Infrastructure Master FSMO Role


Infrastructure Master FSMO Role is a Flexible Single Master Operation and a Domain Controller responsible for updating an object's Security Identifier (SID) and Distinguished Name in a cross-domain object reference.

When an object in one AD DOMAIN is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The Infrastructure Master FSMO Role

NOTE: The Infrastructure Master (IM) role should be held by a Domain Controller that is not a Global Catalog server (GC). If the Infrastructure Master FSMO Role runs on a Global Catalog server, it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log.

If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

When the Recycle Bin optional feature is enabled, every DC is responsible for updating its own cross-domain object references when the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role. For more information, see Infrastructure FSMO Role at http://msdn.microsoft.com/en-us/library/cc223753.aspx

Infrastructure Master FSMO Role Responsibility

Infrastructure Master FSMO Role is responsible for an unattended process that "fixes-up" stale references, known as phantoms, within the Microsoft Active Directory database or DIT. Phantoms are created on Domain Controllers (DCs) that require a database cross-reference between an object within their own database and an object from another domain within the AD Forest. This occurs, for example, when you add a user from one domain to a group within another domain in the same AD Forest.

Each Domain Controller is individually responsible for creating its own phantoms with the notable exception of Global Catalogs (GCs). Since Global Catalogs store a Partial Attribute Set copy of all objects within the forest, they are able to create cross-domain references without the need for such phantoms. Phantoms are deemed stale when they no longer contain up-to-date data, which occurs because of changes that have been made to the foreign object the phantom represents, e.g., when the target object is renamed, moved, migrated between domains or deleted. The Infrastructure Master FSMO Role is exclusively responsible for locating and fixing stale phantoms. Any changes introduced as a result of the "fix-up" process must then be replicated to all remaining Domain Controllers within the AD DOMAIN.

Note: The Infrastructure Master does not perform the "fix-up" role within a single domain forest since phantoms are unnecessary.
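
The placement rules on this page (single-domain forest, Recycle Bin enabled, all DCs hosting the GC, role holder on a GC) can be evaluated in one pass. The following PowerShell is an added example, not part of the original page; `Test-InfrastructureMasterPlacement` and the sample host names are hypothetical, and the commented live query assumes the ActiveDirectory module is installed.

```powershell
# Added example: placement check built from the rules stated on this page.
# Test-InfrastructureMasterPlacement is a hypothetical helper name.
function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)] [string]   $InfrastructureMaster,  # DNS name of the role holder
        [Parameter(Mandatory)] [object[]] $DomainControllers,     # objects with HostName, IsGlobalCatalog
        [Parameter(Mandatory)] [int]      $ForestDomainCount,
        [Parameter(Mandatory)] [bool]     $RecycleBinEnabled
    )
    $holder = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    if (-not $holder) { return 'UNKNOWN: role holder not found among the domain controllers' }

    # Cases in which the page says the role has no work to do or placement does not matter
    if ($ForestDomainCount -eq 1) { return 'OK: single-domain forest, no phantoms to fix up' }
    if ($RecycleBinEnabled)       { return 'OK: Recycle Bin enabled, every DC updates its own references' }
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })
    if ($nonGc.Count -eq 0)       { return 'OK: every DC hosts the global catalog' }

    # Remaining case: mixed GC / non-GC domain, so the role holder must not be a GC
    if ($holder.IsGlobalCatalog) {
        return "WARN: $InfrastructureMaster is a GC while $($nonGc.Count) DC(s) are not; stale phantoms will not be fixed up"
    }
    return 'OK: role holder is not a global catalog'
}

# Constructed sample input (not taken from a real domain)
$sampleDcs = @(
    [pscustomobject]@{ HostName = 'dc1.child.example.test'; IsGlobalCatalog = $true  }
    [pscustomobject]@{ HostName = 'dc2.child.example.test'; IsGlobalCatalog = $false }
)
Test-InfrastructureMasterPlacement -InfrastructureMaster 'dc1.child.example.test' `
    -DomainControllers $sampleDcs -ForestDomainCount 2 -RecycleBinEnabled $false

# Against a live domain (requires the ActiveDirectory module):
# $domain = Get-ADDomain
# $bin    = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
# Test-InfrastructureMasterPlacement -InfrastructureMaster $domain.InfrastructureMaster `
#     -DomainControllers (Get-ADDomainController -Filter *) `
#     -ForestDomainCount (Get-ADForest).Domains.Count `
#     -RecycleBinEnabled ($bin.EnabledScopes.Count -gt 0)
```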
