The way I came to remember it is if it is the only domain in the forest the IM is irrelevant & if all DCs are GCs, the IM is irrelevant.
The documentation is a lot better than it used to be -

Requirements for infrastructure master placement

The infrastructure master updates the names of security principals from other domains that are added to groups in its own domain. For example, if a user from one domain is a member of a group in a second domain and the user's name is changed in the first domain, the second domain is not notified that the user's name must be updated in the group's membership list. Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never becomes aware of the change in the absence of the infrastructure master.

The infrastructure master constantly monitors group memberships, looking for security principals from other domains. If it finds one, it checks with the security principal's domain to verify that the information is updated. If the information is out of date, the infrastructure master performs the update and then replicates the change to the other domain controllers in its domain.

Two exceptions apply to this rule. First, if all domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalogs replicate the updated information regardless of the domain to which they belong. Second, if the forest has only one domain, the domain controller that hosts the infrastructure master role is insignificant because security principals from other domains do not exist.

From: Jon Harris [mailto:[email protected]]
Sent: Friday, September 04, 2009 6:19 AM
To: NT System Admin Issues
Subject: Re: change operatins master

Now that is much clearer than the Microsoft documentation for 2000 and NOW I truly understand what was being said. Thank you.

Jon

On Fri, Sep 4, 2009 at 8:03 AM, Ken Schaefer <[email protected]> wrote:

Client numbers are irrelevant.
Infrastructure Master works by comparing what it has in its database with what a GC has in its. If you make the IM a GC, then when it compares its db with another GC there are no differences. And the IM then doesn't do anything.

If you only have a single domain, then GCs don't store anything more than regular DCs. If all the DCs in the domain are also GCs, then there's nothing for the IM to do anyway.

But if you have >1 domain, and not all DCs are GCs, then you need the IM to do things. And that means the IM can not be on a GC.

Cheers
Ken

From: Jon Harris [mailto:[email protected]]
Sent: Friday, 4 September 2009 5:42 AM
To: NT System Admin Issues
Subject: Re: change operatins master

That warning does not apply to a single (small) domain model if I remember correctly. You would have issues if this were a multi-domain, large number of clients type of setting.

Jon

On Thu, Sep 3, 2009 at 5:30 PM, James Kerr <[email protected]> wrote:

ok it seems I will be ok transferring this role to a single DC since this is a single forest single domain setup. Thanks for the help Erik.

James

----- Original Message -----
From: James Kerr <mailto:[email protected]>
To: NT System Admin Issues <mailto:[email protected]>
Sent: Thursday, September 03, 2009 5:27 PM
Subject: Re: change operatins master

Thanks, going from ADUC on the 2003 DC did the trick. Now I'm reminded of something. Getting a popup stating that infrastructure master role should not be transferred to a GC server. Argh, it's going to be the only server at that site. Do I really need to have two DCs at a small site? What may happen if I hit yes to transfer the role?

----- Original Message -----
From: Erik Goldoff <mailto:[email protected]>
To: NT System Admin Issues <mailto:[email protected]>
Sent: Thursday, September 03, 2009 5:16 PM
Subject: RE: change operatins master

but no other servers in the list ??? Does the new server show up in Domain Controllers' container in ADUC ?
ok, in ADUC, right click on the domain.local and you should have an option to connect to another server, pick the one you want to house the role .... then click on Operations master and click the CHANGE button

OR, if you did this from the 2008 server, the change should already be set with the old server holding the role, and the new server in the second position to Change to
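
The placement rules discussed in this thread, written out as a check. This is an added example, not part of any message above; Get-InfrastructureMasterVerdict is a hypothetical helper and the host names are constructed sample data.

```powershell
# Added example (not from the thread). Get-InfrastructureMasterVerdict is a hypothetical helper.
function Get-InfrastructureMasterVerdict {
    param(
        [int]      $DomainCount,         # domains in the forest
        [object[]] $DomainControllers,   # DCs of this domain: HostName, IsGlobalCatalog
        [string]   $RoleHolder           # FQDN of the infrastructure master
    )
    $nonGc  = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })
    $holder = @($DomainControllers | Where-Object { $_.HostName -eq $RoleHolder })

    # Exception: a single-domain forest has no security principals from other domains.
    if ($DomainCount -le 1)  { return 'Irrelevant: only domain in the forest' }
    # Exception: when every DC is a GC, the GCs already replicate the updated information.
    if ($nonGc.Count -eq 0)  { return 'Irrelevant: all DCs are GCs' }
    if ($holder.Count -eq 0) { return "Unknown: $RoleHolder is not in the DC list" }
    if ($holder[0].IsGlobalCatalog) {
        $candidates = ($nonGc | ForEach-Object { $_.HostName }) -join ', '
        return "Move the role: $RoleHolder is a GC. Non-GC candidates: $candidates"
    }
    return "OK: $RoleHolder is not a GC"
}

# Constructed sample topologies (host names are made up).
$singleSite = @(
    [pscustomobject]@{ HostName = 'dc1.example.local'; IsGlobalCatalog = $true }
)
$mixed = @(
    [pscustomobject]@{ HostName = 'dc1.child.example.local'; IsGlobalCatalog = $true  }
    [pscustomobject]@{ HostName = 'dc2.child.example.local'; IsGlobalCatalog = $false }
)

Get-InfrastructureMasterVerdict -DomainCount 1 -DomainControllers $singleSite -RoleHolder 'dc1.example.local'
Get-InfrastructureMasterVerdict -DomainCount 2 -DomainControllers $mixed -RoleHolder 'dc1.child.example.local'
Get-InfrastructureMasterVerdict -DomainCount 2 -DomainControllers $mixed -RoleHolder 'dc2.child.example.local'

# Against a live domain (needs the ActiveDirectory module from RSAT):
#   $dcs = Get-ADDomainController -Filter *
#   Get-InfrastructureMasterVerdict -DomainCount (Get-ADForest).Domains.Count `
#       -DomainControllers $dcs -RoleHolder (Get-ADDomain).InfrastructureMaster
```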
