Tuesday, September 25, 2007

Domain-level role absence on a Global Catalog server

Here is great information straight from TechNet, explaining why the Infrastructure Master role should not be hosted on a Domain Controller that is also a global catalog server.

Do not host the infrastructure master on a domain controller that is acting as a global catalog server. The infrastructure master updates the names of security principals for any domain-named linked attributes.

For example:

If a user from one domain is a member of a group in a second domain and the user's name is changed in the first domain, then the second domain is not notified that the user's name must be updated in the group's membership list.

Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never becomes aware of the change. The infrastructure master constantly monitors group memberships, looking for security principals from other domains. If it finds one, it checks with the security principal's domain to verify that the information is updated. If the information is out of date, the infrastructure master performs the update and then replicates the change to the other domain controllers in its domain.

Two exceptions apply to this rule.

First:

If all the domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalogs do replicate the updated information regardless of the domain to which they belong.

Second:

If the forest has only one domain, the domain controller that hosts the infrastructure master role is not needed, because security principals from other domains do not exist. Because it is best to keep the three domain-level roles together, avoid putting any of them on a global catalog server.

TechNet
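The guidance above reduces to a check an administrator can run: for each domain, find the DC holding the Infrastructure Master role, see whether it is a global catalog, and then apply the two exceptions (every DC is a GC, or the forest has a single domain). The script below is an added example, not part of the TechNet text or the original post. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later) and an account with read access to the forest.

```powershell
# Added example: audit Infrastructure Master placement against the TechNet guidance.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later).
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    [CmdletBinding()]
    param()

    $forest = Get-ADForest
    # Exception 2: a single-domain forest has no cross-domain phantoms to refresh.
    $singleDomainForest = ($forest.Domains.Count -eq 1)

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $imHost = $domain.InfrastructureMaster      # FQDN of the DC holding the role

        # Enumerate every DC in this domain with its global catalog flag.
        $dcs = Get-ADDomainController -Filter * -Server $domainName
        # Exception 1: if every DC is a GC, the role's placement does not matter.
        $allAreGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $imDc     = $dcs | Where-Object { $_.HostName -eq $imHost }
        $imIsGc   = [bool]$imDc.IsGlobalCatalog

        if (-not $imIsGc) {
            $verdict = 'OK: infrastructure master is not a global catalog'
        }
        elseif ($singleDomainForest) {
            $verdict = 'OK: single-domain forest, placement is irrelevant (exception 2)'
        }
        elseif ($allAreGc) {
            $verdict = 'OK: every DC is a GC, placement is irrelevant (exception 1)'
        }
        else {
            # The problem case from the article: the IM is a GC while other DCs are not,
            # so it never sees stale cross-domain members and never updates them.
            $verdict = 'WARNING: infrastructure master is a GC but not all DCs are; cross-domain group members will go stale'
        }

        [PSCustomObject]@{
            Domain               = $domainName
            InfrastructureMaster = $imHost
            ImIsGlobalCatalog    = $imIsGc
            AllDCsAreGC          = $allAreGc
            SingleDomainForest   = $singleDomainForest
            Verdict              = $verdict
        }
    }
}

Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

Run it from any domain-joined host with RSAT; a WARNING row is the configuration the article warns about. To remediate, the role can be moved to a non-GC domain controller with `Move-ADDirectoryServerOperationMasterRole -Identity <TargetDC> -OperationMasterRole InfrastructureMaster` (from the same module), or the other DCs in the domain can be made global catalogs so that exception 1 applies.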


Best,

Oz ozugurlu
