Chapter 17. Application Partitions

Introduction

Active Directory domain controllers, when first installed, host three predefined partitions. The Configuration naming context is replicated to all domain controllers in the forest, and it contains information that is needed forest-wide, such as the site topology and LDAP query policies. The Schema naming context is also replicated forest-wide and contains all of the schema objects that define how data is stored and structured in Active Directory. The third partition is the Domain naming context, which is replicated to all of the domain controllers that host a particular domain.

There is another partition type that is called an application partition, which is very similar to the other naming contexts except that you can configure which domain controllers in the forest will replicate the data that’s contained within it. Examples include the DomainDnsZones partition, which is replicated across all AD integrated DNS servers in the same domain, and ForestDnsZones, which is replicated across all AD integrated DNS servers in the forest. This capability gives administrators much more flexibility over how they can store and replicate the data that is contained in Active Directory. If you need to replicate a certain set of data to only two different sites, for example, you can create an application partition that will only replicate the data to the domain controllers in those two sites rather than replicating the data to additional DCs that have no need for it.

See Chapter 13 for more on DNS-related management tasks, as well as Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly), for more details on application partitions.

The Anatomy of an Application Partition

Application partitions are stored in Active Directory in a similar fashion as a Domain NC. In fact, application partitions and Domain NCs consist of the same two types of objects: a domainDNS object and a crossRef object that resides under the Partitions container in the Configuration naming context (CNC). Application partitions have a similar naming convention as domains and can be named virtually anything you want. You can create an application partition that uses the current namespace within the forest. For example, in the adatum.com (dc=adatum,dc=com) forest, you could create an apps.adatum.com (dc=apps,dc=adatum,dc=com) application partition. Alternatively, a name that is part of a new tree can also be used; for example, apps.local (dc=apps,dc=local). Application partitions can also be subordinate to other application partitions.

Table 17-1 and Table 17-2 contain some of the interesting attributes of domainDNS and crossRef objects as they apply to application partitions.

Table 17-1. Attributes of domainDNS objects

Attribute

Description

dc

Relative distinguished name of the application partition.

instanceType

This attribute must be set to 5 when creating an application partition. See Creating and Deleting an Application Partition for more information.

msDs-masteredBy

List of nTDSDSA object DNs of the domain controllers that replicate the application partition. See Finding the Replica Servers for an Application Partition for more information.

Table 17-2. Attributes of crossRef objects

Attribute

Description

cn

Relative distinguished name of the crossRef object. This value is generally a GUID for application partitions.

dnsRoot

Fully qualified DNS name of the application partition.

msDS-NC-Replica-Locations

List of nTDSDSA object DNs of the domain controllers that replicate the application partition. See Finding the Replica Servers for an Application Partition for more information.

msDS-SDReferenceDomain

Domain used for security descriptor translation. See Setting the Reference Domain for an Application Partition for more information.

nCName

Distinguished name of the application partition’s corresponding domainDNS object.

systemFlags

Bit flag that identifies whether the crossRef represents an application. See Finding the Application Partitions in a Forest for more information.

Creating and Deleting an Application Partition

Problem

You want to create or delete an application partition. Application partitions are useful if you need to replicate data to a subset of locations where you have domain controllers. Instead of replicating the application data to all domain controllers in a domain, you can use an application partition to replicate the data to only the domain controllers of your choosing.

Solution

Using a command-line interface

Use the following command to create an application partition on a domain controller:

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> create nc <AppPartitionDN> NULL
> quit
> quit

Use the following command to delete an application partition:

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> delete nc <AppPartitionDN>
> quit
> quit

Discussion

To create an application partition, you create a domainDNS object that serves as the root container for the partition. A crossRef object is automatically created in the Partitions container in the Configuration NC. Conversely, when removing an application partition, you only need to remove the crossRef object and the domainDNS is automatically deleted. When you delete an application partition, all objects within the partition also get deleted. Tombstone objects are not created for any of the objects within the application partition or for the application partition itself.

See Also

MSDN: Creating an Application Directory Partition; MSDN: Deleting an Application Directory Partition

Finding the Application Partitions in a Forest

Problem

You want to find the application partitions that have been created in a forest.

Solution

Using a graphical user interface

  1. Open LDP.

  2. From the menu, select Connection→Connect.

  3. Click OK to connect to the closest domain controller over port 389.

  4. From the menu, select Connection→Bind.

  5. Click OK to bind as the currently logged on user or select the option to bind with credentials, enter the credentials, and then click OK.

