FSMO Role: Infrastructure Master


We continue the series of articles about FSMO roles in the Active Directory domain. This time, we will take a closer look at the Infrastructure Master FSMO role. As mentioned previously, the Infrastructure Master role is a domain-level role, i.e. in every AD domain there can be only one domain controller that owns this role. In an AD forest, there may be multiple Infrastructure Master DCs (one per domain).

A server with the Infrastructure Master role is needed to successfully run the adprep /domainprep command (it must be run on the DC that holds this FSMO role). The role is responsible for updating security identifiers (GUIDs, SIDs) and distinguished names of objects in cross-domain object references.

A bit of theory

Each AD domain controller stores complete information about all objects within its own domain. However, the hierarchy of a forest is not limited to a single domain and usually consists of several. This does not affect AD operation in any way until security principals of one domain are used in other domains.

In practice, it is rare for the domains of one forest to be isolated from each other. Very often, groups in one domain contain users from other domains. The Infrastructure Master role owner is responsible for maintaining such cross-domain references in each domain.


For example, in domain B, there is a security group in which you want to add a user from domain A. Once the user is added to the group, the following occurs:

  1. The Infrastructure Master of domain B queries a Global Catalog (GC) server to retrieve information about the user from domain A. Because the Global Catalog stores information about objects in all domains of the forest, it returns the necessary data.
  2. The Infrastructure Master of domain B creates a phantom object for the user from domain A. This entry is a special type of AD object and can’t be viewed through LDAP or any snap-in (adsiedit.msc, Active Directory Users and Computers, etc.). Phantom records contain a minimum of information, including the following attributes: Distinguished Name, object GUID and SID.
  3. The Infrastructure Master periodically compares (by default once every 2 days) all phantom objects with Global Catalog data. If anything has changed for the user from domain A (the user was renamed, moved to another domain or container, or deleted), the Infrastructure Master makes the corresponding changes to the phantom object.

The best practices for placing the FSMO Infrastructure Master

The Global Catalog server keeps a full replica of its own domain data, as well as a partial replica of every other domain in the forest. The partial replica includes the object GUID, SID and Distinguished Name, i.e. exactly the same data that the phantom records of the Infrastructure Master contain. Thus, if the Infrastructure Master is located on a Global Catalog server, new phantom objects will never be created, modified or deleted, since the GC already stores such records itself. As a result, the other domain controllers of this domain end up with stale information about cross-domain objects, because they still refer to the Infrastructure Master for information about objects of other domains. From this follows one conclusion:


Do not place the Infrastructure Master role on a Global Catalog server if not all DCs in the forest are Global Catalog servers.

In the case when all domain controllers in the forest are Global Catalogs (each domain controller then holds the most up-to-date information about all objects in the forest), or when there is only one domain in the forest, the need for the Infrastructure Master role disappears completely.

Note. By the way, today this is the configuration recommended by Microsoft.

How to Transfer Infrastructure Master Role

By default, the Infrastructure Master role is held by the first domain controller installed in a forest. You can move this role at any time using the Active Directory Users and Computers snap-in or the Ntdsutil.exe utility. The Infrastructure Master is identified by the value of the fSMORoleOwner attribute of the Infrastructure container in the domain partition.
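The following PowerShell script is an added example and is not part of the original article. It reads the fSMORoleOwner attribute described above for every domain in the forest, maps it to the owning DC, and flags the placement the previous section warns about (Infrastructure Master on a Global Catalog while not every DC in the forest is a GC). It assumes the ActiveDirectory RSAT module is installed and the session has read access to every domain.

```powershell
# Added example: audit Infrastructure Master placement across the forest.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, read-capable session.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Collect every DC in the forest first, because the article's rule is forest-wide:
# the IM holder may sit on a GC only if ALL DCs in the forest are GCs.
$allDcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$allForestDcsAreGc = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName

    # fSMORoleOwner on CN=Infrastructure holds the DN of the owner's NTDS Settings object.
    $infraContainer = "CN=Infrastructure,$($domain.DistinguishedName)"
    $ownerNtdsDn = (Get-ADObject -Identity $infraContainer -Properties fSMORoleOwner `
                        -Server $domainName).fSMORoleOwner

    # Map that NTDS Settings DN back to the domain controller object.
    $imDc = $allDcs | Where-Object { $_.NTDSSettingsObjectDN -eq $ownerNtdsDn }
    $holderIsGc = [bool]$imDc.IsGlobalCatalog

    [pscustomobject]@{
        Domain              = $domainName
        InfrastructureDC    = $imDc.HostName
        # Cross-check against the value the AD module computes for the same role.
        MatchesGetADDomain  = ($imDc.HostName -eq $domain.InfrastructureMaster)
        HolderIsGC          = $holderIsGc
        AllForestDcsAreGC   = $allForestDcsAreGc
        # Stale cross-domain references are expected only in this combination.
        StalePhantomRisk    = ($holderIsGc -and -not $allForestDcsAreGc)
    }
}

# PowerShell equivalent of the "Change" button in the Operations Masters dialog
# (placeholder DC name; run only after reviewing the report above):
# Move-ADDirectoryServerOperationMasterRole -Identity "DC-NAME" -OperationMasterRole InfrastructureMaster
```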

To find out which DC owns the domain's Infrastructure Master role, open the Active Directory Users and Computers snap-in, right-click the domain, and select Operations Masters.


Open the Infrastructure tab, which shows the domain controller that currently performs this role in the domain.


To transfer this role to another domain controller, click the Change button and select the target DC.


If you need to transfer the Infrastructure Master role from a failed DC, follow the instructions in How to Transfer FSMO Roles From a Failed Domain Controller.
