We continue the series of articles about FSMO roles in the Active Directory domain. This time, we will take a closer look at the FSMO role — Infrastructure Master. As been said previously, the Infrastructure Master role is a domain-level role, i.e. in every AD domain there can be only one domain controller that is the owner of this role. In the AD forest, there may be multiple infrastructure master DCs (depending on the number of domains).
A server with Infrastructure Master role is needed to successfully perform the adprep/domainprep command (should be run exactly on the DC holder of this FSMO role). It is responsible for updating security identifiers (GUIDs, SIDs) and distinguished object names in cross-domain object references.
A bit of theory
Each AD domain controller stores complete information about all objects within its domain. However, the hierarchy of the forest can’t be limited to one single domain, but consists of many others. All this does not affect to the AD operation in any way until the security objects of one domain are used in others.
In practice, there are a few examples where the domains of one forest isolated from each other. Very often, when groups of one domain contain users from other domains. The Infrastructure Master role owner is responsible for such schemes in every of the domains.
For example, in domain B, there is a security group in which you want to add a user from domain A. Once the user is added to the group, the following occurs:
- The Infrastructure Master of a domain B accesses the global catalog server (GC — Global Catalog) to retrieve information about the user of domain A. Because the Global Catalog stores information about objects in all forest domains, it returns the necessary data;
- The Infrastructure Master of domain B creates a phantom object for the user of domain A. This entry is a special type of AD object and can’t be viewed through LDAP or any snap-ins (adsiedit.msc, AD Users and Computers, etc.). Phantom records contain a minimum of information, including the following parameters: Distinguished name, object GUID and SID.
- The Infrastructure Master periodically compares (by default once every 2 days) all phantom objects with global catalog data. If there has been any change with user A (user renamed, moved to another domain or container, deleted): the infrastructure master makes the appropriate changes with phantom object.
The best practices for placing the FSMO Infrastructure Master
The Global Catalog server keeps a full replica of its domain data, as well as a partial replica of each domain in a forest. A partial replica includes object data contains GUID, SID and Distinguished object name. That is, it stores all the same data as the phantom records of the Infrastructure Master. Thus, if the Infrastructure Master is located on the Global Catalog server, then new phantom objects will not be created/modified/deleted since the GC already stores such records itself. As a result, there will be irrelevant information about cross-domain objects from other controllers of this domain, because they are still referring to the infrastructure master for obtaining information about objects of other domains. From this follows one conclusion:
Do not place the Infrastructure Master role on a Global Catalog server in case not all of DCs in the forest are global catalog servers.
In that case, when all domain controllers in the forest are Global Catalogs (each domain controller contains the most up-to-date information about all objects in forest), or there are only one domain in the forest, the need for the Infrastructure Master role disappears completely.
Note. By the way, today this is the configuration recommended by Microsoft.
How to Transfer Infrastructure Master Role
By default, the role of the infrastructure master receives the first domain controller installed in a forest. You can move this role at any time by using the Active Directory Users and Computers snap-in or using the Ntdsutil.exe utility. The infrastructure master is identified by the value of the fSMORoleOwner attribute in the Infrastructure container in the Domain section.
To find out which DC is the owner of the domain infrastructure role, you must run the Active Directory Users and Computers snap-in, right-click on the domain, and select Operation Masters.
Click the “Infrastructure” tab, which specifies the domain controller that performs this role in the domain.
To transfer this role to another domain controller, click the Change button and select DC.
If you need to transfer IM role from failed DC follow the instructions How to transfer FSMO Roles From a Failed Domain Controller.