I was talking with a good friend this evening and he asked a question which I would normally consider trivial but the way he put it made me go, oh wow, put that way, that is kind of interesting… It should work the way you would intuit it to work…
The question was, how do I make another Domain Controller a Global Catalog??? Of course everyone who uses AD is like, well just go to dssite.msc (oh ok you probably said go to Sites and Services) and drill down to the DC in question and then go down one more level to NTDS Settings and then right click and select properties and then select the Global Catalog check box…
As I went to say that I thought about it, the guy asking is very good with computers, it has been his business for as long as I have been alive so I was a little slow to respond and then he said something that made me go… yeah, that is how it should be… Basically he said, I went to ADUC and looked in the Domain Controllers OU and opened the properties for the Domain Controller and expected to see something that told me it was a GC or not and I could select it to be one… I then said, oh it isn’t there but I can see why you would think it should be… because it probably should be… Why isn’t it there? Just because that info is kept in the config doesn’t mean it shouldn’t be exposed in ADUC for the domain controller properties. ADUC isn’t a raw LDAP editor, it is a tool used to manage the environment and if DCs are going to be exposed in it, it should allow you to view/manipulate the GC status from there as well. I never thought about it before because I always think of AD as an LDAP Server and then visualize the tools as LDAP tools… But ADUC shouldn’t be an LDAP tool… it is a domain/forest management tool. So why doesn’t it allow you to get the full details on a DC and set/clear the fact that a specific DC is a GC? Be a lot better than fishing around in dssite.msc…
Again this guy is a very good computer guy, he is a fellow DEC PDP-11 lover like myself. Very smart. He just doesn’t work in large environments where turning on GCs or making DCs isn’t a real regular occurrence. In fact the last couple of years he spent a lot of time learning Java and making a parametric search engine for the product search tools of the company he works for. Today he was hooking up a UPS system to a PBX and all of the supporting equipment. Next week he could be working on their Exchange server or one of their Linux servers or their thin client solution… Sort of a normal small company IT guy, not an AD specific person and I think he made a great point.
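The Global Catalog check box in dssite.msc maps to bit 0 of the `options` attribute on each DC's NTDS Settings object in the configuration partition. The script below is an added example, not part of the original post: it reads that attribute to report which DCs are GCs and flips only that bit, leaving any other option bits alone. It assumes the ActiveDirectory (RSAT) module and rights to write the NTDS Settings object; the function names and the DC name `DC02` are placeholders.

```powershell
# Added example. Requires the ActiveDirectory module; 'DC02' is a placeholder DC name.
Import-Module ActiveDirectory

$GcFlag = 0x1   # bit 0 of 'options' on the nTDSDSA (NTDS Settings) object = "is a GC"

function Get-GcStatus {
    # Report every DC in the current domain with its raw options value and GC state.
    Get-ADDomainController -Filter * | ForEach-Object {
        $ntds = Get-ADObject -Identity $_.NTDSSettingsObjectDN -Properties options
        $opts = [int]$ntds.options          # unset attribute -> $null -> 0
        [pscustomobject]@{
            Name            = $_.Name
            Site            = $_.Site
            Options         = $opts
            IsGlobalCatalog = [bool]($opts -band $GcFlag)
            NtdsSettingsDN  = $ntds.DistinguishedName
        }
    }
}

function Set-GcFlag {
    # Set or clear only the GC bit; other bits in 'options' are preserved.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $dc   = Get-ADDomainController -Identity $Name
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $old  = [int]$ntds.options
    $new  = if ($Enabled) { $old -bor $GcFlag } else { $old -band (-bnot $GcFlag) }
    if ($new -eq $old) { Write-Verbose "$Name is already in the requested state"; return }
    if ($PSCmdlet.ShouldProcess($ntds.DistinguishedName, "set options $old -> $new")) {
        Set-ADObject -Identity $ntds -Replace @{ options = $new }
    }
}

# Inventory first, then preview the change; drop -WhatIf to apply it.
Get-GcStatus | Format-Table Name, Site, Options, IsGlobalCatalog
Set-GcFlag -Name 'DC02' -Enabled $true -WhatIf
```

Running `Get-GcStatus` on a schedule and comparing the output against the intended GC placement is a simple way to notice an unexpected change to this setting.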