Thursday, December 4, 2008

Troubleshooting "No global catalog can be contacted" errors

A failure to discover a global catalog can occur for a number of reasons, and a Microsoft® Exchange server that cannot locate a global catalog is one of the most common ways the problem surfaces. The tests below separate the two cases that matter: a global catalog that is genuinely unavailable, and a global catalog that is up but whose advertisement is not reaching the problem client.

Method 1:
Run the following command from the failing client to ask the DC locator for a global catalog, bypassing the locator cache:
nltest /dsgetdc:<fully qualified name of the domain> /gc /force
If the command succeeds, the Flags line of the returned domain controller includes GC. If it fails, either no global catalog is advertising or the client cannot find one through DNS.

Method 2:
Attempt to log on from the client with a User Principal Name (UPN), e.g. someone@microsoft.com. A UPN logon depends on a global catalog to resolve the UPN to an account, so a failure here while a down-level (DOMAIN\user) logon still works points at global catalog discovery rather than at authentication in general.

Method 3:
Click Start, select Run, type WAB and click OK. In the Windows Address Book, select Find People, then select Active Directory in the Look In box. Type a user name (e.g. John Doe) and click Find Now. This lookup queries Active Directory from the client and fails if it cannot reach a global catalog.

If all the above tests fail, check the following:
Verify that a global catalog is configured in the client's site. Open Active Directory Sites and Services, expand the site and each server under it, open the properties of the NTDS Settings object, and check whether the Global Catalog check box is selected. If it is not selected on any domain controller in the site, the client is relying on a global catalog in another site.

Check the Directory Service event log for events such as 1559, 1578, 1110, 1126 or 1119.

i. If there is an Event ID 1119 stating that the domain controller was successfully promoted to a global catalog server, and the event was logged recently, it is possible that the server started advertising before it had fully synchronized all domain partitions. By default, a Windows 2000 domain controller at Service Pack 2 (SP2) or lower only checks that all domain partitions hosted in its own site have replicated successfully. If the forest contains a domain partition with no domain controller in the server's site, and no other global catalog in the site holds that partition, the domain controller still advertises as a global catalog even though the partition may not have synchronized yet. This behavior is controlled by the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value Name:  Global Catalog Partition Occupancy
Value Type:  REG_DWORD
Default Value:  4

The default value of 4 means the server advertises once all partitions in its own site are fully synchronized, and 4 is also the maximum on SP2 or lower. With SP3 installed the value can be set to 6, which requires every partition in the forest to be synchronized before the server advertises as a global catalog (Windows Server 2003 domain controllers default to 6). For issues involving Microsoft® Exchange Server, see KB article 304403. To expedite the process, force replication of the missing domain partition by creating a connection object from a domain controller that hosts it and replicating over that connection:

  1. Open Active Directory Sites and Services, expand the problem server's site, and select the server object of that domain controller.
  2. Right-click its NTDS Settings object and select New Active Directory Connection.
  3. Locate a domain controller that hosts the missing domain partition, double-click it, and click OK.
  4. Right-click the new connection object and select Replicate Now. Repadmin can also be used to force replication; the arguments are the naming context, the destination (problem) server, and the DSA object GUID of the source server:
    repadmin /sync DC=<MissingDomainName>,DC=<com> <ProblemServerName> <SourceServer_GUID, e.g. 0d67193c-8cb1-4c4c-bd7c-af98e11d6d67>
    Note To obtain the GUID of the source server, run repadmin /showreps <source_server> and copy the value on the "DSA object GUID" line of the output.

ii. If there is no Event ID 1119 in the Directory Service event log, or the domain controller is not advertising as a global catalog, determine which partitions have not replicated yet. Knowledge Consistency Checker (KCC) errors, in particular Event ID 1265, identify the partitions it is having problems with. If no helpful events are logged, enable diagnostic logging as described in KB article 314980. The entries that matter most, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics, are the following (the value names carry a numeric prefix in the registry):

5 Replication Events:  set to 3.
19 Inter-site Messaging:  set to 2.
9 Internal Processing:  set to 1.
18 Global Catalog:  set to 4.

Note Remove these settings (set the values back to 0) when finished troubleshooting, as they will otherwise keep filling the event log.
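The registry handling above, as an added example that is not part of the original post or of any Microsoft tool: it reads the Global Catalog Partition Occupancy value, raises the four diagnostic logging levels listed above using their exact registry value names, shows the current levels, and resets them to 0 when done. It assumes Windows PowerShell run as an administrator on the domain controller itself; the key paths are the standard NTDS Parameters and Diagnostics keys.

```powershell
# Added example (not from the original post): capture the NTDS settings that
# matter for this step on a domain controller, raise the four diagnostic
# logging levels listed above, and reset them to 0 afterwards.
# Assumes Windows PowerShell running as an administrator on the DC itself.
$ntdsParams = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$ntdsDiag   = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"

# Levels recommended above, keyed by the exact registry value names
$troubleshootingLevels = @{
    "5 Replication Events"    = 3
    "19 Inter-site Messaging" = 2
    "9 Internal Processing"   = 1
    "18 Global Catalog"       = 4
}

function Get-GcPartitionOccupancy {
    # Returns the configured occupancy level, or $null when the value is absent
    # (the operating system default then applies)
    $p = Get-ItemProperty -Path $ntdsParams -Name "Global Catalog Partition Occupancy" -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $null }
    return [int]$p."Global Catalog Partition Occupancy"
}

function Get-NtdsDiagnosticLevels {
    param([hashtable]$Names)
    $current = Get-ItemProperty -Path $ntdsDiag
    foreach ($name in ($Names.Keys | Sort-Object)) {
        New-Object PSObject -Property @{ Name = $name; Level = [int]$current.$name }
    }
}

function Set-NtdsDiagnosticLevels {
    param([hashtable]$Levels)
    foreach ($name in $Levels.Keys) {
        Set-ItemProperty -Path $ntdsDiag -Name $name -Value ([int]$Levels[$name]) -Type DWord
    }
}

function Reset-NtdsDiagnosticLevels {
    # Back to 0: leaving these raised keeps filling the Directory Service log
    param([hashtable]$Levels)
    $zero = @{}
    foreach ($name in $Levels.Keys) { $zero[$name] = 0 }
    Set-NtdsDiagnosticLevels -Levels $zero
}

# Usage
$occupancy = Get-GcPartitionOccupancy
if ($occupancy -eq $null) { "Global Catalog Partition Occupancy: not set (OS default applies)" }
else { "Global Catalog Partition Occupancy: $occupancy" }

Set-NtdsDiagnosticLevels -Levels $troubleshootingLevels
Get-NtdsDiagnosticLevels -Names $troubleshootingLevels | Format-Table Name, Level -AutoSize
# ... reproduce the problem and collect the Directory Service log, then:
Reset-NtdsDiagnosticLevels -Levels $troubleshootingLevels
```

Keep the reset call in the same script so the raised levels cannot be forgotten once the log has been collected.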

Once the relevant events are identified, determine the reason for the replication failure, which is usually listed at the bottom of the event description and typically reads "DNS lookup failure" or "Access is denied". With the error in hand, refer back to the troubleshooter and follow the steps in the section for that error message.

After resolving the relevant errors, verify that the server is advertising as a global catalog by checking that the isGlobalCatalogReady attribute of its rootDSE is TRUE. Start the Ldp tool included in the Windows 2000 Support Tools. On the Connection menu, click Connect. In the Server Name box, type the name of the global catalog server being tested; in the Port Number box, type 3268; leave the Connectionless check box clear. The rootDSE attributes are displayed in the right pane; towards the bottom of that output, look for the isGlobalCatalogReady value. FALSE means the server holds the global catalog role but is not yet advertising it, which is the occupancy condition described above.

iii. If everything else checks out, make sure the domain controller/global catalog server is not suffering from performance problems. Take an inventory of the users accessing it and determine which applications run queries against it. For more information see the white paper Sizing Guidelines for Windows 2000 Domain Controller and Global Catalog Server.

If there are no relevant event log errors on the global catalog server and it sits across a router or firewall, verify from the failing client that the server answers on TCP port 3268 (the global catalog LDAP port; port 389 being open is not enough) using Portqry.exe:

portqry -n <domain_controller> -p tcp -e 3268
A LISTENING result means the port is reachable. FILTERED means a device in the path is dropping the traffic, and NOT LISTENING means the connection reached the server but nothing is bound to the port.
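The client-side checks in this troubleshooter (Method 1, the site check on NTDS Settings, the Ldp check of isGlobalCatalogReady, and the Portqry test) combined into one script, as an added example that is not part of the original post or of any Microsoft tool. It lists the domain controllers whose NTDS Settings object has the Global Catalog flag set in a site, tests each one directly from the client (TCP 3268 reachable, isGlobalCatalogReady on rootDSE), and then runs the locator query so the two results can be compared. It assumes Windows PowerShell on a domain-joined client run as a domain user; $siteName is a placeholder to replace with the failing client's site.

```powershell
# Added example for this post (not Microsoft's tooling): list the domain
# controllers registered as global catalogs in a site from the Configuration
# partition, test each one directly from this client (TCP 3268 reachable, and
# isGlobalCatalogReady on its rootDSE), then compare with what the DC locator
# returns. Assumes Windows PowerShell on a domain-joined client run as a domain
# user; $siteName is a placeholder for the failing client's site.

function Get-SiteGlobalCatalogs {
    param([string]$SiteName)

    # rootDSE of whichever DC the client finds; it names the Configuration NC
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $servers  = [ADSI]"LDAP://CN=Servers,CN=$SiteName,CN=Sites,$configNc"

    # One nTDSDSA object (the "NTDS Settings" object) exists per DC
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $servers
    $searcher.Filter = "(objectClass=nTDSDSA)"
    [void]$searcher.PropertiesToLoad.Add("options")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($result in $searcher.FindAll()) {
        $options = 0
        if ($result.Properties["options"].Count -gt 0) {
            $options = [int]$result.Properties["options"][0]
        }
        # The 1 bit of options (NTDSDSA_OPT_IS_GC) is the Global Catalog check
        # box shown on the NTDS Settings properties in Sites and Services
        $isGc = (($options -band 1) -eq 1)

        # The parent server object carries the DNS name to connect to
        $ntdsDn   = [string]$result.Properties["distinguishedname"][0]
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        $server   = [ADSI]"LDAP://$serverDn"

        New-Object PSObject -Property @{
            HostName = [string]$server.dNSHostName
            IsGc     = $isGc
        }
    }
}

function Test-Tcp3268 {
    # Equivalent of "portqry -n <dc> -p tcp -e 3268" without Portqry.exe
    param([string]$HostName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 3268, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-GcReadyFlag {
    # Reads isGlobalCatalogReady from rootDSE over the GC port, the same value
    # Ldp shows when connected to port 3268
    param([string]$HostName)
    try {
        $gcRoot = [ADSI]"LDAP://$($HostName):3268/RootDSE"
        $flag = [string]$gcRoot.isGlobalCatalogReady      # "TRUE" or "FALSE"
        if ($flag -eq "") { return "unknown (no rootDSE reply)" }
        return $flag
    } catch {
        return "ERROR: " + $_.Exception.Message
    }
}

$siteName = "Default-First-Site-Name"     # placeholder: the failing client's site
$gcs = @(Get-SiteGlobalCatalogs -SiteName $siteName | Where-Object { $_.IsGc })
if ($gcs.Count -eq 0) {
    Write-Warning "No domain controller in site $siteName has the Global Catalog flag set"
}

foreach ($gc in $gcs) {
    $tcpOk = Test-Tcp3268 -HostName $gc.HostName
    $ready = if ($tcpOk) { Get-GcReadyFlag -HostName $gc.HostName } else { "n/a (TCP 3268 unreachable)" }
    "{0,-40} tcp3268={1,-5} isGlobalCatalogReady={2}" -f $gc.HostName, $tcpOk, $ready
}

# What the locator hands out. A server that is reachable and TRUE above but
# absent here points at discovery (DNS SRV records, site coverage), not at the GC.
& nltest.exe "/dsgetdc:$($env:USERDNSDOMAIN)" /gc /force
```

Reading the per-server lines against the nltest output gives the split the troubleshooter is after: a flagged server that is unreachable or reports FALSE is a global catalog problem (occupancy, replication, firewall), while ready servers that the locator still cannot return is a client-side discovery problem.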