How to Configure Windows Server 2016 Global Catalog
The Global Catalog (GC) is a distributed data repository in Windows Server 2016 Active Directory that contains a partial replica of all objects from every domain in the forest. Unlike regular domain controllers that store a full replica only for their own domain, a Global Catalog server stores a read-only copy of select attributes for all objects across the entire forest. This enables forest-wide searches, universal group membership resolution, and user principal name (UPN) authentication to function efficiently without requiring cross-domain referrals for every query.
Every Active Directory forest must have at least one Global Catalog server. By default, the first domain controller promoted in a forest is designated as a Global Catalog server. For larger environments and branch office deployments, additional Global Catalog servers improve performance and resiliency.
Step 1: Understand the Global Catalog Role
The Global Catalog serves several critical functions in a Windows Server 2016 forest:
1. Universal group membership resolution - Required for logon in multi-domain forests
2. UPN authentication - Authenticates users who log on using UPN format (for example, user@yourdomain.com)
3. Forest-wide object searches - Enables searches across all domains from a single query
4. Exchange recipient lookup - Microsoft Exchange requires GC for address book queries
5. Application partition searches - Applications can query the GC for forest-wide data
Step 2: Identify Current Global Catalog Servers
Use PowerShell or the Sites and Services console to identify which domain controllers are currently designated as Global Catalog servers:
Get-ADDomainController -Filter * |
Select-Object Name, Site, IsGlobalCatalog, OperatingSystem |
Format-Table -AutoSize
Alternatively, use the nltest utility:
nltest /dclist:yourdomain.com
Step 3: Designate a Domain Controller as a Global Catalog Server
To designate an existing domain controller as a Global Catalog server, use Active Directory Sites and Services. Navigate to Sites > SiteName > Servers > DCName > NTDS Settings. Right-click NTDS Settings, select Properties, and check the Global Catalog checkbox.
Using PowerShell to enable the Global Catalog on a specific domain controller:
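$ntds = Get-ADObject -Identity "CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yourdomain,DC=com" -Properties options
# Set the IS_GC bit (0x1) and keep any other option flags already present on the object
Set-ADObject -Identity $ntds -Replace @{options = ($ntds.options -bor 1)}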
Alternatively, designate the Global Catalog during the domain controller promotion (dcpromo) process, or use the following repadmin command, which sets the same flag on the DC's NTDS Settings object:
repadmin /options DC02 +IS_GC
Step 4: Verify Global Catalog Replication
After enabling the Global Catalog on a domain controller, it must synchronize the partial attribute set from all domains in the forest. This initial replication can take time in large forests. Monitor the progress:
repadmin /showrepl DC02 /errorsonly
Verify that the Global Catalog is fully populated and ready to serve queries:
repadmin /showattr DC02 "CN=Partitions,CN=Configuration,DC=yourdomain,DC=com" /atts:msDS-NCReplCursors
The Global Catalog is ready when the DC is listening on port 3268 (LDAP); port 3269 is the LDAPS equivalent:
Test-NetConnection -ComputerName DC02 -Port 3268
Test-NetConnection -ComputerName DC02 -Port 3269
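The checks in this step can be combined into one report per domain controller. The following is an added example, not part of the original article: the function name Test-GlobalCatalogReadiness is hypothetical, and it assumes the ActiveDirectory module is installed. It reads the rootDSE attribute isGlobalCatalogReady, which a DC sets to TRUE only after the partial replicas have been populated, so a DC that is flagged as a GC but not yet ready shows up as Pending.

```powershell
# Added example (not from the original article); the function name is hypothetical.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Test-GlobalCatalogReadiness {
    param(
        # Defaults to every DC in the current domain
        [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName
    )
    foreach ($dc in $ComputerName) {
        # Flag set in step 3 (IS_GC bit on the NTDS Settings object)
        $flagged = (Get-ADDomainController -Identity $dc -Server $dc).IsGlobalCatalog
        # rootDSE reports TRUE only after the partial replicas have finished replicating
        $ready = "$((Get-ADRootDSE -Server $dc).isGlobalCatalogReady)" -eq 'TRUE'
        $ldap  = Test-NetConnection -ComputerName $dc -Port 3268 -InformationLevel Quiet -WarningAction SilentlyContinue
        $ldaps = Test-NetConnection -ComputerName $dc -Port 3269 -InformationLevel Quiet -WarningAction SilentlyContinue
        [PSCustomObject]@{
            DomainController = $dc
            FlaggedAsGC      = $flagged
            GCReady          = $ready
            Port3268         = $ldap
            Port3269         = $ldaps
            # Pending = flagged as GC but not yet advertising or not reachable on 3268
            State            = if (-not $flagged) { 'NotGC' } elseif ($ready -and $ldap) { 'Serving' } else { 'Pending' }
        }
    }
}

Test-GlobalCatalogReadiness | Format-Table -AutoSize
```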
Step 5: Configure Global Catalog Placement per Site
In multi-site environments, place a Global Catalog server in each site that has a significant number of users. Without a local GC, logon authentication and application queries must travel across slow WAN links. Use PowerShell to verify GC placement:
Get-ADDomainController -Filter * |
Where-Object { $_.IsGlobalCatalog -eq $true } |
Select-Object Name, Site, IPv4Address | Format-Table -AutoSize
Step 6: Modify the Global Catalog Partial Attribute Set
The Global Catalog replicates a subset of attributes for each object class. This Partial Attribute Set (PAS) is defined in the schema. To add an attribute to the PAS so it is replicated to all GC servers, modify the attribute’s isMemberOfPartialAttributeSet property in the schema.
First, identify the attribute to add:
Get-ADObject -SearchBase "CN=Schema,CN=Configuration,DC=yourdomain,DC=com" `
-Filter {lDAPDisplayName -eq "department"} `
-Properties isMemberOfPartialAttributeSet | Select-Object lDAPDisplayName, isMemberOfPartialAttributeSet
Add the attribute to the partial attribute set (requires Schema Admin membership):
$attr = Get-ADObject -SearchBase "CN=Schema,CN=Configuration,DC=yourdomain,DC=com" `
-Filter {lDAPDisplayName -eq "department"}
Set-ADObject -Identity $attr -Replace @{isMemberOfPartialAttributeSet=$true}
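Because every attribute in the PAS is replicated to every Global Catalog server in the forest, it is worth reviewing the current set before and after a schema change. The following is an added example, not part of the original article: the function name Get-PartialAttributeSetMember and the 30-day window are assumptions, and it assumes the ActiveDirectory module is installed. It lists the attributes currently in the PAS, marks those changed recently, and shows whether each carries the confidential search flag.

```powershell
# Added example (not from the original article); the function name is hypothetical.
# Requires the ActiveDirectory module (RSAT); read access to the schema is sufficient.
Import-Module ActiveDirectory

function Get-PartialAttributeSetMember {
    param(
        # Assumed review window for highlighting recent schema changes
        [int]$ChangedWithinDays = 30
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cutoff   = (Get-Date).AddDays(-$ChangedWithinDays)

    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName, searchFlags, whenChanged |
        ForEach-Object {
            [PSCustomObject]@{
                Attribute       = $_.lDAPDisplayName
                # searchFlags bit 0x80 marks the attribute as confidential
                Confidential    = [bool]($_.searchFlags -band 0x80)
                WhenChanged     = $_.whenChanged
                RecentlyChanged = $_.whenChanged -gt $cutoff
            }
        } |
        Sort-Object WhenChanged -Descending
}

# Attributes whose schema object changed inside the review window
Get-PartialAttributeSetMember | Where-Object RecentlyChanged | Format-Table -AutoSize
```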
Step 7: Remove Global Catalog Designation
To remove the Global Catalog role from a domain controller, ensure at least one other GC server exists in the same site first. Then remove the designation using repadmin:
repadmin /options DC02 -IS_GC
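The placement check in step 5 and the precondition in this step (another GC must remain in the site) can be answered by the same per-site count. The following is an added example, not part of the original article: the function name Get-GlobalCatalogSiteCoverage and the Status labels are hypothetical, and it assumes the ActiveDirectory module is installed. It goes beyond the single-domain query shown earlier by enumerating domain controllers in every domain of the forest.

```powershell
# Added example (not from the original article); function name and Status labels are hypothetical.
# Requires the ActiveDirectory module (RSAT) and read access to each domain in the forest.
Import-Module ActiveDirectory

function Get-GlobalCatalogSiteCoverage {
    # Get-ADDomainController -Filter * only covers one domain, so query each domain in turn
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    foreach ($site in Get-ADReplicationSite -Filter *) {
        $inSite = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $gcs    = @($inSite | Where-Object { $_.IsGlobalCatalog })
        [PSCustomObject]@{
            Site              = $site.Name
            DomainControllers = $inSite.Count
            GlobalCatalogs    = $gcs.Count
            GCNames           = ($gcs | ForEach-Object { $_.Name }) -join ', '
            # NoGC: queries leave the site; SingleGC: removing it would leave the site without one
            Status            = switch ($gcs.Count) {
                0       { 'NoGC' }
                1       { 'SingleGC' }
                default { 'OK' }
            }
        }
    }
}

Get-GlobalCatalogSiteCoverage | Sort-Object GlobalCatalogs | Format-Table -AutoSize
```

Before running repadmin /options DC02 -IS_GC, confirm the site that contains DC02 is not reported as SingleGC.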
Step 8: Query the Global Catalog
Applications and scripts can query the Global Catalog directly using port 3268 for LDAP or port 3269 for LDAPS. Use PowerShell to run a forest-wide search via the Global Catalog:
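$root = New-Object System.DirectoryServices.DirectoryEntry("GC://yourdomain.com")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=user)(objectCategory=person)(mail=*))"
# Enable paging; without it the search stops at the server's result size limit
$searcher.PageSize = 1000
$searcher.PropertiesToLoad.AddRange([string[]]@("samAccountName","displayName","mail","department"))
$results = $searcher.FindAll()
# A foreach statement cannot be piped, so stream the results through ForEach-Object
$results | ForEach-Object {
    $p = $_.Properties
    [PSCustomObject]@{
        # Select-Object -First 1 yields $null instead of an error when an attribute is unset
        Username    = $p["samaccountname"] | Select-Object -First 1
        DisplayName = $p["displayname"] | Select-Object -First 1
        Email       = $p["mail"] | Select-Object -First 1
        Department  = $p["department"] | Select-Object -First 1
    }
} | Export-Csv -Path "C:\Reports\AllForestUsers.csv" -NoTypeInformation
# Release the unmanaged resources held by the search result collection
$results.Dispose()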
Step 9: Monitor Global Catalog Health
Regularly monitor Global Catalog server health using built-in diagnostic tools:
dcdiag /test:MachineAccount /s:DC02
dcdiag /test:NetLogons /s:DC02
dcdiag /test:Replications /s:DC02
Check the Directory Service event log for Global Catalog-related events:
Get-WinEvent -LogName "Directory Service" |
Where-Object { $_.Message -like "*Global Catalog*" } |
Select-Object TimeCreated, Id, LevelDisplayName, Message |
Select-Object -First 20 | Format-List
The Global Catalog is the backbone of forest-wide Active Directory operations in Windows Server 2016. Proper placement, regular health monitoring, and thoughtful management of the partial attribute set ensure that authentication, directory searches, and application lookups function efficiently across your entire forest infrastructure.