FSMO Role: Infrastructure Master

We continue the series of articles about FSMO roles in the Active Directory domain. This time, we will take a closer look at the FSMO role Infrastructure Master. As been said previously, the Infrastructure Master role is a domain-level role, i.e. in every AD domain there can be only one domain controller that is the owner of this role. In the AD forest, there may be multiple infrastructure master DCs (depending on the number of domains).

A server with Infrastructure Master role is needed to successfully perform the adprep/domainprep command (should be run exactly on the DC holder of this FSMO role). It is responsible for updating security identifiers (GUIDs, SIDs) and distinguished object names in cross-domain object references.

A bit of theory

Each AD domain controller stores complete information about all objects within its domain. However, the hierarchy of the forest can’t be limited to one single domain, but consists of many others. All this does not affect to the AD operation in any way until the security objects of one domain are used in others.

In practice, there are a few examples where the domains of one forest isolated from each other. Very often, when groups of one domain contain users from other domains. The Infrastructure Master role owner is responsible for such schemes in every of the domains.

For example, in domain B, there is a security group in which you want to add a user from domain A. Once the user is added to the group, the following occurs:

  1. The Infrastructure Master of a domain B accesses the global catalog server (GC Global Catalog) to retrieve information about the user of domain A. Because the Global Catalog stores information about objects in all forest domains, it returns the necessary data;
  2. The Infrastructure Master of  domain B creates a phantom object for the user of domain A. This entry is a special type of AD object and can’t be viewed through LDAP or any snap-ins (adsiedit.msc, AD Users and Computers, etc.). Phantom records contain a minimum of information, including the following parameters: Distinguished name, object GUID and SID.
  3. The Infrastructure Master periodically compares (by default once every 2 days) all phantom objects with global catalog data. If there has been any change with user A (user renamed, moved to another domain or container, deleted): the infrastructure master makes the appropriate changes with phantom object.

The best practices for placing the FSMO Infrastructure Master

The Global Catalog server keeps a full replica of its domain data, as well as a partial replica of each domain in a forest. A partial replica includes object data contains GUID, SID and Distinguished object name. That is, it stores all the same data as the phantom records of the Infrastructure Master. Thus, if the Infrastructure Master is located on the Global Catalog server, then new phantom objects will not be created/modified/deleted since the GC already stores such records itself. As a result, there will be irrelevant information about cross-domain objects from other controllers of this domain, because they are still referring to the infrastructure master for obtaining information about objects of other domains. From this follows one conclusion:

Do not place the Infrastructure Master role on a Global Catalog server in case not all of DCs in the forest are global catalog servers.

In that case, when all domain controllers in the forest are Global Catalogs (each domain controller contains the most up-to-date information about all objects in forest), or there are only one domain in the forest, the need for the Infrastructure Master role disappears completely.

Note. By the way, today this is the configuration recommended by Microsoft.

How to Transfer Infrastructure Master Role?

By default, the role of the infrastructure master receives the first domain controller installed in a forest. You can move this role at any time by using the Active Directory Users and Computers snap-in or using the Ntdsutil.exe utility. The infrastructure master is identified by the value of the fSMORoleOwner attribute in the Infrastructure container in the Domain section.

To find out which DC is the owner of the domain infrastructure role, you must run the Active Directory Users and Computers snap-in, right-click on the domain, and select Operation Masters.

operations manager infrastructure master

Click the “Infrastructure” tab, which specifies the domain controller that performs this role in the domain.

operations master fsmo

To transfer this role to another domain controller, click the Change button and select DC.

If you need to transfer IM role from failed DC follow the instructions How to transfer FSMO Roles From a Failed Domain Controller.

You may also like:

Configuring GPO Proxy Settings for Internet Explor... The article shows how to configure GPO proxy settings for Internet Explorer 11 browser using Active Directory Group Policies. In earlier versions of I...
AD Account Keeps Locking Out Sometimes there are situations when AD account keeps locking out, this happen when you try to log on to a domain computer and getting an error on the ...
Installing Active Directory Users and Computers MM... One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). The ADUC snap-in is used to p...
How to transfer FSMO Roles From a Failed Domain Co... In case domain controller, which owns FSMO (Flexible Single Master Operation) roles, is fail (virus attack, fatal software problems or catastrophic ha...
Fix Trust relationship failed issue without domain... In this article, we will discuss the causes of Trust relationship failed error and some solutions on how to restore secure channel between the worksta...
  1. Posted by Sara
    • Posted by The IT Bros

Add Your Comment