Types of Application Directory Partitions
In Windows 2000 Active Directory environments, domain controllers could hold up to four types of partitions, depending on their configured role. The types of partitions included:
- The domain partition, which contained all objects associated with a particular domain. This partition was replicated to all domain controllers in the same domain.
- The schema partition, which contained a copy of the Active Directory schema for a given forest. This partition was replicated to all domain controllers in the same forest.
- The configuration partition, which contained information about Active Directory sites and services. This partition was replicated to all domain controllers in the same forest.
- The global catalog partition, which contained a subset of the attributes of all objects in an Active Directory forest. This partition was replicated to all domain controllers configured as global catalog servers in the same forest.
Windows Server 2003 continues to support all four types of Active Directory partitions found in Windows 2000, but it also introduces a new type of partition known as an application directory partition.
An application directory partition is a partition that is replicated only to specific domain controllers throughout an Active Directory forest. Because an application directory partition is a feature specific to Windows Server 2003, only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Note
Although only domain controllers running Windows Server 2003 can host a replica of an application directory partition, these partitions can exist in Active Directory environments that still include Windows 2000 or Windows NT 4.0 domain controllers.
The main purpose of application directory partitions is to store data (objects and attributes) related to Active Directory–integrated applications and services. For example, Windows Server 2003 automatically creates an application directory partition for data used by the TAPI service. Along the same lines, an application directory partition could also be used to store data relating to services such as DNS. Some benefits of using application directory partitions to store information include:
- Provides redundancy, availability, and fault tolerance by replicating data to specific domain controllers throughout a forest
- Might reduce replication traffic because the application or service data is only replicated to specific domain controllers (replicas) where the information is required
- Allows applications or services that use Lightweight Directory Access Protocol (LDAP) to store and access their data in Active Directory.
Note
Application directory partitions can hold any type of object except security principals such as users, computers, and security groups.
Application directory partitions are most commonly created by the applications that use them to store and replicate data. However, members of the Enterprise Admins group can manually create or manage application directory partitions by using the Ntdsutil.exe command-line tool.
Application Directory Partition Naming
An application directory partition is part of the overall forest namespace just like any domain directory partition. It follows the same DNS and distinguished name naming conventions as a domain partition did in Windows 2000 Active Directory. An application directory partition can appear anywhere in the forest namespace that a domain partition can appear.
An application directory partition can be placed in the following areas in the forest namespace:
- As a child of a domain directory partition
- As a child of another application directory partition
- As the root of a new tree in the forest
For example, if you created an application directory partition named app1 as a child of the contoso.com domain, the DNS name of the application directory partition would be app1.contoso.com. The distinguished name of the application directory partition would be dc=app1,dc=contoso,dc=com. If you then created an application directory partition named app2 as a child of app1.contoso.com, the DNS name of the application directory partition would be app2.app1.contoso.com and the distinguished name would be dc=app2,dc=app1,dc=contoso,dc=com.
However, if the domain contoso.com was the root of the only domain tree in your forest, and you created an application directory partition with the DNS name of app1 and the distinguished name of dc=app1, this application directory partition would not be in the same tree as the contoso.com domain. This application directory partition would be the root of a new tree in the forest.
Domain partitions cannot be children of an application directory partition. For example, if you created an application directory partition with the DNS name of app1.contoso.com, you could not create a domain with the DNS name domain1.app1.contoso.com.
Application Directory Partition Replication
The Knowledge Consistency Checker (KCC) automatically generates and maintains the replication topology for all application directory partitions in a forest. When an application directory partition has replicas in more than one site, those replicas follow the same intersite replication schedule as a domain partition. Unlike objects from a domain partition, objects stored in an application directory partition are never replicated to the global catalog. However, any domain controller running Windows Server 2003 can hold an application directory partition replica, including global catalog servers.
In addition, if an application requests data through the global catalog port (with LDAP, port 3268, or with LDAP/SSL, port 3269), that query will not return any objects from an application directory partition if the computer hosting the application directory partition is also hosting the global catalog. This structure was adopted so that LDAP queries to different global catalogs would not return inconsistent results because the application directory partition might be replicated only to certain global catalog servers.
Tip
Objects stored in an application directory partition are never replicated to the global catalog. However, a domain controller functioning as a global catalog server can host a replica of an application directory partition.
Application Directory Partitions and Domain Controller Demotion
If you need to demote a domain controller that is hosting a replica of an application directory partition, you must consider the following:
- If a domain controller holds a replica of an application directory partition, you must remove the domain controller from the replica set or delete the application directory partition before you can demote the domain controller.
- If a domain controller holds the last replica of an application directory partition, before you can demote the domain controller you must do one of the following:
  - Specify that you want the Active Directory Installation Wizard to remove all replicas from the domain controller.
  - Remove the replica manually by using the utility provided by the application that installed it.
  - Remove the replica manually by using the Ntdsutil.exe command.
Before deleting an application directory partition, you should:
- Identify the applications that use it. To determine what application directory partitions are hosted on a computer, refer to the list on the Application Directory Partitions page of the Active Directory Installation Wizard, as shown in Figure 1.
- Determine whether it is safe to delete the last replica. Removing the last replica of an application directory partition results in the permanent loss of any data contained in the partition. If you have identified the applications using the application directory partition, consult the documentation provided with those applications to determine whether there is any reason to keep the data. If the programs that use the application directory partition are no longer being used, it is probably safe to remove the partition. In cases where you must demote the last domain controller holding a replica but have determined that the application directory partition must not be permanently deleted, follow these steps:
  1. Add a replica of the partition on another domain controller.
  2. Force the replication of the contents of the application directory partition to the domain controller holding the new replica.
  3. Remove the replica of the partition on the domain controller to be demoted.
- Identify the partition deletion tool provided by the application. Almost all programs that create application directory partitions provide a utility to manage and remove these partitions as necessary. When possible, always delete an application directory partition by using the utility provided by the program that created it. Refer to the program’s documentation for information about removing application directory partitions that were created and used by that program. If you cannot identify the program that created the application directory partition, or if the program does not provide a means to delete any application directory partitions that it might have created, you can use the Ntdsutil.exe command-line tool. To do this, refer to the section “Creating or Deleting an Application Directory Partition” later in this lesson.
Note
If the domain controller holds a TAPI application directory partition, you can use the Tapicfg.exe command-line tool to remove the TAPI application directory partition. For more information about the Tapicfg.exe command-line tool, refer to the Windows Server 2003 help.
Security Descriptor Reference Domain
Every container and object in Active Directory has a set of access control information associated with it. Known as a security descriptor,
this information controls the type of access allowed by users, groups,
and computers. If the object or container is not assigned a security
descriptor by the application or service that created it, it is
assigned the default security descriptor for that object class as
defined in the schema. This default security descriptor is ambiguous in
that it might assign members of the Domain Admins group read
permissions to the object, but it does not specify to what domain the
domain administrators belong. When an object is created in a domain
partition, that domain partition is used to specify which Domain Admins
group is assigned the read permission. For example, if an object is
created in domain1.contoso.com, members of the domain1 Domain Admins
group would be assigned read permission.
When an object is created in an application directory partition, the definition of the default security descriptor is less clear because an application directory partition can have replicas on domain controllers in different domains. Because of this potential ambiguity, a default security descriptor reference domain is assigned when the application directory partition is created.
The default security descriptor reference domain defines which domain name should be used when an application directory partition needs to assign a domain value for the default security descriptor. If the application directory partition is a child of a domain partition, the parent domain partition becomes the security descriptor reference domain by default. If the application directory partition is a child object of another application directory partition, the security descriptor reference domain of the parent application directory partition becomes the reference domain of this new partition. If the new application directory partition is created as the root of a new tree, the forest root domain is used as the default security descriptor reference domain.
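The naming rules from the “Application Directory Partition Naming” section and the three default reference domain rules above, worked through as a small Python model. This is an added example, not code from the lesson or from Microsoft; Forest, Partition, dns_to_dn and dn_to_dns are my own names, and the model assumes that a partition whose immediate parent name does not exist in the forest is treated as the root of a new tree (the lesson itself only shows the single-label case, dc=app1).

```python
from dataclasses import dataclass


@dataclass
class Partition:
    dns_name: str          # for example "app1.contoso.com"
    kind: str              # "domain" or "application"
    reference_domain: str  # DNS name of the default security descriptor reference domain


def dns_to_dn(dns_name):
    """app1.contoso.com -> dc=app1,dc=contoso,dc=com"""
    labels = [label for label in dns_name.lower().split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"dc={label}" for label in labels)


def dn_to_dns(dn):
    """dc=app1,dc=contoso,dc=com -> app1.contoso.com (only dc= RDNs are allowed)"""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() != "dc" or not value:
            raise ValueError(f"not a dc= RDN: {rdn!r}")
        labels.append(value.lower())
    return ".".join(labels)


class Forest:
    """Forest namespace: every domain and application directory partition, keyed by DNS name."""

    def __init__(self, forest_root):
        self.forest_root = forest_root.lower()
        self.partitions = {self.forest_root: Partition(self.forest_root, "domain", self.forest_root)}

    def parent_of(self, dns_name):
        """Partition one label up the namespace, or None when the name would start a new tree
        (assumption: a name whose immediate parent does not exist also starts a new tree)."""
        _, _, parent_name = dns_name.lower().partition(".")
        return self.partitions.get(parent_name) if parent_name else None

    def add_partition(self, dns_name, kind):
        dns_name = dns_name.lower()
        if dns_name in self.partitions:
            raise ValueError(f"{dns_name} already exists in the forest")
        parent = self.parent_of(dns_name)
        if kind == "domain":
            if parent is not None and parent.kind == "application":  # domains cannot be children of app partitions
                raise ValueError(f"domain {dns_name} cannot be a child of {parent.dns_name}")
            reference = dns_name  # objects in a domain refer to that domain's own Domain Admins
        elif kind == "application":
            if parent is None:
                reference = self.forest_root  # root of a new tree: forest root domain
            elif parent.kind == "domain":
                reference = parent.dns_name  # child of a domain partition: that domain
            else:
                reference = parent.reference_domain  # child of an app partition: inherit its reference
        else:
            raise ValueError(f"unknown partition kind {kind!r}")
        self.partitions[dns_name] = Partition(dns_name, kind, reference)
        return self.partitions[dns_name]

    def set_reference_domain(self, dns_name, domain):
        """Manual override (what 'set nc reference domain' does); only an existing domain qualifies."""
        target, chosen = self.partitions[dns_name.lower()], self.partitions.get(domain.lower())
        if target.kind != "application" or chosen is None or chosen.kind != "domain":
            raise ValueError("reference domain must be an existing domain partition")
        target.reference_domain = chosen.dns_name
```

Because the reference domain decides which Domain Admins group receives the default permissions on every object in the partition, checking it before the first instance is created is the point where a wrong choice is cheapest to fix.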
You can also manually specify a different security reference domain if that better meets your needs. However, if you plan to change the default security descriptor reference domain of a particular application directory partition, you should do so before creating the first instance of that partition. To do this, you must prepare what is known as a cross-reference object, and change the default security reference domain before creating the new application directory partition. The procedure for creating a cross-reference object is discussed later in this lesson.
Managing Application Directory Partitions
A variety of tools can be used to create, delete, or manage application directory partitions, including:
- Application-specific tools from the application vendor
- The Ntdsutil.exe command-line tool
- The LDP.exe utility
- Active Directory Service Interfaces (ADSI)
This lesson provides information about using Ntdsutil.exe to create and manage application directory partitions. Managing application directory partitions involves the following tasks:
- Create or delete an application directory partition
- Add or remove an application directory partition replica
- Display application directory partition information
- Set a notification delay
- Prepare a cross-reference object
- Set an application directory partition reference domain
Note
To perform these tasks, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.
To perform tasks related to creating and managing application directory partitions, the domain management command is issued from within Ntdsutil.exe. The following steps outline the procedure to access domain management functions with the Ntdsutil.exe utility.
1. Click Start, and then click Command Prompt.
2. At the command prompt, type ntdsutil.
3. At the ntdsutil prompt, type domain management.
4. At the domain management prompt, type connection.
5. At the server connections prompt, type connect to server ServerName, where ServerName is the DNS name of the domain controller to which you want to connect, as shown in Figure 2.
6. At the server connections prompt, type quit.
Creating or Deleting an Application Directory Partition
When you create an application directory partition, you are creating the first instance of this partition. When you delete an application directory partition, you are removing all replicas of that partition from your forest. The deletion process must replicate to all domain controllers that contain a replica of the application directory partition before the deletion process is complete. When an application directory partition is deleted, any data that is contained in it is lost. The following steps create or delete an application directory partition.
1. Type the appropriate commands to invoke the Ntdsutil.exe domain management command if necessary.
2. At the domain management prompt, do one of the following.
   - To create an application directory partition, type: create nc ApplicationDirectoryPartition DomainController, where ApplicationDirectoryPartition is the distinguished name of the application directory partition you want to create, such as dc=app1,dc=contoso,dc=com, and DomainController is the DNS name of the domain controller on which you want to create the application directory partition. To create the application directory partition on the domain controller you are currently connected to, you can use null for DomainController. This is illustrated in Figure 3.
   - To delete an application directory partition, type: delete nc ApplicationDirectoryPartition, where ApplicationDirectoryPartition is the distinguished name of the application directory partition you want to delete.
Adding or Removing an Application Directory Partition Replica
An application directory partition replica is an instance of a partition on another domain controller, created for redundancy or load-balancing purposes. When you remove an application directory partition replica, any data that is contained in the replica is lost.
To add or remove an application directory partition replica:
1. Type the appropriate commands to invoke the Ntdsutil.exe domain management command.
2. At the domain management command prompt, do one of the following.
   - To add an application directory partition replica, type: add nc ApplicationDirectoryPartition DomainController, where ApplicationDirectoryPartition is the distinguished name of the application directory partition replica that you want to add, and DomainController is the DNS name of the domain controller on which you want to create the application directory partition replica. To add the application directory partition replica on the domain controller you are currently connected to, you can use null for DomainController.
   - To remove an application directory partition replica, type: remove nc ApplicationDirectoryPartition DomainController, where ApplicationDirectoryPartition is the distinguished name of the application directory partition replica that you want to delete, and DomainController is the DNS name of the domain controller on which you want to remove the application directory partition replica. To remove the application directory partition replica on the domain controller you are currently connected to, you can use null for DomainController.
Tip
Remember that the create nc and delete nc Ntdsutil.exe domain management commands are used to create and delete application directory partitions, while the add nc and remove nc commands are used to add and remove application directory partition replicas.
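The demotion procedure from “Application Directory Partitions and Domain Controller Demotion” (add a replica elsewhere, force replication, then remove the replica from the domain controller being demoted) combined with the add nc, remove nc and delete nc commands of this section, as an added Python example that is not from the lesson or from Microsoft. ReplicaSet, plan_demotion, ntdsutil_args and run_plan are my own names; each prompt entry is passed as one ntdsutil.exe argument, and the forced replication step assumes repadmin /replicate (destination, source, naming context), a tool the lesson does not name.

```python
"""Replica-set bookkeeping and the command sequence a domain controller needs
before demotion when it holds a replica of an application directory partition."""
import subprocess


def ntdsutil_args(server, *commands):
    """Argument list for one non-interactive ntdsutil.exe run. Each element is
    what the interactive procedure types at a prompt, in order:
    domain management -> connection -> connect to server -> quit -> commands -> quit -> quit."""
    return ["ntdsutil", "domain management", "connection",
            f"connect to server {server}", "quit", *commands, "quit", "quit"]


class ReplicaSet:
    """Domain controllers holding a replica of one application directory partition."""

    def __init__(self, partition_dn, holders):
        self.partition_dn = partition_dn
        self.holders = {h.lower() for h in holders}

    def holds_last_replica(self, dc):
        return self.holders == {dc.lower()}

    def plan_demotion(self, dc, keep_data, new_holder=None):
        """Ordered list of argv lists to run before `dc` can be demoted.

        - dc holds no replica: nothing blocks demotion
        - dc holds one of several replicas: remove nc on dc
        - dc holds the last replica and the data may go: delete nc (every replica, data lost)
        - dc holds the last replica and the data must survive: add nc on new_holder,
          force replication to new_holder, then remove nc on dc
        Assumption: the forced replication uses repadmin /replicate (not named in the lesson).
        """
        dc = dc.lower()
        if dc not in self.holders:
            return []
        if not self.holds_last_replica(dc):
            return [ntdsutil_args(dc, f"remove nc {self.partition_dn} {dc}")]
        if not keep_data:
            return [ntdsutil_args(dc, f"delete nc {self.partition_dn}")]
        if not new_holder or new_holder.lower() == dc:
            raise ValueError("last replica: name another domain controller as new_holder to keep the data")
        new_holder = new_holder.lower()
        return [
            ntdsutil_args(dc, f"add nc {self.partition_dn} {new_holder}"),
            ["repadmin", "/replicate", new_holder, dc, self.partition_dn],  # destination, source, NC
            ntdsutil_args(dc, f"remove nc {self.partition_dn} {dc}"),
        ]

    def apply(self, plan):
        """Update the in-memory replica set as if the plan had run (executes nothing)."""
        for argv in plan:
            for token in argv:
                verb, _, rest = token.partition(" nc ")
                if verb == "add":
                    self.holders.add(rest.split()[-1])
                elif verb == "remove":
                    self.holders.discard(rest.split()[-1])
                elif verb == "delete":
                    self.holders.clear()


def run_plan(plan, dry_run=True):
    """Run each argv on a Windows Server 2003 domain controller; dry_run only echoes the commands."""
    for argv in plan:
        print(" ".join(f'"{a}"' if " " in a else a for a in argv))
        if not dry_run:
            subprocess.run(argv, check=True)
```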
Displaying Application Directory Partition Information
Any domain controller that holds a replica of a particular partition (including application directory partitions) is considered to be a member of the replica set for that directory partition. Ntdsutil.exe can be used to list the domain controllers that are members of a replica set for any directory partition, including application directory partitions.
To display information about different directory partitions, including application directory partitions:
1. Type the appropriate commands to invoke the Ntdsutil.exe domain management command.
2. At the domain management prompt, do one or more of the following.
   - To show the distinguished names of known directory partitions, type list. This is illustrated in Figure 4.
   - To show the reference domain and replication delays for an application directory partition, type list nc information DistinguishedName, where DistinguishedName is the distinguished name of the application directory partition you want information about.
   - To show the list of domain controllers in the replica set for an application directory partition, type list nc replicas DistinguishedName, where DistinguishedName is the distinguished name of the application directory partition you want information about.
Setting Replication Notification Delays
Changes made to a particular directory partition on a domain controller are replicated to the other domain controllers that contain that directory partition. The domain controller on which the change was made notifies its replication partners that it has a change. You can configure how long the domain controller will wait to send the change notification to its first replication partner if necessary. Similarly, you can also configure how long a domain controller waits to send the subsequent change notifications to its remaining replication partners. These delays can be set for any directory partition (including domain directory partitions) on a particular domain controller.
To set a replication notification delay:
1. Type the appropriate commands to invoke the Ntdsutil.exe domain management command.
2. At the domain management command prompt, type set nc replicate notification delay ApplicationDirectoryPartition DelayInSeconds AdditionalDelayInSeconds, where ApplicationDirectoryPartition is the distinguished name of the application directory partition for which you want to set a notification delay, DelayInSeconds is the number of seconds to delay before sending the change notification to the first replication partner, and AdditionalDelayInSeconds is the number of seconds to delay before sending subsequent change notifications to the remaining replication partners.
Delegating the Creation of Application Directory Partitions
Two primary actions take place when a new application directory partition is created:
- The cross-reference object for the partition is created.
- The application directory partition root node is created.
Normally, only members of the Enterprise Admins group can create an application directory partition. However, a member of the Enterprise Admins group can prepare a cross-reference object for the application directory partition in order to delegate the rest of the process to a user with more limited permissions.
The cross-reference object for an application directory partition holds several valuable pieces of information, including the domain controllers that are to hold a replica of this partition and the security descriptor reference domain. The partition root node is the Active Directory object at the root of the partition.
An Enterprise Admin can create the cross-reference object and then delegate to a person or group with less permissions the right to create the application directory partition root node. Both the creation of the cross-reference object and the application directory partition root node can be accomplished using Ntdsutil.exe.
After using Ntdsutil.exe to create the cross-reference object, the enterprise administrator must modify the cross-reference object’s access control list to allow the delegated user to modify this cross-reference. This will ultimately allow the delegated user to create the application directory partition and modify the list of domain controllers that hold replicas of the partition.
To prepare a cross-reference object:
1. Type the appropriate commands to invoke the Ntdsutil.exe domain management command.
2. At the domain management command prompt, type precreate ObjectName DomainController, where ObjectName is the distinguished name of the object you want to create and DomainController is the DNS name of the domain controller on which the object will reside.
Setting the Application Directory Partition Reference Domain
The security descriptor reference domain specifies a domain name for the default security descriptor for objects in an application directory partition. Recall that, by default, the security descriptor reference domain is the parent domain of the application directory partition. If the application directory partition is a child of another application directory partition, the default security descriptor reference domain is the security descriptor reference domain of the parent application directory partition. If the application directory partition has no parent, the forest root domain becomes the default security descriptor reference domain. You can use Ntdsutil.exe to change the default security descriptor reference domain.
To set an application directory partition reference domain:
1. Type the appropriate commands to invoke the Ntdsutil.exe domain management command.
2. At the domain management command prompt, type set nc reference domain ApplicationDirectoryPartition ReferenceDomain, where ApplicationDirectoryPartition is the distinguished name of the application directory partition for which you want to set the reference domain, and ReferenceDomain is the distinguished name of the domain that you want to be the reference domain for the application directory partition.
Tip
Know how to create and configure application directory partitions by using the various Ntdsutil.exe commands looked at in this lesson.