  6. From the menu, select Browse→Search.

  7. For Base DN, type the DN of the Partitions container (e.g., cn=partitions,cn=configuration,dc=adatum,dc=com).

  8. For Filter, enter:

    (&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))
  9. For Scope, select One Level.

  10. Click the Options button.

  11. For Attributes, enter dnsRoot.

  12. Click Run.

Using a command-line interface

Use the following command to find all of the application partitions in a forest:

> dsquery * cn=partitions,cn=configuration,<ForestDN> -filter↵
"(&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))"↵
-scope onelevel -attr dnsRoot

You can also find application partitions in a forest using AdFind:

> adfind -sc appparts+

Using PowerShell

The following example will search for application partitions within an Active Directory domain:

Get-ADObject -SearchBase "cn=partitions,cn=configuration,<ForestDN>" -Filter {(objectCategory -eq "crossref") -and (systemFlags -eq "5")}

Discussion

To get the list of application partitions in this recipe’s solution, we queried all crossRef objects in the Partitions container that have the systemFlags attribute with the bits 0 and 2 set (5 in decimal). To do this, a logical AND bitwise filter was used. See Searching with a Bitwise Filter for more on searching with a bitwise filter.

You can take a shortcut by not including the bitwise OID in the search filter, and changing it to systemFlags=5. This currently produces the same results in the test forest as with the bitwise filter, but there are no guarantees since it is a bit-flag attribute. You may encounter circumstances in which an application partition would have another bit set in systemFlags that would yield a different value.

In each solution, the dnsRoot attribute was printed for each application partition, which contains the DNS name of the application partition. You can also retrieve the nCName attribute, which contains the distinguished name of the application partition.

Adding or Removing a Replica Server for an Application Partition

Problem

You want to add or remove a replica server for an application partition. After you’ve created an application partition, you should make at least one other server a replica server in case the first server fails.

Solution

Using a graphical user interface

To add a replica server to an application partition, follow these steps:

  1. Open ADSI Edit.

  2. If necessary, connect to the Configuration naming context of the forest the application partition is in.

  3. Expand the Configuration naming context and click on cn=Partitions.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Under Attributes, select the msDS-NC-Replica-Locations attribute and click Edit.

  6. In the “Value to add” field, enter the following:

    cn=NTDS Settings,cn=<DCName>,cn=Servers,cn=Default-First-Site-Name,↵
    cn=Sites,cn=Configuration,<ForestDN>
  7. Click Add, and then OK twice.

To remove a replica server from an application partition, follow these steps:

  1. Open ADSI Edit.

  2. If necessary, connect to the Configuration naming context of the forest the application partition is in.

  3. Expand the Configuration naming context and click on cn=Partitions.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Under Attributes, select the msDS-NC-Replica-Locations attribute and click Edit.

  6. Select the value to remove and then click Remove.

  7. Click OK twice.

Using a command-line interface

Use the following command to add a replica server for an application partition:

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> add nc replica<AppPartitionDN> <DomainControllerName>
> quit
> quit

Use the following command to remove a replica server from an application partition:

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> remove nc replica <AppPartitionDN> <DomainControllerName>
> quit
> quit

Using PowerShell

The following command will add DC2 to the list of replica locations for app1.adatum.com, while leaving the rest of the list intact:

Get-ADObject -SearchBase "cn=Partitions,cn=Configuration,dc=adatum,dc=com" -Filter {dnsroot -eq "app1.adatum.com"} | Set-ADObject -Add @{"msDS-NC-Replica-Locations"="cn=NTDS Settings,cn=DC2,cn=Servers, cn=Default-First-Site-Name,cn=Sites,cn=Configuration,dc=adatum,dc=com"}

The following command will remove DC2 from the replica location list for app1.adatum.com, without removing any other entries:

Get-ADObject -SearchBase "cn=Partitions,cn=Configuration,dc=adatum,dc=com" -Filter {dnsroot -eq "app1.adatum.com"} | Set-ADObject -Remove @{"msDS-NC-Replica-Locations"="cn=NTDS Settings,cn=DC2,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,dc=adatum,dc=com"}

Discussion

When you initially create an application partition, there is only one domain controller that hosts the application partition, namely the one you created the application partition on. You can add any other domain controllers in the forest as replica servers. The list of replica servers is stored in the msDS-NC-Replica-Locations attribute on the crossRef object for the application partition in the Partitions container. That attribute contains the distinguished name of each replica server’s nTDSDSA object. To add a replica server, simply add the DN of the new replica server’s nTDSDSA object. To remove a replica server, remove the DN corresponding to the server’s nTDSDSA object that you want to remove. Behind the scenes, the KCC gets triggered anytime there is a change to that attribute, at which point it will either cause the application partition to get replicated to the target domain controller or remove the replica from the target DC. When a domain controller is demoted, it should automatically remove itself as a replica server for any application partitions that it replicated.

