Global Catalog and FSMO Infrastructure Master Relationship



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Original Publication: 10/1/2010




Overview


In a multi-domain forest, there are multiple factors that must be taken into account in the design, from how to build the DNS resolving infrastructure (centralized or decentralized) to what to do with your Global Catalogs and their relationship to the FSMO Infrastructure Master role. There are more factors, of course, but this blog focuses on the GC/IM relationship.


Because there is more than one domain in the forest, it is HIGHLY recommended to have a minimum of two DCs in each domain. The reason is two-fold: one is redundancy, the other is the Infrastructure Master role conflict with a GC in a multi-domain forest. If you are going to have a GC in the child domain, especially if it is in a remote location, keep this required rule in mind. In each domain, make one of the DCs a GC, and move the Infrastructure Master role from the GC to the non-GC. These are the functional basics of domain design and FSMO role placement, and of the way this specific role works, or rather doesn’t work, when it is on a GC.




Make All DCs GCs


Then again, it’s now commonly recommended to simply make all DCs in a forest GCs, no matter how the DNS resolving infrastructure is designed. This alleviates the IM/GC conflict entirely. Many large installations have been using this design successfully without issues. As a matter of fact, Exchange likes it.


Global Catalog vs. Infrastructure Master:
“If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs”
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx
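As an added example (not from the original post), the following PowerShell checks that rule across every domain in the forest: it reports which DC holds the Infrastructure Master role, how many DCs are GCs, and whether the placement conflicts. It assumes the RSAT ActiveDirectory module and an account that can read each domain.

```powershell
# Added example (not from the post): audit Infrastructure Master vs. Global Catalog placement
# in every domain of the forest. Requires the RSAT ActiveDirectory module and an account that
# can read each domain.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$multiDomain = @($forest.Domains).Count -gt 1

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $imHost = $domain.InfrastructureMaster                 # FQDN of the IM role holder
    $im     = $dcs | Where-Object { $_.HostName -eq $imHost }
    $gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog })
    $allGc  = $gcs.Count -eq $dcs.Count

    # The conflict only exists in a multi-domain forest; if every DC is a GC there are
    # no phantoms for the IM to maintain, so the placement no longer matters.
    if (-not $multiDomain)       { $status = 'OK: single-domain forest' }
    elseif ($allGc)              { $status = 'OK: all DCs are GCs' }
    elseif ($im.IsGlobalCatalog) { $status = 'CONFLICT: IM is a GC while other DCs in the domain are not' }
    else                         { $status = 'OK: IM on a non-GC DC' }

    [pscustomobject]@{
        Domain               = $domainName
        DomainControllers    = $dcs.Count
        GlobalCatalogs       = $gcs.Count
        InfrastructureMaster = $imHost
        ImIsGC               = [bool]$im.IsGlobalCatalog
        Status               = $status
    }
}
```

A CONFLICT line is fixed either by enabling the GC on the remaining DCs of that domain (Sites and Services, NTDS Settings) or by moving the role to a non-GC with Move-ADDirectoryServerOperationMasterRole -Identity <non-GC DC> -OperationMasterRole InfrastructureMaster.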






More info on the Infrastructure Master and Global Catalog relationship


As a whole, the IM updates references to objects from other domains. What it basically does is update the “phantoms” in its own domain for those objects. The phantoms are actually “pointers” or references to the objects in the other domains, and they are based on the following identities of the other domain’s object (for example, a member of a local group that lives in another domain):


Distinguished name of the object
Object GUID
Object SID


The reason it doesn’t pull in attributes such as MemberOf or MemberIs is that this would be added work on the local domain’s DC. Therefore it uses the phantom as a pointer to query a DC in the other domain when you request the object from that domain, such as when adding a user or group from the other domain to a local group in the domain in question.


So they are basically the values that ‘point’ to the referenced object, rather than a MemberOf or MemberIs attribute.



An example


1) User1 (DomainA) is a member of Group1 (DomainB).
This means that when viewing the membership of Group1, you should be able to see User1 there.


2) User1 in DomainA gets renamed to User2.


3) This change gets replicated to all GCs across the forest.


4) The IM in DomainB detects that its phantom for User1 is out of date, updates it, and replicates the update to all other DCs in DomainB.


This means that when viewing the membership of Group1, you should now see User2. Without a working IM, Group1 would still list User1 as its member.



Active Directory Sites


Also, with multiple locations, I suggest creating AD sites that correspond to each subnet. To do that, follow this article’s steps:


Step-by-Step Guide to Active Directory Sites and Services
http://www.activewin.com/win2000/step_by_step/active_directory/adsites.shtml


Step-by-Step Guide to Active Directory Sites and Services (Microsoft Word document)
Creating a site link between two or more sites is a way to influence replication topology. By creating a site link, you provide Active Directory with …
http://filedb.experts-exchange.com/incoming/2008/08_w35/53729/Active-Directory-Sites-and-Servi.doc



DNS SRV AD Site Registration


Once you have created your sites, do the following to push the DCs to register their site-specific records right away, rather than waiting for the default Netlogon registration interval.


On the child DC, delete the system32\config\netlogon.dns and netlogon.bak files. Then run:


ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon


Make sure the DC’s A record, the LdapIpAddress record (the “same as parent” record, which should show the child DC’s IP), and the SRV data are showing up in the nl.linakorg.local zone. Check the Sites configuration to make sure the respective DCs in the child domain show up correctly. Check in the _gc._msdcs.linakorg.local zone that the respective IPs of the DCs you made GCs show up.
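The same re-registration as an added PowerShell script (not from the original post) that also verifies the records the paragraph above says to check. The zone names default to the ones the post uses; the GC records are looked up under the forest root’s _msdcs subdomain, which is where GCs register them. Run it elevated on the child DC.

```powershell
# Added example (not from the post): force a DC to re-register its DNS records after sites
# are created, then verify the A, "same as parent", LDAP SRV and GC records for this DC.
param(
    [string]$ForestRoot = 'linakorg.local',     # forest root zone named in the post
    [string]$ChildZone  = 'nl.linakorg.local',  # child domain zone named in the post
    [string]$ExpectedIp = (Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Manual |
                           Select-Object -First 1 -ExpandProperty IPAddress)
)

# 1) Remove the cached Netlogon registration files so they are rebuilt from scratch.
$cfg = Join-Path $env:SystemRoot 'System32\config'
Remove-Item (Join-Path $cfg 'netlogon.dns'), (Join-Path $cfg 'netlogon.bak') -ErrorAction SilentlyContinue

# 2) Flush the resolver cache, re-register the A record, and restart Netlogon, which
#    rewrites netlogon.dns and dynamically registers the SRV records.
ipconfig /flushdns   | Out-Null
ipconfig /registerdns | Out-Null
Restart-Service -Name Netlogon
Start-Sleep -Seconds 15      # give the DNS server time to accept the dynamic updates

# 3) Verify the records the post says to check (queries go to the DC's configured DNS server).
$dc      = $env:COMPUTERNAME
$aRecord = Resolve-DnsName -Name "$dc.$ChildZone"        -Type A   -ErrorAction SilentlyContinue
$parentA = Resolve-DnsName -Name $ChildZone              -Type A   -ErrorAction SilentlyContinue
$ldapSrv = Resolve-DnsName -Name "_ldap._tcp.$ChildZone" -Type SRV -ErrorAction SilentlyContinue
$gcSrv   = Resolve-DnsName -Name "_gc._tcp.$ForestRoot"  -Type SRV -ErrorAction SilentlyContinue
$gcA     = Resolve-DnsName -Name "gc._msdcs.$ForestRoot" -Type A   -ErrorAction SilentlyContinue

# The two GC checks are expected to be $true only if this DC is a GC.
[pscustomobject]@{
    DC                  = $dc
    ExpectedIp          = $ExpectedIp
    ARecordPresent      = [bool]($aRecord | Where-Object IPAddress  -eq   $ExpectedIp)
    SameAsParentPresent = [bool]($parentA | Where-Object IPAddress  -eq   $ExpectedIp)
    LdapSrvListsThisDC  = [bool]($ldapSrv | Where-Object NameTarget -like "$dc.*")
    GcSrvListsThisDC    = [bool]($gcSrv   | Where-Object NameTarget -like "$dc.*")
    GcARecordHasThisIp  = [bool]($gcA     | Where-Object IPAddress  -eq   $ExpectedIp)
}
```

Any $false in the output for a record the DC should own usually means the dynamic update was refused (zone not allowing secure updates, or the DC pointing at the wrong DNS server); the Netlogon event log on the DC will show the failed registration.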




Summary


It’s now commonly recommended to simply make all DCs GCs so you don’t have to worry about the GC-IM conflict.




Related Links


In the meantime, please read the following links for more info. The first link explains in more detail what I summarized above, which hopefully will give you a better understanding.


Phantoms, tombstones and the infrastructure master role conflict with a global catalog
http://support.microsoft.com/kb/248047


Infrastructure Education:
http://social.answers.microsoft.com/Forums/en-US/winservergen/thread/d238de68-3423-40cd-9bf1-8416bd1d4591


Global Catalog vs. Infrastructure Master
“If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs”
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx


Phantoms, tombstones and the infrastructure master role conflict with a global catalog in a multi-domain forest, however in a single domain forest, all DCs are recommended to be GCs.
http://support.microsoft.com/kb/248047


FSMO placement and optimization on Active Directory domain controllers:
http://support.microsoft.com/kb/223346


Infrastructure Master Education:
“Global catalog and infrastructure master role conflicts only when there are more than one Domain in the Forest. We don’t need to worry about single Domain situation.” – Mervyn Zhang, MSFT
http://social.answers.microsoft.com/Forums/en-US/winservergen/thread/d238de68-3423-40cd-9bf1-8416bd1d4591


Windows 2000 Active Directory FSMO roles (Similar to 2003 & 2008):
http://support.microsoft.com/kb/197132




Ace Fekay


Any comments or corrections are welcome
