Isolate a DC - Part 5: Disable Global Catalog

This is Part 5 of a series on Active Directory Forest recovery, which requires bringing up restored DCs in their own isolated network; bring them up with good manners and we all benefit.

Disable Global Catalog

This step is strictly for multi-domain forest recoveries. A Global Catalog holds a read-only partial replica of every other domain in the forest, and the restore point of each domain is rarely the same, so a restored GC's copy of another domain can be ahead of (or behind) the DC you restore for that domain; when the two meet, replication will start complaining about USNs and lingering objects, and nobody wants that. If you've got yourself a nice simple single-domain forest, don't sweat it and move on; your Global Catalog can merrily sing into the night air without anybody noticing.

I mentioned in Part 3: Activate Administrator Account that only the Administrator could log in with the Global Catalog missing; that isn't strictly true. This function disables the GC on the local server and also sets IgnoreGCFailures, which conveniently allows anyone to log in without a GC. Hurrah for workarounds, but be aware that a logon performed this way does not include any Universal Group SIDs in the token (universal group membership lives in the Global Catalog), which means Deny permissions set on Universal Groups are not enforced for those sessions and can effectively be bypassed. Treat it as a temporary recovery setting and remove it once the forest is back together.

function Disable-GC {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable Global Catalog and set IgnoreGCFailures')) {
        Write-Verbose "Disabling Global Catalog on local server"
        # Clear the IS_GC flag on this DC's NTDS Settings object (plain ASCII hyphen: -IS_GC removes it, +IS_GC adds it back)
        repadmin.exe /options $env:COMPUTERNAME -IS_GC
        if ($LASTEXITCODE -ne 0) { throw "repadmin /options -IS_GC failed with exit code $LASTEXITCODE" }
        Write-Verbose "Setting IgnoreGCFailures so that normal user accounts can log in without a GC"
        Write-Warning "With IgnoreGCFailures enabled, permissions granted using Universal Groups, including Deny permissions, will not be honoured"
        # DWORD 1 lets LSA complete logons when no GC is reachable; Universal Group SIDs are simply left out of the token
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name IgnoreGCFailures -Value 1 -Type DWord
    }
}

Disable-GC
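The two things a practitioner wants next are a way to confirm what state the DC is actually in, and a way to put it back once every domain has been restored and is replicating again. The following is an added example written for this page, not code from the original post: Get-GCState reads the IS_GC bit (0x1, NTDSDSA_OPT_IS_GC) straight from this DC's NTDS Settings object and the IgnoreGCFailures registry value, and Enable-GC reverses Disable-GC. It assumes it runs elevated on the DC itself; the function names are my own.

```powershell
# Added example, not part of the original post. Assumes an elevated session on the DC.

function Get-GCState {
    [CmdletBinding()]
    param()
    # RootDSE's dsServiceName is the DN of this DC's own NTDS Settings object.
    $rootDse      = [ADSI]"LDAP://RootDSE"
    $ntdsSettings = [ADSI]("LDAP://" + $rootDse.Properties['dsServiceName'].Value)
    # 'options' is a bit field; bit 0x1 (NTDSDSA_OPT_IS_GC) is what repadmin /options +IS_GC / -IS_GC toggles.
    $options = [int]$ntdsSettings.Properties['options'].Value
    $isGC    = ($options -band 0x1) -ne 0

    # The logon workaround lives under LSA; absent or 0 means logons require a reachable GC again.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name IgnoreGCFailures -ErrorAction SilentlyContinue
    $ignore = if ($null -ne $lsa) { [int]$lsa.IgnoreGCFailures } else { 0 }

    # Event 1119 in the Directory Service log is NTDS announcing it now advertises as a GC,
    # so its timestamp tells you whether a re-enabled GC has finished rebuilding its partial replicas.
    $lastAdvertised = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1119 } `
                                   -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsGC               = $isGC
        IgnoreGCFailures   = $ignore
        LastGCAdvertisedAt = if ($lastAdvertised) { $lastAdvertised.TimeCreated } else { $null }
    }
}

function Enable-GC {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Re-enable Global Catalog and remove IgnoreGCFailures')) {
        Write-Verbose "Re-enabling Global Catalog on local server"
        repadmin.exe /options $env:COMPUTERNAME +IS_GC
        if ($LASTEXITCODE -ne 0) { throw "repadmin /options +IS_GC failed with exit code $LASTEXITCODE" }
        # Remove the workaround so logons once again require a GC and Universal Group SIDs (and their Deny ACEs) are back in tokens.
        Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name IgnoreGCFailures -ErrorAction SilentlyContinue
        Write-Warning "Partial replicas must rebuild before this DC advertises as a GC again; watch for Directory Service event 1119"
    }
}

# Immediately after Disable-GC you expect IsGC = False and IgnoreGCFailures = 1:
Get-GCState
```

Run Enable-GC only once every domain in the forest has been brought back and is replicating cleanly; re-enabling the GC earlier just reintroduces the stale partial replicas the step above was avoiding. Get-GCState is also a handy thing to run on every restored DC before you reconnect the isolated network, so nothing is left advertising as a GC or quietly ignoring GC failures in production.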

All the other parts of this series are available here