6.1.1.2.2.1.2.1.1 nTDSDSA Object

Each DC in a forest has an nTDSDSA object in the config NC. See requirements in section 6.1.2.1. An nTDSDSA object has the following attributes:

name: NTDS Settings

parent: An object with objectClass server.

objectClass: nTDSDSA

dMDLocation: The DSName of the schema NC root.

invocationId: The invocationId for this DC (section 3.1.1.1.9).

options: One or more of the following bits, presented in big-endian byte order. In the bit diagram below, position 0 is the most significant bit of the 32-bit value and position 31 the least significant, so GC (0x00000001) occupies position 31 and the named flags occupy the low-order bits.

Bit position    Flag
0 - 26          X
27              DS
28              DNX
29              DO
30              DI
31              GC
X: Unused. Must be zero and ignored.

GC (NTDSDSA_OPT_IS_GC, 0x00000001): This DC is, or is becoming, a GC server.

DI (NTDSDSA_OPT_DISABLE_INBOUND_REPL, 0x00000002): This DC does not perform inbound replication unless the DRS_SYNC_FORCED flag is passed. See [MS-DRSR] section 4.1.10.4.1, ReplicateNCRequestMsg, for the effects of this option.

DO (NTDSDSA_OPT_DISABLE_OUTBOUND_REPL, 0x00000004): This DC does not perform outbound replication unless the DRS_SYNC_FORCED flag is passed. See [MS-DRSR] section 4.1.10.5.2, GetReplChanges, for the effects of this option.

DNX (NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE, 0x00000008): This DC does not translate connection objects into repsFroms. See section 6.2 for more information.

DS (NTDSDSA_OPT_DISABLE_SPN_REGISTRATION, 0x00000010): This DC does not perform SPN (2) registration. Only interpreted by AD LDS DCs. See [MS-DRSR] sections 2.2.3.3 and 2.2.4.3, SPN (2) for a Target DC in AD LDS, for the effects of this option.

systemFlags: {FLAG_DISALLOW_MOVE_ON_DELETE}

msDS-Behavior-Version: Indicates the DC version. See section 6.1.4.2 for more information.

msDS-PortLDAP: In AD LDS, stores the LDAP port for this instance. Not present in AD DS.

msDS-PortSSL: In AD LDS, stores the SSL port for this instance. Not present in AD DS.

msDS-ServiceAccount: In AD LDS, stores the foreignSecurityPrincipal object that represents the service account running this DC. Not present in AD DS.

hasMasterNCs: Contains the DSName of the NC root objects representing the schema NC, config NC, and domain NC for the default domain of the DC. This attribute always contains these three values and only these three values. This attribute is not present on the nTDSDSA object of an RODC.

hasPartialReplicaNCs: Contains the DSName of the root objects of all domain NCs within the forest for which the DC hosts a partial NC replica.

msDS-HasInstantiatedNCs: Contains an Object(DN-Binary) value for each NC replica that is hosted by this DC. The DN field is the DN of the root object of the NC. The Binary field contains the value of the instanceType attribute on the root object of the NC. This is a binary encoding of attribute instanceType with little-endian byte ordering.

Requirement: The DN fields of all the values of msDS-HasInstantiatedNCs MUST be equal to the set of DNs contained in the values of msDS-hasMasterNCs and hasPartialReplicaNCs.

msDS-HasDomainNCs: Equals the DSName of the NC root object for which the DC is hosting a regular NC replica. This attribute MUST have only one value. This NC root is called the default domain for the DC.

msDS-hasMasterNCs: Contains the DSNames of the root objects of all writable NC replicas hosted by this DC. Not present on the nTDSDSA object of an RODC. On a normal (writable) DC, includes the default NC, config NC, schema NC, and all application NC replicas hosted by the DC.

msDS-hasFullReplicaNCs: Contains the DSNames of the root objects of all read-only full NC replicas hosted by this DC. Not present on the nTDSDSA object of a normal (writable) DC. On an RODC, includes the default NC, config NC, schema NC, and all application NC replicas hosted by the DC.

msDS-ReplicationEpoch: [MS-DRSR] section 4.1.3.1 (client behavior of IDL_DRSBind) and [MS-DRSR] section 4.1.10.5 (server behavior of IDL_DRSGetNCChanges) specify the effects of this attribute.

msDS-DefaultNamingContext: In AD LDS, specifies the NC that is to be returned as the default NC by the defaultNamingContext attribute of the root DSE. If this attribute is not set, AD LDS does not have a default NC and the defaultNamingContext attribute of the root DSE is treated by the server as if it does not exist. Not present in AD DS.

objectCategory: This attribute is a mandatory attribute representing the schema definition of the nTDSDSA object. If the objectCategory points to the classSchema object for the nTDSDSA class, then this nTDSDSA object is for a normal (writable) DC. If the objectCategory points to the classSchema object for the nTDSDSARO class, then this nTDSDSA object is for an RODC.

msDS-EnabledFeature: This value references the objects that represent optional features that are enabled in the DC. See section 3.1.1.9.
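The following Python is an added example, not text from [MS-ADTS], showing how a client would decode two of the attributes described above from the values an LDAP search returns: the options bitmask (named flags versus the X bits, which must be zero and are ignored) and msDS-HasInstantiatedNCs, whose Object(DN-Binary) values are parsed and then checked against the requirement that their DN fields equal the union of msDS-hasMasterNCs and hasPartialReplicaNCs. The sample attribute values and the forest name are constructed for the example. The DN-Binary string form B:<count>:<hex>:<DN> and the instanceType bit IT_WRITE (0x4) are taken from MS-ADTS but are not defined in this section; the DN normalization (case-insensitive, whitespace around separators ignored) is a simplification assumed here and does not handle escaped separators.

```python
"""Decode nTDSDSA options and msDS-HasInstantiatedNCs values (added example)."""

# options bits, as listed in section 6.1.1.2.2.1.2.1.1
NTDSDSA_OPTIONS = {
    0x00000001: "NTDSDSA_OPT_IS_GC",
    0x00000002: "NTDSDSA_OPT_DISABLE_INBOUND_REPL",
    0x00000004: "NTDSDSA_OPT_DISABLE_OUTBOUND_REPL",
    0x00000008: "NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE",
    0x00000010: "NTDSDSA_OPT_DISABLE_SPN_REGISTRATION",
}
KNOWN_OPTION_MASK = sum(NTDSDSA_OPTIONS)

# instanceType bit meaning "writable replica" (MS-ADTS instanceType attribute,
# defined outside this section); used only for an extra consistency check.
IT_WRITE = 0x00000004


def decode_options(value: int):
    """Split an options value into (set of named flags, unused X bits).

    X bits must be zero; they are reported rather than rejected because
    the specification says a reader ignores them.
    """
    names = {name for bit, name in NTDSDSA_OPTIONS.items() if value & bit}
    unused = value & ~KNOWN_OPTION_MASK & 0xFFFFFFFF
    return names, unused


def parse_dn_binary(value: str):
    """Parse an Object(DN-Binary) LDAP string 'B:<count>:<hex>:<DN>'.

    <count> is the number of hex characters. Returns (dn, raw_bytes).
    """
    tag, count, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hexdata) or len(hexdata) % 2:
        raise ValueError(f"malformed DN-Binary value: {value!r}")
    return dn, bytes.fromhex(hexdata)


def parse_instantiated_nc(value: str):
    """Return (dn, instanceType) from one msDS-HasInstantiatedNCs value.

    The Binary field is the 4-byte instanceType in little-endian order.
    """
    dn, raw = parse_dn_binary(value)
    if len(raw) != 4:
        raise ValueError(f"instanceType must be 4 bytes, got {len(raw)}")
    return dn, int.from_bytes(raw, "little")


def normalize_dn(dn: str) -> str:
    # Assumption for this example: DNs compare case-insensitively and
    # whitespace around the comma separators is insignificant.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_instantiated_ncs(instantiated, master_ncs, partial_ncs):
    """Check the requirement from section 6.1.1.2.2.1.2.1.1.

    The DN fields of msDS-HasInstantiatedNCs must equal the set of DNs in
    msDS-hasMasterNCs plus hasPartialReplicaNCs. As an additional sanity
    check, a master NC is expected to carry IT_WRITE and a partial replica
    is expected not to. Returns a list of problem strings (empty = consistent).
    """
    inst = dict(parse_instantiated_nc(v) for v in instantiated)
    inst = {normalize_dn(dn): it for dn, it in inst.items()}
    masters = {normalize_dn(d) for d in master_ncs}
    partials = {normalize_dn(d) for d in partial_ncs}
    expected = masters | partials

    problems = []
    for dn in sorted(set(inst) - expected):
        problems.append(f"instantiated but not in hasMasterNCs/hasPartialReplicaNCs: {dn}")
    for dn in sorted(expected - set(inst)):
        problems.append(f"listed as hosted but missing from msDS-HasInstantiatedNCs: {dn}")
    for dn, it in sorted(inst.items()):
        if dn in masters and not it & IT_WRITE:
            problems.append(f"master NC without IT_WRITE in instanceType: {dn}")
        if dn in partials and it & IT_WRITE:
            problems.append(f"partial replica with IT_WRITE set: {dn}")
    return problems


# Constructed sample values for a writable GC in a fictitious forest.
# The hex fields are instanceType values chosen so that the writable NCs
# carry IT_WRITE (0x05, 0x0D) and the partial replica (0x09) does not.
SAMPLE_OPTIONS = 0x00000001
SAMPLE_INSTANTIATED = [
    "B:8:0D000000:CN=Schema,CN=Configuration,DC=example,DC=com",
    "B:8:0D000000:CN=Configuration,DC=example,DC=com",
    "B:8:05000000:DC=example,DC=com",
    "B:8:09000000:DC=child,DC=example,DC=com",
]
SAMPLE_MASTER_NCS = [
    "CN=Schema,CN=Configuration,DC=example,DC=com",
    "CN=Configuration,DC=example,DC=com",
    "DC=example,DC=com",
]
SAMPLE_PARTIAL_NCS = ["DC=child,DC=example,DC=com"]

if __name__ == "__main__":
    print("options:", decode_options(SAMPLE_OPTIONS))
    print("problems:", check_instantiated_ncs(SAMPLE_INSTANTIATED,
                                             SAMPLE_MASTER_NCS, SAMPLE_PARTIAL_NCS))
```

The requirement as written in this section names only msDS-hasMasterNCs and hasPartialReplicaNCs; an RODC has no msDS-hasMasterNCs, so running the same comparison against an RODC's nTDSDSA object would need its msDS-hasFullReplicaNCs values in place of the master list, which is an adaptation of the example and not something the section states.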