Active Directory Forest Recovery - Add the GC

• Gäller för:

  ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

Use the following procedure to add the global catalog to a DC.

Add the global catalog

1. Select Start, point to All Programs, point to Administrative Tools, and then select Active Directory Sites and Services.
2. In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.
3. Expand the Servers container, and then expand the server object for the DC to which you want to add the global catalog.
4. Right-click NTDS Settings, and then select Properties.
5. Select the Global Catalog check box.

Add the global catalog using repadmin

• Open an elevated command prompt, type the following command, and press ENTER:

  repadmin.exe /options DC_NAME +IS_GC
  

The following are ways to speed up the process of adding the global catalog to the DC in the root domain:

• Ideally, the DC in the root domain should be a replication partner of the restored DCs in the nonroot domains. If so, confirm that the Knowledge Consistency Checker (KCC) has created the corresponding repsFrom object for the source DC and partition in the root DC. You can confirm this by running the repadmin /showreps /v command.

• If there's no repsFrom object created, create this object for the configuration partition. This way, the DC in the root domain can determine which DCs in the nonroot domain have been deleted. You can do this with the following commands:

  repadmin /add ConfigurationNamingContext DestinationDomainController SourceDomainControllerCNAME
  

  repadmin /options DSA -Disable_NTDSCONN_XLATE
  

  The format for the SourceDomainControllerCNAME is:

  sourceDCGuid._msdcs.root domain
  

  For example, the repadmin /add command for the configuration partition of the contoso.com domain could be:

  repadmin /add cn=configuration,DC=contoso,DC=com DC01 937ef930-7356-43c8-88dc-8baaaa781cf6._msdcs.dDSP17A22.contoso.com
  

• If the repsFrom object is present, try to sync the DC in the root domain with the DC in the nonroot domain as follows:

  repadmin /sync DomainNamingContext DestinationDomainController SourceDomainControllerGUID
  

  Where DestinationDomainController is the DC in the root domain and SourceDomainController is the restored DC in the nonroot domain.

• The root domain DNS server should have the alias (CNAME) resource records for the source DC. Ensure that the parent DNS zone contains delegation resource records (name server (NS) and host (A) resource records) for the correct DCs (the DCs that have been restored from backup) in the child zone.

• Make sure that the DC in the root domain is contacting the correct Key Distribution Center (KDC) in the nonroot domain. To test this, at the command prompt, type the following command, and then press ENTER:

  nltest /dsgetdc:nonroot domain name /KDC /Force
  

Next steps

• AD Forest Recovery - Prerequisites
• AD Forest Recovery - Devise a custom forest recovery plan
• AD Forest Recovery - Steps to restore the forest
• AD Forest Recovery - Identify the problem
• AD Forest Recovery - Determine how to recover
• AD Forest Recovery - Perform initial recovery
• AD Forest Recovery - Procedures
• AD Forest Recovery - Frequently Asked Questions (FAQ)
• AD Forest Recovery - Recover a single domain within a multidomain forest
• AD Forest Recovery - Redeploy remaining DCs
• AD Forest Recovery - Virtualization
• AD Forest Recovery - Cleanup