CN=Infrastructure – what is it?


A few days ago on a newsgroup (yes, Usenet still lives 🙂) somebody asked what CN=Infrastructure is and whether it could have something to do with the GPO problems affecting his AD infrastructure. So … can it be the cause of such problems?

I was thinking about describing a case related to object recovery, which is also related to infrastructure updates, so maybe first I will describe what this CN=Infrastructure object is and what role it plays in AD.

If you haven't seen it yet, it's time to switch on Advanced Features in ADU&C or use a tool like LDP.EXE or ADSIEdit.msc; AD might not look the same :). You will find this object in every domain, directly under the domain naming context, so its full DN will be something like CN=Infrastructure,DC=<domain>,DC=<tld>.

If you look for it on the web, you will find information that it is the representation of the Infrastructure Master role holder. That is a slight simplification of its role. As we know, an Infrastructure Master exists in every domain and is used for several tasks; one of them is managing phantom objects. Phantom objects (another creature which may be present in AD but is not easy to see) are created in the directory to represent objects from another domain (naming context) which are, for example, members of a group. The Infrastructure Master role holder is responsible for creating, updating and deleting these objects in AD.

And here our CN=Infrastructure object plays its part. Because phantoms are not real directory objects and exist only in the database layer, changes to phantoms can't be replicated using the standard AD mechanisms. When the Infrastructure Master has to inform other DCs about phantom changes, it creates an object of class infrastructureUpdate in CN=Infrastructure (the object, even though it is not a container, can contain other objects), and this object is replicated across the environment and processed to update the phantom data. To make it more interesting, such an object is deleted right after creation :).

So as you can see, the Infrastructure object is used as a kind of transport for updates generated by the Infrastructure Master in the domain.
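As an added example (not code from the original post), the following PowerShell locates CN=Infrastructure in the current domain, reads its fSMORoleOwner attribute (which holds the DN of the role holder's NTDS Settings object), cross-checks that against what Get-ADDomain reports, and then looks for infrastructureUpdate objects, including tombstoned ones, since live ones are deleted right after creation. It assumes the ActiveDirectory module on a domain-joined machine; dNReferenceUpdate is the attribute MS-ADTS documents on infrastructureUpdate objects, and no other names are assumed.

```powershell
# Added example: inspect CN=Infrastructure and recent infrastructureUpdate objects.
# Assumes the ActiveDirectory module and a domain-joined machine.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$infraDn  = "CN=Infrastructure,$domainDn"

# fSMORoleOwner is the DN of the role holder's NTDS Settings object, e.g.
# CN=NTDS Settings,CN=DC1,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=...
$infra = Get-ADObject -Identity $infraDn -Properties fSMORoleOwner, whenChanged

# The DC name is the second RDN of that DN (the server object under CN=Servers).
$ownerDc = ($infra.fSMORoleOwner -split ',')[1] -replace '^CN=', ''

[pscustomobject]@{
    InfrastructureObject = $infra.DistinguishedName
    fSMORoleOwner        = $infra.fSMORoleOwner
    OwnerDc              = $ownerDc
    FromGetADDomain      = $domain.InfrastructureMaster
    LastChanged          = $infra.whenChanged
}

# Get-ADDomain reports the FQDN of the role holder; compare host names only.
if ($domain.InfrastructureMaster.Split('.')[0] -ieq $ownerDc) {
    Write-Host "fSMORoleOwner agrees with Get-ADDomain: $ownerDc holds the Infrastructure Master role."
} else {
    Write-Warning "Mismatch: fSMORoleOwner says $ownerDc, Get-ADDomain says $($domain.InfrastructureMaster). Check replication."
}

# infrastructureUpdate objects are created under CN=Infrastructure and deleted right away,
# so they normally only exist as tombstones (moved to CN=Deleted Objects, with
# lastKnownParent still pointing at CN=Infrastructure). Search the whole domain NC
# with deleted objects included.
$updates = Get-ADObject -SearchBase $domainDn -SearchScope Subtree `
    -LDAPFilter '(objectClass=infrastructureUpdate)' `
    -IncludeDeletedObjects -Properties dNReferenceUpdate, whenCreated, isDeleted, lastKnownParent

if (-not $updates) {
    Write-Host 'No infrastructureUpdate objects found (live or tombstoned).'
} else {
    # dNReferenceUpdate (per MS-ADTS) carries the DN of the referenced object whose
    # phantom the other DCs must update.
    $updates |
        Select-Object Name, whenCreated, isDeleted, lastKnownParent, dNReferenceUpdate |
        Format-Table -AutoSize
}
```

Running this against a domain with no recent cross-domain membership changes typically shows the fSMORoleOwner line and "No infrastructureUpdate objects found"; that is the expected quiet state, not a fault.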

BTW, using permissions on the Infrastructure object you can delegate the permission to manage the Infrastructure Master FSMO role holder. But I don't think this is a task which is delegated often.
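Because that delegation is rare, it is worth checking who actually holds it. The following is an added example (not from the original post) that resolves the "Change Infrastructure Master" control access right by display name from CN=Extended-Rights in the configuration partition, then lists every principal allowed that right (or all extended rights, or GenericAll) on CN=Infrastructure, and warns about any principal that is not one of the default administrative groups. It assumes the ActiveDirectory module, which provides the AD: drive; no other names are assumed.

```powershell
# Added example: audit who can change the Infrastructure Master via CN=Infrastructure's ACL.
# Assumes the ActiveDirectory module (provides the AD: PSDrive).
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$infraDn  = "CN=Infrastructure,$domainDn"
$configDn = (Get-ADRootDSE).configurationNamingContext

# Resolve the GUID of the extended right by its display name rather than hard-coding it.
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" -SearchScope OneLevel `
    -LDAPFilter '(displayName=Change Infrastructure Master)' -Properties rightsGuid
if (-not $right) { throw 'Could not resolve the "Change Infrastructure Master" control access right.' }
$rightGuid = [guid]$right.rightsGuid

$acl = Get-Acl -Path "AD:\$infraDn"
$ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Keep Allow ACEs that grant this specific right, all extended rights (empty ObjectType),
# or full control, which implies it.
$holders = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        ($_.ActiveDirectoryRights.HasFlag($ext) -and
            ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [guid]::Empty)) -or
        $_.ActiveDirectoryRights.HasFlag($all)
    )
}

$holders | Select-Object IdentityReference, IsInherited,
    @{ n = 'Grants'; e = {
        if ($_.ObjectType -eq $rightGuid)      { 'Change Infrastructure Master' }
        elseif ($_.ObjectType -eq [guid]::Empty -and $_.ActiveDirectoryRights.HasFlag($ext)) { 'All extended rights' }
        else                                   { 'GenericAll (full control)' }
    } } | Format-Table -AutoSize

# Anything beyond the built-in administrative principals is a delegation worth documenting.
$holders |
    Where-Object { $_.IdentityReference.Value -notmatch '\\(Administrators|Domain Admins|Enterprise Admins|SYSTEM)$' } |
    ForEach-Object { Write-Warning "Non-default principal can change the Infrastructure Master: $($_.IdentityReference)" }
```

The name-based match at the end is deliberately simple; in a multi-domain forest, Enterprise Admins appears under the root domain's NetBIOS name, which the suffix match still covers.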

Answering the newsgroup question: it is very unlikely that this object can break anything in GPO processing in the domain. And in the end it turned out that something else was causing these errors.

And now I will start to work on the second part of this story …