Chapter 17. Application Partitions

Introduction

Active Directory domain controllers, when first installed, host three predefined partitions. The Configuration naming context is replicated to all domain controllers in the forest, and it contains information that is needed forest-wide, such as the site topology and LDAP query policies. The Schema naming context is also replicated forest-wide and contains all of the schema objects that define how data is stored and structured in Active Directory. The third partition is the Domain naming context, which is replicated to all of the domain controllers that host a particular domain.

There is another partition type that is called an application partition, which is very similar to the other naming contexts except that you can configure which domain controllers in the forest will replicate the data that’s contained within it. Examples include the DomainDnsZones partition, which is replicated across all AD integrated DNS servers in the same domain, and ForestDnsZones, which is replicated across all AD integrated DNS servers in the forest. This capability gives administrators much more flexibility over how they can store and replicate the data that is contained in Active Directory. If you need to replicate a certain set of data to only two different sites, for example, you can create an application partition that will only replicate the data to the domain controllers in those two sites rather than replicating the data to additional DCs that have no need for it.

See Chapter 13 for more on DNS-related management tasks, as well as Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly), for more details on application partitions.

The Anatomy of an Application Partition

Application partitions are stored in Active Directory in a similar fashion as a Domain NC. In fact, application partitions and Domain NCs consist of the same two types of objects: a domainDNS object and a crossRef object that resides under the Partitions container in the Configuration naming context (CNC). Application partitions have a similar naming convention as domains and can be named virtually anything you want. You can create an application partition that uses the current namespace within the forest. For example, in the adatum.com (dc=adatum,dc=com) forest, you could create an apps.adatum.com (dc=apps,dc=adatum,dc=com) application partition. Alternatively, a name that is part of a new tree can also be used; for example, apps.local (dc=apps,dc=local). Application partitions can also be subordinate to other application partitions.

Table 17-1 and Table 17-2 contain some of the interesting attributes of domainDNS and crossRef objects as they apply to application partitions.

Table 17-1. Attributes of domainDNS objects

Attribute

Description

dc

Relative distinguished name of the application partition.

instanceType

This attribute must be set to 5 when creating an application partition. See Creating and Deleting an Application Partition for more information.

msDs-masteredBy

List of nTDSDSA object DNs of the domain controllers that replicate the application partition. See Finding the Replica Servers for an Application Partition for more information.

Table 17-2. Attributes of crossRef objects

Attribute

Description

cn

Relative distinguished name of the crossRef object. This value is generally a GUID for application partitions.

dnsRoot

Fully qualified DNS name of the application partition.

msDS-NC-Replica-Locations

List of nTDSDSA object DNs of the domain controllers that replicate the application partition. See Finding the Replica Servers for an Application Partition for more information.

msDS-SDReferenceDomain

Domain used for security descriptor translation. See Setting the Reference Domain for an Application Partition for more information.

nCName

Distinguished name of the application partition’s corresponding domainDNS object.

systemFlags

Bit flag that identifies what kind of naming context the crossRef represents. Application partitions have bits 0 and 2 set (value 5), while domain naming contexts have bits 0 and 1 set (value 3). See Finding the Application Partitions in a Forest for more information.

Creating and Deleting an Application Partition

Problem

You want to create or delete an application partition. Application partitions are useful if you need to replicate data to a subset of locations where you have domain controllers. Instead of replicating the application data to all domain controllers in a domain, you can use an application partition to replicate the data to only the domain controllers of your choosing.

Solution

Using a command-line interface

Use the following command to create an application partition on a domain controller:

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> create nc <AppPartitionDN> NULL
> quit
> quit

Use the following command to delete an application partition:

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> delete nc <AppPartitionDN>
> quit
> quit

Discussion

To create an application partition, you create a domainDNS object with instanceType set to 5 that serves as the root container for the partition. A crossRef object is automatically created in the Partitions container in the Configuration NC. Conversely, when removing an application partition, you only need to remove the crossRef object and the domainDNS object is automatically deleted. When you delete an application partition, all objects within the partition also get deleted on every replica server. Tombstone objects are not created for any of the objects within the application partition or for the application partition itself, so there is nothing to recover afterwards; treat the delete as irreversible.
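The same create and delete steps, done with the ActiveDirectory PowerShell module instead of ntdsutil, as an added example that is not code from the book. It assumes the RSAT ActiveDirectory module is installed, that DC1 (an assumed name) is a writable domain controller that will hold the first replica, and the adatum.com forest used throughout the chapter. The systemFlags filter in the delete path deliberately matches only application partitions, so the function cannot be pointed at a domain's crossRef by mistake.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module and a DC named DC1.
Import-Module ActiveDirectory

$AppPartitionFilter = "(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))"

function New-AppPartition {
    param(
        [Parameter(Mandatory)][string]$Name,      # leaf RDN value, e.g. "apps"
        [Parameter(Mandatory)][string]$ParentDN,  # e.g. "dc=adatum,dc=com"
        [Parameter(Mandatory)][string]$Server     # DC that becomes the first replica
    )
    # instanceType 5 = IS_NC_HEAD (1) | NC_IS_WRITEABLE (4). That value is what makes the
    # DC treat the new domainDNS object as the head of a new naming context rather than
    # an ordinary container; the crossRef under cn=Partitions is created for you.
    New-ADObject -Name $Name -Type domainDNS -Path $ParentDN -Server $Server `
        -OtherAttributes @{ instanceType = 5 }

    # Read back the crossRef to confirm the partition exists and is flagged as an
    # application partition (systemFlags bits 0 and 2).
    $cfg = (Get-ADRootDSE -Server $Server).configurationNamingContext
    Get-ADObject -Server $Server -SearchBase "cn=Partitions,$cfg" -SearchScope OneLevel `
        -LDAPFilter "(&(nCName=dc=$Name,$ParentDN)$AppPartitionFilter)" `
        -Properties dnsRoot, nCName, systemFlags, msDS-NC-Replica-Locations, msDS-SDReferenceDomain
}

function Remove-AppPartition {
    param(
        [Parameter(Mandatory)][string]$DnsRoot,   # e.g. "apps.adatum.com"
        [Parameter(Mandatory)][string]$Server
    )
    $cfg = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $cr = Get-ADObject -Server $Server -SearchBase "cn=Partitions,$cfg" -SearchScope OneLevel `
        -LDAPFilter "(&(dnsRoot=$DnsRoot)$AppPartitionFilter)" `
        -Properties dnsRoot, nCName, msDS-NC-Replica-Locations
    if (-not $cr) { throw "No application partition with dnsRoot '$DnsRoot' (domain NCs are excluded on purpose)" }

    # Deleting the crossRef removes the NC and every object in it on all replica servers,
    # and no tombstones are written, so force an interactive confirmation.
    $replicaCount = @($cr.'msDS-NC-Replica-Locations').Count
    Write-Warning ("About to delete {0} ({1}), currently hosted by {2} DC(s)" -f $cr.dnsRoot, $cr.nCName, $replicaCount)
    Remove-ADObject -Identity $cr.DistinguishedName -Server $Server -Confirm:$true
}

# Usage (assumed names):
# New-AppPartition -Name apps -ParentDN 'dc=adatum,dc=com' -Server DC1
# Remove-AppPartition -DnsRoot apps.adatum.com -Server DC1
```

The create function returns the new crossRef so you can check msDS-NC-Replica-Locations immediately; at this point it contains only DC1's nTDSDSA object, which is why the next recipes add a second replica server.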

See Also

MSDN: Creating an Application Directory Partition; MSDN: Deleting an Application Directory Partition

Finding the Application Partitions in a Forest

Problem

You want to find the application partitions that have been created in a forest.

Solution

Using a graphical user interface

  1. Open LDP.

  2. From the menu, select Connection→Connect.

  3. Click OK to connect to the closest domain controller over port 389.

  4. From the menu, select Connection→Bind.

  5. Click OK to bind as the currently logged on user or select the option to bind with credentials, enter the credentials, and then click OK.

  6. From the menu, select Browse→Search.

  7. For Base DN, type the DN of the Partitions container (e.g., cn=partitions,cn=configuration,dc=adatum,dc=com).

  8. For Filter, enter:

    (&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))
  9. For Scope, select One Level.

  10. Click the Options button.

  11. For Attributes, enter dnsRoot.

  12. Click Run.

Using a command-line interface

Use the following command to find all of the application partitions in a forest:

> dsquery * cn=partitions,cn=configuration,<ForestDN> -filter "(&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))" -scope onelevel -attr dnsRoot

You can also find application partitions in a forest using AdFind:

> adfind -sc appparts+

Using PowerShell

The following example will search for application partitions within an Active Directory forest. The -band operator is translated to the same LDAP bitwise AND matching rule used in the other solutions:

Get-ADObject -SearchBase "cn=partitions,cn=configuration,<ForestDN>" -SearchScope OneLevel -Filter {(objectCategory -eq "crossRef") -and (systemFlags -band 5)} -Properties dnsRoot

Discussion

To get the list of application partitions in this recipe’s solution, we queried all crossRef objects in the Partitions container that have the systemFlags attribute with the bits 0 and 2 set (5 in decimal). To do this, a logical AND bitwise filter was used. See Searching with a Bitwise Filter for more on searching with a bitwise filter.

You can take a shortcut by not including the bitwise OID in the search filter, and changing it to systemFlags=5. This currently produces the same results in the test forest as with the bitwise filter, but there are no guarantees since it is a bit-flag attribute. You may encounter circumstances in which an application partition would have another bit set in systemFlags that would yield a different value.

In each solution, the dnsRoot attribute was printed for each application partition, which contains the DNS name of the application partition. You can also retrieve the nCName attribute, which contains the distinguished name of the application partition.
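An added example (not code from the book) that turns the query in this recipe into a small forest inventory: for every application partition it returns dnsRoot, nCName, the security descriptor reference domain and the replica servers, and flags partitions that have only one replica, which the next recipe warns against. It assumes the ActiveDirectory module and a reachable domain controller; the -Server parameter is optional. Server names are pulled out of the nTDSDSA DNs by splitting on commas, which is fine for the DC names the chapter uses but would mis-split a DN containing an escaped comma.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): bits 0 (NC) and 2 (not GC-replicated)
# must both be set. Domain NCs carry 3 and are excluded; partitions with extra bits still match.
$AppPartitionFilter = "(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))"

function Get-AppPartitionInventory {
    param([string]$Server)   # optional; defaults to whatever DC the module locates
    $srv = @{}
    if ($Server) { $srv.Server = $Server }

    $cfg = (Get-ADRootDSE @srv).configurationNamingContext
    Get-ADObject @srv -SearchBase "cn=Partitions,$cfg" -SearchScope OneLevel `
        -LDAPFilter $AppPartitionFilter `
        -Properties dnsRoot, nCName, systemFlags, msDS-NC-Replica-Locations, msDS-SDReferenceDomain |
    ForEach-Object {
        $replicas = @($_.'msDS-NC-Replica-Locations')
        [pscustomobject]@{
            DnsRoot       = $_.dnsRoot
            NCName        = $_.nCName
            SystemFlags   = $_.systemFlags
            SDRefDomain   = $_.'msDS-SDReferenceDomain'
            ReplicaCount  = $replicas.Count
            # Each value is an nTDSDSA DN: cn=NTDS Settings,cn=<DC>,cn=Servers,cn=<Site>,...
            # The DC name is the second RDN.
            Replicas      = @($replicas | ForEach-Object { (($_ -split ',')[1]) -replace '^cn=', '' })
            # A partition hosted by a single DC is lost if that DC fails.
            SingleReplica = ($replicas.Count -lt 2)
        }
    }
}

# Usage:
Get-AppPartitionInventory | Format-Table DnsRoot, ReplicaCount, SingleReplica, Replicas -AutoSize

# Only the partitions that need another replica server:
Get-AppPartitionInventory | Where-Object SingleReplica | Select-Object DnsRoot, NCName
```

Run this from any domain-joined machine with RSAT; because the crossRef objects live in the Configuration naming context, the same answer comes back from every DC in the forest once the configuration partition has replicated.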

Adding or Removing a Replica Server for an Application Partition

Problem

You want to add or remove a replica server for an application partition. After you’ve created an application partition, you should make at least one other server a replica server in case the first server fails.

Solution

Using a graphical user interface

To add a replica server to an application partition, follow these steps:

  1. Open ADSI Edit.

  2. If necessary, connect to the Configuration naming context of the forest the application partition is in.

  3. Expand the Configuration naming context and click on cn=Partitions.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Under Attributes, select the msDS-NC-Replica-Locations attribute and click Edit.

  6. In the “Value to add” field, enter the following:

    cn=NTDS Settings,cn=<DCName>,cn=Servers,cn=<SiteName>,cn=Sites,cn=Configuration,<ForestDN>
  7. Click Add, and then OK twice.

To remove a replica server from an application partition, follow these steps:

  1. Open ADSI Edit.

  2. If necessary, connect to the Configuration naming context of the forest the application partition is in.

  3. Expand the Configuration naming context and click on cn=Partitions.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Under Attributes, select the msDS-NC-Replica-Locations attribute and click Edit.

  6. Select the value to remove and then click Remove.

  7. Click OK twice.

Using a command-line interface

Use the following command to add a replica server for an application partition:

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> add nc replica <AppPartitionDN> <DomainControllerName>
> quit
> quit

Use the following command to remove a replica server from an application partition:

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> remove nc replica <AppPartitionDN> <DomainControllerName>
> quit
> quit

Using PowerShell

The following command will add DC2 to the list of replica locations for app1.adatum.com, while leaving the rest of the list intact:

Get-ADObject -SearchBase "cn=Partitions,cn=Configuration,dc=adatum,dc=com" -Filter {dnsroot -eq "app1.adatum.com"} | Set-ADObject -Add @{"msDS-NC-Replica-Locations"="cn=NTDS Settings,cn=DC2,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,dc=adatum,dc=com"}

The following command will remove DC2 from the replica location list for app1.adatum.com, without removing any other entries:

Get-ADObject -SearchBase "cn=Partitions,cn=Configuration,dc=adatum,dc=com" -Filter {dnsroot -eq "app1.adatum.com"} | Set-ADObject -Remove @{"msDS-NC-Replica-Locations"="cn=NTDS Settings,cn=DC2,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,dc=adatum,dc=com"}

Discussion

When you initially create an application partition, there is only one domain controller that hosts the application partition, namely the one you created the application partition on. You can add any other domain controllers in the forest as replica servers. The list of replica servers is stored in the msDS-NC-Replica-Locations attribute on the crossRef object for the application partition in the Partitions container. That attribute contains the distinguished name of each replica server’s nTDSDSA object. To add a replica server, simply add the DN of the new replica server’s nTDSDSA object. To remove a replica server, remove the DN of the nTDSDSA object for the server you want to remove. Behind the scenes, the KCC on each domain controller gets triggered whenever a change to that attribute reaches its copy of the Configuration naming context, at which point it will either cause the application partition to get replicated to the target domain controller or remove the replica from the target DC. Because the crossRef lives in the Configuration NC, the change must first replicate to the target DC before it takes effect there. When a domain controller is demoted, it should automatically remove itself as a replica server for any application partitions that it replicated; if it was the only replica server, the partition and its data are gone, so check with the next two recipes before demoting.

See Also

Finding the Replica Servers for an Application Partition for finding the replica servers for an application partition

Finding the Replica Servers for an Application Partition

Problem

You want to find the replica servers for an application partition.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. Connect to the Configuration naming context of the forest the application partition is in, if it is not already present in the left pane.

  3. Expand the Configuration naming context and click on the Partitions container.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Under Attributes, select the msDS-NC-Replica-Locations attribute and then click View.

Using a command-line interface

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> list nc replicas <AppPartitionDN>
> quit
> quit

Using PowerShell

Get-ADObject -SearchBase "cn=Partitions,cn=Configuration,dc=adatum,dc=com" -Filter {dnsroot -eq "<PartitionFQDN>"} -Properties msDS-NC-Replica-Locations

Discussion

The list of replica servers for an application partition is stored in the multivalued msDS-NC-Replica-Locations attribute on the crossRef object for the application partition. This object is located in the Partitions container in the Configuration naming context.

See Also

Adding or Removing a Replica Server for an Application Partition for adding and removing replica servers

Finding the Application Partitions Hosted by a Server

Problem

You want to find the application partitions that a particular server is hosting. Before you decommission a server, it is good to check to see whether it hosts any application partitions and, if so, to add another replica server to replace it.

Solution

Using a graphical user interface

  1. Open LDP.

  2. From the menu, select Connection→Connect.

  3. Click OK to connect to the closest domain controller over port 389.

  4. From the menu, select Connection→Bind.

  5. Click OK to bind as the currently logged on user or select the option to bind with credentials, enter the credentials, and then click OK.

  6. From the menu, select Browse→Search.

  7. For Base DN, type the DN of the Partitions container (e.g., cn=partitions,cn=configuration,dc=adatum,dc=com).

  8. For Filter, enter:

    (&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5)(msDS-NC-Replica-Locations=cn=NTDS Settings,cn=<DomainControllerName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestDN>))
  9. For Scope, select One Level.

  10. Click the Options button.

  11. For Attributes, enter dnsRoot.

  12. Click OK.

  13. Click Run.

Using a command-line interface

Use the following command to find all of the application partitions hosted by a domain controller. To run this command, you need the distinguished name of the forest root domain (<ForestDN>), the common name of the DC’s server object (<DomainControllerName>), and the common name of the site object the server is in (<SiteName>).

> dsquery * "cn=partitions,cn=configuration,<ForestDN>" -scope onelevel -attr dnsRoot -filter "(&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5)(msDS-NC-Replica-Locations=cn=NTDS Settings,cn=<DomainControllerName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestDN>))"

You can also display the application partitions hosted by a particular DC using AdFind:

> adfind -partitions -s onelevel -bit -f "(&(objectcategory=crossRef)(systemFlags:AND:=5)(msDS-NC-Replica-Locations=cn=NTDS Settings,cn=<DomainControllerName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>))"

Using PowerShell

Get-ADObject -SearchBase "cn=Partitions,cn=Configuration,dc=adatum,dc=com" -SearchScope OneLevel -Filter {(objectCategory -eq "crossRef") -and (systemFlags -band 5) -and (msDS-NC-Replica-Locations -eq "cn=NTDS Settings,cn=<DCName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestDN>")} -Properties dnsRoot

Discussion

As described in Adding or Removing a Replica Server for an Application Partition and Finding the Replica Servers for an Application Partition, the msDS-NC-Replica-Locations attribute on crossRef objects contains the list of replica servers for a given application partition. Each of the solutions illustrates how to perform a query using this attribute to locate all of the application partitions a particular domain controller is a replica server for. In each solution, you need to know the distinguished name of the nTDSDSA object for the target domain controller, which in turn requires the name of the site the server is in.
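A pre-decommission check built on this recipe's query, as an added example that is not code from the book. It resolves the DC's nTDSDSA DN with Get-ADDomainController (so the site name does not need to be typed in), finds every application partition the DC hosts, and reports the ones where it is the last replica server, because demoting such a DC destroys the partition. It assumes the ActiveDirectory module; the DC name DC2 in the usage line is an assumed name.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AppPartitionsHostedBy {
    param([Parameter(Mandatory)][string]$DCName)

    # NTDSSettingsObjectDN is the DN of the DC's nTDSDSA object, the value stored in
    # msDS-NC-Replica-Locations, so no site name has to be known in advance.
    $dc     = Get-ADDomainController -Identity $DCName
    $ntdsDN = $dc.NTDSSettingsObjectDN
    $cfg    = (Get-ADRootDSE -Server $dc.HostName).configurationNamingContext

    # Escape the characters that are special inside an LDAP filter value (RFC 4515)
    # before embedding the DN in the filter. Backslash goes first.
    $escaped = $ntdsDN -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $filter  = "(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5)(msDS-NC-Replica-Locations=$escaped))"

    Get-ADObject -Server $dc.HostName -SearchBase "cn=Partitions,$cfg" -SearchScope OneLevel `
        -LDAPFilter $filter -Properties dnsRoot, nCName, msDS-NC-Replica-Locations |
    ForEach-Object {
        # Other replica servers, excluding this DC (DN comparison is case-insensitive).
        $others = @(@($_.'msDS-NC-Replica-Locations') | Where-Object { $_ -ne $ntdsDN })
        [pscustomobject]@{
            DnsRoot       = $_.dnsRoot
            NCName        = $_.nCName
            OtherReplicas = $others.Count
            LastReplica   = ($others.Count -eq 0)   # demoting this DC would delete the partition
        }
    }
}

function Test-DCDecommissionSafe {
    param([Parameter(Mandatory)][string]$DCName)
    $hosted = @(Get-AppPartitionsHostedBy -DCName $DCName)
    $unsafe = @($hosted | Where-Object LastReplica)
    foreach ($p in $unsafe) {
        Write-Warning "$DCName is the only replica server for $($p.DnsRoot) ($($p.NCName)); add another replica before demoting"
    }
    Write-Host ("{0} hosts {1} application partition(s), {2} with no other replica" -f $DCName, $hosted.Count, $unsafe.Count)
    return ($unsafe.Count -eq 0)
}

# Usage (assumed DC name):
# Get-AppPartitionsHostedBy -DCName DC2 | Format-Table -AutoSize
# if (-not (Test-DCDecommissionSafe -DCName DC2)) { throw 'Not safe to demote DC2 yet' }
```

When the function reports a last replica, use the previous recipe to add another replica server and then the next recipe to confirm the new replica is fully instantiated before the demotion goes ahead.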

Verifying Application Partitions Are Instantiated Correctly on a Server

Problem

You want to verify that an application partition is instantiated on a replica server. After you add a domain controller as a replica server for an application partition, the data in the application partition needs to fully replicate to that domain controller before it can be used on that domain controller.

Solution

Using a command-line interface

Use the following command to determine whether there are any problems with application partitions on a domain controller:

> dcdiag /test:checksdrefdom /test:verifyreplicas /test:crossrefvalidation /s:<DomainControllerName>

You can also verify the state of a particular application partition by using ntdsutil as follows:

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DCName>
> quit
> list nc replicas <PartitionDN>
> quit
> quit

Discussion

The dcdiag CheckSDRefDom, VerifyReplicas, and CrossRefValidation tests can help determine whether an application partition has been instantiated on a server and whether there are any problems with it. Here is the dcdiag help information for those three tests:

CrossRefValidation

This test looks for cross-references that are in some way invalid.

CheckSDRefDom

This test checks that all application directory partitions have appropriate security descriptor reference domains.

VerifyReplicas

This test verifies that all application directory partitions are fully instantiated on all replica servers.

Another way you can check to see whether a certain application partition has been instantiated on a domain controller is to look at the msDS-HasInstantiatedNCs attribute for the server’s nTDSDSA object. That attribute has DN with Binary syntax and contains a list of all the application partitions that have been successfully instantiated on the server. Unfortunately, tools such as ADSI Edit and DSQuery do not interpret DN with Binary attributes correctly, but it can be viewed with LDP. In addition, you can use AdFind as follows:

> adfind -b "cn=NTDS Settings,cn=<DCName>,cn=Servers,cn=<SiteName>,cn=Sites,cn=Configuration,<ForestDN>" -f "msds-HasInstantiatedNCs=B:8:0000000D:<PartitionDN>" -dn

This will return results similar to the following:

AdFind V01.47.00cpp Joe Richards October 2012

Using server: adatum-dc.adatum.com:389
Directory: Windows Server 2012

dn:cn=NTDS Settings,cn=DC2,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,dc=adatum,dc=com

1 Objects returned
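An added example (not code from the book) that reads msDS-HasInstantiatedNCs with PowerShell and decodes it, since the GUI tools mentioned above do not display DN with Binary values usefully. It assumes the ActiveDirectory module returns each value in the string form B:<hex length>:<hex>:<DN> that the AdFind filter above uses, and that the binary portion carries the instanceType of that naming context on the DC, whose bits are documented for the instanceType attribute: 0x1 NC head, 0x2 not instantiated, 0x4 writable, 0x8 parent NC held, 0x10 NC being built by initial replication, 0x20 NC being removed. The sample values are constructed for the example, not real output.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module for the live query.
Import-Module ActiveDirectory

# instanceType bits as documented for the attribute.
$InstanceTypeBits = [ordered]@{
    NcHead          = 0x01
    NotInstantiated = 0x02
    Writable        = 0x04
    ParentNcHeld    = 0x08
    NcComing        = 0x10   # still being built by initial replication
    NcGoing         = 0x20   # being removed from this DC
}

function ConvertFrom-HasInstantiatedNC {
    param([Parameter(Mandatory)][string[]]$Values)
    foreach ($v in $Values) {
        # DN with Binary string form: B:<hexlen>:<hex>:<dn>. Split into at most four parts
        # so a ':' inside the DN would not break the parse.
        $parts = $v -split ':', 4
        if ($parts.Count -ne 4 -or $parts[0] -ne 'B') { throw "Not a DN-with-Binary value: $v" }
        $flags = [Convert]::ToInt32($parts[2], 16)
        [pscustomobject]@{
            NCName       = $parts[3]
            InstanceType = $flags
            Writable     = [bool]($flags -band 0x04)
            # Fully instantiated means none of the "not yet" / "going away" bits are set.
            Instantiated = -not ($flags -band (0x02 -bor 0x10 -bor 0x20))
            Flags        = @($InstanceTypeBits.GetEnumerator() |
                             Where-Object { $flags -band $_.Value } |
                             ForEach-Object Name)
        }
    }
}

# Constructed sample (not captured from a real DC): one fully instantiated writable NC and
# one application partition that is still being built by initial replication.
$sample = @(
    'B:8:0000000D:dc=adatum,dc=com',
    'B:8:0000001D:dc=app1,dc=adatum,dc=com'
)
ConvertFrom-HasInstantiatedNC -Values $sample | Format-Table NCName, InstanceType, Instantiated, Flags -AutoSize

function Get-InstantiatedNCs {
    param([Parameter(Mandatory)][string]$DCName)
    $dc  = Get-ADDomainController -Identity $DCName
    $dsa = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $dc.HostName -Properties msDS-HasInstantiatedNCs
    ConvertFrom-HasInstantiatedNC -Values @($dsa.'msDS-HasInstantiatedNCs')
}

function Test-AppPartitionInstantiated {
    param([Parameter(Mandatory)][string]$DCName, [Parameter(Mandatory)][string]$PartitionDN)
    $nc = Get-InstantiatedNCs -DCName $DCName | Where-Object { $_.NCName -eq $PartitionDN }
    return [bool]($nc -and $nc.Instantiated)
}

# Usage (assumed names):
# Get-InstantiatedNCs -DCName DC2 | Format-Table -AutoSize
# Test-AppPartitionInstantiated -DCName DC2 -PartitionDN 'dc=app1,dc=adatum,dc=com'
```

On the constructed sample the first entry decodes to NcHead, Writable and ParentNcHeld and is reported as instantiated, while the second also has NcComing set and is reported as not yet instantiated. Polling Test-AppPartitionInstantiated after adding a replica server tells you when the new replica is actually usable, which the replica list on the crossRef alone does not.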

See Also

MSDN: ms-DS-Has-Instantiated-NCs attribute [AD Schema]

Setting the Replication Notification Delay for an Application Partition

Problem

You want to set the replication notification delay for an application partition. Two replication-related settings that you can customize for application partitions (or any naming context for which change notification is enabled) include the first and subsequent replication delays after a change to the partition has been detected. The first replication delay is the time that a domain controller waits before it notifies its first replication partner that there has been a change. The subsequent replication delay is the time that the domain controller waits after it has notified its first replication partner before it will notify its next partner. You may need to customize these settings so that replication happens as quickly as you need it to for data in the application partition.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. Connect to the Configuration naming context of the forest that the application partition is in if a connection is not already present in the left pane.

  3. Expand the Configuration naming context and click on the Partitions container.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Set the msDS-Replication-Notify-First-DSA-Delay and msDS-Replication-Notify-Subsequent-DSA-Delay attributes to the number of seconds you want for each delay (see this recipe’s Discussion for more details).

  6. Click OK.

Using a command-line interface

To change the settings using the command line, run the following command:

> repadmin /notifyopt "<DCName>" "<AppPartitionDN>" /first:<FirstDelayInSeconds> /subs:<NextDelayInSeconds>

You can also change both of these parameters using AdMod, as follows:

> admod -b <AppPartitionCrossRefDN> msDS-Replication-Notify-First-DSA-Delay::<FirstDelayInSeconds> msDS-Replication-Notify-Subsequent-DSA-Delay::<NextDelayInSeconds>

Using PowerShell

To modify the initial and subsequent notification delays, you can use the following PowerShell command. Note that the target is the partition’s crossRef object in the Partitions container, not the partition head itself:

Set-ADObject "<AppPartitionCrossRefDN>" -Replace @{"msDS-Replication-Notify-First-DSA-Delay"="<FirstDelayInSeconds>"; "msDS-Replication-Notify-Subsequent-DSA-Delay"="<NextDelayInSeconds>"}

Discussion

The settings that control the notification delay are stored in the msDS-Replication-Notify-First-DSA-Delay and msDS-Replication-Notify-Subsequent-DSA-Delay attributes on the application partition’s crossRef object in the Partitions container. The time values are stored as seconds. The default for application partitions is 15 seconds for the first delay and three seconds for each subsequent delay.

See Also

MSDN: Application Directory Partition Replication [Active Directory]; MSDN: Modifying Application Directory Partition Configuration [Active Directory]; MSDN: ms-DS-Replication-Notify-First-DSA-Delay; MSDN: ms-DS-Replication-Notify-Subsequent-DSA-Delay

Setting the Reference Domain for an Application Partition

Problem

You want to set the reference domain for an application partition. Whenever you create an object in Active Directory, the default security descriptor that’s defined in the schema for the object’s class is applied to the object. This default security descriptor may reference specific groups, such as Domain Admins, but it is not specific to a domain. This makes a lot of sense for domain naming contexts, where the Domain Admins group in question would be the one that’s defined in the domain in question. But for application partitions that don’t contain a Domain Admins group, it is not so straightforward. Which domain’s Domain Admins group do you use? To work around this issue, you can set a default security descriptor reference domain for an application partition by setting the msDS-SDReferenceDomain attribute of the partition’s crossRef object. The default value of the msDS-SDReferenceDomain attribute is the domain that the application partition was created in.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. Connect to the Configuration naming context of the forest the application partition is in if it is not already present in the left pane.

  3. Expand the Configuration naming context and click on the Partitions container.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Under Attributes, select the msDS-SDReferenceDomain attribute.

  6. Enter the Distinguished Name for the appropriate domain and click OK.

Using a command-line interface

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> set nc reference domain <AppPartitionDN> <DomainDN>
> quit
> quit

You can also set the reference domain using AdMod:

> adfind -partitions -f "(dnsRoot=<PartitionDNSName>)" -dsq | admod msDS-SDReferenceDomain::"<DomainDN>"

Using PowerShell

Set-ADObject "<AppPartitionCrossRefDN>" -Replace @{"msDS-SDReferenceDomain"="<DomainDN>"}

Discussion

If you don’t set the msDS-SDReferenceDomain attribute for an application partition, then a specific hierarchy will be followed to determine the default security descriptor domain. These are the guidelines:

  • If the application partition is created as part of a new tree, the forest root domain is used as the default domain.

  • If the application partition is a child of a domain, the parent domain is used as the default domain.

  • If the application partition is a child of another application partition, the parent application partition’s default domain is used.
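The three rules above, implemented as a lookup you can run against a crossRef table, as an added example that is not code from the book. It works offline on a constructed set of crossRef entries (not live data) so the rules can be checked one by one; the same function can be fed live objects from cn=Partitions, using systemFlags bit 1 (value 2) to recognise a domain crossRef and bit 2 (value 4) to recognise an application partition. The forest root dc=adatum,dc=com and the child domain, partition and tree names are assumed for the example. Walking up the DN is done by cutting at the first comma, which is adequate for the plain names used here but not for DNs with escaped commas.

```powershell
# Added example, not from the book. Runs offline on constructed data.

$ForestRootDN = 'dc=adatum,dc=com'

# Constructed stand-in for the crossRef objects under cn=Partitions: nCName -> attributes.
# Domain NCs have systemFlags 3 (NC | DOMAIN); application partitions have 5 (NC | NOT_GC_REPLICATED).
$CrossRefs = @{
    'dc=adatum,dc=com'                          = @{ SystemFlags = 3; SDRefDomain = $null }
    'dc=child,dc=adatum,dc=com'                 = @{ SystemFlags = 3; SDRefDomain = $null }
    'dc=app1,dc=child,dc=adatum,dc=com'         = @{ SystemFlags = 5; SDRefDomain = $null }
    'dc=sub,dc=app1,dc=child,dc=adatum,dc=com'  = @{ SystemFlags = 5; SDRefDomain = $null }
    'dc=apps,dc=local'                          = @{ SystemFlags = 5; SDRefDomain = $null }
    'dc=pinned,dc=adatum,dc=com'                = @{ SystemFlags = 5; SDRefDomain = 'dc=child,dc=adatum,dc=com' }
}

function Get-ParentDN {
    param([string]$DN)
    $i = $DN.IndexOf(',')
    if ($i -lt 0) { return '' }
    return $DN.Substring($i + 1)
}

function Resolve-SDReferenceDomain {
    param(
        [Parameter(Mandatory)][string]$NCName,
        [hashtable]$Table = $CrossRefs,
        [string]$ForestRoot = $ForestRootDN
    )
    $cr = $Table[$NCName]
    if (-not $cr) { throw "No crossRef for $NCName" }

    if ($cr.SystemFlags -band 2) { return $NCName }      # a domain is its own reference domain
    if ($cr.SDRefDomain)         { return $cr.SDRefDomain }  # msDS-SDReferenceDomain set explicitly

    # Not set: find the nearest ancestor that is itself a naming context head.
    $parent = Get-ParentDN $NCName
    while ($parent -and -not $Table.ContainsKey($parent)) { $parent = Get-ParentDN $parent }

    if (-not $parent) { return $ForestRoot }             # rule 1: new tree -> forest root domain
    # rule 2: parent is a domain -> that domain; rule 3: parent is an application partition ->
    # whatever that partition resolves to. Both fall out of the recursion.
    return Resolve-SDReferenceDomain -NCName $parent -Table $Table -ForestRoot $ForestRoot
}

# Walk every constructed partition through the rules.
foreach ($nc in $CrossRefs.Keys | Sort-Object) {
    '{0,-45} -> {1}' -f $nc, (Resolve-SDReferenceDomain -NCName $nc)
}
```

For the constructed table this prints dc=child,dc=adatum,dc=com for app1 (rule 2), the same for sub because its parent is app1 (rule 3), dc=adatum,dc=com for dc=apps,dc=local (rule 1), and the explicitly pinned value for dc=pinned. To run it against a live forest, build $CrossRefs from Get-ADObject on cn=Partitions with -Properties nCName, systemFlags, msDS-SDReferenceDomain and pass the real forest root DN.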

See Also

Modifying the Default Security of a Class for more on setting the default security descriptor for a class; Creating and Deleting an Application Partition for creating an application partition

Delegating Control of Managing an Application Partition

Problem

You want to delegate control over the management of an application partition.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. Connect to the Configuration naming context of the forest the application partition is in if it is not already present in the left pane.

  3. Expand the Configuration naming context and click on the Partitions container.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Click the Security tab.

  6. Click the Advanced button.

  7. Click the Add button.

  8. Use the object picker to find the user or group you want to delegate control to and click OK.

  9. Under Properties, check the boxes beside Write msDS-NC-Replica-Locations, Write msDS-SDReferenceDomain, Write msDS-Replication-Notify-First-DSA-Delay, and Write msDS-Replication-Notify-Subsequent-DSA-Delay.

  10. Click OK.

Using a command-line interface

> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-NC-Replica-Locations
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-SDReferenceDomain
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-First-DSA-Delay
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-Subsequent-DSA-Delay

Warning

As is the case with most permissions, you should exercise care when delegating the ability to create or modify application partitions. Because application partitions reside within Active Directory, allowing them to be placed indiscriminately or setting the initial and subsequent replication delays too low can bring your network to a grinding halt.

Discussion

If you want to delegate control of management of application partitions, you must grant write access to four key attributes of the partition’s crossRef object. Here is a description of each attribute and what can be accomplished by having control over it:

msDS-NC-Replica-Locations

A user can add or remove replica servers for the application partition, and therefore decide which domain controllers hold a copy of its data. See Adding or Removing a Replica Server for an Application Partition for more information.

msDS-SDReferenceDomain

A user can define the default security descriptor domain for the application partition, which decides whose Domain Admins (and other domain-relative groups) end up in the default ACLs of new objects. See Setting the Reference Domain for an Application Partition for more information.

msDS-Replication-Notify-First-DSA-Delay

A user can change how long a domain controller waits before notifying its first replication partner of a change to the partition. See Setting the Replication Notification Delay for an Application Partition for more information.

msDS-Replication-Notify-Subsequent-DSA-Delay

A user can change the delay between notifications to each subsequent replication partner. See Setting the Replication Notification Delay for an Application Partition for more information.

Note that these permissions control the partition’s replication and security settings, not the data inside it. If you want to delegate control over managing objects within the application partition, you need to follow the same procedures you would when delegating control over objects in a domain naming context. See Delegating Control of an Active Directory Integrated Zone for more information on delegating control.
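The same delegation performed with the ActiveDirectory module and .NET ACL classes instead of dsacls, plus a read-back that lists exactly which property-scoped ACEs were granted, as an added example that is not code from the book. Each ACE is scoped to one attribute by its schemaIDGUID, which is the PowerShell equivalent of the RPWP;<attribute> form used by dsacls above. It assumes the ActiveDirectory module (which provides the AD: drive used by Get-Acl and Set-Acl) and uses ADATUM\AppPartAdmins as an assumed group name.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

# The four attributes on the crossRef object that the recipe delegates.
$DelegatedAttributes = @(
    'msDS-NC-Replica-Locations',
    'msDS-SDReferenceDomain',
    'msDS-Replication-Notify-First-DSA-Delay',
    'msDS-Replication-Notify-Subsequent-DSA-Delay'
)

function Get-SchemaAttributeGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute $LdapDisplayName not found in the schema" }
    # schemaIDGUID is a 16-byte octet string; a property-specific ACE needs it as a GUID.
    return [guid]$attr.schemaIDGUID
}

function Grant-AppPartitionManagement {
    param(
        [Parameter(Mandatory)][string]$CrossRefDN,   # DN of the partition's crossRef object
        [Parameter(Mandatory)][string]$Principal     # e.g. 'ADATUM\AppPartAdmins' (assumed)
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$CrossRefDN"
    foreach ($name in $DelegatedAttributes) {
        # Allow ReadProperty + WriteProperty on exactly this attribute; nothing else on the object.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-SchemaAttributeGuid $name))
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$CrossRefDN" -AclObject $acl
}

function Get-AppPartitionManagementAces {
    param([Parameter(Mandatory)][string]$CrossRefDN)
    # Map GUID -> attribute name so the read-back is human readable.
    $names = @{}
    foreach ($n in $DelegatedAttributes) { $names[(Get-SchemaAttributeGuid $n).ToString()] = $n }
    (Get-Acl -Path "AD:\$CrossRefDN").Access |
        Where-Object { $names.ContainsKey($_.ObjectType.ToString()) } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
            @{ n = 'Attribute'; e = { $names[$_.ObjectType.ToString()] } }
}

# Usage (assumed names): find the crossRef by dnsRoot, grant, then verify.
# $cfg = (Get-ADRootDSE).configurationNamingContext
# $cr  = Get-ADObject -SearchBase "cn=Partitions,$cfg" -SearchScope OneLevel -LDAPFilter "(dnsRoot=app1.adatum.com)"
# Grant-AppPartitionManagement -CrossRefDN $cr.DistinguishedName -Principal 'ADATUM\AppPartAdmins'
# Get-AppPartitionManagementAces -CrossRefDN $cr.DistinguishedName | Format-Table -AutoSize
```

The read-back is the check worth keeping: anyone listed with WriteProperty on msDS-NC-Replica-Locations can make any DC in the forest host, or drop, the partition, so review that output as you would any other high-impact delegation.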
