Active Directory is a multi-master directory: every writable DC of a domain accepts writes. Still, some operations must be performed only once and by exactly one party, so that the result stays unique, and that is why certain roles in Active Directory have a "single master".
As we should know, there are five of those "Flexible Single Master Operations" roles (FSMOs; let's not get into the discussion why they are called "Flexible", back in the NT5 beta days, the beta of Windows 2000, they were even called "Floating"). Two are unique in the forest, three are unique in each domain.
FSMOs per forest:
- Schema Master: guess what, someone has to be responsible for updating the schema and making sure that schema changes originate in exactly one place. What a surprise!
- Domain Naming Master: the same for adding and removing domains and application partitions in the forest, whose names need to be unique.
FSMOs per domain:
- PDC Emulator: the most complex and most important role. Not only is it responsible for replicating AD content to NT4 BDCs (not in Windows Server 2008 anymore anyway), the PDC Emulator is also the last instance for password changes (password changes are replicated to it urgently, and a DC that fails to validate a password asks the PDC Emulator before rejecting it), it is the DC the Group Policy Object Editor targets by default, it takes care of AD-integrated DFS namespaces, the PDC Emulator of the forest root domain is the authoritative time source for all members of the forest, and so on. It is important, and you need it even if you don't have NT4 in your domain anymore (hopefully; it's gray-haired by now).
- RID Master: my favorite role, since it reminds me of our account managers at the Oktoberfest. Every year we take a lot of customers to the Oktobeerfest [;)]. At every table someone is assigned to fetch beer coupons for everyone, and when running out, they go to the responsible account manager to get another stack. The RID Master does the same. It makes sure that the RID (the last part of the security identifier) is unique per domain by handing every DC a pool of RIDs to issue from, and when a DC is running low on RIDs (by default when its pool is half empty / half full) the DC requests the next RID pool from the RID Master.
- Infrastructure Master: it makes sure that cross-domain memberships are taken care of (what a sentence). What it really does is compare group memberships and other cross-domain links against the other domains (via the GC), and if a link targets an object in another domain of the forest, it creates and maintains a phantom so that all DCs of the domain know what the link target is. Why is that? Let's get out of the bullet points.
If we look at the AD database (the database file itself is not replicated; AD replicates at the application layer, and the database is the local store of each domain controller), there are two major tables: the data table and the link table. Every row in the data table is a single object, identified by its Distinguished Name Tag (DNT). The DNT is unique per database, i.e. per domain controller; across domain controllers it is very unlikely that the same object has the same DNT, because, as I said, replication happens on the application layer and not on the database layer. Then there is the link table. The link table takes care of all linked attributes, so group members, the memberOf of a user and so on are stored there as pairs of DNTs. If a DC needs to enumerate the members of a group, it simply searches the link table for the group's DNT as link source and enumerates the targets; if it is looking for the memberOf information of a user, it searches for the user's DNT as link target and enumerates the sources. Sounds logical? Hopefully.
But remember that groups (like other linked attributes) may contain objects from other domains. How can those be referenced? They have no row and therefore no DNT in the domain's database. That's where the Infrastructure Master kicks in. It creates phantom objects for objects that are referenced in the domain but belong to a foreign domain. Those phantoms are small stand-ins for the real objects in the domain where they are referenced, even smaller than the partial attribute set that makes it into the Global Catalog, and the Infrastructure Master keeps them up to date (for example after a rename of the real object) by comparing them against a Global Catalog. I've already blogged about the Global Catalog vs. Infrastructure Master dependency, so for that discussion go there. Also have a look at the Knowledge Base article "KB 248047: Phantoms, tombstones and the infrastructure master" on TechNet. The last parts about cross-domain references are the interesting ones in this context.
So how many FSMO role owners do we have in our forest?
- There is one Schema-Master.
- There is one Domain Naming Master.
- The number of PDC Emulators is the same as the number of domains.
- The number of RID Masters is the same as the number of domains.
- The number of Infrastructure Masters is …
How many infrastructure masters do we have?
Most would say "as many as we have domains" as well. Wrong!
And that's the interesting part. We do have one Infrastructure Master per domain, that's correct. But remember that Windows Server 2003 introduced application partitions. Linked attributes can live in an application partition as well, and they can even reference objects in other partitions, not only in other domains. However, if the domain's Infrastructure Master does not hold a copy of the application partition (which has its own, separately configurable replication scope; one of our customers has one application partition per site, spanning domains), how could it take care of those cross-partition references? It couldn't, there's no way it could.
Therefore we have one infrastructure master per domain plus one per application partition. So if you have a Windows Server 2003 or higher forest with the default DNS application partitions (ForestDnsZones, and one DomainDnsZones per domain), let's assume five domains, then you have:
- 1 Schema Master
- 1 Domain Naming Master
- 5 PDC-Emulators
- 5 RID-Masters
- 11 Infrastructure Masters (5 domain Infrastructure Masters + 1 for ForestDnsZones + 5 for the DomainDnsZones of each domain; several of them may of course reside on the same DC)
Where can I see the application partitions infrastructure masters?
To see where the IMs of the application partitions reside, you have to look into Active Directory with any LDAP tool like adsiedit.msc, ldp.exe or whatever you prefer. Connect to the application partition, navigate to the cn=Infrastructure object directly underneath the application partition's root, and look at the fSMORoleOwner attribute. It points to the NTDS Settings object of the server that currently holds the role. You can also use dsquery to do this:
dsquery * cn=Infrastructure,dc=domainDnsZones,dc=example,dc=com -attr fSMORoleOwner
If you want to figure out what partitions you have in the forest, you can use the following command:
dsquery * cn=partitions,cn=configuration,dc=example,dc=com -attr nCName
And if we only want application partitions, we add the filter (systemflags=5). In systemFlags of a crossRef object, bit 1 marks a naming context hosted by NTDS and bit 4 a naming context that does not replicate to the Global Catalog; 1 + 4 = 5 is exactly the combination you get for application partitions (domain partitions carry 3, the Schema and Configuration partitions carry 1). Note that this says nothing about the DC holding the role: unlike the domain IM, an AP-IM may happily reside on a GC, since the partition is not part of the GC anyway [;)]:
dsquery * cn=partitions,cn=configuration,dc=example,dc=com -filter "(systemflags=5)" -attr nCName
And for those of you who like small one-line commands, this prints the infrastructure master of every application partition (as said, all in one line; the loop feeds the partition query from above into the cn=Infrastructure query, and skip=1 drops the header line dsquery prints before the values):
for /f "skip=1" %i in ('dsquery * "cn=partitions,cn=configuration,dc=example,dc=com" -filter "(systemflags=5)" -attr nCName') do @dsquery * "cn=Infrastructure,%i" -scope base -attr fSMORoleOwner
Have fun [;)]
But why do I care about application partitions infrastructure masters?
Actually I had a conversation about this in Redmond a couple of years ago, that there's an infrastructure master for every application partition. I had actually forgotten about this, until a colleague of mine told me about an issue when preparing your forest for Windows Server 2008 Read-Only Domain Controllers (RODCs).
If you want to prepare your forest for Windows Server 2008 Read-Only Domain Controllers, you have to run "adprep /rodcprep". This command sets permissions so that RODCs are able to replicate content. RODCs are not members of the Domain Controllers group, so by default they don't have sufficient permissions. Since RODCs may host Active Directory-integrated DNS zones, those permissions are also required on the DNS application partitions. We cannot be sure that any particular DC holds all application partitions (for the DomainDnsZones of every domain that's a given as soon as you have multiple domains), and it's not even guaranteed that the domain's Infrastructure Master holds the application partitions of its own domain (if it's not a DNS server, it doesn't hold its own domain's DomainDnsZones either). So Microsoft decided to have this command target the application partitions' IMs (we are still talking about "adprep /rodcprep").
Many companies have either reinstalled DCs or taken DCs down. One of the DCs that has often been taken down is the first DC in the forest, either because it's being upgraded from a previous OS, or because of old hardware, hardware failures and so on. However, the first DC in the forest also holds the application partition infrastructure master (let's introduce the acronyms AP-IM for that and D-IM for the domain's infrastructure master) for ForestDnsZones and for the DomainDnsZones of the forest root domain. When administrators took those DCs down, they moved the FSMOs, because they know it's the right thing to do. However, whether you use the MMCs or ntdsutil to move the FSMOs (KB 324801: How to view and transfer FSMO roles in Windows Server 2003, and KB 255504: Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller), the AP-IMs are not moved along; those tools only know the five classic roles.
So it is very likely that a company has application partitions without a working infrastructure master, because the server is offline or removed and the role has never been transferred.
Is it critical if the application partition infrastructure master is not available anymore?
No, in most cases it's not. The default application partitions are used by DNS only, and they store nothing but the DNS zones and the dnsNode objects that represent the records. They don't use linked attributes, so there's no work for an infrastructure master in those partitions. However, you definitely need to fix it if you want to introduce Windows Server 2008 Read-Only Domain Controllers, because "adprep /rodcprep" fails otherwise. You can do this manually by simply writing the distinguishedName of the NTDS Settings object of the server that's supposed to hold the role into the fSMORoleOwner attribute of the cn=Infrastructure,dc=<your-application-partition's-dn> object. Do that write against the DC that is to become the new owner (a role transfer by LDAP write is only accepted by the DC whose own NTDS Settings object you write), and make sure that DC actually holds a replica of the partition. The issue is also described in KB 949257: Error message when you run the "Adprep /rodcprep" command in Windows Server 2008: "Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com", which also provides you with a VBScript to change the role owner.
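The check from "Where can I see the application partitions infrastructure masters?" and the fix described just above, as an added PowerShell example (it is not from the original post and it is not Microsoft's KB 949257 script): it enumerates the application partitions with the same (systemFlags=5) filter as the dsquery commands, reads each partition's cn=Infrastructure fSMORoleOwner from a DC that actually hosts that partition, flags role owners that no longer exist (a reference to a deleted NTDS Settings object shows up as a mangled DN containing "\0ADEL:"), and with -Fix writes the new owner's own NTDS Settings DN the way the KB script does. The RSAT ActiveDirectory module, and the parameter names $Server, $NewOwner and -Fix, are assumptions of this example.

```powershell
# Added example, not part of the original post: find the infrastructure master of
# every application partition and flag (optionally fix) orphaned role owners.
# Assumes the RSAT ActiveDirectory module (ADWS on the DCs) and an account that
# can read the Configuration NC; $Server, $NewOwner and -Fix are names chosen here.
[CmdletBinding()]
param(
    [string]$Server = [string](Get-ADDomainController -Discover -Service ADWS).HostName,
    [string]$NewOwner,   # DNS name of the DC that should take over orphaned roles
    [switch]$Fix         # without -Fix the script only reports
)
Import-Module ActiveDirectory
if ($Fix -and -not $NewOwner) { throw '-Fix requires -NewOwner' }

# NTDS Settings DN -> DNS host name of that DC (via its parent server object)
function Get-DcHostName([string]$NtdsDn, [string]$Via) {
    $serverDn = $NtdsDn -replace '^CN=NTDS Settings,', ''
    (Get-ADObject -Server $Via -Identity $serverDn -Properties dNSHostName).dNSHostName
}

$configNc = (Get-ADRootDSE -Server $Server).configurationNamingContext

# systemFlags 5 = FLAG_CR_NTDS_NC (1) + FLAG_CR_NTDS_NOT_GC_REPLICATED (4):
# an NC hosted by NTDS and not replicated to the GC, i.e. an application partition.
$appPartitions = Get-ADObject -Server $Server -SearchBase "CN=Partitions,$configNc" `
    -LDAPFilter '(&(objectClass=crossRef)(systemFlags=5))' `
    -Properties nCName, 'msDS-NC-Replica-Locations'

foreach ($cr in $appPartitions) {
    $nc       = $cr.nCName
    $replicas = @($cr.'msDS-NC-Replica-Locations')   # NTDS Settings DNs hosting $nc
    if ($replicas.Count -eq 0) { Write-Warning "$nc has no replicas listed"; continue }

    # Ask a DC that really hosts the partition; $Server may not hold a copy of it.
    $dcHost = Get-DcHostName $replicas[0] $Server
    $infra  = Get-ADObject -Server $dcHost -Identity "CN=Infrastructure,$nc" -Properties fSMORoleOwner
    $owner  = [string]$infra.fSMORoleOwner

    # A deleted NTDS Settings object is referenced by a mangled DN containing "\0ADEL:"
    # (shown as an escaped newline or a literal one, depending on the tool); that is
    # the state in which adprep /rodcprep fails (KB 949257).
    $orphaned = $owner -match '(\\0A|\n)DEL:'
    if (-not $orphaned) {
        try   { $null = Get-ADObject -Server $dcHost -Identity $owner }
        catch { $orphaned = $true }   # owner DN no longer resolves
    }
    [pscustomobject]@{ Partition = $nc; InfrastructureMaster = $owner; Orphaned = $orphaned }

    if ($orphaned -and $Fix) {
        # The write must go to the DC that becomes the owner, carrying that DC's own
        # NTDS Settings DN (rootDSE dsServiceName), and that DC must host the partition.
        $newDsa = (Get-ADRootDSE -Server $NewOwner).dsServiceName
        if ($replicas -notcontains $newDsa) {
            Write-Warning "$NewOwner does not hold a replica of $nc; pick a DC that does"
            continue
        }
        Set-ADObject -Server $NewOwner -Identity "CN=Infrastructure,$nc" `
            -Replace @{ fSMORoleOwner = $newDsa }
        Write-Host "Infrastructure master of $nc is now $newDsa"
    }
}
```

Run it without -Fix first and look at the Orphaned column; the report alone tells you whether "adprep /rodcprep" will stumble. The script refuses to assign a partition's role to a DC that is not in that partition's msDS-NC-Replica-Locations, which is the check the MMCs and ntdsutil never make because they don't know about these roles at all.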