Domain Controllers 'owning' objects


An AD theory question for you guys..

I have one AD forest, split into and domains. Within each domain, there are multiple sites and OU's etc.

Each site has multiple DC's.

Question - am I correct in thinking that no DC actually 'owns' any AD object? Because the NTDS database is fully replicated, the information is completely shared between DC's of the same domain?
Adam BrownSenior Systems AdminCommented:
Yes, there is no ownership in Active Directory. However, Objects added to AD on one Domain Controller won't exist on others until replication occurs. That said, computers are configured to utilize a specific domain controller for authentication and login based on which site they are in. The site they are in is assigned through the Subnets that are assigned to each site. So if Site A has a subnet of 192.168.1.x, then all computers within that IP scheme will attempt to contact the Domain Controller(s) that is assigned to that site first, then attempt to use the next closest site based on link cost if the DCs in the site are incommunicado.

Brian PiercePhotographerCommented:
Yes - this has been the case since Windows 2000 when the concept of a PDC and BDC was put out to grass. Object attributes can be changed on any DC (apart from RODCs in Win2008) and will replicate to the others.

FingoCommented:
Actually there is ownership of items in AD. Most of the objects created by default show an owner of the Domain Admins group. Even DCs themselves have owners. Records in DNS zones that are Active Directory Integrated are usually owned by the clients themselves that register them. Many different objects all with owners. Although I am not sure if the "Domain" itself can own an object (never tried to change ownership that way).


Adam BrownSenior Systems AdminCommented:
Fingo, those are Permissions settings on Objects that determine who can read and modify them. Not which Domain Controllers can control them.
Daryl SirotaDirector of Technical ServicesCommented:
Grab a copy of REPLMON.EXE from the Windows Support Tools and view the 3 partitions - domain, schema and configuration.  You'll see the domain partition is replicated among all DC's in the domain, whereas the schema and configuration are replicated to ALL DC's in the forest.  Each DC has a copy of the object, associated with a USN - kinda like a serial # for the object - so it can know who has the latest copy of an object.

AD objects seen with ADUC are in the domain partition, while objects seen in AD Sites & Services are configuration. Schema is a little harder to get into, but that's what gets updated when you add a new version of Exchange (etc.) into the domain and it needs a 'schema update'.
Read this:
It gives a very good explanation of what roles/servers "own" what.
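To make the two threads of this discussion concrete (the three partitions and per-DC USNs from Daryl's answer, and ownership as an ACL property rather than a DC property from Fingo's and Adam's exchange), here is an added PowerShell example that is not from the thread. It assumes the ActiveDirectory RSAT module is installed and uses a placeholder account name.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module
# and an account allowed to read directory replication metadata.
Import-Module ActiveDirectory

$sam = 'jdoe'   # placeholder account to inspect; replace with a real sAMAccountName

# 1. The three partitions Daryl describes, as exposed by RootDSE on the DC we bind to.
$rootDse = Get-ADRootDSE
[pscustomobject]@{
    Domain        = $rootDse.defaultNamingContext        # replicated within this domain only
    Configuration = $rootDse.configurationNamingContext  # replicated to every DC in the forest
    Schema        = $rootDse.schemaNamingContext         # replicated to every DC in the forest
} | Format-List

# 2. "Ownership" is a field in the object's security descriptor (nTSecurityDescriptor).
#    It replicates with the object like any other attribute and names a principal,
#    never a DC. Worth auditing: the owner can always rewrite the object's DACL.
$user = Get-ADUser -Identity $sam
(Get-Acl -Path "AD:\$($user.DistinguishedName)").Owner

# 3. Every DC holds its own copy of the object. Each copy carries a local USN
#    (the "serial number" Daryl mentions), and the replication metadata records
#    which DC originated the last change to each attribute and at what USN.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                                       -Server $dc `
                                       -Properties sAMAccountName |
        Select-Object @{n = 'QueriedDC'; e = { $dc }},
                      AttributeName,
                      LocalChangeUsn,
                      LastOriginatingChangeDirectoryServerIdentity,
                      LastOriginatingChangeUsn,
                      LastOriginatingChangeTime,
                      Version
}
```

The LocalChangeUsn column differs from DC to DC while the originating DC and originating USN agree once replication has converged, which is exactly why no single DC "owns" the object.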