See Also

Finding the Replica Servers for an Application Partition for finding the replica servers for an application partition

Finding the Replica Servers for an Application Partition

Problem

You want to find the replica servers for an application partition.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. Connect to the Configuration naming context of the forest the application partition is in, if it is not already present in the left pane.

  3. Expand the Configuration naming context and click on the Partitions container.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Under Attributes, select the msDS-NC-Replica-Locations attribute and then click View.

Using a command-line interface

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> list nc replicas <AppPartitionDN>
> quit
> quit

Using PowerShell

Get-ADObject -SearchBase "cn=Partitions,cn=Configuration,dc=adatum,dc=com" -Filter; {dnsroot -eq "<PartitionFQDN>"} -Properties msDS-NC-Replica-Locations

Discussion

The list of replica servers for an application partition is stored in the multivalued msDS-NC-Replica-Locations attribute on the crossRef object for the application partition. This object is located in the Partitions container in the Configuration naming context.

See Also

Adding or Removing a Replica Server for an Application Partition for adding and removing replica servers

Finding the Application Partitions Hosted by a Server

Problem

You want to find the application partitions that a particular server is hosting. Before you decommission a server, it is good to check to see whether it hosts any application partitions and, if so, to add another replica server to replace it.

Solution

Using a graphical user interface

  1. Open LDP.

  2. From the menu, select Connection→Connect.

  3. Click OK to connect to the closest domain controller over port 389.

  4. From the menu, select Connection→Bind.

  5. Click OK to bind as the currently logged on user or select the option to bind with credentials, enter the credentials, and then click OK.

  6. From the menu, select Browse→Search.

  7. For Base DN, type the DN of the Partitions container (e.g., cn=partitions,cn=configuration,dc=adatum,dc=com).

  8. For Filter, enter:

    (&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5)(msDS-NC-Replica-Locations=cn=NTDS Settings,cn=<DomainControllerName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestDN>))
  9. For Scope, select One Level.

  10. Click the Options button.

  11. For Attributes, enter dnsRoot.

  12. Click OK.

  13. Click Run.

Using a command-line interface

Use the following command to find all of the application partitions hosted by a domain controller. To run this command, you need the distinguished name of the forest root domain (<ForestDN>), the common name of the DC’s server object (<DomainControllerName>), and the common name of the site object the server is in (<SiteName>).

> dsquery * "cn=partitions,cn=configuration,<ForestDN>" -scope onelevel -attrdnsRoot -filter "(&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5)
(msDS-NC-Replica-Locations=cn=NTDS Settings,cn=<DomainControllerName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestDN>))"

You can also display the application partitions hosted by a particular DC using AdFind:

> adfind -partitions -s onelevel -bit -f"(&(objectcategory=crossRef)(systemFlags:AND:=5)(msDS-NC-Replica-Locations=cn=NTDS
Settings,cn=<DomainControllerName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>))"

Using PowerShell

Get-ADObject -SearchBase "cn=Partitions,cn=Configuration,dc=adatum,dc=com" -Filter {(objectCategory -eq "crossRef") -and (systemFlags -eq "5") -and (msDS-NC-Replica-Locations -eq "cn=NTDS Settings,cn=<DCName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestDN>")}

Discussion

As described in Adding or Removing a Replica Server for an Application Partition and Finding the Replica Servers for an Application Partition, the msDS-NC-Replica-Locations attribute on crossRef objects contains the list of replica servers for a given application partition. Each of the solutions illustrates how to perform a query using this attribute to locate all of the application partitions a particular domain controller is a replica server for. For the GUI and CLI solutions, you need to know the distinguished name of the nTDSDSA object for the target domain controller.

