Phantom Objects in Active Directory
Infrastructure Master Role and Global Catalog
Microsoft recommends not making the domain controller that holds the infrastructure master role a Global Catalog server.
This recommendation, however, applies only when both of the following are true:
- There are several domains in the forest
- There are domain controllers in the same domain which are not global catalog servers.
One reason for the recommendation is the existence of phantom objects in Active Directory. Phantom objects are database objects used for “internal administrative purpose operations” in Active Directory. They cannot be viewed through LDAP or ADSI.
Phantom objects can be created if, for example, an object is deleted in Active Directory while references or links to that object still exist. They may also be created if a domain local group has a user from another domain as a member.
If a domain controller has the infrastructure role and is simultaneously the global catalog server, phantom objects are never created (and never updated).
In Active Directory, phantom objects are created for inter-domain group-to-user links. They contain only the minimum information needed to locate the original object in the other domain (distinguished name, objectGUID and objectSID).
Remote user deleted – phantom object update necessary
Now, if a user from another domain is added to a domain local group, a phantom object for the “remote user” is created. If this “remote user” is changed or deleted, the corresponding phantom object must be updated by the domain controller holding the infrastructure master role. This is only possible if that domain controller is not also a global catalog server.
Event log: Event id 1419
If you find event ID “1419” with the event source “NTDS General” in the event log, check whether the infrastructure master is also a global catalog server and, if necessary, adjust the configuration according to the Microsoft recommendation.
The recommendation can, however, be ignored in the following cases:
- There is only one domain in the forest, then the infrastructure master may also be a global catalog server.
- Every domain controller in the domain is also a global catalog server.
If all domain controllers are also global catalog servers, the infrastructure master has nothing to do, because every global catalog server already knows all objects from the other domains.
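The following script is an added example (not part of the original article) that applies the rules above to a forest: for every domain it reports whether the infrastructure master is also a global catalog, whether the recommendation applies at all (more than one domain and at least one DC that is not a GC), and whether event 1419 has been logged on that DC. It assumes the RSAT ActiveDirectory module and an authenticated, domain-joined session; filtering the Directory Service log by event ID only is an assumption, because the provider name differs between Windows versions.

```powershell
# Added example: check the infrastructure master / global catalog placement
# per domain against the conditions described in the article.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = @($forest.Domains)

foreach ($domainName in $domains) {
    $domain = Get-ADDomain -Identity $domainName
    $imHost = $domain.InfrastructureMaster          # FQDN of the infrastructure master
    $imDc   = Get-ADDomainController -Identity $imHost -Server $domainName

    # All domain controllers of this domain (writable and read-only)
    $dcs   = @(Get-ADDomainController -Filter * -Server $domainName)
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # The recommendation applies only when both conditions hold:
    # several domains in the forest AND at least one DC of this domain is not a GC.
    $recommendationApplies = ($domains.Count -gt 1) -and ($nonGc.Count -gt 0)
    $needsAction           = $recommendationApplies -and $imDc.IsGlobalCatalog

    # Assumption: event 1419 is looked up by ID only in the Directory Service log,
    # since the event provider name varies by Windows version.
    $events = Get-WinEvent -ComputerName $imHost `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1419 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Domain                = $domainName
        InfrastructureMaster  = $imHost
        ImIsGlobalCatalog     = $imDc.IsGlobalCatalog
        DcsNotGlobalCatalog   = $nonGc.Count
        DomainsInForest       = $domains.Count
        RecommendationApplies = $recommendationApplies
        Event1419Seen         = (@($events).Count -gt 0)
        NeedsAction           = $needsAction
    }
}
```

A row with NeedsAction set to True identifies a domain where the infrastructure master should be moved to a DC that is not a global catalog, or where the remaining DCs should all be made global catalogs.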