Managing application directory partitions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use the following tools to create, delete, or manage application directory partitions.

  • Application-specific tools from the application vendor

  • Ntdsutil command-line tool

  • LDP

  • Active Directory Service Interfaces (ADSI)

For information about creating and managing application directory partitions with ADSI, see Active Directory Service Interfaces (ADSI) at the Microsoft Web site. For information about LDP, see Administration tools for the Active Directory schema.

For information about the Ntdsutil command-line tool, see Ntdsutil.

The following sections describe how to use Ntdsutil to create and manage application directory partitions.

Creating an application directory partition

When you create an application directory partition, you are creating the first instance (replica) of that partition. You can create an application directory partition by using the create nc command in the domain management menu of Ntdsutil. When you create an application directory partition by using LDP or ADSI, set the description attribute of the new domainDNS object (the partition root) to identify the application that will use the partition. For example, if the partition will store data for a Microsoft accounting program, the description could be Microsoft accounting application. Ntdsutil does not let you set a description. For more information, see Create or delete an application directory partition.
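
The following example, added here and not part of the original page, creates a partition from Windows PowerShell through ADSI so that the description can be set (which Ntdsutil cannot do), and then reads back the cross-reference object that the domain controller creates in the Partitions container. The server dc1.contoso.com, the partition DC=AppData,DC=contoso,DC=com and the description text are assumptions for illustration. The instanceType value 5 (naming-context head, writable) is what tells the domain controller to create a new partition rather than an ordinary object.

```powershell
# Added example; not from the original page. Server, DN and description are assumptions.
$dc        = 'dc1.contoso.com'                 # DC that will hold the first replica
$parentDn  = 'DC=contoso,DC=com'               # container the new partition hangs under
$rdn       = 'DC=AppData'                      # RDN of the partition root
$partition = "$rdn,$parentDn"                  # DC=AppData,DC=contoso,DC=com

# Bind to the parent and add a domainDNS object. instanceType 5 (IS_NC_HEAD 1 +
# NC_IS_WRITEABLE 4) marks the object as the head of a new writable naming context;
# without it the add would create an ordinary object inside the parent partition.
$parent = [ADSI]"LDAP://$dc/$parentDn"
$ncHead = $parent.Create('domainDNS', $rdn)
$ncHead.Put('instanceType', 5)
$ncHead.Put('description', 'Microsoft accounting application')   # what Ntdsutil cannot set
$ncHead.SetInfo()

# The DC creates the cross-reference in CN=Partitions automatically. Read it back so the
# script fails loudly if the partition was not actually created.
$configDn = ([ADSI]"LDAP://$dc/RootDSE").configurationNamingContext.Value
$search   = [ADSISearcher]"(&(objectClass=crossRef)(nCName=$partition))"
$search.SearchRoot = [ADSI]"LDAP://$dc/CN=Partitions,$configDn"
$crossRef = $search.FindOne()
if ($crossRef -eq $null) { throw "Cross-reference for $partition was not created" }
"Cross-reference : $($crossRef.Properties['distinguishedname'][0])"
"Replica set     : $($crossRef.Properties['msds-nc-replica-locations'] -join '; ')"

# Ntdsutil equivalent (no description possible). Each quoted argument is one Ntdsutil command:
#   ntdsutil "domain management" connections "connect to server dc1.contoso.com" quit `
#            "create nc DC=AppData,DC=contoso,DC=com NULL" quit quit
```

Run the script as a member of Enterprise Admins; the read-back at the end is the check that the add was accepted as a partition and not silently stored as a normal object.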

Deleting an application directory partition

When you delete an application directory partition, you remove all replicas of that partition from the forest. You can delete an application directory partition by using the delete nc command in the domain management menu of Ntdsutil. The deletion must replicate to every domain controller that holds a replica of the partition before it is complete, and all data in the partition is lost, so back up any data you still need before you delete the partition.

The Active Directory Installation Wizard (Dcpromo) cannot demote a domain controller if that domain controller holds a copy of an application directory partition. For more information, see Create or delete an application directory partition.

Adding and removing a replica of an application directory partition

An application directory partition replica is an instance of the partition on another domain controller. Changes are replicated between the domain controllers that hold replicas. Replicas are added either for redundancy or to place the data closer to the clients that need it. You can add a replica of an application directory partition by using the add nc replica command in the domain management menu of Ntdsutil. You can remove a replica by using the remove nc replica command in the same menu. For more information, see Add or remove an application directory partition replica.

Setting application directory partition reference domain

The security descriptor reference domain specifies the domain that is used to build the default security descriptor for objects created in the application directory partition: the domain-relative abbreviations in each class's defaultSecurityDescriptor (for example, DA for Domain Admins) are resolved to the security identifiers of that domain. By default, the security descriptor reference domain is the parent domain of the application directory partition. If the application directory partition is a child of another application directory partition, the default security descriptor reference domain is the security descriptor reference domain of the parent application directory partition. If the application directory partition has no parent, the forest root domain becomes the default security descriptor reference domain. You can use Ntdsutil to change the security descriptor reference domain. For more information, see Set an application directory partition reference domain.

Setting replication notification delays

Changes made to a directory partition on a domain controller are replicated to the other domain controllers that hold that directory partition. The domain controller on which the change was made notifies its replication partners that it has a change. You can configure how long the domain controller waits before it sends the change notification to its first replication partner, and how long it waits between the subsequent notifications to its remaining replication partners. These delays can be set for any directory partition (including domain directory partitions). Ntdsutil stores them on the partition's cross-reference object in the configuration directory partition, so the values apply to every domain controller that holds a replica of that partition. For more information, see Set a notification delay.
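
The following example, added here and not part of the original page, serves both the reference-domain section and the notification-delay section above. It shows the cross-reference attributes that the Ntdsutil set nc reference domain and set nc replicate notification delay commands write (msDS-SDReferenceDomain, msDS-Replication-Notify-First-DSA-Delay and msDS-Replication-Notify-Subsequent-DSA-Delay), and it computes the effective reference domain of a partition by applying the defaulting rule described above. The server dc1.contoso.com, the nested partition DC=Child,DC=AppData,DC=contoso,DC=com, the domain DC=contoso,DC=com and the delay values are assumptions for illustration.

```powershell
# Added example; not from the original page. Names and values are assumptions.
$dc        = 'dc1.contoso.com'
$partition = 'DC=Child,DC=AppData,DC=contoso,DC=com'   # application partition nested under another

$rootDse    = [ADSI]"LDAP://$dc/RootDSE"
$configDn   = $rootDse.configurationNamingContext.Value
$forestRoot = $rootDse.rootDomainNamingContext.Value
$partitions = [ADSI]"LDAP://$dc/CN=Partitions,$configDn"

# Cross-reference for a naming context, or $null if the DN is not a partition head.
function Get-CrossRef([string]$NcName) {
    $s = [ADSISearcher]"(&(objectClass=crossRef)(nCName=$NcName))"
    $s.SearchRoot = $partitions
    $r = $s.FindOne()
    if ($r -eq $null) { return $null }
    return $r.GetDirectoryEntry()
}

# Effective security descriptor reference domain, following the defaulting rule in the text:
# an explicit msDS-SDReferenceDomain wins; otherwise the parent domain; otherwise the parent
# application partition's effective reference domain; otherwise (no parent partition at all)
# the forest root domain.
function Get-EffectiveSdReferenceDomain([string]$NcName) {
    $cr = Get-CrossRef $NcName
    if ($cr -ne $null -and $cr.Properties['msDS-SDReferenceDomain'].Count -gt 0) {
        return [string]$cr.Properties['msDS-SDReferenceDomain'][0]
    }
    $parent = $NcName
    while ($parent.Contains(',')) {
        $parent = $parent.Substring($parent.IndexOf(',') + 1)   # strip the leading RDN
        $pcr = Get-CrossRef $parent
        if ($pcr -eq $null) { continue }                 # not a partition head; keep walking up
        $flags = [int]$pcr.Properties['systemFlags'][0]
        if ($flags -band 2) { return $parent }           # FLAG_CR_NTDS_DOMAIN: parent is a domain
        return Get-EffectiveSdReferenceDomain $parent    # parent is an application partition
    }
    return $forestRoot
}

'Effective reference domain: ' + (Get-EffectiveSdReferenceDomain $partition)

# Change it explicitly (what "set nc reference domain" does): store the domain DN on the
# cross-reference. Pick a domain whose Domain Admins you intend to own objects in this
# partition; the default security descriptor of every new object resolves to that domain.
$cr = Get-CrossRef $partition
if ($cr -eq $null) { throw "no cross-reference for $partition" }
$cr.Properties['msDS-SDReferenceDomain'].Value = 'DC=contoso,DC=com'

# Notification delays (what "set nc replicate notification delay" does), in seconds:
# delay before the first partner is notified, then delay between subsequent partners.
$cr.Properties['msDS-Replication-Notify-First-DSA-Delay'].Value      = 15
$cr.Properties['msDS-Replication-Notify-Subsequent-DSA-Delay'].Value = 3
$cr.CommitChanges()
```

Because the cross-reference lives in the configuration directory partition, both changes replicate to every domain controller in the forest; shortening the delays increases replication traffic for every replica of the partition, not just on the domain controller you connected to.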

Displaying application directory partition information

Any domain controller that holds a replica of a directory partition (including an application directory partition) is a member of the replica set for that partition. You can use the list nc replicas command in the domain management menu of Ntdsutil to list the domain controllers in the replica set of an application directory partition. The list reflects the replica set attribute of the cross-reference object (msDS-NC-Replica-Locations): adding a domain controller to that attribute does not by itself create the replica, but the domain controller appears in the list nc replicas output immediately. The replica is not complete until the creation of the instance has replicated to that domain controller. For more information, see Display application directory partition information.
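
The following example, added here and not part of the original page, covers both the replica section above and this one. It adds a replica the way the add nc replica command does, by appending the target domain controller's NTDS Settings DN to msDS-NC-Replica-Locations on the cross-reference, and then distinguishes the configured replica set from the replicas that actually exist by reading namingContexts from each domain controller's RootDSE. The server names dc1.contoso.com and dc2.contoso.com and the partition DC=AppData,DC=contoso,DC=com are assumptions for illustration.

```powershell
# Added example; not from the original page. Host names and the partition DN are assumptions.
$dc        = 'dc1.contoso.com'                 # DC to administer through
$partition = 'DC=AppData,DC=contoso,DC=com'
$newHost   = 'dc2.contoso.com'                 # DC that should receive a replica

$configDn = ([ADSI]"LDAP://$dc/RootDSE").configurationNamingContext.Value
$sitesDn  = "CN=Sites,$configDn"

# The replica set is the msDS-NC-Replica-Locations attribute of the cross-reference. Each
# value is the DN of a DC's NTDS Settings object, not a host name.
$search = [ADSISearcher]"(&(objectClass=crossRef)(nCName=$partition))"
$search.SearchRoot = [ADSI]"LDAP://$dc/CN=Partitions,$configDn"
$result = $search.FindOne()
if ($result -eq $null) { throw "no cross-reference for $partition" }
$crossRef = $result.GetDirectoryEntry()

# Resolve the target DC's NTDS Settings DN from its server object under CN=Sites.
$srvSearch = [ADSISearcher]"(&(objectClass=server)(dNSHostName=$newHost))"
$srvSearch.SearchRoot = [ADSI]"LDAP://$dc/$sitesDn"
$srv = $srvSearch.FindOne()
if ($srv -eq $null) { throw "no server object for $newHost" }
$ntdsDn = 'CN=NTDS Settings,' + $srv.Properties['distinguishedname'][0]

# "add nc replica": append the DN to the replica set. The inverse ("remove nc replica") is
# $crossRef.Properties['msDS-NC-Replica-Locations'].Remove($ntdsDn) followed by CommitChanges().
$crossRef.Properties['msDS-NC-Replica-Locations'].Add($ntdsDn) | Out-Null
$crossRef.CommitChanges()

# Membership in the replica set is only intent: the target DC builds its replica after the
# cross-reference change reaches it and the KCC runs. Compare the configured set with what
# each DC actually holds by reading namingContexts from that DC's RootDSE.
$configured = @($crossRef.Properties['msDS-NC-Replica-Locations'])
$allSearch  = [ADSISearcher]'(objectClass=server)'
$allSearch.SearchRoot = [ADSI]"LDAP://$dc/$sitesDn"
foreach ($entry in $allSearch.FindAll()) {
    if ($entry.Properties['dnshostname'].Count -eq 0) { continue }   # stale server object
    $dcName     = $entry.Properties['dnshostname'][0]
    $settingsDn = 'CN=NTDS Settings,' + $entry.Properties['distinguishedname'][0]
    $wanted     = $configured -contains $settingsDn
    try   { $held = @(([ADSI]"LDAP://$dcName/RootDSE").namingContexts) -contains $partition }
    catch { $held = 'unreachable' }
    '{0,-28} configured={1,-5} instantiated={2}' -f $dcName, $wanted, $held
}
```

A domain controller that shows configured=True and instantiated=False immediately after the add is expected; re-run the check after the configuration change has replicated to it. One that is instantiated but not configured, or configured on a domain controller you did not intend, is worth investigating, since the replica set decides where the partition's data is stored.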

Delegating the creation of application directory partitions

Creating an application directory partition involves two steps:

  • Creation of the cross-reference object.

  • Creation of the application directory partition root node.

Normally, only members of the Enterprise Admins group can create an application directory partition. However, a member of the Enterprise Admins group can prepare the cross-reference object for the partition and delegate the rest of the process to someone with more limited permissions.

The cross-reference object for an application directory partition holds several important attributes, including the list of domain controllers that are to hold a replica of the partition and the security descriptor reference domain. The partition root node is the Active Directory object at the root of the partition.

A member of Enterprise Admins can create the cross-reference object and then delegate to a user or group with fewer permissions the right to create the application directory partition root node. Both steps can be performed with Ntdsutil: precreate in the domain management menu creates the cross-reference object, and create nc creates the root node.

After creating the cross-reference object with Ntdsutil, the enterprise administrator must modify the access control list of the cross-reference object to allow the delegated administrator to modify it. This allows the delegated administrator to create the application directory partition and to modify the list of domain controllers that hold replicas of it. Because that list determines where the partition's data is stored, delegate this right only to administrators you would trust with the data itself. The delegated administrator must use the partition name and the domain controller name that were specified during the precreation process. For more information, see Prepare a cross-reference object.
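
The following example, added here and not part of the original page, carries the delegation procedure through end to end from Windows PowerShell: the enterprise administrator precreates the cross-reference with Ntdsutil, locates it, and grants a group write access to it; the delegated administrator later creates the partition root with create nc using the same partition and domain controller names. The server dc1.contoso.com, the partition DC=AppData,DC=contoso,DC=com and the group CONTOSO\AppPartitionAdmins are assumptions for illustration.

```powershell
# Added example; not from the original page. Host, DN and group names are assumptions.
$dc        = 'dc1.contoso.com'                 # DC named in the precreate step
$partition = 'DC=AppData,DC=contoso,DC=com'
$delegate  = New-Object System.Security.Principal.NTAccount('CONTOSO', 'AppPartitionAdmins')

# Step 1 (run as a member of Enterprise Admins): precreate the cross-reference with Ntdsutil.
# Each argument is one Ntdsutil command. The DC name used here is the one the delegate must use.
& ntdsutil 'domain management' connections "connect to server $dc" quit `
           "precreate $partition $dc" quit quit

# Step 2 (still Enterprise Admins): locate the precreated cross-reference and grant the
# delegate write access to its properties. The ACE goes on this one object only, not on the
# Partitions container, so the delegate cannot create cross-references for other partitions.
$configDn = ([ADSI]"LDAP://$dc/RootDSE").configurationNamingContext.Value
$search   = [ADSISearcher]"(&(objectClass=crossRef)(nCName=$partition))"
$search.SearchRoot = [ADSI]"LDAP://$dc/CN=Partitions,$configDn"
$result = $search.FindOne()
if ($result -eq $null) { throw "precreated cross-reference for $partition not found" }
$crossRef = $result.GetDirectoryEntry()

$rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($delegate, $rights, $allow)
$crossRef.ObjectSecurity.AddAccessRule($rule)
$crossRef.CommitChanges()
"Granted WriteProperty on $($crossRef.distinguishedName) to $delegate"

# Step 3 (run later, as a member of CONTOSO\AppPartitionAdmins): create the partition root.
# The DN and DC must match the precreate step exactly; with a different DN Ntdsutil would
# try to create a new cross-reference, which the delegate is not permitted to do.
& ntdsutil 'domain management' connections "connect to server $dc" quit `
           "create nc $partition $dc" quit quit
```

Write access to the cross-reference also lets the delegate edit msDS-NC-Replica-Locations, so after the partition exists review that attribute periodically to confirm replicas are only where you expect them.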

For more information about application directory partitions, see Application directory partitions.