Skip to main content

Articles in this section

See more
Print

Unable to sign in after Forest Recovery due to missing Global Catalog

Unable to sign in after Forest Recovery due to missing Global Catalog

Summary

After starting a recovered domain controller (DC), you may be unable to sign in with any account except the built-in Administrator and be unable to create new Active Directory objects. This can occur when the recovered environment does not include at least one reachable DC from another domain in the forest, preventing Global Catalog (GC) replication from completing. A DC will not advertise the GC role until required forest-wide replication completes.

Symptoms

  1. Sign-in symptoms

    1. You can sign in only with the built-in Administrator account (DOMAIN\Administrator).

    2. Other administrative accounts (including members of Domain Admins) may fail to sign in.

      NOTE: The exact sign-in error can vary and may require reproduction to capture the message for searchability.

  1. Object creation symptoms

    When creating a user/group (or performing other operations that require GC), you may see: Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog: The server is not operational.

Root cause

In a multi-domain forest, the Global Catalog must replicate required data from all domain partitions before it can advertise itself as a GC. If a necessary source DC (for example, a DC in a child domain) is offline or not reachable (often due to DNS/service record issues), GC replication cannot complete and the GC role may not be advertised.

Immediate workaround

Sign in using the built-in Administrator account: DOMAIN\Administrator.

Resolution

Ensure your recovery plan includes at least one DC per domain. Your recovery plan must include at least one recovered DC from each domain in the forest.

RECOMMENDED: In most real recovery scenarios for a multi-domain forest, do not ignore this warning—include at least one DC for each domain you expect to function.

  1. If you already recovered a root-domain DC and hit this issue:

    1. Start (power on) at least one recovered DC for each child/tree domain.

    2. Wait for replication to complete sufficiently for GC to advertise.

  1. On a recovered DC, validate that GC is being advertised:

    • Run the DCDIAG advertising test:
      • dcdiag /v
      • Review results related to advertising / Global Catalog.
    • Run NLTEST and confirm output includes GC in Flags:
      • nltest /dsgetdc:<Domain_Name> /server:<Server_Name>
      • Verify Flags: includes GC.

You can also review the Directory Service event logs. GC will not be advertised until the required replication completes.

NOTE: If you intentionally recover only a subset of a multi-domain forest (for example, only the root domain DCs), some functionality is expected to break because GC depends on forest-wide replication and integrity. A DC may not advertise GC until the other domains’ partitions are reachable and replicated.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Comments

0 comments

Please sign in to leave a comment.