Link to home
Create AccountLog in
Avatar of kam_uk
kam_uk

asked on

Domain Controllers 'owning' objects

Hi

An AD theory question for you guys..

I have one AD forest, split into emea.kam.com and apac.kam.com domains. Within each domain, there are multiple sites and OU's etc.

Each site has multiple DC's.

Question - am I correct in thinking that no DC actually 'owns' any AD object? Because the NTDS database is fully replicated, the information is completely shared between DC's of the same domain?
ASKER CERTIFIED SOLUTION
Avatar of Adam Brown
Adam Brown
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Yes - this has been the case since Windows 2000 when the concept of a PDC and BDC was put out to grass. Object attibutes can be changed on any DC (Apart from RODCs in Win2008) and will replicate to the others.
Avatar of Fingo11
Fingo11

Actually there is ownership of items in AD.  Most of the objects created by default show and owner of the Domain Admins group.  Even DCs themselves have owners.  Records in DNS zones that are Active Directory Integrated are usually owned by the clients themselves that register them.  Many different objects all with owners.  Although I am not sure if the "Domain" itself can own an object (Never tried to change ownership that way)

Fingo11
Fingo, those are Permissions settings on Objects that determine who can read and modify them. Not which Domain Controllers can control them.
Grab a copy of REPLMON.EXE from the Windows Support Tools and view the 3 partitions - domain, schema and configuration.  You'll see the domain partition is replicated among all DC's in the domain, whereas the schema and configuration are replicated to ALL DC's in the forest.  Each DC has a copy of the object, associated with a USN - kinda like a serial # for the object - so it can know who has the latest copy of an object.

AD Objects seen with ADUC are in the domain partition, while objects seen in AD Sites & Services are configuration.  Schema is a little harder to get into, but that's what gets updated when you add a new version of Exchange (etc) into the domain and it needs a 'schema update'
Read this:
http://en.wikipedia.org/wiki/Flexible_single_master_operation
It gives a very good explanation of what roles/servers "own" what.