kam_uk
asked on
Domain Controllers 'owning' objects
Hi
An AD theory question for you guys..
I have one AD forest, split into emea.kam.com and apac.kam.com domains. Within each domain, there are multiple sites and OU's etc.
Each site has multiple DC's.
Question - am I correct in thinking that no DC actually 'owns' any AD object? Because the NTDS database is fully replicated, the information is completely shared between DC's of the same domain?
An AD theory question for you guys..
I have one AD forest, split into emea.kam.com and apac.kam.com domains. Within each domain, there are multiple sites and OU's etc.
Each site has multiple DC's.
Question - am I correct in thinking that no DC actually 'owns' any AD object? Because the NTDS database is fully replicated, the information is completely shared between DC's of the same domain?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Brian Pierce
Yes - this has been the case since Windows 2000 when the concept of a PDC and BDC was put out to grass. Object attibutes can be changed on any DC (Apart from RODCs in Win2008) and will replicate to the others.
Actually there is ownership of items in AD. Most of the objects created by default show and owner of the Domain Admins group. Even DCs themselves have owners. Records in DNS zones that are Active Directory Integrated are usually owned by the clients themselves that register them. Many different objects all with owners. Although I am not sure if the "Domain" itself can own an object (Never tried to change ownership that way)
Fingo11
Fingo11
Fingo, those are Permissions settings on Objects that determine who can read and modify them. Not which Domain Controllers can control them.
Grab a copy of REPLMON.EXE from the Windows Support Tools and view the 3 partitions - domain, schema and configuration. You'll see the domain partition is replicated among all DC's in the domain, whereas the schema and configuration are replicated to ALL DC's in the forest. Each DC has a copy of the object, associated with a USN - kinda like a serial # for the object - so it can know who has the latest copy of an object.
AD Objects seen with ADUC are in the domain partition, while objects seen in AD Sites & Services are configuration. Schema is a little harder to get into, but that's what gets updated when you add a new version of Exchange (etc) into the domain and it needs a 'schema update'
AD Objects seen with ADUC are in the domain partition, while objects seen in AD Sites & Services are configuration. Schema is a little harder to get into, but that's what gets updated when you add a new version of Exchange (etc) into the domain and it needs a 'schema update'
Read this:
http://en.wikipedia.org/wiki/Flexible_single_master_operation
It gives a very good explanation of what roles/servers "own" what.
http://en.wikipedia.org/wiki/Flexible_single_master_operation
It gives a very good explanation of what roles/servers "own" what.