Isolate a DC - Part 5: Disable Global Catalog
This is Part 5 of a series on Active Directory Forest recovery, which requires bringing up restored DCs in their own network; bring them up with good manners and we all benefit.
Disable Global Catalog
Now this step is strictly for Multi-Domain Forest recoveries. If your domains replicate across domain boundaries, they’ll start complaining about their USNs and nobody wants that. If you’ve got yourself a nice simple single Domain environment, don’t sweat it and move on; your Global Catalog can merrily sing into the night air without anybody noticing.
I mentioned in Part 3: Activate Administrator Account that only the Administrator could log in with the Global Catalog missing; that isn’t strictly true. This function will disable the GC on the local server, but also configure IgnoreGCFailures, which conveniently allows anyone to log in without a GC! Hurrah for workarounds, just be aware that your login will not include any Universal Group SIDs (because they are in the Global Catalog) which means that
    function Disable-GC {
        [CmdletBinding(
            SupportsShouldProcess = $true,
            ConfirmImpact = 'High')]
        param()

        if ($PSCmdlet.ShouldProcess($(& hostname))) {
            # Clear the IS_GC option on this DC (ASCII hyphen, not a typographic dash)
            Write-Verbose "Disabling Global Catalog on local server"
            repadmin.exe /options $(& hostname) -IS_GC

            # Allow logons to proceed without a reachable Global Catalog
            Write-Verbose "Setting IgnoreGCFailures so that normal user accounts can login without GC"
            Write-Warning "With IgnoreGCFailures enabled, permissions granted using Universal Groups including deny permissions will not be honoured"
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name IgnoreGCFailures -Value 1
        }
    }

    Disable-GC
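To confirm the result on the isolated DC, the following check reads both settings back. It is an added example, not part of the original post: the function name Get-GCIsolationState is hypothetical, and it assumes it runs locally on the restored DC with IgnoreGCFailures stored as a value under Lsa, as Disable-GC sets it.

```powershell
function Get-GCIsolationState {
    [CmdletBinding()]
    param()

    # RootDSE of the local DC; dsServiceName is the DN of this DC's NTDS Settings object
    $rootDse = [ADSI]'LDAP://localhost/RootDSE'
    $ntdsDn  = [string]$rootDse.Properties['dsServiceName'].Value
    $ntds    = [ADSI]"LDAP://localhost/$ntdsDn"

    # Bit 0x1 of the options attribute is the IS_GC flag that repadmin /options toggles;
    # the attribute is absent when no options are set, so default to 0
    $options = 0
    if ($ntds.Properties['options'].Count -gt 0) {
        $options = [int]$ntds.Properties['options'].Value
    }
    $isGcOption = ($options -band 1) -eq 1

    # isGlobalCatalogReady reports whether the DC currently advertises itself as a GC
    $gcReady = ([string]$rootDse.Properties['isGlobalCatalogReady'].Value) -eq 'TRUE'

    # Read back the registry value written by Disable-GC
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name IgnoreGCFailures -ErrorAction SilentlyContinue
    $ignoreGc = ($null -ne $lsa) -and ($lsa.IgnoreGCFailures -eq 1)

    [pscustomobject]@{
        Server             = $env:COMPUTERNAME
        IsGCOptionSet      = $isGcOption
        GlobalCatalogReady = $gcReady
        IgnoreGCFailures   = $ignoreGc
    }
}

$state = Get-GCIsolationState
$state | Format-List

if ($state.IsGCOptionSet -or $state.GlobalCatalogReady) {
    Write-Warning "$($state.Server) still has IS_GC set or is still advertising as a Global Catalog"
}
if ($state.IgnoreGCFailures) {
    # Same caveat as the Write-Warning in Disable-GC
    Write-Warning "IgnoreGCFailures is enabled: logons carry no Universal Group SIDs, so allow and deny permissions granted through Universal Groups are not honoured"
}
```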
All the other parts of this series are available here
- Part 1: Configure the Network
- Part 2: Reset SYSVOL Sync State
- Part 3: Activate Administrator Account
- Part 4: Reset DSRM Password
- Part 5: Disable Global Catalog
- Part 6: Raise RID Pools
- Part 7: Seize all FSMO roles
- Part 8: Metadata cleanup all other DCs
- Part 9: Reset Intra-Forest trust passwords
- Part 10: Reset KrbTGT password twice