You need to place global catalog servers carefully when your organization's forest has more than one domain. The global catalog holds every object in the forest: a full, writable copy of the objects in the global catalog server's own domain and a partial, read-only copy (a defined subset of attributes) of the objects in every other domain in the forest. In a single-domain forest, make every domain controller a global catalog server; the global catalog adds no replication traffic there because the only domain partition is already fully replicated. In a multi-domain forest, place a global catalog server at each of the following locations:
- A location that has an application requiring a global catalog server (Exchange is the classic example)
- A location with more than 100 users
- A site with an unreliable WAN link and roaming users, so that logons do not depend on reaching a global catalog across the link
- A site with reliable connectivity but slow logon performance for roaming users
If none of these criteria are met, place a domain controller at the location and enable universal group membership caching for the site. Universal group membership caching is a site-level setting: the site's domain controllers fetch a user's universal group memberships from a global catalog in another site at first logon and cache them, so later logons complete without contacting a global catalog over the WAN.
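The following PowerShell is an added example, not part of the original text, that audits a forest against the placement rules above: it lists every site, counts the domain controllers and global catalog servers in it, reports whether universal group membership caching is enabled, and flags sites that have a domain controller but neither a global catalog nor caching. It also warns about non-GC domain controllers in a single-domain forest. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access to the directory; the site names and counts it prints come from whatever forest it is run in.

```powershell
# Added example: audit global catalog coverage per site (ActiveDirectory module required).
Import-Module ActiveDirectory

$forest = Get-ADForest

# Get-ADDomainController is domain-scoped, so collect DCs from every domain in the forest.
$dcs = @(foreach ($domainName in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domainName
})

# Single-domain forest: every DC should be a GC, because it costs no extra replication.
if (@($forest.Domains).Count -eq 1) {
    $dcs | Where-Object { -not $_.IsGlobalCatalog } | ForEach-Object {
        Write-Warning "Single-domain forest: $($_.HostName) is not a global catalog server"
    }
}

# Per-site view: GC present? If not, is universal group membership caching (UGMC) enabled?
$report = foreach ($site in Get-ADReplicationSite -Filter *) {
    $siteDCs = @($dcs | Where-Object { $_.Site -eq $site.Name })
    $gcCount = @($siteDCs | Where-Object { $_.IsGlobalCatalog }).Count
    $ugmc    = [bool]$site.UniversalGroupCachingEnabled

    $assessment = if ($gcCount -gt 0)        { 'OK: global catalog in site' }
                  elseif ($siteDCs.Count -eq 0) { 'No DC in site; logons cross the WAN' }
                  elseif ($ugmc)             { 'OK: no GC, but UGMC enabled' }
                  else                       { 'REVIEW: DC present, no GC, UGMC disabled' }

    [pscustomobject]@{
        Site       = $site.Name
        DCs        = $siteDCs.Count
        GCs        = $gcCount
        UGMC       = $ugmc
        Assessment = $assessment
    }
}

$report | Sort-Object Assessment, Site | Format-Table -AutoSize
```

Sites that come back as "REVIEW" are the ones to measure against the four criteria: if the site qualifies, promote one of its domain controllers to a global catalog; if it does not, enable universal group membership caching on the site's NTDS Site Settings object rather than leaving logons dependent on a remote global catalog.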
Whereas any Active Directory domain controller can write most directory data, certain data can be written only by the domain controller that holds a given operations master role. There are five such roles, known collectively as flexible single master operations (FSMO) roles. Three exist once per domain:
- Primary domain controller (PDC) emulator, which receives password changes from other domain controllers by urgent replication, is consulted when a logon fails with a bad password, and is the domain's authoritative time source
- Relative ID (RID) master, which maintains the domain's RID pool and hands out blocks of RIDs to each domain controller so that the SIDs of security principals created anywhere in the domain stay unique
- Infrastructure master, which maintains the references (phantom objects) to security principals from other domains that are members of groups in the local domain, updating them when the referenced object is renamed or moved
Two other roles exist once per forest:
- Schema master, which controls schema changes
- Domain naming master, which controls changes to the set of directory partitions, such as adding and removing domains (and application partitions) from the forest
Place operations master role holders, especially the PDC emulator and the RID master, in sites with reliable network connectivity. All five roles are assigned automatically to the first domain controller promoted in the forest, and the three domain-level roles to the first domain controller promoted in each additional domain. Because the roles add load, they can be transferred to other domain controllers as the forest grows.
Only one domain controller is the PDC emulator for each domain, so place it in the site nearest the largest number of users: password-change replication and failed-logon retries from every other domain controller are directed to it. The infrastructure master watches for security principals from other domains that are added to groups in the local domain and keeps those cross-domain references current. Do not place the infrastructure master on a global catalog server unless every domain controller in the domain is a global catalog: a global catalog already holds a replica of the referenced objects, so the infrastructure master never sees its references as stale and silently stops updating them. The role therefore matters only in multi-domain forests, and there only when some domain controllers in the domain are not global catalog servers. Enabling the Active Directory Recycle Bin (Windows Server 2008 R2 forest functional level or later) moves this cleanup to every domain controller, after which the placement restriction no longer applies.
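The following PowerShell is an added example, not part of the original text, that reports the five role holders and applies the infrastructure master rule just described: for each domain it checks whether the infrastructure master is a global catalog, whether every domain controller in the domain is a global catalog, and whether the Recycle Bin is enabled, and warns only in the combination where the role actually stops working. It assumes the ActiveDirectory RSAT module and read access to the forest; all host names come from the forest it is run in.

```powershell
# Added example: list FSMO role holders and check infrastructure master placement.
Import-Module ActiveDirectory

$forest = Get-ADForest

# The Recycle Bin moves cross-domain reference cleanup to every DC, so if it is
# enabled the infrastructure master may sit on a global catalog without harm.
$recycleBin   = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$recycleBinOn = @($recycleBin.EnabledScopes).Count -gt 0

"Forest-wide roles for $($forest.Name)"
"  Schema master        : $($forest.SchemaMaster)"
"  Domain naming master : $($forest.DomainNamingMaster)"
"  Recycle Bin enabled  : $recycleBinOn"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })

    "Domain-wide roles for $domainName"
    "  PDC emulator          : $($domain.PDCEmulator)"
    "  RID master            : $($domain.RIDMaster)"
    "  Infrastructure master : $($domain.InfrastructureMaster)"
    "  DCs / GCs             : $($dcs.Count) / $($gcs.Count)"

    $imIsGC = $gcs -contains $domain.InfrastructureMaster
    $allGC  = $gcs.Count -eq $dcs.Count

    # The role only matters in a multi-domain forest, and only breaks when the
    # holder is a GC, some other DC in the domain is not, and the Recycle Bin is off.
    if (@($forest.Domains).Count -gt 1 -and $imIsGC -and -not $allGC -and -not $recycleBinOn) {
        Write-Warning ("{0}: infrastructure master {1} is a global catalog while {2} DC(s) are not; " +
                       "cross-domain group member references will not be updated") -f
                       $domainName, $domain.InfrastructureMaster, ($dcs.Count - $gcs.Count)
    }
}
```

When the check fires, either move the role to a non-GC domain controller in that domain with Move-ADDirectoryServerOperationMasterRole -Identity <dc> -OperationMasterRole InfrastructureMaster, or make every domain controller in the domain a global catalog, at which point the placement no longer matters.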