Global Catalog vs. Infrastructure Master

There’s a common question in the Newsgroups, which I’d like to clarify:

 

Q: Is the Infrastructure Master allowed to run on a Domain Controller which also holds the Global Catalog Server?

 

A:

A common reply, and a misunderstood rumor, is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is a Global Catalog Server. That rumor is based on misleading wording.

The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master is also a global catalog, it won't ever see any differences, since the global catalog itself holds a partial copy of every object in the forest. Therefore the infrastructure master won't do anything in its domain. However, if every DC in the domain is also a global catalog server, there's no job for the IM, since the GCs already know about the objects of other domains. So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC in a single-domain forest (no need to pull updates from other domains). It's also pretty clear that it may reside on a GC in a multiple-domain forest if every DC in the domain where the IM runs on a GC is also a GC (no need to pull updates since the GCs know everything).

So the following infrastructure is a valid configuration:

One domain:
R-DC1 (GC + IM)
R-DC2 (GC)
R-DC3-x (must be GC)

Other domain:
O-DC1 (GC)
O-DC2 (IM)
O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know everything; the other domain has the IM running on a non-GC, so it pulls the updates and replicates them to the other DCs.

The following KB states that correctly:
http://support.microsoft.com/kb/223346/EN-US/

 

In short:

The Infrastructure Master is not allowed to run on a Global Catalog Server if both of the following conditions apply:

  • there are multiple Domains in the Forest
  • there are Domain Controllers in the same Domain which are not Global Catalog Servers

 

The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either of the following applies:

  • there’s only one Domain in the Forest
  • every Domain Controller in the Domain where the Infrastructure Master runs on a GC is also a Global Catalog Server (there is no non-GC DC in the domain)
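
One way to audit a forest against the rule summarised above, as an added example (not from the original post or the linked KB). It assumes the ActiveDirectory PowerShell module is installed and that the account can read every domain in the forest; the verdict strings are this example's own.

```powershell
# Added example: audit Infrastructure Master (IM) placement per domain.
# Assumes the RSAT ActiveDirectory module and read access to each domain.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$domainCount = @($forest.Domains).Count

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName -Server $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

    # The IM role holder is reported as a DNS host name; match it to its DC object.
    $imDc  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    if (-not $imDc) {
        $verdict = 'UNKNOWN: IM role holder not found among the DCs of this domain'
    } elseif (-not $imDc.IsGlobalCatalog) {
        $verdict = 'OK: IM runs on a non-GC'
    } elseif ($domainCount -eq 1) {
        $verdict = 'OK: single-domain forest'
    } elseif ($nonGc.Count -eq 0) {
        $verdict = 'OK: every DC in this domain is a GC'
    } else {
        $verdict = 'INVALID: IM on a GC, multi-domain forest, non-GC DCs present'
    }

    # One result row per domain, listing the non-GC DCs that make the placement matter.
    [pscustomobject]@{
        Domain               = $domainName
        InfrastructureMaster = $domain.InfrastructureMaster
        ImIsGC               = $(if ($imDc) { $imDc.IsGlobalCatalog } else { $null })
        NonGcDcs             = ($nonGc | ForEach-Object { $_.HostName }) -join ', '
        Verdict              = $verdict
    }
}
```

For a domain flagged INVALID, the NonGcDcs column lists the candidates the role can move to, or the DCs that would have to become GCs for the current placement to be valid.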



Update: Tatjana provided some related links – thank you Tatjana:

 

248047 Phantoms, Tombstones and the Infrastructure Master

http://support.microsoft.com/?id=248047

 

Details about the Active Directory EventId 1419

http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Active+Directory&EvtID=1419&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0

 


7 Responses to “Global Catalog vs. Infrastructure Master”

  1.   John Boots Says:

    OK, I’m not allowed to run the IM on my GC server because I have DCs in my domain which are not GCs.

    I AM allowed to run the IM on my GC server because there’s only one domain in my forest.

    If both of these statements are true (and they describe my environment), which takes precedence?


  2.   Ulf B. Simon-Weidner Says:

    Hello John,

    the second one. In your scenario you do not need the IM, there are no other domains where he’d need to check for consistency.

    Ulf


  3.   Tatjana Aggoussi Says:

    Hi Ulf,

    I would like to comment and suggest including the following references in your details for complete reference & clarification:

    http://support.microsoft.com/?id=248047 and

    http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Active+Directory&EvtID=1419&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0

    Thanks, & have a nice weekend,

    Tatjana Aggoussi


  4.   Ulf B. Simon-Weidner Says:

    Thank you Tatjana – I’ve updated it. Enjoy your weekend and the nice weather.

    Ulf


  5.   Leriche Michel-Vincent Says:

    I will soon publish on my blog how to view Phantom objects; Viewing deleted objects is easy enough. In order to view Phantom objects, one needs to backup AD and access it offline using LDP.

    http://spaces.msn.com/members/mvleriche/

    Best regards,

    MV


  6.   Leriche Michel-Vincent Says:

    … Because the reason a GC cannot be an IM are Phantom objects…

    Cheers

    MV


  7.   Ulf B. Simon-Weidner Says:

    Hello Michel-Vincent,

    > I will soon publish on my blog how to view Phantom
    > objects; Viewing deleted objects is easy enough. In
    > order to view Phantom objects, one needs to backup
    > AD and access it offline using LDP.

    Can you specify what you mean? You can view phantom objects online, and AFAIK there’s no way to open AD offline with LDP – LDP is an LDAP browser and you can’t access the DB directly.

    > … Because the reason a GC cannot be an IM are
    > Phantom objects…

    The GC can be an IM – as stated in my blog – but the IM will never be able to detect which phantom objects are required if it runs on the GC. However this is not necessary if either every DC in that domain is also a GC, or if it’s a single domain (because there won’t be external users in groups and therefore no need to create phantoms).

    Ulf
