Domain Controllers 'owning' objects


An AD theory question for you guys...

I have one AD forest, split into and domains. Within each domain, there are multiple sites and OUs etc.

Each site has multiple DCs.

Question - am I correct in thinking that no DC actually 'owns' any AD object? Because the NTDS database is fully replicated, the information is completely shared between DCs of the same domain?
Adam Brown
Yes - this has been the case since Windows 2000, when the concept of a PDC and BDC was put out to grass. Object attributes can be changed on any DC (apart from RODCs in Win2008) and will replicate to the others.
Fingo11

Actually, there is ownership of items in AD. Most of the objects created by default show an owner of the Domain Admins group. Even DCs themselves have owners. Records in DNS zones that are Active Directory Integrated are usually owned by the clients themselves that register them. Many different objects, all with owners. Although I am not sure if the "Domain" itself can own an object (never tried to change ownership that way).

Fingo, those are permissions settings on objects that determine who can read and modify them, not which Domain Controllers can control them.

Grab a copy of REPLMON.EXE from the Windows Support Tools and view the 3 partitions - domain, schema and configuration. You'll see the domain partition is replicated among all DCs in the domain, whereas the schema and configuration are replicated to ALL DCs in the forest. Each DC has a copy of the object, associated with a USN - kinda like a serial # for the object - so it can know who has the latest copy of an object.

AD objects seen with ADUC are in the domain partition, while objects seen in AD Sites & Services are configuration. Schema is a little harder to get into, but that's what gets updated when you add a new version of Exchange (etc.) into the domain and it needs a 'schema update'.
Read this:
It gives a very good explanation of what roles/servers "own" what.
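The two points above (the ACL owner Fingo describes versus the per-DC USN and partition replication Adam describes) can be checked directly with the ActiveDirectory PowerShell module. This is an added example, not code from the thread; it assumes RSAT/ActiveDirectory is installed, that you can read replication metadata, and the distinguished name `$dn` is a placeholder to replace with an object from your own domain.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# rights to read replication metadata; $dn is a placeholder object.
Import-Module ActiveDirectory

$dn = 'CN=Example User,OU=Staff,DC=corp,DC=example'   # placeholder DN

# 1. The three partitions: the domain NC replicates only inside the domain,
#    while the configuration and schema NCs replicate to every DC in the forest.
$root = Get-ADRootDSE
"Domain NC       : $($root.defaultNamingContext)"
"Configuration NC: $($root.configurationNamingContext)"
"Schema NC       : $($root.schemaNamingContext)"

# 2. The "owner" in Fingo's sense is a field of the object's security
#    descriptor (its ACL). It is data stored on the object, so it is identical
#    on every replica; it says nothing about which DC holds the object.
$obj = Get-ADObject -Identity $dn -Properties nTSecurityDescriptor
"ACL owner       : $($obj.nTSecurityDescriptor.Owner)"

# 3. Replication metadata per attribute, read from every DC in the domain.
#    LocalChangeUsn differs per replica (each DC has its own USN counter), but
#    Version, LastOriginatingChangeUsn and the originating DC are the same
#    everywhere once replication has converged: no DC "owns" the object, the
#    DC where the last write happened is simply recorded as its origin.
function Get-ReplicaMetadata {
    param([string]$ObjectDn, [string[]]$Attributes = @('description', 'sAMAccountName'))
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        Get-ADReplicationAttributeMetadata -Object $ObjectDn -Server $dc -Properties $Attributes |
            Select-Object @{ n = 'Replica'; e = { $dc } }, AttributeName, Version,
                          LocalChangeUsn, LastOriginatingChangeUsn,
                          LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeTime
    }
}

$meta = Get-ReplicaMetadata -ObjectDn $dn
$meta | Format-Table -AutoSize

# 4. Convergence check: one originating (Version, USN, DC) tuple per attribute
#    means all replicas agree; more than one means replication is still pending.
$meta | Group-Object AttributeName | ForEach-Object {
    $origins = $_.Group |
        ForEach-Object { '{0}/{1}/{2}' -f $_.Version, $_.LastOriginatingChangeUsn, $_.LastOriginatingChangeDirectoryServerIdentity } |
        Sort-Object -Unique
    '{0}: {1}' -f $_.Name, $(if ($origins.Count -eq 1) { 'converged' } else { "NOT converged ($($origins.Count) variants)" })
}
```

Use the same object against two DCs in different sites to see the local USNs diverge while the originating change stays identical.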