Active Directory 2008 : Configuring the Global Catalog and Application Directory Partitions (part 2) - Understanding Application Directory Partitions

7. Understanding Application Directory Partitions

In review, the Domain, Configuration, and Schema partitions of the directory are replicated to all DCs in a domain, the Configuration and Schema are further replicated to all DCs in the forest, and the partial attribute set is replicated by global catalog servers. In addition, Active Directory also supports application directory partitions. An application directory partition is a portion of the data store that contains objects required by an application or service that is outside of the core AD DS service. Unlike other partitions, application partitions can be targeted to replicate to specific domain controllers; they are not, by default, replicated to all DCs.

Application directory partitions are designed to support directory-enabled applications and services. They can contain any type of object except security principals such as users, computers, or security groups. Because these partitions are replicated only as needed, application directory partitions provide the benefits of fault tolerance, availability, and performance while optimizing replication traffic.

The easiest way to understand application directory partitions is to examine the application directory partitions maintained by Microsoft DNS Server. When you create an Active Directory–integrated zone, DNS records are replicated between DNS servers by using an application directory partition. The partition and its DNS record objects are not replicated to every domain controller, only to those acting as DNS servers.

To explore the application directory partitions in your forest:

1. Open ADSI Edit.

2. Right-click the root of the snap-in, ADSI Edit, and click Connect To.

3. In the Select A Well Known Naming Context drop-down list, choose Configuration, and then click OK.

4. Expand Configuration and the folder representing the Configuration partition, and then select the Partitions folder, CN=Partitions, in the console tree.

   The details pane displays the partitions in your AD DS data store, as shown in Figure 3.

Figure 3. Partitions in the contoso.com forest

Note the two application partitions in Figure 3, ForestDnsZones and DomainDnsZones. Most application partitions are created by applications that require them. DNS is one example, and Telephony Application Programming Interface (TAPI) is another. Members of the Enterprise Admins group can also create application directory partitions manually by using Ntdsutil.exe.

An application partition can appear anywhere in the forest namespace that a domain partition can appear. The DNS partitions distinguished names—DC=DomainDnsZones,DC=contoso,DC=com, for example—place the partitions as children of the DC=contoso,DC=com domain partition. An application partition can also be a child of another application partition or a new tree in the forest.

Generally speaking, you use tools specific to the application to manage the application directory partition, its data, and its replication. For example, simply adding an Active Directory–integrated zone to a DNS server automatically configures the domain controller to receive a replica of the DomainDns partition. With tools such as Ntdsutil.exe and Ldp.exe, you can manage application directory partitions directly.

You should consider application partitions before demoting a domain controller. If a domain controller is hosting an application directory partition, you must evaluate the purpose of the partition, whether it is required by any applications, and whether the domain controller holds the last remaining replica of the partition, in which case, demoting the domain controller would result in permanent loss of all information in the partition. Although the Active Directory Domain Services Installation Wizard prompts you to remove application directory partitions, it is recommended that you manually remove application directory partitions before demoting a domain controller.

Practice Replication and Directory Partitions

Practice Replication and Directory Partitions

In this practice, you configure replication of the GC and examine the DNS application directory partitions.

EXERCISE 1 Configure a Global Catalog Server

The first domain controller in a forest acts as a GC server. You might want to place GC servers in additional locations to support directory queries, logon, and applications such as Exchange Server. In this exercise, you configure SERVER02 to host a replica of the partial attribute set—the GC.

1. Log on to SERVER01 as Administrator.

2. Open the Active Directory Sites And Services snap-in.

3. Expand HEADQUARTERS, Servers, and SERVER02.

4. Right-click NTDS Settings below SERVER02 and click Properties.

5. Select Global Catalog and click OK.

EXERCISE 2 Configure Universal Group Membership Caching

In sites without GC servers, user logon might be prevented if the site’s domain controller is unable to contact a GC server in another site. To reduce the likelihood of this scenario, you can configure a site to cache the membership of universal groups. In this exercise, you create a site to reflect a branch office and configure the site to cache universal group membership.

1. Right-click Sites and click New Site.

2. In the Name box, type BRANCHB.

3. Select DEFAULTIPSITELINK.

4. Click OK.

   If this were a production environment, you would need to create at least one subnet object linked to the site and install a domain controller in BRANCHB.

5. Select BRANCHB in the console tree.

6. Right-click NTDS Site Settings in the details pane and click Properties.

7. On the Site Settings tab, select the Enable Universal Group Membership Caching check box.

8. Click OK.

EXERCISE 3 Examine Application Directory Partitions

In this exercise, you explore the DomainDnsZone application directory partition, using ADSI Edit.

1. Open ADSI Edit from the Administrative Tools program group.

2. Right-click the root node of the snap-in, ADSI Edit, and click Connect To.

3. In the Select A Well Known Naming Context drop-down list, choose Configuration. Click OK.

4. Select Configuration in the console tree, and then expand it.

5. Select CN=Configuration, DC=contoso, DC=com in the console tree, and then expand it.

6. Select CN=Partitions in the console tree.

7. Make a note of the Directory Partition Name of the DomainDnsZones partition: DC=DomainDnsZones,DC=contoso,DC=com.

8. Right-click ADSI Edit and click Connect To.

9. Select the Select Or Type A Distinguished Name Or Naming Context option.

10. In the combo box, type DC=DomainDnsZones,DC=contoso,DC=com. Click OK.

11. Select Default Naming Context in the console tree, and then expand it.

12. Select and then expand DC=DomainDnsZones,DC=contoso,DC=com.

13. Select and then expand CN=MicrosoftDNS.

14. Select DC=contoso.com.

15. Examine the objects in this container. Compare them to the DNS records for the contoso.com domain, which you can view by using DNS Manager.