extended to include custom attributes when application lookups require them, though schema admin access is required for this operation.