Verifying Application Partitions Are Instantiated Correctly on a Server

Problem

You want to verify that an application partition is instantiated on a replica server. After you add a domain controller as a replica server for an application partition, the data in the application partition needs to fully replicate to that domain controller before it can be used on that domain controller.

Solution

Using a command-line interface

Use the following command to determine whether there are any problems with application partitions on a domain controller:

> dcdiag /test:checksdrefdom /test:verifyreplicas /test:crossrefvalidation/s:<DomainControllerName>

You can also verify the state of a particular application partition by using ntdsutil as follows:

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DCName>
> quit
> list nc replicas <PartitionDN>
> quit
> quit

Discussion

The dcdiag CheckSDRefDom, VerifyReplicas, and CrossRefValidation tests can help determine whether an application partition has been instantiated on a server and whether there are any problems with it. Here is the dcdiag help information for those three tests:

CrossRefValidation

This test looks for cross-references that are in some way invalid.

CheckSDRefDom

This test checks that all application directory partitions have appropriate security descriptor reference domains.

VerifyReplicas

This test verifies that all application directory partitions are fully instantiated on all replica servers.

Another way you can check to see whether a certain application partition has been instantiated on a domain controller is to look at the msDS-HasInstantiatedNCs attribute for the server’s nTDSDSA object. That attribute has DN with Binary syntax and contains a list of all the application partitions that have been successfully instantiated on the server. Unfortunately, tools such as ADSI Edit and DSQuery do not interpret DN with Binary attributes correctly, but it can be viewed with LDP. In addition, you can use AdFind as follows:

adfind -b "cn=NTDS Settings,cn=<DCName>,cn=Servers,cn=<SiteName>,cn=Sites,cn=Configuration,<ForestDN>" -f "msds-HasInstantiatedNCs=B:8:0000000D:<ParitionDN>" -dn

This will return results similar to the following:

AdFind V01.47.00cpp Joe Richards ([email protected]) October 2012

Using server: adatum-dc.adatum.com:389
Directory: Windows Server 2012

dn:cn=NTDS Settings,cn=DC2,cn=Servers,cn=Default-First-Site-Name,cn=Sites
cn=Configuration,dc=adatum,dc=com

1 Objects returned

See Also

MSDN: ms-DS-Has-Instantiated-NCs attribute [AD Schema]

Setting the Replication Notification Delay for an Application Partition

Problem

You want to set the replication notification delay for an application partition. Two replication-related settings that you can customize for application partitions (or any naming context for which change notification is enabled) include the first and subsequent replication delays after a change to the partition has been detected. The first replication delay is the time that a domain controller waits before it notifies its first replication partner that there has been a change. The subsequent replication delay is the time that the domain controller waits after it has notified its first replication partner before it will notify its next partner. You may need to customize these settings so that replication happens as quickly as you need it to for data in the application partition.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. Connect to the Configuration naming context of the forest that the application partition is in if a connection is not already present in the left pane.

  3. Expand the Configuration naming context and click on the Partitions container.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Set the msDS-Replication-Notify-First-DSA-Delay and msDS-Replication-Notify-Subsequent-DSA-Delay attributes to the number of seconds you want for each delay (see this recipe’s for more details).

  6. Click OK.

Using a command-line interface

To change the settings using the command line, run the following command:

> repadmin /notifyopt "<DCName>" "<AppPartitionDN>" /first:<FirstDelayInSeconds>
/subs:<NextDelayInSeconds>

You can also change both of these parameters using AdMod, as follows:

> admod -b <AppPartitionCrossRefDN>msDS-Replication-Notify-First-DSA-Delay::<FirstDelayInSeconds> msDS-Replication-Notify-Subsequent-DSA-Delay::<NextDelayInSeconds>

Using PowerShell

To modify the initial and subsequent notification delays, you can use the following PowerShell commands:

Set-ADObject "<PartitionDN>" -Replace @{"msDS-Replication-Notify-First-DSA-Delay"="<Interval>"}

Set-ADObject "<PartitionDN>" -Replace @{"msDS-Replication-Notify-Subsequent-DSA-Delay"="<Interval>"}

Discussion

The settings that control the notification delay are stored in the msDS-Replication-Notify-First-DSA-Delay and msDS-Replication-Notify-Subsequent-DSA-Delay attributes on the application partition’s crossRef object in the Partitions container. The time values are stored as seconds. The default for application partitions is 15 seconds for the first delay and three seconds for each subsequent delay.

