Many developers who use ADSI or LDAP to store and access
relatively static and globally interesting data in Active Directory
would also prefer, for the sake of simplicity and uniformity, to
continue using ADSI or LDAP access for their dynamic data
requirements. Dynamic data is data that changes more frequently
than what has been recommended for storing in Active Directory.
Dynamic data typically changes faster than the replication latency
involved in propagating the change to all replicas of the data.
In Windows 2000, the support for dynamic data is limited.
Storing dynamic data in a domain partition is complex. The data is
replicated to all domain controllers in the domain which is often
unnecessary and can result in inconsistent data due to replication
latency. This can adversely impact network performance. In
addition, domain partitions are not effective for applications that
must replicate data across domain boundaries. Another option in
Windows 2000 is to store dynamic data in attributes marked as
non-replicated. However, this arrangement is limited in that it has
a single point of failure, namely, the single domain controller
housing the only copy of the object's non-replicated
attributes.
Application directory partitions provide the ability to control
the scope of replication and allow the placement of replicas in a
manner more suitable for dynamic data. As a result, the application
directory partition provides the capability of hosting dynamic data
in Active Directory, thus allowing ADSI/LDAP access to it, without
significantly impacting network performance.
The Windows 2000 DNS service is an example of a service
that can take advantage of application directory partitions. In
Windows 2000, if the DNS service is optionally configured to
use Active Directory, the DNS zone data is stored in Active
Directory in a domain partition. That is, the data is replicated to
all domain controllers in the domain, regardless of whether a DNS
server is configured to run on the domain controller. This is an
instance where full domain-wide replication is superfluous. By
storing the DNS zone data in an application directory partition,
the service can redefine the scope of replication to only that
subset of domain controllers in the domain that actually run the
DNS server.
Consider the following scenarios for hosting a replica of an
application directory partition:
A replica of an application directory partition can be created
on any Windows Server 2003 family operating system or later
domain controller in an Active Directory forest.
The set of domain controllers that host replicas of an
application directory partition can be specified. Unlike a domain
partition, an application directory partition is not required to
replicate to all domain controllers in a domain, and it can
replicate to domain controllers in different domains of the
forest.
A domain controller with an application directory partition
replica can coexist and function in a mixed-mode environment with
other Windows 2000 or Windows NT 4.0 domain
controllers.
Types of data that can be stored in an application directory
partition include:
An application directory partition can contain instances of any
object type except security principals, such as users, computers,
or groups.
Objects in an application directory partition can maintain
DN-value references to other objects in the same application
directory partition, to objects in the configuration and schema
partitions, and to any naming context head (which is the top object
of a directory partition, such as the domainDNS object at
the top of an application directory partition).
For more information and an example of the type of dynamic data
that could be stored in an application directory partition, see
Dynamic Objects. Dynamic objects
are supported beginning with Windows Server 2003. Dynamic
objects have a property that determines the time-to-live, after
which the object is deleted by Active Directory.
Some limitations of application directory partitions
include:
Objects in an application directory partition cannot maintain
DN-value references to objects in other application directory
partitions or domain partitions. Likewise, objects in Domain,
Configuration, and Schema Partitions cannot maintain DN-value
references to objects in an application directory partition. A
DN-value reference can be maintained to the naming context
head.
Objects in an application directory partition are not
replicated to the Global Catalog. As with any domain controller, a
global catalog server can still be configured to be a full replica
of an application directory partition.
When an application directory partition replica is created, the
Domain-Naming FSMO role must be on a Windows Server 2003
family operating system or later domain controller. After the
application directory partition replica is created, the Domain
Naming FSMO role can be assigned back to a Windows 2000 domain
controller.
Application directory partition objects cannot be moved to
other Active Directory partitions outside the partition in which
they were created.
Other application directory partition features include:
The security and access control model for the application
directory partition is the same as that for other partitions in
Active Directory.
The time intervals that control the latency of initiating an
originating change notification to replication partners within a
site can be configured separately for each application directory
partition basis.
Application directory partitions can be named just as regular
domains, attached anywhere in the Active Directory namespace where
a domain can, and discovered using DNS even by down-level
Windows 2000 systems.
An application directory partition can be created, its
replication scope defined, and its configurable settings adjusted
programmatically using standard LDAP and ADSI APIs. For more
information about programmatically manipulating application
directory partitions, see Application Directory
Partitions.