Re: IFM and Universal Security Groups
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Thu, 12 Oct 2006 14:53:14 +0100
In that case it would be IM ;)
- The Infrastructure master role: Ensures cross-domain object references are
handled properly, such as when objects in one domain are referenced by
objects in a different domain.
- The domain controller assigned the infrastructure master role is
responsible for updating the group-to-user references whenever the members
of groups are renamed or changed. At any time, there can be only one domain
controller acting as the infrastructure master in each domain.
When you rename or move a member of a group (and the member resides in a
different domain from the group), the group might temporarily appear not to
contain that member. The infrastructure master of the group's domain is
responsible for updating the group so it knows the new name or location of
the member. The infrastructure master distributes the update via multimaster
replication.
- The IM is responsible for updating cross-domain object references on each DC
in the Domain. To do that, it needs to check for changes on an available GC,
then compares its information with the information that the GC has; if there
are any changes, it updates its local information and updates cross-domain
object references on each DC in the Domain.
- The problem is that if the IM is also a GC, when it is going to check for
changes it asks for a GC, and because the IM is also a GC it "thinks" that it
has all information updated and there's no need to update the DCs in its
domain, causing other DCs to end up with non-updated information. Remember,
DCs in a domain only know everything about their domain, because the domain
partition is replicated between them.
Example - 2 Domains:
- Domain1
- Domain2
- You create a Universal Security group on Domain1, and add to it a
user from Domain2.
- All GCs in the forest know that UNG on domain1 has a user from Domain2, and
all DCs in the Domain1 also know that, but DCs (non-GCs) in Domain2 don't
know anything about it; the IM in their Domain is responsible for updating
that information and replicating it to the DCs in their domain.
So in conclusion:
- If you have only 1 Domain you don't have cross-domain object references,
so there is no job for the IM.
- If you have only 1 DC in a domain, it doesn't matter if it is a GC or not
because that DC holds all roles for its domain, and it doesn't need to
update any other DC in its domain, so in this scenario it doesn't matter if
it is a GC or not.
- If in your Domain only some DCs are GCs then we DON'T place the IM on a
GC, because the other non-GCs in the domain will end up with missing
information about cross-domain object references.
- If all DCs in the Domain are GCs, then it's OK to put the Infrastructure
master on a GC, because all DCs will be updated.
FSMO placement and optimization on Active Directory domain controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;223346
Phantoms, tombstones and the infrastructure master
http://support.microsoft.com/?id=24804
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Nick" <me@xxxxxxxxxxx> wrote in message
news:Ow6YuTg7GHA.3836@xxxxxxxxxxxxxxxxxxxxxxx
No Jorge, Infrastructure Master.
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:O578dDg7GHA.4708@xxxxxxxxxxxxxxxxxxxxxxx
Hi
are you talking about Install From Media?
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Nick" <me@xxxxxxxxxxx> wrote in message
news:ei1FsTe7GHA.1012@xxxxxxxxxxxxxxxxxxxxxxx
What role does the IFM play in updating the membership of Universal
Groups in its domain, with changes to objects from another domain?
If I rename a user in another domain who is a member of the group what
does the IFM do?
I suspect nothing since the UGs are defined in the GC, but can anyone
confirm or deny this please?
TIA
Nick
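The placement rules from the conclusion list in the reply above, written as a check you can run against the current domain. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is installed, and the function name is hypothetical.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $InfrastructureMaster,  # FQDN of the IM role holder
        [Parameter(Mandatory)] [object[]] $DomainControllers,     # need HostName, IsGlobalCatalog
        [Parameter(Mandatory)] [int]      $ForestDomainCount
    )
    $im    = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    # Walk the cases in the same order as the conclusion list in the post.
    if (-not $im) {
        $status = 'Unknown'; $reason = 'IM role holder not found among the DCs returned'
    } elseif ($ForestDomainCount -le 1) {
        $status = 'OK';      $reason = 'Single domain: no cross-domain references to maintain'
    } elseif ($DomainControllers.Count -eq 1) {
        $status = 'OK';      $reason = 'Only one DC in the domain: nothing else to update'
    } elseif (-not $im.IsGlobalCatalog) {
        $status = 'OK';      $reason = 'IM is not a GC'
    } elseif ($nonGc.Count -eq 0) {
        $status = 'OK';      $reason = 'IM is a GC, but every DC in the domain is a GC'
    } else {
        $status = 'Review';  $reason = 'IM is on a GC while non-GC DCs exist in the domain'
    }

    [pscustomobject]@{
        InfrastructureMaster = $InfrastructureMaster
        Status               = $status
        Reason               = $reason
        NonGcDomainControllers = ($nonGc | ForEach-Object { $_.HostName }) -join ', '
    }
}

# Collect the facts from the directory and evaluate the current domain.
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
Test-InfrastructureMasterPlacement -InfrastructureMaster $domain.InfrastructureMaster `
    -DomainControllers $dcs -ForestDomainCount @((Get-ADForest).Domains).Count
```

A `Review` result lists the non-GC domain controllers that would be left with stale cross-domain references under the scenario described in the reply.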