
Ulf B. Simon-Weidner's Blog
Global Catalog vs. Infrastructure Master
There's a common question in the Newsgroups, which I'd like to clarify:
 
Q: Is the Infrastructure Master allowed to run on a Domain Controller which also holds the Global Catalog Server?
 
A:
One of the common replies, and a misunderstood rumor, is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is a Global Catalog Server. That rumor is just based on misleading wording.

The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master is also a global catalog, it won't ever see any differences, since the global catalog itself holds a partial copy of every object in the forest. Therefore the infrastructure master won't do anything in its domain. However, if every DC in the domain is also a global catalog server, there's no job for the IM, since each GC already knows about the objects of other domains. So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC in a single-domain forest (no need to pull updates from other domains). It's also pretty clear that it may reside on a GC in a multiple-domain forest if every DC in the IM's domain is also a GC (no need to pull updates since the GCs know everything).

So the following infrastructure is a valid configuration:

One domain:
R-DC1 (GC + IM)
R-DC2 (GC)
R-DC3-x (must be GC)

Other domain:
O-DC1 (GC)
O-DC2 (IM)
O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know everything; the other domain has the IM running on a non-GC, so it pulls the updates and replicates them to the other DCs.

The following KB states that correctly:
http://support.microsoft.com/kb/223346/EN-US/
 
So to be short:
The Infrastructure Master is not allowed to run on a Global Catalog Server if either
  • there are multiple Domains in the Forest
  • there are Domain Controllers in the same Domain which are not Global Catalog Servers
 
The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either
  • there's only one Domain in the Forest
  • every Domain Controller in the Domain in question is a Global Catalog Server
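
The placement rule summarized above, written as a check over one domain's topology. This is an added example, not code from the original post: the function names, the `.example` domain names and the third (misconfigured) case are constructed, and the live-forest lines in the closing comment assume the ActiveDirectory RSAT module is installed.

```powershell
# Added example: applies the post's placement rule to one domain's topology.
# DC objects use HostName / IsGlobalCatalog, the same property names that
# Get-ADDomainController returns, so live output can be passed in unchanged.
function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)] [string]   $DomainName,
        [Parameter(Mandatory)] [int]      $ForestDomainCount,
        [Parameter(Mandatory)] [string]   $InfrastructureMaster,
        [Parameter(Mandatory)] [object[]] $DomainControllers
    )
    $holder = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    if (-not $holder) { throw "IM holder '$InfrastructureMaster' is not a DC of $DomainName" }
    # DCs in this domain that are not global catalogs
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog } |
               ForEach-Object { $_.HostName })

    if (-not $holder.IsGlobalCatalog) {
        $valid = $true;  $reason = 'IM runs on a non-GC'
    } elseif ($ForestDomainCount -eq 1) {
        $valid = $true;  $reason = 'IM on a GC, single-domain forest'
    } elseif ($nonGc.Count -eq 0) {
        $valid = $true;  $reason = 'IM on a GC, every DC in the domain is a GC'
    } else {
        $valid = $false; $reason = "IM on a GC, multi-domain forest, non-GC DCs: $($nonGc -join ', ')"
    }
    [pscustomobject]@{ Domain = $DomainName; IMHolder = $InfrastructureMaster
                       Valid  = $valid;      Reason   = $reason }
}

# Constructed sample input: the two domains from the post (hypothetical DNS names).
function New-Dc($HostName, [bool]$IsGlobalCatalog) {
    [pscustomobject]@{ HostName = $HostName; IsGlobalCatalog = $IsGlobalCatalog }
}
$rootDcs  = (New-Dc 'R-DC1' $true), (New-Dc 'R-DC2' $true),  (New-Dc 'R-DC3' $true)
$otherDcs = (New-Dc 'O-DC1' $true), (New-Dc 'O-DC2' $false), (New-Dc 'O-DC3' $false)
$t = 'Test-InfrastructureMasterPlacement'
@(
    & $t -DomainName 'root.example'  -ForestDomainCount 2 -InfrastructureMaster 'R-DC1' -DomainControllers $rootDcs
    & $t -DomainName 'other.example' -ForestDomainCount 2 -InfrastructureMaster 'O-DC2' -DomainControllers $otherDcs
    # Constructed misconfiguration: IM moved onto the GC while O-DC2/O-DC3 are not GCs
    & $t -DomainName 'other.example' -ForestDomainCount 2 -InfrastructureMaster 'O-DC1' -DomainControllers $otherDcs
) | Format-Table -AutoSize -Wrap

# Against a live forest (requires the ActiveDirectory module):
#   $domains = (Get-ADForest).Domains
#   foreach ($d in $domains) { Test-InfrastructureMasterPlacement -DomainName $d `
#       -ForestDomainCount $domains.Count -InfrastructureMaster (Get-ADDomain $d).InfrastructureMaster `
#       -DomainControllers (Get-ADDomainController -Filter * -Server $d) }
```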

Update: Tatjana provided some related links - thank you Tatjana:
 
248047 Phantoms, Tombstones and the Infrastructure Master
 
Details about the Active Directory EventId 1419
 

Published Tuesday, March 08, 2005 12:46 PM by Ulf B. Simon-Weidner

Comments

# re: Global Catalog vs. Infrastructure Master@ Wednesday, April 20, 2005 8:04 PM

OK, I'm not allowed to run the IM on my GC server because I have DCs in my domain which are not GCs.

I AM allowed to run the IM on my GC server because there's only one domain in my forest.

If both of these statements are true (and they describe my environment), which takes precedence?

Ulf B. Simon-Weidner

# re: Global Catalog vs. Infrastructure Master@ Friday, April 22, 2005 7:42 AM

Hello John,

The second one. In your scenario you do not need the IM; there are no other domains where it would need to check for consistency.

Ulf

Ulf B. Simon-Weidner

# re: Global Catalog vs. Infrastructure Master@ Saturday, April 23, 2005 12:41 PM

Hi Ulf,

I would like to comment and suggest including the following references in your details for complete reference & clarification:

http://support.microsoft.com/?id=248047 and
http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Active+Directory&EvtID=1419&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0

Thanks, & have a nice weekend,
Tatjana Aggoussi

Ulf B. Simon-Weidner

# re: Global Catalog vs. Infrastructure Master@ Saturday, April 23, 2005 5:52 PM

Thank you Tatjana - I've updated it. Enjoy your weekend and the nice weather.

Ulf

Ulf B. Simon-Weidner

# Viewing Phantom Objects@ Monday, July 18, 2005 11:19 AM

I will soon publish on my blog how to view Phantom objects; Viewing deleted objects is easy enough. In order to view Phantom objects, one needs to backup AD and access it offline using LDP.

http://spaces.msn.com/members/mvleriche/

Best regards,

MV

Ulf B. Simon-Weidner

# re: Global Catalog vs. Infrastructure Master@ Monday, July 18, 2005 11:25 AM

... Because the reason a GC cannot be an IM are Phantom objects...

Cheers

MV

Ulf B. Simon-Weidner

# re: Global Catalog vs. Infrastructure Master@ Sunday, July 31, 2005 6:09 PM

Hello Michel-Vincent,

> I will soon publish on my blog how to view Phantom
> objects; Viewing deleted objects is easy enough. In
> order to view Phantom objects, one needs to backup
> AD and access it offline using LDP.

Can you specify what you mean? You can view phantom objects online, and AFAIK there's no way to open AD offline with LDP - LDP is an LDAP browser and you can't access the DB directly.

> ... Because the reason a GC cannot be an IM are
> Phantom objects...

The GC can be an IM - as stated in my blog - but the IM will never be able to detect which phantom objects are required if it runs on the GC. However, this is not necessary if either every DC in that domain is also a GC, or if it's a single domain (because there won't be external users in groups and therefore no need to create phantoms).

Ulf

Ulf B. Simon-Weidner