Understanding FSMO Roles – 6: Infrastructure Master

By | June 18, 2020

In the last post, we discussed the Domain Naming Master. In this post, we will look at the first domain-level role, the Infrastructure Master. Before we start, remember that a change to a forest-level role affects the entire forest, while a change to a domain-level role affects only that particular domain. For example, if we have a root domain DevOpsAge.local and two child domains, US.DevOpsAge.local and IN.DevOpsAge.local, both forest-level roles (Schema Master and Domain Naming Master) exist once for the whole forest (all three domains), but every domain has its own set of domain-level roles (Infrastructure Master, RID Master and PDC). In this case, we will have three of each domain-level role (one in each domain) in our environment.

So what is the Infrastructure Master? The first thing to know is that the Infrastructure Master is useful only if we have multiple domains in our forest. In other words, in a single-forest, single-domain environment the Infrastructure Master role sits idle and does nothing. That is because the IM is responsible for identifying objects that live in other domains; put differently, the Infrastructure Master keeps track of all cross-domain object references. Confused? OK, let me clarify.

Suppose we have two domains, Domain-1 and Domain-2. If a user or computer from Domain-1 wants to access a resource (share, file, folder, printer, etc.) in Domain-2, the Infrastructure Master is the one that decides which object belongs to which domain. In short, the domain-wise classification of any object in Active Directory is handled by the Infrastructure Master.

Let's take one more example: if a user from Domain-1 is added to a group in Domain-2, it is the IM that maintains that record and lets cross-domain objects work properly.

What if my Infrastructure Master is down? In a single-domain, single-forest environment, nothing will happen. In a multi-domain environment, however, users and computers from one domain cannot access resources in any other domain while the Infrastructure Master is down. In short, in a single forest/domain structure the Infrastructure Master is not required at all, but in a multi-domain structure it is a mission-critical role.

There are two more important things to remember:

  • Never place the Infrastructure Master role on a DC that is also a GC (Global Catalog), unless every domain controller in your environment is a Global Catalog. Normally we make every DC a GC, but if you run your AD environment with only selected DCs as GCs and you put the IM role on one of those GCs, the IM role will not function. The reason is that the Global Catalog also holds references to objects from all domains, and if you put the IM role on a GC, the GC will overpower the IM and you will start seeing issues with cross-domain authentication.
  • If the domain functional level of our AD infrastructure is 2008 R2 or above, we have the option to enable the Active Directory Recycle Bin. If the AD Recycle Bin is disabled, the Infrastructure Master plays its role as usual; if we enable the AD Recycle Bin, the IM sits idle, because each Domain Controller then keeps records of all created, modified and deleted objects itself.
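The two rules above can be audited across the whole forest from one console. The script below is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed and that the current account can read the forest. For each domain it reports which DC holds the Infrastructure Master, whether that DC is a GC while other DCs are not, and whether the AD Recycle Bin is enabled (in which case the placement no longer matters).

```powershell
# Added example (not from the original post): check Infrastructure Master placement
# in every domain of the forest against the two rules described above.
# Assumes the RSAT ActiveDirectory module and an account with read access to AD.
Import-Module ActiveDirectory

$forest = Get-ADForest
# The Recycle Bin is a forest-wide optional feature; EnabledScopes is empty when it is off.
$recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $forest.RootDomain
$recycleBinEnabled = ($recycleBin.EnabledScopes.Count -gt 0)

foreach ($domainName in $forest.Domains) {
    $domain   = Get-ADDomain -Identity $domainName
    $imHolder = $domain.InfrastructureMaster          # FQDN of the DC holding the IM role

    # Every DC in this domain, and the subset that are Global Catalogs
    $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })

    $imIsGc      = ($gcs.HostName -contains $imHolder)
    $allDcsAreGc = ($gcs.Count -eq $dcs.Count)

    # Placement is a problem only when the IM sits on a GC, some DCs are not GCs,
    # and the Recycle Bin (which leaves the IM idle anyway) is not enabled.
    $warning = ''
    if ($imIsGc -and -not $allDcsAreGc -and -not $recycleBinEnabled) {
        $warning = 'IM holder is a GC but not every DC is a GC: move the role or make all DCs GCs'
    }

    [PSCustomObject]@{
        Domain               = $domainName
        InfrastructureMaster = $imHolder
        DomainControllers    = $dcs.Count
        GlobalCatalogs       = $gcs.Count
        IMOnGC               = $imIsGc
        RecycleBinEnabled    = $recycleBinEnabled
        Warning              = $warning
    }
}
```

If a domain is flagged, the role can be transferred to a non-GC DC with `Move-ADDirectoryServerOperationMasterRole -Identity <target DC> -OperationMasterRole InfrastructureMaster`, or every DC can be made a GC so the rule no longer applies.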

That's all for the Infrastructure Master. In the next post, we will discuss the second domain-level role, the RID Master.