See Also

MSDN: Application Directory Partition Replication [Active Directory]; MSDN: Modifying Application Directory Partition Configuration [Active Directory]; MSDN: ms-DS-Replication-Notify-First-DSA-Delay; MSDN: ms-DS-Replication-Notify-Subsequent-DSA-Delay

Setting the Reference Domain for an Application Partition

Problem

You want to set the reference domain for an application partition. Whenever you create an object in Active Directory, the default security descriptor that’s defined in the schema for the object’s class is applied to the object. This default security descriptor may reference specific groups, such as Domain Admins, but it is not specific to a domain. This makes a lot of sense for domain naming contexts, where the Domain Admins group in question would be the one that’s defined in the domain in question. But for application partitions that don’t contain a Domain Admins group, it is not so straightforward. Which domain’s Domain Admins group do you use? To work around this issue, you can set a default security descriptor reference domain for an application partition by setting the msDS-SDReferenceDomain attribute of the partition’s crossRef object. The default value of the msDS-SDReferenceDomain attribute is the domain that the application partition was created in.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. Connect to the Configuration naming context of the forest the application partition is in if it is not already present in the left pane.

  3. Expand the Configuration naming context and click on the Partitions container.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Under Attributes, select the msDS-SDReferenceDomain attribute.

  6. Enter the Distinguished Name for the appropriate domain and click OK.

Using a command-line interface

> ntdsutil
> activate instance ntds
> partition management
> connections
> connect to server <DomainControllerName>
> quit
> set nc ref domain<AppPartitionDN> <DomainDN>
> quit
> quit

You can also set the reference domain using AdMod:

> adfind -partitions -f "(dnsRoot=<PartitionDNSName>)" -dsq | admod msDS-SDReferenceDomain::"<DomainDN>"

Using PowerShell

Set-ADObject "<PartitionDN>" -Replace @{"msDS-SDReferenceDomain"="<DomainDN>"}

Discussion

If you don’t set the msDS-SDReferenceDomain attribute for an application partition, then a specific hierarchy will be followed to determine the default security descriptor domain. These are the guidelines:

  • If the application partition is created as part of a new tree, the forest root domain is used as the default domain.

  • If the application partition is a child of a domain, the parent domain is used as the default domain.

  • If the application partition is a child of another application partition, the parent application partition’s default domain is used.

See Also

Modifying the Default Security of a Class for more on setting the default security descriptor for a class; Creating and Deleting an Application Partition for creating an application partition

Delegating Control of Managing an Application Partition

Problem

You want to delegate control over the management of an application partition.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. Connect to the Configuration naming context of the forest the application partition is in if it is not already present in the left pane.

  3. Expand the Configuration naming context and click on the Partitions container.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Click the Security tab.

  6. Click the Advanced button.

  7. Click the Add button.

  8. Use the object picker to find the user or group you want to delegate control to and click OK.

  9. Under Properties, check the boxes beside Write msDS-NC-Replica-Locations, Write msDS-SDReferenceDomain, Write msDS-Replication-Notify-First-DSA-Delay, and Write msDS-Replication-Notify-Subsequent-DSA-Delay.

  10. Click OK.

Using a command-line interface

> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-NC-Replica-Locations
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-SDReferenceDomain
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-First-DSA-Delay
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-Subsequent-DSA-Delay

Warning

As is the case with most permissions, you should exercise care when delegating the ability to create or modify application partitions. Because application partitions reside within Active Directory, allowing them to be placed indiscriminately or setting the initial and subsequent replication delays too low can bring your network to a grinding halt.

Discussion

If you want to delegate control of management of application partitions, you must grant control over four key attributes. Here is a description of each attribute and what can be accomplished by having control over it:

msDS-NC-Replica-Locations

A user can add replica servers for the application partition. See Adding or Removing a Replica Server for an Application Partition for more information.

msDS-SDReferenceDomain

A user can define the default security descriptor domain for the application partition. See Setting the Reference Domain for an Application Partition for more information.

msDS-Replication-Notify-First-DSA-Delay

See Setting the Replication Notification Delay for an Application Partition for more information.

msDS-Replication-Notify-Subsequent-DSA-Delay

See Setting the Replication Notification Delay for an Application Partition for more information.

If you want to delegate control over managing objects within the application partition, you need to follow the same procedures you would when delegating control over objects in a domain naming context. See Delegating Control of an Active Directory Integrated Zone for more information on delegating control.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.136.236.17