Posted: Thu Aug 27, 2009 1:00 pm Post subject: Managing Application Directory Partitions
Article by Brien M. Posey
As you probably know, the Windows Active Directory is a relational database that is referenced by servers and workstations for everything from security to configuration information. Given the Active Directory’s extensible nature, it should come as no surprise that individual applications can be designed in a way that allows them to store data or configuration information within the Active Directory.
One of the advantages of using the Active Directory to store application related information is that the Active Directory database is distributed across multiple domain controllers. This means that if a domain controller should fail, another domain controller should still contain a functional copy of the application’s data.
This distributed design works great in small to medium-sized organizations, but presents some interesting problems in larger organizations. For example, imagine that your company's finance department deployed a brand new, Active Directory-enabled application. In a situation like this, it would be rare for anyone outside of the finance department to need access to the application.
The problem comes into play with the way that the Active Directory replicates the application’s data to other domain controllers. If the Finance department has their own domain, then there’s really no reason to replicate the application’s data outside of the finance domain. Confining the application’s data within the finance domain would help to keep the application secure, and would also prevent needless replication traffic from flowing across the rest of the network. Normally, Active Directory doesn’t work this way though. The application’s data would be replicated across the organization regardless of whether it was needed outside of the finance department or not.
This is where application partitions come into play. Application partitions allow you to designate a particular area of the Active Directory for use by an application. Furthermore, you can designate which specific domain controllers the application partition should be replicated to.
Application Partition Name Space
When you create an application partition, that partition has its own namespace, similar to the way that a domain is given its own namespace within the Active Directory. An application partition is actually very similar structurally to a domain. The biggest difference is that an application partition cannot contain security principals (users, groups, computers, etc.).
Since application directory partitions are so structurally similar to domains, it shouldn’t surprise you that they use similar name spaces to domains. An application directory partition can exist as a child of a domain, as a child of an application directory partition, or as a new tree in a forest. For example, if you had an Active Directory consisting of a single domain named brienposey.com, and you wanted to create an application directory partition named application as a child of this domain, then the namespace for the new application directory partition would be application.brienposey.com.
An application directory partition can also exist as a child of another application directory partition. Therefore, if you wanted to create an application directory partition named application2 and make it a child of the partition named application, then the DNS namespace would be application2.application.brienposey.com.
If, however, you wanted to create an application directory partition named application as a new tree in the forest, then the DNS namespace would simply be application.com. This new application directory partition would not reference brienposey.com, because brienposey.com is a root level domain in the forest. The new application directory partition would exist parallel to this domain rather than beneath it, and would therefore have the DNS namespace application.com.
Creating an Application Directory Partition
There are several different tools that can be used to create an application directory partition. You can use the NTDSUTIL command line tool, ADSIEDIT, or LDAP commands. Some application vendors will also include code in their applications to create the application directory partition for you.
If you do have to create the application directory partition yourself, the easiest way of doing so is probably to use the NTDSUTIL command. To do so, open a command prompt window and enter the NTDSUTIL command. When you do, you will see the NTDSUTIL prompt appear. Enter the DOMAIN MANAGEMENT command at the prompt, and you will see the prompt change from NTDSUTIL to domain management.
At this point, you must decide which domain controller you want to create the application directory partition on. You can always replicate the application directory partition to other domain controllers later, but you must initially select a single domain controller. The only stipulations to choosing a domain controller are that you must have sufficient rights to create the application directory partition on the designated domain controller, and the domain controller must be running Windows Server 2003. Windows 2000 Server does not support application directory partitions.
Once you have selected a domain controller, you must connect to it. To do so, enter the command CONNECT TO SERVER servername, where servername is the fully qualified domain name of the domain controller that you want to connect to. Once you have connected to your target domain controller, you will use the following command to create the application directory partition:
CREATE NC application_directory_partition domain_controller
Before you actually create an application directory partition though, I want to take a moment and explain a little bit about this command. The domain_controller portion of the command is the fully qualified domain name of the domain controller that you want to create the new application directory partition on. For example, if you had a domain controller named Taz in the brienposey.com domain, then the fully qualified domain name would be Taz.brienposey.com.
It is critically important to remember, though, that although you are using the domain controller that you have selected to create and store the new application directory partition, the application directory partition will have a completely different namespace from the domain controller and is in no way dependent on the domain controller's namespace. Remember that the new application directory partition can exist as a child of a domain, as a child of another application directory partition, or parallel to the root level domain.
The application directory partition’s location within the forest is determined by the name that you enter into the application_directory_partition portion of the CREATE NC command.
Now that you know how the command works, let's create an application directory partition named application as a child of the brienposey.com domain, using a domain controller named Taz. To create such a partition, you would use the following command:
CREATE NC application.brienposey.com Taz.brienposey.com
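The steps above (DOMAIN MANAGEMENT, CONNECT TO SERVER, CREATE NC), batched into one non-interactive NTDSUTIL call and followed by a verification query, as an added PowerShell example that is not part of the article. The function names and parameters are my own. One assumption to note: the article writes the partition argument of CREATE NC as a DNS-style name, whereas in the versions of NTDSUTIL I have used the argument is the distinguished-name form (DC=application,DC=brienposey,DC=com), so the helper converts the DNS name to a DN before calling the tool. The Active Directory PowerShell module is assumed to be installed.

```powershell
# Added example, not from the article. Wraps the NTDSUTIL steps the article describes so that
# creating an application directory partition can be scripted and verified.
# Assumptions: the Active Directory PowerShell module is present, the caller has the rights the
# article mentions (Enterprise Admins is the usual requirement), and NTDSUTIL takes the partition
# in distinguished-name form. On Windows Server 2008 and later the menu the article calls
# DOMAIN MANAGEMENT is also reachable as PARTITION MANAGEMENT (assumption based on my own use).

function ConvertTo-PartitionDN {
    # application.brienposey.com -> DC=application,DC=brienposey,DC=com
    param([Parameter(Mandatory)][string]$DnsName)
    ($DnsName.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

function New-AppDirectoryPartition {
    param(
        [Parameter(Mandatory)][string]$PartitionDnsName,   # e.g. application.brienposey.com (article's example)
        [Parameter(Mandatory)][string]$DomainController    # FQDN, e.g. Taz.brienposey.com (article's example)
    )
    $dn = ConvertTo-PartitionDN $PartitionDnsName

    # Each quoted argument is one line at the NTDSUTIL prompt, in the order the article gives:
    # DOMAIN MANAGEMENT -> CONNECT TO SERVER -> CREATE NC, then quit both menus.
    & ntdsutil.exe 'domain management' `
        "connect to server $DomainController" `
        "create nc $dn $DomainController" `
        quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }

    # Verify on the DC we used: a newly created partition shows up in its list of naming contexts.
    $rootDse = Get-ADRootDSE -Server $DomainController
    if ($rootDse.namingContexts -notcontains $dn) {
        throw "Partition $dn was not found on $DomainController after creation"
    }
    return $dn
}

# Usage, with the article's hypothetical names:
# New-AppDirectoryPartition -PartitionDnsName 'application.brienposey.com' -DomainController 'Taz.brienposey.com'
```

The verification step matters because NTDSUTIL reports its own success, but what you actually want to know is whether the new naming context is being served; reading the DC's RootDSE confirms that independently of the tool's exit code.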
Replicating the Application Directory Partition
So far I have shown you how to create an application directory partition. This partition will not be replicated to any other domain controllers by default. If you want to replicate the application directory partition to other domain controllers, you will have to specify which domain controllers you want to function as replicas.
The process for specifying a replica is very similar to the process that you used to create the partition initially. You would begin the process by opening a command prompt window and entering the NTDSUTIL command followed by the DOMAIN MANAGEMENT command and the CONNECT TO SERVER servername command. Next, you would enter the following command to specify the replica:
ADD NC REPLICA application_directory_partition domain_controller
When you enter this command, the application_directory_partition portion of the command refers to the application directory partition that you have already created. The domain_controller portion of the command is the fully qualified domain name of the domain controller that you want to add the replica to. For example, if you wanted to create a replica of the application directory partition that we created earlier on a domain controller named Relevant in the brienposey.com domain, the command would look like this:
ADD NC Replica application.brienposey.com Relevant.brienposey.com
The process for removing a replica is almost identical to creating it. The syntax is:
REMOVE NC REPLICA application_directory_partition domain_controller
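The point of the replica commands above is to keep an application's data on the domain controllers that need it and nowhere else, so the check a practitioner wants is a list of which domain controllers actually hold each partition. The following is an added PowerShell example, not part of the article: it reads the crossRef objects in the Partitions container, where the msDS-NC-Replica-Locations attribute records each replica DC, and compares the result against an expected list. Function names, parameters and the sample DC names are my own assumptions; the Active Directory PowerShell module is assumed to be available.

```powershell
# Added example, not part of the article. Audits which domain controllers hold a replica of each
# application directory partition, so the replication scope set with ADD/REMOVE NC REPLICA can be
# verified. Assumes the Active Directory PowerShell module and read access to the Configuration
# partition (any authenticated user normally has that).

function Get-AppDirectoryPartitionReplica {
    param([string]$Server)   # optional DC to query; otherwise the module picks one
    $rootDse      = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    $partitionsDN = "CN=Partitions,$($rootDse.configurationNamingContext)"

    # Every naming context in the forest has a crossRef object here. systemFlags bit 0x1 marks an
    # AD-hosted NC and bit 0x2 marks a domain, so "0x1 set, 0x2 clear" selects the non-domain NCs.
    # The Schema and Configuration NCs match as well and are filtered out below.
    $ldapFilter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=1)(!(systemFlags:1.2.840.113556.1.4.803:=2)))'
    $query = @{
        SearchBase = $partitionsDN
        LDAPFilter = $ldapFilter
        Properties = 'nCName', 'dnsRoot', 'msDS-NC-Replica-Locations'
    }
    if ($Server) { $query.Server = $Server }

    Get-ADObject @query |
        Where-Object {
            $_.nCName -ne $rootDse.schemaNamingContext -and
            $_.nCName -ne $rootDse.configurationNamingContext
        } |
        ForEach-Object {
            # msDS-NC-Replica-Locations holds the NTDS Settings DN of each replica DC, e.g.
            # CN=NTDS Settings,CN=TAZ,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=brienposey,DC=com
            # The second RDN is the DC's name.
            $dcNames = @($_.'msDS-NC-Replica-Locations' |
                         ForEach-Object { ($_ -split ',')[1] -replace '^CN=', '' })
            [pscustomobject]@{
                Partition = $_.nCName
                DnsRoot   = $_.dnsRoot
                Replicas  = $dcNames
            }
        }
}

# Returns any replica DC of the partition that is NOT in the expected list.
# An empty result means the partition is confined to the DCs you intended.
function Test-AppDirectoryPartitionScope {
    param(
        [Parameter(Mandatory)][string]$PartitionDN,    # e.g. DC=application,DC=brienposey,DC=com
        [Parameter(Mandatory)][string[]]$ExpectedDC,   # e.g. 'TAZ', 'RELEVANT' (hypothetical)
        [string]$Server
    )
    $partition = Get-AppDirectoryPartitionReplica -Server $Server |
                 Where-Object { $_.Partition -eq $PartitionDN }
    if (-not $partition) { throw "No application directory partition with DN $PartitionDN was found" }
    $partition.Replicas | Where-Object { $ExpectedDC -notcontains $_ }
}

# Usage, with the article's hypothetical names:
# Get-AppDirectoryPartitionReplica | Format-Table Partition, Replicas -AutoSize
# Test-AppDirectoryPartitionScope -PartitionDN 'DC=application,DC=brienposey,DC=com' -ExpectedDC 'TAZ','RELEVANT'
```

Expect the DNS application partitions (DomainDnsZones and ForestDnsZones) to appear in the listing alongside any partition you created; they are ordinary application directory partitions and are a useful sanity check that the filter is working. Running the scope test from a scheduled task is a cheap way to notice when someone has quietly added a replica of a sensitive partition to a domain controller outside the department that owns it.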
Deleting an Application Directory Partition
Deleting an application directory partition is a globally destructive action. When you delete an application directory partition, you are deleting all of the partition’s replicas and all of the data stored within the partition. Therefore, you should carefully consider the consequences of your actions and make a full system backup before deleting a partition.
The command for deleting an application directory partition is:
DELETE NC application_directory_partition
It is sometimes useful to store configuration information, or even data, related to an application in the Active Directory. When doing so, it is considered good etiquette to place application-specific information into a dedicated application directory partition. In this article, I have explained how to create and remove application directory partitions and how to manage replicas of those partitions.