Best Practices dictate that the Infrastructure Master
Domain Controller role should NOT be (it is allowed,
but it should not be) on a Domain Controller that is also a
Global Catalog Server. Because the global catalog server
holds a partial replica of every object in the forest, the
Infrastructure Master, in this example, will never perform
any updates because it does not contain any references to
objects that it does not hold. Remember, the job of the
Infrastructure Master Domain Controller is to handle all of
the cross-domain (between domains) data updates for users
and groups and their memberships. If it does not “see” these
changes because it accesses all of the objects through the
local copy of the Global Catalog (rather than through changes
replicated over the network), it will not perform its
function.
There are exceptions to these best practices, as identified below.
In a forest that contains a single Active Directory
domain the Infrastructure Master has no real work to do
because there are no other domains. The Infrastructure
Master may be placed on any domain controller in the domain.
In a forest that contains a single Active Directory
domain and only a single domain controller, all of the FSMO
roles are going to be on the single server by default. Since
there are no other servers to migrate these roles to and
also since there are no other domains to contend with, the
Infrastructure Master may be placed on the single domain
controller in the domain.
[NOTES FROM THE FIELD] – While this is possible
in that there is nothing preventing you from running a
domain via a single Domain Controller, it is HIGHLY
inadvisable. No matter how small the domain and how few the
users, there should always be a second DC to function as an
alternate. In the scenario of a single DC and the loss of
that DC, your users will not be able to access network
resources, and if the backups of the DC should be bad or far
out of date, it would be almost as much work as starting from
scratch.
The other exception to the rule would be in a forest that
contains multiple domains, where every domain controller in
the forest holds a copy of the Global Catalog. In this case, the
Infrastructure Master may be placed on any domain controller
in the forest because there is no other option. Only a DC
can be a FSMO server, and if they all have a copy of the
Global Catalog, you are not left with any other option. There
would be little update work for the Infrastructure Master to
do at any rate, since all of the data from other domains
would be contained in the local copy of the Global Catalog.
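
The placement rule and its exceptions can be checked across a forest with a short script. This is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module and read access to every domain, and the function name Test-InfrastructureMasterPlacement is hypothetical. The "every DC is a Global Catalog" exception is evaluated per domain, which also covers the forest-wide case described above.

```powershell
# Added example: audit Infrastructure Master placement in each domain of the forest.
# Assumes the RSAT ActiveDirectory module is installed (not stated in the article).
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {   # hypothetical helper name
    param(
        [string]$DomainName,
        [string]$InfrastructureMaster,    # FQDN of the current role holder
        [object[]]$DomainControllers,     # objects exposing HostName and IsGlobalCatalog
        [int]$ForestDomainCount
    )

    $holder = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    $nonGc  = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    if (-not $holder) {
        $status = 'Unknown'; $reason = 'Role holder not found among the DCs returned'
    } elseif (-not $holder.IsGlobalCatalog) {
        $status = 'OK';      $reason = 'Role holder is not a Global Catalog server'
    } elseif ($ForestDomainCount -eq 1) {
        $status = 'OK';      $reason = 'Exception: single-domain forest'
    } elseif ($nonGc.Count -eq 0) {
        $status = 'OK';      $reason = 'Exception: every DC in the domain is a Global Catalog'
    } else {
        # Multi-domain forest, holder is a GC, and a non-GC DC is available.
        $status = 'Review'
        $reason = "Role holder is a GC; non-GC candidates: $($nonGc.HostName -join ', ')"
    }

    [pscustomobject]@{
        Domain               = $DomainName
        InfrastructureMaster = $InfrastructureMaster
        Status               = $status
        Reason               = $reason
    }
}

$forest = Get-ADForest
foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Identity $name -Server $name
    $dcs    = Get-ADDomainController -Filter * -Server $name
    Test-InfrastructureMasterPlacement -DomainName $name `
        -InfrastructureMaster $domain.InfrastructureMaster `
        -DomainControllers $dcs `
        -ForestDomainCount $forest.Domains.Count
}
```

A Status of Review marks a domain where the role sits on a Global Catalog server even though a non-GC domain controller exists to hold it.
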
The image below shows a single forest structure with two
domain trees. Each tree has a root domain and two child
domains. There are SIX Relative ID Master Domain
Controllers, SIX PDC Emulator Domain Controllers and
SIX Infrastructure Master Domain Controllers in this forest.
There are a total of six domains; therefore, there is a
total of six of each of the three types of Domain Wide
Operations Master Roles, one in each domain.
Well, that wraps up this section
of Learn Active Directory Design and Administration in 15
Minutes a Week – Active
Directory Single Masters of Operation Overview. I hope
you found it informative and will return for the next
installment.
If you have any questions, comments or
even constructive criticism, please feel free to drop me a
note.
I want to write good, solid technical
articles that appeal to a large range of readers and skill
levels and I can only be sure of that through your feedback.
Until then, best of luck in your
studies and remember,
“The fact
that the grass is greener on the other side of the fence is
directly proportional to how much manure is being used on
the property.”
Jason Zandri
Jason@Zandri.net
www.2000trainers.com