Tips and Concepts

Infrastructure Master and Global Catalog

Let's review the functions of the infrastructure master and the global catalog.

Infrastructure Master: The infrastructure master is responsible for updating the group-to-user references from another domain whenever the members of groups are renamed or changed within its domain. In other words, an infrastructure master for a given domain maintains a list of the security principals from other domains that are members of groups within its domain.

Global Catalog: The global catalog is a database that contains a searchable, partial representation of every object in every AD domain in an AD forest. The global catalog provides the ability to locate objects from any domain in a given site without having to know the domain name.

How do they work with each other?
In a multi-domain forest, the DC that holds the infrastructure master role for its domain is responsible for updating the cross-domain group-to-user references to reflect objects that are added, changed or removed, and changes in group membership. Periodically, the infrastructure master scans its database for group members from other domains and compares the name and the security identifier (SID) of each member against a global catalog. If the name or the SID does not match, the local reference is updated with the values in the global catalog, and the update is replicated to all other DCs in its domain.
Global catalog databases receive updates for objects in all domains through replication and will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.

If both the infrastructure master role and the global catalog service are on the same domain controller, any change to an AD object is reflected in both the infrastructure master and the global catalog database. The infrastructure master will never find data that is out of date, and it will not provide updates to any other domain controllers in its domain.

Note: This problem does not affect a single domain in a single forest.

  1.   Again, if you only have a single domain in a single forest, you don't have to worry about this problem.
  2.   If every domain controller runs the global catalog service, you don't have to worry, because all GCs replicate to each other. However, your network will be replicating like crazy.
  3.   If a given domain in a multi-domain forest contains only one domain controller, that domain controller necessarily holds the infrastructure master role, whether or not it is also a global catalog. Therefore, the issue is not relevant.

To resolve the problem, transfer the infrastructure master role to a different domain controller that is not a global catalog server, or remove the global catalog from this domain controller. If this domain controller is the only global catalog server in the site, add the global catalog to another domain controller in the site.
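
The placement rules and the three exceptions above, written as a check that can be run per domain. This is an added example, not part of the original page: the function name Test-InfrastructureMasterPlacement and the example.test host names are hypothetical, the inventory is constructed sample data, and exception 2 is applied per domain as an assumption.

```powershell
# Added example: flags a domain whose infrastructure master is also a global catalog,
# unless one of the three exceptions listed above applies.
# The inventory at the bottom is constructed. On a live forest the same fields come from
# (Get-ADForest).Domains, (Get-ADDomain).InfrastructureMaster and
# Get-ADDomainController -Filter *  (properties HostName and IsGlobalCatalog).

function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)] [int]      $ForestDomainCount,    # domains in the forest
        [Parameter(Mandatory)] [string]   $InfrastructureMaster, # FQDN of the role holder
        [Parameter(Mandatory)] [object[]] $DomainControllers     # all DCs of this domain
    )

    $owner = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    if (-not $owner) { throw "Role holder '$InfrastructureMaster' is not in the DC list." }

    # DCs that could take the role without also being a global catalog
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    # Exception 1: single domain in a single forest
    if ($ForestDomainCount -eq 1)          { return 'OK: single-domain forest' }
    # Exception 3: the domain has only one DC
    if (@($DomainControllers).Count -eq 1) { return 'OK: only one DC in this domain' }
    # Exception 2 (assumed per domain): every DC is a global catalog
    if ($nonGc.Count -eq 0)                { return 'OK: every DC is a global catalog' }
    # Normal case: the role holder is not a global catalog
    if (-not $owner.IsGlobalCatalog)       { return 'OK: role holder is not a global catalog' }

    $candidates = $nonGc.HostName -join ', '
    return "PROBLEM: $InfrastructureMaster is a GC; transfer the role to one of: $candidates"
}

# Constructed inventory for one child domain of a two-domain forest
$dcs = @(
    [pscustomobject]@{ HostName = 'dc1.child.example.test'; IsGlobalCatalog = $true  }
    [pscustomobject]@{ HostName = 'dc2.child.example.test'; IsGlobalCatalog = $false }
)

# Role held by the GC: reported as a problem, with dc2 as the transfer candidate
Test-InfrastructureMasterPlacement -ForestDomainCount 2 `
    -InfrastructureMaster 'dc1.child.example.test' -DomainControllers $dcs

# Role held by the non-GC domain controller: reported as OK
Test-InfrastructureMasterPlacement -ForestDomainCount 2 `
    -InfrastructureMaster 'dc2.child.example.test' -DomainControllers $dcs
```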