• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1089

Transferring FSMO Roles to new server

Hello all...

My 'main' server is experiencing problems with its RAID drive.  We are taking it down this weekend to remedy.  To cover all of my bases, I have added a new server to the network, and made it an AD server with the Global Catalog installed.

I am now in the process of moving the roles to that server. I have transferred over:

RID Master, PDC Emulator, Domain Naming Master, Schema Master (all with no problem)

When I go to change the Infrastructure Master, I get a warning:

(this server) is a Global Catalog (GC) server. The infrastructure operations master role should not be transferred to a GC server...please see help, etc.

Are you certain you want to transfer?

Should I transfer it?  The other server that it is currently on is a GC server.  Are there any consequences, etc. I should watch out for when I do?

Insight appreciated,


3 Solutions

In a multiple domain controller environment, the Infrastructure master should not be on a GC. If this is the only DC in this site, it should be okay however.



In every AD environment I've seen, I've heard of this issue... OK Let's see...

AD heavily relies on redundancy, which means at least two domain controllers. Let's say that only one of them holds the GC. If that DC fails, no more GC, which means only the domain admin has logon privileges... OK, so both DCs are now GC, but you have to do something about this damn infrastructure master ... OK Let's set up a third DC, not GC, whose role will be to safely host the infrastructure operations master role.... In a small organization, that would mean some money.

Would the conclusion be: Msft never thought about smaller companies when they developed AD? Nah, I don't want to believe this. The point is I've seen many DCs host all FSMO roles flawlessly.

It's not considered a best practice, though, but if it's your only option, go ahead, it shouldn't hurt.

The other EE experts are right...but just in case you want MS' word

From here: http://technet2.microsoft.com/WindowsServer/en/Library/8a378df1-50b5-4a79-986c-364ce6e0cb071033.mspx

Domain-level role absence on a Global Catalog server

Do not host the infrastructure master on a domain controller that is acting as a global catalog server.

The infrastructure master updates the names of security principals for any domain-named linked attributes. For example, if a user from one domain is a member of a group in a second domain and the user’s name is changed in the first domain, then the second domain is not notified that the user’s name must be updated in the group’s membership list. Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never becomes aware of the change. The infrastructure master constantly monitors group memberships, looking for security principals from other domains. If it finds one, it checks with the security principal’s domain to verify that the information is updated. If the information is out of date, the infrastructure master performs the update and then replicates the change to the other domain controllers in its domain.

Two exceptions apply to this rule. *************First, if all the domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalogs do replicate the updated information regardless of the domain to which they belong. Second, if the forest has only one domain, the domain controller that hosts the infrastructure master role is not needed because security principals from other domains do not exist.*******************

Because it is best to keep the three domain-level roles together, avoid putting any of them on a global catalog server.
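
The placement rule and its two exceptions quoted above can be checked mechanically. The following is an added example, not part of the original thread or of Microsoft's documentation: the function name `Test-InfrastructureMasterPlacement` and the `example.test` host names are hypothetical, and the inventory is constructed to match the asker's setup (two DCs, both GCs, one domain).

```powershell
# Added example: evaluates Infrastructure Master placement against the rule and
# the two exceptions quoted above. Function name and host names are hypothetical.
function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)] [object[]] $DomainControllers,    # objects with HostName, IsGlobalCatalog
        [Parameter(Mandatory)] [string]   $InfrastructureMaster, # FQDN of the role holder
        [Parameter(Mandatory)] [int]      $ForestDomainCount
    )

    $holder = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    if (-not $holder) {
        throw "Role holder '$InfrastructureMaster' is not in the supplied DC list."
    }

    # DCs that would depend on the infrastructure master for cross-domain updates
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    $verdict = if (-not $holder.IsGlobalCatalog) {
        'OK: role holder is not a global catalog'
    } elseif ($nonGc.Count -eq 0) {
        'OK (exception 1): every domain controller is a global catalog'
    } elseif ($ForestDomainCount -eq 1) {
        'OK (exception 2): single-domain forest, no security principals from other domains'
    } else {
        'REVIEW: role holder is a GC while non-GC domain controllers exist'
    }

    [pscustomobject]@{
        InfrastructureMaster = $InfrastructureMaster
        HolderIsGC           = [bool]$holder.IsGlobalCatalog
        ForestDomainCount    = $ForestDomainCount
        NonGcControllers     = $nonGc.HostName
        Verdict              = $verdict
    }
}

# Constructed inventory matching the thread: two DCs, both GCs, one domain.
$dcs = @(
    [pscustomobject]@{ HostName = 'dc-old.example.test'; IsGlobalCatalog = $true },
    [pscustomobject]@{ HostName = 'dc-new.example.test'; IsGlobalCatalog = $true }
)
Test-InfrastructureMasterPlacement -DomainControllers $dcs `
    -InfrastructureMaster 'dc-new.example.test' -ForestDomainCount 1

# Against a live domain (assumes the ActiveDirectory module is installed):
#   $dcs = Get-ADDomainController -Filter *
#   Test-InfrastructureMasterPlacement -DomainControllers $dcs `
#       -InfrastructureMaster (Get-ADDomain).InfrastructureMaster `
#       -ForestDomainCount (Get-ADForest).Domains.Count
```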


tnorman (Author) Commented:
Everyone...thanks for the feedback on this.  I get the impression that the Infrastructure Role is mostly for multi-domain companies, which this one is not.

Let's say that the gods are willing, and the problem with my 'main' server is simply a defective drive in the RAID and it comes back no problem (after being replaced).  I now have

- 4 roles on one server
- 1 role (Infra) on another server
- GC on both servers

If you only have two AD controllers, (as noted above), where's the redundancy for the GC if I only have it in one place?  Is the role distribution more important than GC?

I already got this company to buy a separate server for redundancy...they will really question why I would need two more.

I realize I am not asking any specific questions here, but am looking for 'best practices' in a W2K3 network environment with two servers that have AD.


tnorman (Author) Commented:
Did the reboot this am, and oddly enough, the server came back fully functional (i.e. no disk problems.)

However, good info above.  Thanks everyone for their input.

Thanks for the assist points, happy to help out.
