Windows Global Catalog Server and Powershell
December 28, 2021
I’ve been working on the RHCSA, an Exchange migration and updating an Active Directory forest for the last few months, so I haven’t been writing as much as I’d like to. There’s quite a bit of new information I’ve picked up recently, but this was something I wanted to touch base on before (potentially) writing much longer articles.
I use Get-ADPrincipalGroupMembership constantly. Permissions are a cornerstone of security, and I’ve spent a lot of time redoing permissions to be group memberships, as opposed to NTFS-style permissions or single-user roles. Other cmdlets in the ActiveDirectory module, such as Get-ADUser, Get-ADDomain and Add-ADGroupMember, work without a hitch every single time. Get-ADPrincipalGroupMembership would crap out from time to time. Until recently, I didn’t know why.
When you add a domain controller to an existing environment (or create a new forest/AD domain), it becomes a Global Catalog server automatically. If you run:
Get-ADForest | Select-Object GlobalCatalogs
You can see which server(s) are GC servers in your environment.
When you run Active Directory cmdlets, almost all of them query the GC server. The interesting part is that the Get-ADPrincipalGroupMembership cmdlet doesn’t look to another GC server in that list. If you have two GC servers and the first one in that list is down, it doesn’t proceed to the next one. So if you get a generic error, or one that looks like this:
It’s more than likely due to the first GC server in that list being down. Interestingly enough, other Active Directory commands don’t have this problem: if one domain controller is down, most commands will query the other domain controller.
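As an added example (not part of the original post), here is a PowerShell helper that works around the behaviour described above: it reads the forest’s GC list, probes each server on the Global Catalog LDAP port (TCP 3268), and runs Get-ADPrincipalGroupMembership against the first reachable one using the cmdlet’s -Server parameter. The function names, the port probe and the sample account name are assumptions.

```powershell
# Added example: query group membership against a reachable Global Catalog
# instead of relying on whichever GC Get-ADPrincipalGroupMembership picks.
# Assumes the RSAT ActiveDirectory module and Test-NetConnection are available.
Import-Module ActiveDirectory

function Get-ReachableGlobalCatalog {
    # Returns the first GC in (Get-ADForest).GlobalCatalogs that answers on
    # TCP 3268, the Global Catalog LDAP port. Throws if none answers.
    $gcs = (Get-ADForest).GlobalCatalogs
    foreach ($gc in $gcs) {
        $up = Test-NetConnection -ComputerName $gc -Port 3268 `
              -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($up) { return $gc }
        Write-Warning "Global Catalog $gc is not answering on 3268; skipping"
    }
    throw "No Global Catalog in '$($gcs -join ', ')' is reachable"
}

function Get-PrincipalGroupsFromGC {
    # Looks up a principal's group memberships on a GC we verified is up,
    # so one dead server at the head of the list no longer breaks the query.
    param(
        [Parameter(Mandatory)] [string] $Identity
    )
    $gc = Get-ReachableGlobalCatalog
    Write-Verbose "Querying $gc for $Identity"
    Get-ADPrincipalGroupMembership -Identity $Identity -Server $gc |
        Select-Object Name, GroupCategory, GroupScope, DistinguishedName
}

# Usage; 'jdoe' is a placeholder sAMAccountName.
Get-PrincipalGroupsFromGC -Identity 'jdoe' -Verbose
```

For principals in another domain of the forest, the cmdlet also accepts -ResourceContextServer to name the domain whose group memberships you want.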
So if you are decommissioning a domain controller, or want to change which DC sits first in that list, how do you do that? Head to Active Directory Sites and Services.
In Microsoft Management Console, click File > Add or Remove Snap-ins. Select Active Directory Sites and Services and click Add.
Drill down on AD Sites and Services > Sites > Default-First-Site-Name > Servers.
Expand the server you want to change. I’m using a single DC in a test environment, so I’m selecting the only one I have.
Right click “NTDS Settings” under that server and select “Properties.” Under the General tab you should immediately see a checkbox for “Global Catalog.”
If you wanted to decommission this domain controller or move the Global Catalog role to a different DC, you would uncheck the box, click OK and restart the server.
Hopefully you found this article helpful and Happy Holidays.