Why should the Infrastructure Master not be a Global Catalog server?

This is one of the most confusing questions in Active Directory. This post tries to explain it in a simpler way.

The Infrastructure Master role is responsible for maintaining cross-domain references, that is, references from objects in its own domain to objects that live in other domains of the forest. To understand cross-domain references, it is essential to understand phantom objects.

An AD group can hold members from its own domain, and domain local and universal groups can also hold users, computers and groups from other domains in the forest (global groups cannot; their members must come from their own domain). For a group in one domain to contain a member from another domain, the DC needs a local stand-in for an object it does not hold in its own database. This stand-in is called a phantom object (or phantom record). A phantom stores the GUID, the distinguished name (DN) and, for security principals, the SID of the referenced object. It is not a real object and is never replicated: each DC creates phantoms locally in its own database.
Phantoms need to be kept current when the referenced object is renamed, moved or deleted. The DC holding the Infrastructure Master (IM) role does this for the whole domain: it compares the phantoms in its domain partition against a Global Catalog (GC), corrects any that are out of date, and replicates the corrected references to the other DCs in the domain. A DC that is also a GC holds no phantoms for objects in other domains, because it already has a partial read-only replica of every object in the forest and can reference those replica objects directly.

Process of updating phantom objects

Suppose an object X in domain A is referenced from domain B (for example, X is a member of a domain local group in B). When a change is made to X, the following takes place.

  • X is changed in domain A (say, it is moved to another OU in domain A, so its DN changes)
  • The change replicates within domain A and, through the partial attribute set, to every GC in the forest (not instantly; it follows the normal replication schedule)
  • The partial replica on domain B's GC now shows the new DN of X, while the phantom for X on the non-GC DCs of domain B still carries the old DN
  • The IM of domain B periodically (by default every two days) compares the phantoms in its domain partition against a GC
  • It finds the stale phantom for X, updates it with the new DN taken from the GC, and replicates the corrected reference to the other DCs in domain B
Now what happens if the IM is on a GC?
  • The IM's own database holds no phantoms for cross-domain references, because as a GC it carries the referenced objects themselves in its partial replica, which replication always keeps current
  • Therefore the IM never finds anything stale to correct and never sends corrected references to the other DCs, so the phantoms on the non-GC DCs of the domain go stale: a user from another domain who was moved or renamed keeps showing up in group memberships under the old DN
  • There is no impact if there is only one domain in the forest, because no cross-domain references exist

An IM can safely be on a GC when:
  • All the DCs in the domain are global catalog servers (no DC then holds phantoms that need updating)
  • There is only one domain in the forest (there are no cross-domain references at all)
  • The Active Directory Recycle Bin is enabled (requires Windows Server 2008 R2 forest functional level or later): with the Recycle Bin on, every DC updates its own cross-domain references, so the placement of the IM no longer matters
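The following PowerShell script is an added example, not part of the original post, that audits every domain in the forest for the placement problem described above and applies the three exceptions just listed. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read every domain in the forest, and, when run with -Remediate, that the first writable non-GC DC it finds is an acceptable new holder for the role (a hypothetical choice; pick the target deliberately in production).

```powershell
# Added example (not from the original post): find domains where the
# Infrastructure Master sits on a Global Catalog while non-GC DCs still
# depend on it to refresh their phantom records.
[CmdletBinding()]
param(
    # Move the IM to a writable non-GC DC when a real problem is found.
    [switch]$Remediate
)

Import-Module ActiveDirectory -ErrorAction Stop

$forest  = Get-ADForest
$domains = @($forest.Domains)

# With the AD Recycle Bin enabled, every DC maintains its own phantoms,
# so the IM/GC conflict is moot forest-wide. EnabledScopes is empty
# until the optional feature has been turned on.
$recycleBin   = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' `
                    -Server $forest.DomainNamingMaster
$recycleBinOn = ($null -ne $recycleBin -and $recycleBin.EnabledScopes.Count -gt 0)

foreach ($domainName in $domains) {
    $domain   = Get-ADDomain -Identity $domainName
    $imHolder = $domain.InfrastructureMaster            # FQDN of the role holder
    $dcs      = @(Get-ADDomainController -Filter * -Server $domainName)
    $imDc     = $dcs | Where-Object { $_.HostName -eq $imHolder }
    $imIsGc   = [bool]($imDc -and $imDc.IsGlobalCatalog)
    $allGc    = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # Evaluate the rule and its exceptions in the order the post gives them.
    if (-not $imDc)             { $status = 'UNKNOWN: role holder not found among the domain DCs' }
    elseif (-not $imIsGc)       { $status = 'OK: IM is not a GC' }
    elseif ($domains.Count -eq 1) { $status = 'OK: single-domain forest, no cross-domain references' }
    elseif ($allGc)             { $status = 'OK: every DC is a GC, nobody holds phantoms' }
    elseif ($recycleBinOn)      { $status = 'OK: Recycle Bin enabled, each DC updates its own phantoms' }
    else                        { $status = 'PROBLEM: IM is a GC and non-GC DCs exist; phantoms will go stale' }

    [pscustomobject]@{
        Domain      = $domainName
        IMHolder    = $imHolder
        IMIsGC      = $imIsGc
        AllDCsAreGC = $allGc
        Status      = $status
    }

    if ($Remediate -and $status -like 'PROBLEM*') {
        # Assumption: the first writable non-GC DC is a suitable holder.
        $target = $dcs |
            Where-Object { -not $_.IsGlobalCatalog -and -not $_.IsReadOnly } |
            Select-Object -First 1
        if ($target) {
            Move-ADDirectoryServerOperationMasterRole -Identity $target.HostName `
                -OperationMasterRole InfrastructureMaster -Confirm:$false
            Write-Host "Moved Infrastructure Master for $domainName to $($target.HostName)"
        }
    }
}
```

Run it without -Remediate first and review the Status column; the only row that needs action is one marked PROBLEM. Alternatively, instead of moving the role, you can make every DC in the affected domain a GC, which is the first exception above and is the usual choice in small forests.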

