Application directory partitions
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Application directory partitions
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Applications and services can use application directory partitions to store application-specific data. Application directory partitions can contain any type of object, except security principals. TAPI is an example of a service that stores its application-specific data in an application directory partition.
Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
One of the benefits of an application directory partition is that, for redundancy, availability, or fault tolerance, the data in it can be replicated to different domain controllers in a forest. The data can be replicated to a specific domain controller or any set of domain controllers anywhere in the forest. This differs from a domain directory partition in which data is replicated to all domain controllers in that domain. Storing application data in an application directory partition instead of in a domain directory partition may reduce replication traffic because the application data is only replicated to specific domain controllers. Some applications may use application directory partitions to replicate data only to servers where the data will be locally useful.
Another benefit of application directory partitions is that applications or services that use Lightweight Directory Access Protocol (LDAP) can continue using it to access and store their application data in Active Directory. For more information, see Managing application directory partitions.
Application directory partition naming
An application directory partition is part of the overall forest namespace just like a domain directory partition. It follows the same Domain Name System (DNS) and distinguished names naming conventions as a domain directory partition. An application directory partition can appear anywhere in the forest namespace that a domain directory partition can appear.
There are three possible application directory partition placements within your forest namespace:
A child of a domain directory partition.
A child of an application directory partition.
A new tree in the forest.
If you created an application directory partition called example1 as a child of the microsoft.com domain, the DNS name of the application directory partition would be example1.microsoft.com. The distinguished name of the application directory partition would be dc=example1, dc=microsoft, dc=com.
If you then created an application directory partition called example2 as a child of example1.microsoft.com, the DNS name of the application directory partition would be example2.example1.microsoft.com and the distinguished name would be dc=example2, dc=example1, dc=microsoft, dc=com.
If the domain microsoft.com was the root of the only domain tree in your forest, and you created an application directory partition with the DNS name of example1 and the distinguished name of dc=example1, this application directory partition is not in the same tree as the microsoft.com domain. This application directory partition would be the root of a new tree in the forest.
Domain directory partitions cannot be children of an application directory partition. For example, if you created an application directory partition with the DNS name of example1.microsoft.com, you could not create a domain with the DNS name of domain.example1.microsoft.com.
Application directory partition replication
The Knowledge Consistency Checker (KCC) automatically generates and maintains the replication topology for all application directory partitions in the enterprise. When an application directory partition has replicas in more than one site, those replicas follow the same intersite replication schedule as the domain directory partition.
Objects stored in an application directory partition are never replicated to the global catalog as read-only replicas. Any domain controller running Windows Server 2003 can hold a replica, including global catalogs.
Additionally, if an application requests data through the global catalog port, that query will not return any objects from an application directory partition, even if the computer hosting the application directory partition is also hosting the global catalog. This is done so that LDAP queries to different global catalogs will not return inconsistent results because the application directory partition is replicated to only one of the global catalogs.
Security descriptor reference domain
Every container and object on the network has a set of access control information attached to it. Known as a security descriptor, this information controls the type of access allowed by users, groups, and computers. If the object or container is not assigned a security descriptor by the application or service that created it, then it is assigned the default security descriptor for that object class as defined in the schema. This default security descriptor is ambiguous in that it may assign members of the Domain Admins group read permissions to the object, but it does not specify to what domain the domain administrators belong. When this object is created in a domain naming partition, that domain naming partition is used to specify which Domain Admins group actually is assigned read permission. For example, if the object is created in mydomain.microsoft.com then members of the mydomain Domain Admins group would be assigned read permission.
When an object is created in an application directory partition, the definition of the default security descriptor is difficult because an application directory partition can have replicas on different domain controllers belonging to different domains. Because of this potential ambiguity, a default security descriptor reference domain is assigned when the application directory partition is created.
The default security descriptor reference domain defines what domain name to use when an object in the application directory partition needs to define a domain value for the default security descriptor. The default security descriptor reference domain is assigned at the time of creation.
If the application directory partition is a child of a domain directory partition, by default, the parent domain directory partition becomes the security descriptor reference domain. If the application directory partition is a child object of another application directory partition, the security descriptor reference domain of the parent application directory partition becomes the reference domain of the new, child, application directory partition. If the new application directory partition is created as the root of a new tree, then the forest root domain is used as the default security descriptor reference domain.
You can manually specify a security reference domain using Ntdsutil. However, if you plan to change the default security descriptor reference domain of a particular application directory partition, you should do so before creating the first instance of that partition. To do this, you must prepare the cross-reference object and change the default security reference domain before completing the application directory partition creation process. For information about precreating the cross-reference object, see Prepare a cross-reference object. For information about changing the default security reference domain, see Set an application directory partition reference domain.