Why are the Global Catalog and Infrastructure Master role not placed on the same DC?

Atula posted this 21 February 2017

This is the most confusing for me and not clear yet; this question is mostly asked in interviews.

Lots have posted this question on the internet, but there is not a single answer for this. Can anyone help with a proper example?


daemonr00t posted this 21 February 2017

Couple of things there… if all DCs are GC or if you have AD Recycle Bin enabled then don’t worry.


Now… remember that when you add a foreign security principal (based on domain B) to a security group on your domain (domain A) what’s really created is a reference to that foreign object.


There’s a story of backlink attributes you might want to read about too.


If you move the foreign object the distinguishedName will change… now on the other side (your domain) someone has to go update that reference. That’s what the Infrastructure Master does.


So if your server is a GC then it already has a copy of domain B’s naming context… so there’s no need to update those references as “I already have that info”…



Another thing I consider worth mentioning is that back in the old days we used to be very careful in regards to GC placement due to the network bandwidth limitations, which at this point in time are less common.


Hope this gives you a better picture.



~danny CS




Milo posted this 21 February 2017

Hi Atul,

This article explains it well: https://technet.microsoft.com/en-us/library/ff646933(v=ws.10).aspx

Here is the important bit from the article:

The infrastructure master is responsible for updating the group-to-user references when the members of a group are renamed or changed within a domain.

For example, suppose that you use the Active Directory Users and Computers snap-in to add a user to a group within a single domain. While you are still connected to the same domain controller, you can view the group’s membership and see the user that you just added. If you rename the user object and then display the group membership, you instantly see the user’s new name in the list of group members. However, when the user and the group are in different domains, there is a lag between the time when you rename the user object and when the group that contains that user displays the user’s new name.

The domain controller that holds the infrastructure master role for the group’s domain is responsible for updating the cross-domain group-to-user reference to reflect the user’s name change. Periodically, the infrastructure master scans its database for group members from other domains. For each member from a foreign domain that the infrastructure master finds, it compares the name and the security identifier (SID) of the member against a global catalog. If the name or the SID does not match, the local reference is updated with the values in the global catalog. For example, if a user account is moved to a new domain, the infrastructure master updates the local reference’s name and SID because they do not match the values in the global catalog. After the infrastructure master updates these references locally, it uses replication to update all other replicas of the domain. If the infrastructure master is not available, these updates are delayed.

Because a global catalog maintains a partial copy of every object from every domain in the forest, the requirement to maintain any cross-domain references is eliminated. Therefore, if the infrastructure master is running on a global catalog server, it never finds any cross-domain references in its local database. Consequently, the infrastructure master is not able to determine which cross-domain references are stale, and it will not provide updates to any other domain controllers in its domain. For this reason, the infrastructure master should not run on a global catalog server in a forest that contains multiple domains.

There are notable exceptions:

(1) In a single domain forest environment there are no considerations around the Infrastructure Master, since there are no cross-domain objects to keep track of.

(2) In a multiple domain forest environment if all DCs are Global Catalog servers there are no considerations around the Infrastructure Master.

(3) In a forest where the AD DS Recycle Bin has been enabled all DCs become responsible for updating their own cross-domain object references in the event the referenced object is moved, renamed, or deleted. This means there are no longer any tasks associated with the Infrastructure Master role, and it is not important which DC owns it, since each DC is fulfilling this function.
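
The placement rule and the three exceptions quoted above can be checked against a live forest. The following PowerShell is an added example, not part of the original post or the quoted article; the function name `Test-InfrastructureMasterPlacement` is hypothetical, and it assumes the ActiveDirectory (RSAT) module and read access to every domain in the forest.

```powershell
# Added example: read-only audit of Infrastructure Master (IM) placement.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    $forest = Get-ADForest

    # Exception (1): single-domain forest, no cross-domain references exist.
    $singleDomain = ($forest.Domains.Count -eq 1)

    # Exception (3): with the Recycle Bin enabled, every DC updates its own
    # cross-domain references and the IM has no work left to do.
    $rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    $recycleBinOn = [bool]($rb -and $rb.EnabledScopes.Count -gt 0)

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Server $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $holder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $imIsGc = [bool]$holder.IsGlobalCatalog

        $verdict =
            if ($singleDomain)           { 'OK: single-domain forest' }
            elseif ($recycleBinOn)       { 'OK: Recycle Bin enabled, each DC updates its own references' }
            elseif ($nonGc.Count -eq 0)  { 'OK: every DC in the domain is a GC' }   # Exception (2)
            elseif ($imIsGc)             { 'MOVE: IM is on a GC while non-GC DCs exist' }
            else                         { 'OK: IM is on a non-GC DC' }

        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $domain.InfrastructureMaster
            IMIsGlobalCatalog    = $imIsGc
            # Candidate hosts for the role if a move is needed.
            NonGcDCs             = ($nonGc.HostName -join ', ')
            Verdict              = $verdict
        }
    }
}

Test-InfrastructureMasterPlacement | Format-List
```

A `MOVE` verdict is the one case the thread describes as a real problem: the IM finds no stale references on its own GC copy, so the non-GC DCs listed in `NonGcDCs` never receive updates.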




DonH posted this 21 February 2017

Because the Infrastructure master figures out which external references need to be updated by comparing its local reference name data (which might be out of date) to the data on a GC (which has up-to-date names from all domains). If the IM is a GC then its references will already be up-to-date (via GC replication) and it won’t have a discrepancy to notice.

The IM is solving a problem (out of date cross-domain references) that only exists on non-GC DCs. We could have had each non-GC DC solve the problem on its own by separately querying GCs, but that seemed like a lot of redundant work (typically the references are up-to-date and doing the GC comparison causes more network traffic and database activity than do the rare resulting updates). Instead we got fancy and made one DC (the IM) do the work on behalf of all the non-GC DCs in the domain.

If you put the IM role on a GC it will notice that it’s misconfigured and will figure out if there are any non-GC DCs in the domain and will put a message in the event log telling you to move the IM role to one of those machines, even offering a suggestion. I wanted to go the further step of automatically moving the IM role to an appropriate DC in that case, but customers were totally terrified at the prospect of a FSMO role moving on its own, and so we left it at just the event log message.

(Bonus trivia: customer fear of self-moving roles is what made us change the original name of Floating Single Master Operation to Flexible Single Master Operation late in the dev cycle. Lucky for us the schema names all just used “FSMO”, and so all we had to do was come up with a new more soothing word that the letter “F” could stand for.)

Don Hacherl


kebabfest posted this 22 February 2017

Generally now all domain controllers are global catalogs. It is only recommended to put the infrastructure role on a DC without the GC role if there are DCs without GC roles. A real chicken and egg scenario. If for some reason you have a DC without a GC role and you put the infrastructure role on a DC with the GC role then, if memory serves, when you make username or group name changes they won't replicate properly throughout the estate.


Atula posted this 26 February 2017

How to answer this question if asked in a technical interview?


daemonr00t posted this 26 February 2017

Dear Atul,


These kinds of resources are meant to share the knowledge and help out the communities driven by solidarity and team-player spirits… your latter question I think deviates a bit from that.


Let me tell you that as someone who has led teams in the past I appreciate honesty over all other matters; knowing what you don’t know is good, there’s no reason to be afraid of stepping forward and saying “I don’t know”. There’s no recruiter or hiring manager that would expect to find someone that knows it all. And one can also tell when someone is just quoting something.


I encourage you to check the product documentation, read a good AD book and play around with your lab environment if you are aiming for an AD position.


Best regards,


~danny CS




g4ugm posted this 26 February 2017

If all DCs are GCs then the role is not required, as all GCs have access to all the required information locally.

https://support.microsoft.com/en-gb/help/197132/active-directory-fsmo-roles-in-windows

Dave


kebabfest posted this 26 February 2017

Danny makes a very good point. I actually think it is a great question as it makes the interviewee think. Also I appreciate when people respond with an honest “I don't know”. One question I like to ask is: can you explain how SID history works? If somebody doesn't know, but can ask pertinent questions, then I am happy. The wafflers and bsers are unlikely to give me a straight answer when there are serious problems on a project. An interview is just as much about getting the measure of a person as their technical ability.


Atula posted this 27 February 2017

Dear Danny,

I would like to apologize for the same. It was a mistake which had no negative motivation behind it and I assure you that I will not show such carelessness again.


daemonr00t posted this 27 February 2017

No need to apologize mate. This is our sandbox, a place to experiment and learn.

Have a great week!


