Learn AD in 15 Minutes a Week: Active Directory Single Masters of Operation Page 3

By ServerWatch Staff
Posted Jun 19, 2002



Best practice dictates that the Infrastructure Master Domain Controller role should NOT be placed on a Domain Controller that is also a Global Catalog Server (this is allowed, but it should not be done). Because a Global Catalog server holds a partial replica of every object in the forest, an Infrastructure Master in this configuration will never perform any updates: it contains no references to objects that it does not hold. Remember, the job of the Infrastructure Master Domain Controller is to handle all of the cross-domain (between domains) data updates for users and groups and their memberships. If it does not "see" these changes because it accesses all of the objects through the local copy of the Global Catalog (rather than through replicated changes over the network), it will not perform its function.

There are exceptions to these best practices, as identified below.

In a forest that contains a single Active Directory domain the Infrastructure Master has no real work to do because there are no other domains. The Infrastructure Master may be placed on any domain controller in the domain.

In a forest that contains a single Active Directory domain and only a single domain controller, all of the FSMO roles are going to be on the single server by default. Since there are no other servers to migrate these roles to and also since there are no other domains to contend with, the Infrastructure Master may be placed on the single domain controller in the domain.

[NOTES FROM THE FIELD] - While this is possible, in that nothing prevents you from running a domain on a single Domain Controller, it is HIGHLY inadvisable. No matter how small the domain and how few the users, there should always be a second DC to function as an alternate. If that single DC is lost, your users will not be able to access network resources, and if the backups of the DC are bad or far out of date, recovery would be almost as much work as starting from scratch.

The other exception to the rule is a forest that contains multiple domains, where every domain controller in the forest holds a copy of the Global Catalog. In this case, the Infrastructure Master may be placed on any domain controller in the forest because there is no other option: only a DC can be a FSMO server, and every DC has a copy of the Global Catalog. There would be little update work for the Infrastructure Master to do at any rate, since all of the data from other domains would be contained in the local copy of the Global Catalog.
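The placement rule and its exceptions can be checked mechanically against a domain controller inventory. The following is an added example, not code from the original article: the `DC` record, the function name and the sample forest (placeholder host names) are all constructed for illustration, and the inventory is assumed to have been gathered beforehand.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DC:
    name: str
    domain: str
    is_gc: bool                    # hosts a Global Catalog replica
    is_infra_master: bool = False  # holds this domain's Infrastructure Master role

def audit_infrastructure_masters(dcs):
    """Map each domain to (status, detail) using the rule and exceptions above."""
    domains = sorted({dc.domain for dc in dcs})
    single_domain = len(domains) == 1
    every_dc_is_gc = all(dc.is_gc for dc in dcs)  # forest-wide, as the article states it
    report = {}
    for domain in domains:
        members = [dc for dc in dcs if dc.domain == domain]
        holders = [dc for dc in members if dc.is_infra_master]
        if len(holders) != 1:  # the role is domain-wide: exactly one holder expected
            report[domain] = ("ERROR", f"{len(holders)} Infrastructure Master holders in inventory")
            continue
        im = holders[0]
        if not im.is_gc:
            report[domain] = ("OK", f"{im.name} is not a Global Catalog server")
        elif single_domain:
            report[domain] = ("EXCEPTION", "single-domain forest, no cross-domain references")
        elif every_dc_is_gc:
            report[domain] = ("EXCEPTION", "every DC in the forest is a Global Catalog server")
        else:
            spare = [dc.name for dc in members if not dc.is_gc]
            hint = f"move role to one of {spare}" if spare else "no non-GC DC in this domain"
            report[domain] = ("VIOLATION", f"{im.name} is also a Global Catalog server; {hint}")
    return report

# Constructed inventory: a two-domain forest with placeholder names.
SAMPLE_FOREST = [
    DC("dc1.corp.example", "corp.example", is_gc=True, is_infra_master=True),
    DC("dc2.corp.example", "corp.example", is_gc=False),
    DC("dc1.eu.corp.example", "eu.corp.example", is_gc=True),
    DC("dc2.eu.corp.example", "eu.corp.example", is_gc=False, is_infra_master=True),
]

if __name__ == "__main__":
    for domain, (status, detail) in audit_infrastructure_masters(SAMPLE_FOREST).items():
        print(f"{domain}: {status} - {detail}")
```

A domain whose DCs are all Global Catalog servers while another domain still has a non-GC DC is reported as a violation with no candidate, because the article's exception applies only when every DC in the forest holds the Global Catalog.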

The image below shows a single forest structure with two domain trees. Each tree has a root domain and two child domains. There are SIX Relative ID Master Domain Controllers, SIX PDC Emulator Domain Controllers and SIX Infrastructure Master Domain Controllers in this forest. There are a total of six domains; therefore, there is a total of six of each of the three types of Domain Wide Operations Master Roles, one in each domain.




 

 

Well, that wraps up this section of Learn Active Directory Design and Administration in 15 Minutes a Week - Active Directory Single Masters of Operation Overview. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until then, best of luck in your studies and remember,


"The fact that the grass is greener on the other side of the fence is directly proportional to how much manure is being used on the property."


Jason Zandri
Jason@Zandri.net
www.2000trainers.com

Page 3 of 3

