AD DS: The infrastructure master for this domain should be held by a domain controller that is not a global catalog server

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2, Windows Server 2012

Product/Feature: Active Directory Domain Services (AD DS)

Severity: Error

Category: Configuration

Issue

The infrastructure master operations master role (also known as flexible single master operations (FSMO) role) and the global catalog are held by the same domain controller.

This issue does not affect forests that have a single domain.

Impact

Group-to-user references in this domain will not be updated when members of a group are renamed or changed within a domain.

The infrastructure master is responsible for updating the group-to-user references when the members of a group are renamed or changed within a domain.

For example, suppose that you use the Active Directory Users and Computers snap-in to add a user to a group within a single domain. While you are still connected to the same domain controller, you can view the group’s membership and see the user that you just added. If you rename the user object and then display the group membership, you instantly see the user’s new name in the list of group members. However, when the user and the group are in different domains, there is a lag between the time when you rename the user object and when the group that contains that user displays the user’s new name.

The domain controller that holds the infrastructure master role for the group’s domain is responsible for updating the cross-domain group-to-user reference to reflect the user’s name change. Periodically, the infrastructure master scans its database for group members from other domains. For each member from a foreign domain that the infrastructure master finds, it compares the name and the security identifier (SID) of the member against a global catalog. If the name or the SID does not match, the local reference is updated with the values in the global catalog. For example, if a user account is moved to a new domain, the infrastructure master updates the local reference’s name and SID because they do not match the values in the global catalog. After the infrastructure master updates these references locally, it uses replication to update all other replicas of the domain. If the infrastructure master is not available, these updates are delayed.

Because a global catalog maintains a partial copy of every object from every domain in the forest, the requirement to maintain any cross-domain references is eliminated. Therefore, if the infrastructure master is running on a global catalog server, it never finds any cross-domain references in its local database. Consequently, the infrastructure master is not able to determine which cross-domain references are stale, and it will not provide updates to any other domain controllers in its domain. For this reason, the infrastructure master should not run on a global catalog server in a forest that contains multiple domains. The following exceptions apply:

  • If every domain controller in a domain is a global catalog server, no cross-domain references exist, and the problem in the impact statement will not appear.

  • If a given domain in a multidomain forest contains only one domain controller, that domain controller must hold the infrastructure master role and is also the only domain controller in the domain that can host a global catalog. Therefore, the issue is not relevant.
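The following script is an added example, not part of this topic or the Best Practices Analyzer itself: it reproduces the rule's logic for one domain, including the two exceptions above, using the ActiveDirectory module (Windows PowerShell 3.0 or later, RSAT installed); the function and property names it defines are its own.

```powershell
Import-Module ActiveDirectory

function Test-InfrastructureMasterOnGlobalCatalog {
    # Returns one object saying whether the BPA rule applies to $DomainName and why.
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $DomainName)
    $holder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $nonGC  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    $result = [pscustomobject]@{
        Domain               = $domain.DNSRoot
        InfrastructureMaster = $domain.InfrastructureMaster
        HolderIsGC           = [bool]$holder.IsGlobalCatalog
        Status               = 'OK'
        Reason               = 'Infrastructure master is not a global catalog.'
        NonGCCandidates      = @()
    }

    if ($forest.Domains.Count -eq 1) {
        $result.Status = 'NotApplicable'
        $result.Reason = 'Single-domain forest: there are no cross-domain references to refresh.'
    }
    elseif ($dcs.Count -eq 1) {
        $result.Status = 'NotApplicable'
        $result.Reason = 'Only one domain controller in the domain (second exception).'
    }
    elseif ($nonGC.Count -eq 0) {
        $result.Status = 'NotApplicable'
        $result.Reason = 'Every domain controller is a global catalog (first exception).'
    }
    elseif ($result.HolderIsGC) {
        $result.Status = 'Error'
        $result.Reason = 'Infrastructure master is also a global catalog; stale cross-domain references will not be corrected.'
        # Domain controllers that could receive the role without triggering the rule again.
        $result.NonGCCandidates = @($nonGC | Select-Object -ExpandProperty HostName)
    }
    $result
}

# Check the domain of the signed-in user and show the verdict.
Test-InfrastructureMasterOnGlobalCatalog | Format-List
```

Run it once per domain in a multidomain forest (pass -DomainName), because the infrastructure master and global catalog placement are evaluated per domain.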

Resolution

Transfer the infrastructure master role to a different domain controller that is not a global catalog server or remove the global catalog from this domain controller. If this domain controller is the only global catalog server in the site, add the global catalog to another domain controller in the site.

Use the following procedures to transfer the infrastructure master role to a domain controller that is not a global catalog server. As an alternative, you can move the global catalog to another server in the same site.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To transfer the infrastructure master role

  1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. At the top of the console tree, right-click Active Directory Users and Computers, and then click Change Domain Controller.

  3. In the Name column, click the name of the domain controller to which you want to transfer the role, and then click OK.

  4. In the console tree, right-click Active Directory Users and Computers, click All Tasks, and then click Operations Masters.

  5. Click the Infrastructure tab. The name of the current infrastructure operations master role holder appears in the Operations master box. The name of the domain controller to which you want to transfer the role appears in the lower box.

  6. Verify the computer names that appear, and then click Change. Click Yes to transfer the role, click OK, and then click Close.

If you do not want to transfer the infrastructure master role to a domain controller that is not a global catalog server, you can instead remove the global catalog from the infrastructure master. If you are removing the only global catalog server in the site, add the global catalog to another domain controller in the same site before you remove it from the infrastructure master. This ensures that at least one global catalog server is always available in the site.

To add or remove the global catalog from a domain controller

  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, expand the Sites container, and then expand the site in which you are adding or removing a global catalog server.

  3. Expand the Servers container, and then expand the Server object for the domain controller for which you are adding or removing a global catalog server.

  4. Right-click the NTDS Settings object for the target server, and then click Properties.

  5. Select the Global Catalog check box to add the global catalog, or clear the check box to remove it, and then click OK.
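The script below is an added example, not part of this topic, that carries out the two procedures above from PowerShell with the ActiveDirectory module: by default it transfers the infrastructure master role to a domain controller that is not a global catalog (the first procedure), and with -RemoveGlobalCatalogInstead it clears the Global Catalog check box on the role holder's NTDS Settings object (the second procedure), adding a global catalog to another domain controller in the same site first if none exists there; the function names are this example's own, and it relies on the documented fact that the Global Catalog check box is bit 0x1 of the NTDS Settings object's options attribute.

```powershell
Import-Module ActiveDirectory

function Set-GlobalCatalogFlag {
    # Sets or clears the Global Catalog check box shown on the NTDS Settings object,
    # which is bit 0x1 of that object's 'options' attribute.
    param($DC, [bool]$Enabled)
    $ntds = Get-ADObject -Identity $DC.NTDSSettingsObjectDN -Properties options
    $opt  = [int]$ntds.options
    $opt  = if ($Enabled) { $opt -bor 1 } else { $opt -band (-bnot 1) }
    Set-ADObject -Identity $DC.NTDSSettingsObjectDN -Replace @{ options = $opt }
}

function Repair-InfrastructureMasterPlacement {
    param(
        [string]$DomainName = (Get-ADDomain).DNSRoot,
        [switch]$RemoveGlobalCatalogInstead   # second procedure instead of a role transfer
    )
    $domain = Get-ADDomain -Identity $DomainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $DomainName)
    $holder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

    if (-not $RemoveGlobalCatalogInstead) {
        # First procedure: move the role to a domain controller that is not a global catalog.
        # The cmdlet prompts for confirmation, like the Change button in the snap-in.
        $target = $dcs | Where-Object { -not $_.IsGlobalCatalog } | Select-Object -First 1
        if (-not $target) { throw "No non-GC domain controller in $DomainName can receive the role." }
        Move-ADDirectoryServerOperationsMasterRole -Identity $target.HostName `
            -OperationMasterRole InfrastructureMaster
        return
    }

    # Second procedure: keep the role where it is and remove the GC from the holder,
    # but only after confirming another GC in the same site will remain available.
    $otherGCs = @($dcs | Where-Object {
        $_.IsGlobalCatalog -and $_.Site -eq $holder.Site -and $_.HostName -ne $holder.HostName })
    if ($otherGCs.Count -eq 0) {
        $standby = $dcs | Where-Object { -not $_.IsGlobalCatalog -and $_.Site -eq $holder.Site } |
            Select-Object -First 1
        if (-not $standby) { throw "No other domain controller in site $($holder.Site) can host a global catalog." }
        Set-GlobalCatalogFlag -DC $standby -Enabled $true   # add the GC elsewhere first
    }
    Set-GlobalCatalogFlag -DC $holder -Enabled $false
}

# Examples: Repair-InfrastructureMasterPlacement
#           Repair-InfrastructureMasterPlacement -RemoveGlobalCatalogInstead
```

When the script has just added a global catalog to another domain controller, let that server finish replicating the partial read-only partitions before relying on it as the site's only global catalog.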

Additional references

For more information, see the following: