

Infrastructure FSMO Role

Posted on 2009-04-17
Medium Priority
Last Modified: 2012-06-21
Hi All,
I have 2 questions for you.
Question 1.
Where do Infrastructure FSMO roles come into action: in a single domain environment or a multiple domain environment?
Please give me a clear understanding with an example; it will be very helpful to me.
Where to keep the infrastructure role?
What happens if my infrastructure role DC goes down but my Global Catalog DC is up and running?

Question 2:
Another confusing part in my mind is the application partition.
Please explain it to me with an example.

Thanks all....

Question by:shankarvetrivel
LVL 57

Accepted Solution

Mike Kline earned 189 total points
ID: 24165490
In a single domain environment it doesn't come into play.
In a multi-domain structure it maintains references to objects in the other domains (you will hear them referred to as "phantoms").
So an example:
You have Domain1 and Domain2. If you create a group in Domain1 and place members in it from Domain2, then the IM in Domain1 is used to maintain those references.
While we are on the Infrastructure master topic there is always debate about putting it on a GC or not. Not sure why this debate still goes on but just today on a question this was being debated. I'll point you to a short and good blog entry on that
If the infrastructure master goes down then there won't be cross domain updates...not sure how many changes you are making but users will still be able to function.
An applications partition is a directory partition that is replicated only to specific domain controllers. So two examples you probably already have and may not realize it.
When you install DNS in W2K3, two new app partitions are created: the DomainDNSZones and ForestDnsZones. The Forest zone is replicated to all DNS servers running DNS in your forest, and as you can guess the domain zone replicates to DNS servers on DCs in your domain. So as the name implies the partition only replicates to certain DCs.
LVL 27

Assisted Solution

bluntTony earned 186 total points
ID: 24165666
Specifically, the Infrastructure master manages group membership references between user/computer accounts and groups (linked attributes). For example: John is a member of the group Group1. Group1 has an attribute 'members' where the DN of John is held. John has an attribute 'memberof' where the DN of the group is held. These are called linked attributes.
The primary attribute is 'members' on the group. When this is modified, AD automatically updates the attribute of the corresponding account. e.g. you remove John out of the group, modifying the group attribute, and AD then removes the group from John's 'memberof' attribute.
What the infrastructure master does is handle this operation across domains for objects which do not exist in its own domain. It creates 'phantom' objects for the accounts in other domains so that it can update the linked attributes.
Like Mike says, single domain it's irrelevant, multi domain - unless ALL the DCs in your domain are also GCs, then do not place the Infrastructure Master on a GC.
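
The placement rule from the two answers above, written as a read-only PowerShell check (an added example, not part of the original thread). It assumes the ActiveDirectory RSAT module is installed; the function name Test-InfrastructureMasterPlacement is hypothetical.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
# Test-InfrastructureMasterPlacement is a hypothetical helper name.
function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)] [string]   $InfrastructureMaster, # FQDN of the role holder
        [Parameter(Mandatory)] [object[]] $DomainControllers,    # need HostName, IsGlobalCatalog
        [Parameter(Mandatory)] [int]      $DomainCount           # domains in the forest
    )
    # Single domain: per the thread, the role does not come into play.
    if ($DomainCount -le 1) { return 'N/A: single domain' }

    # Every DC is a GC: placement does not matter.
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })
    if ($nonGc.Count -eq 0) { return 'OK: all DCs are GCs' }

    $holder = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    if (-not $holder) { return 'UNKNOWN: role holder not in DC list' }
    if ($holder.IsGlobalCatalog) {
        return 'REVIEW: role holder is a GC, but these DCs are not: ' + ($nonGc.HostName -join ', ')
    }
    return 'OK: role holder is not a GC'
}

Import-Module ActiveDirectory
$forest = Get-ADForest

# One row per domain: who holds the role and whether the placement follows the rule.
foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Identity $name -Server $name
    $dcs    = @(Get-ADDomainController -Filter * -Server $name)
    [pscustomobject]@{
        Domain               = $name
        InfrastructureMaster = $domain.InfrastructureMaster
        Placement            = Test-InfrastructureMasterPlacement `
            -InfrastructureMaster $domain.InfrastructureMaster `
            -DomainControllers $dcs -DomainCount $forest.Domains.Count
    }
}

# Application partitions in the forest (the DNS partitions mentioned above appear
# here once AD-integrated DNS is installed).
$forest.ApplicationPartitions
```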

Author Closing Comment

ID: 31571347
Thanks, really helped me.
