The series of posts on FSMO roles in Active Directory continues. This time we focus on the Infrastructure Master role. As noted earlier, the Infrastructure Master is a domain-level role, which means that in each AD domain only one domain controller can own it. An AD forest may therefore contain several Infrastructure Master DCs (one per domain).
The adprep /domainprep command must be run on the DC that holds the Infrastructure Master role (it will not run elsewhere). The Infrastructure Master is responsible for keeping cross-domain object references up to date: the security identifiers (GUIDs and SIDs) and the distinguished names of the referenced objects.
Each AD domain controller stores complete information about all objects in its own domain. The forest, however, is not limited to a single domain and usually consists of several. None of this affects AD operation until security principals of one domain are used in another.
In practice, there are only a few cases in which the domains of one forest are kept separate from each other; it is very common for groups in one domain to contain users from other domains. In each domain, the owner of the Infrastructure Master role is responsible for handling such cross-domain references.
There is a security group in domain B, for example, to which you want to add a user from domain A. Following the user’s addition to the group, the following happens:
- To obtain information about the user from domain A, the Infrastructure Master of domain B contacts a Global Catalog (GC) server. The Global Catalog returns the required data, since it stores information about objects from all domains in the forest.
- The Infrastructure Master of domain B creates a phantom object for the user from domain A. This is a special type of AD object that cannot be seen via LDAP or any snap-in (adsiedit.msc, AD Users and Computers, etc.). A phantom record holds only the bare minimum of data: the distinguished name, the object GUID and the SID.
- The Infrastructure Master checks all phantom objects against Global Catalog data periodically (daily by default). If anything changes for the user from domain A (the user is renamed, moved to another domain or container, or deleted), the Infrastructure Master updates the phantom object accordingly.
If not all DCs in the forest are global catalogue servers, don’t put the Infrastructure Master role on a Global Catalog server.
When all domain controllers in the forest are Global Catalogs (each domain controller contains the most up-to-date information about all objects in the forest), or when the forest has only one domain, the Infrastructure Master role is no longer required.
By the way, this is the arrangement that Microsoft recommends today.
What is the procedure for transferring the Infrastructure Master Role?
By default, the Infrastructure Master role is assigned to the first domain controller installed in the forest. You can transfer this role at any time using the Active Directory Users and Computers snap-in or the Ntdsutil.exe utility. The value of the fSMORoleOwner attribute of the Infrastructure container in the domain partition identifies the Infrastructure Master.
Run the Active Directory Users and Computers snap-in, right-click on the domain, and select Operation Masters to see which DC owns the domain infrastructure role.
Click the “Infrastructure” tab, which specifies the domain controller that performs this role in the domain.
Click the Change button and select DC to transfer this position to another domain controller.
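The following PowerShell script is an added example (not part of the original article) that reads the role owner from the fSMORoleOwner attribute described above and checks the Global Catalog placement rule from earlier in the post. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access; the DC name DC02 in the commented transfer command is a placeholder.

```powershell
# Added example: locate the Infrastructure Master and check its GC placement.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Read the holder from fSMORoleOwner on CN=Infrastructure in the domain partition.
#    The value is the DN of the holder's NTDS Settings object, e.g.
#    CN=NTDS Settings,CN=DC01,CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,DC=...
$infra  = Get-ADObject -Identity "CN=Infrastructure,$($domain.DistinguishedName)" -Properties fSMORoleOwner
$ntdsDn = $infra.fSMORoleOwner

# If the holder DC was deleted, the DN points at a tombstone (CN contains "\0ADEL:").
# The role then cannot be transferred and has to be seized (see the failed-DC procedure).
if ($ntdsDn -match '\\0ADEL:') {
    Write-Warning "fSMORoleOwner points to a deleted NTDS Settings object: $ntdsDn"
    return
}

$holderDn = $ntdsDn -replace '^CN=NTDS Settings,', ''   # DN of the server object
$holder   = (Get-ADObject -Identity $holderDn).Name      # e.g. DC01

"Domain:                $($domain.DNSRoot)"
"IM from fSMORoleOwner: $holder"
"IM per Get-ADDomain:   $($domain.InfrastructureMaster)"

# 2. Placement check: an IM on a GC is only acceptable when every DC in the forest
#    is a GC (or the forest has one domain); otherwise phantom objects are never refreshed.
$domainDcs    = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$allForestDcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }

$imIsGc       = ($domainDcs | Where-Object { $_.Name -eq $holder }).IsGlobalCatalog
$allGc        = -not ($allForestDcs | Where-Object { -not $_.IsGlobalCatalog })
$singleDomain = ($forest.Domains | Measure-Object).Count -eq 1

if ($singleDomain -or $allGc) {
    "OK: single-domain forest or all DCs are GCs, so IM placement does not matter."
} elseif ($imIsGc) {
    Write-Warning "IM $holder is a Global Catalog while some DCs are not: move the role to a non-GC DC."
    # Transfer (not seize) to another DC, run as a Domain Admin; DC02 is a placeholder name:
    # Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole InfrastructureMaster
} else {
    "OK: IM $holder is not a Global Catalog."
}
```

The two "IM" lines should agree; a mismatch usually means replication of the domain partition has not converged yet.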
If you need to transfer the IM role from a failed DC, follow the procedure described in Transferring FSMO Roles from a Failed Domain Controller.