3.1.1.1.5 NC, NC Replica

The type DSNAME is defined as a C structure in [MS-DRSR] section 5 (DSNAME); this state model uses the simpler dsname, which contains the same information in a tuple of the form

dsname: [dn: DN; guid: GUID; sid: SID]

When a dsname is stored within the state model, it is formatted as specified in [MS-DRSR] section 5.15.2.1.

An NC is a dsname containing a non-NULL dn and a non-NULL guid, used in forming names for a tree of objects in one or more replicas. These replicas are called NC replicas. Given an NC x, it is convenient to say "the replicas of x" to refer to x's NC replicas.

A replica of NC x is a replica as already defined, with its root object r constrained as follows:

  1. r!objectGUID equals x.guid.

  2. If x.sid is not NULL, r!objectSid equals x.sid; if x.sid is NULL, r has no objectSid.

  3. The DN of r equals x.dn.

Mutation of a replica in the general sense is unconstrained. In a replica of a specific NC, the root object cannot be replaced, because doing so would change its objectGUID (and its objectSid, if any), which must equal the NC's guid (and sid). For the same reason the root object's DN cannot be changed, because it must equal the NC's dn.

All replicas in Active Directory are NC replicas, not general replicas.

NC replicas are mutable via several protocols including LDAP. The term originating update means any mutation to an NC replica performed via any protocol except replication.

Active Directory performs replication between replicas of the same NC to converge their states, so an update originated on one replica is reflected in all the others. The replication algorithm has the property that if originating updates to all replicas cease and communication between replicas is maintained, the application-visible states of the replicas eventually converge to a common value. Applications of Active Directory can read from several replicas of a given NC and observe differences between them, but applications typically bind to a single replica.

Active Directory supports four NC types:

  1. Domain NC. An NC that represents a security domain. The objectSid attribute exists only on objects within a domain NC. The sid field of a domain NC is not NULL. AD DS supports domain NCs, but AD LDS does not.

  2. Application NC. An NC that does not represent a security domain. Compared with domain NCs, application NCs and their replicas can be created more freely. The sid field of an application NC is NULL.

  3. Config NC. An NC that stores Active Directory configuration information. The sid field of a config NC is NULL.

  4. Schema NC. An NC that stores Active Directory schema information. The sid field of a schema NC is NULL.

The dn of a domain NC or an AD DS application NC takes the form:

dc=n1,dc=n2, ... ,dc=nk

where each ni satisfies the syntactic requirements of a DNS name component [RFC1034]. Such a DN corresponds to the DNS name:

n1.n2. ... .nk

This is the DNS name of the NC. The mapping just specified follows [RFC2247].

In AD LDS, an application NC can have any valid DN; therefore an AD LDS application NC does not necessarily have a DNS name.
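The following Python is a worked example added here (it is not text or code from [MS-ADTS]): it implements the [RFC2247] mapping in both directions and applies the [RFC1034] label check to every dc component, returning no DNS name for a DN that is not of the dc=n1,...,dc=nk form, which is the AD LDS application NC case just described. The function names and the sample DNs other than dc=microsoft,dc=com are illustrative assumptions.

```python
import re

# RFC 1034 section 3.5 label syntax: a letter, then letters, digits or hyphens,
# ending in a letter or digit, at most 63 octets.  RFC 1123 later allowed a
# leading digit; the text above cites RFC 1034, so the stricter rule is used.
_LABEL = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_dn(dn):
    """Split a DN into its RDN strings at unescaped commas.  A backslash
    escapes the next character (RFC 4514), so an escaped comma inside a
    value does not split the RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def dns_name_of(dn):
    """RFC 2247 mapping dc=n1,...,dc=nk -> n1.n2. ... .nk.  Returns None when
    the DN is not purely dc= components holding RFC 1034 labels; that is the
    situation of an AD LDS application NC such as o=Contoso,c=US, which has
    no DNS name, and also of a DN like cn=Configuration,dc=contoso,dc=com."""
    labels = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc":
            return None
        value = value.strip()
        # A multi-valued RDN (dc=a+ou=b), an escape, or an underscore fails here.
        if not _LABEL.match(value):
            return None
        labels.append(value)
    return ".".join(labels) if labels else None


def dn_of_dns_name(name):
    """Inverse mapping: microsoft.com -> dc=microsoft,dc=com.  Raises ValueError
    if any label violates RFC 1034, since such a name cannot be an NC DNS name."""
    labels = name.rstrip(".").split(".")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError("not an RFC 1034 label: %r" % label)
    return ",".join("dc=" + label for label in labels)
```

The mapping is positional: the leftmost RDN becomes the leftmost label, and a trailing dot on the DNS name is dropped before conversion. Because the check follows [RFC1034] as the text cites it, a label with a leading digit (dc=3com) is rejected; relax `_LABEL` if the [RFC1123] form is wanted.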

Replicas of a domain NC have one of these two subtypes:

  1. Full. A replica whose objects contain their full state as defined by all originating writes.

  2. Partial. A replica whose objects contain a filtered view of the full state as defined by all originating writes. There are three types of partial replica:

    1. GC partial NC replica: The filter removes all attributes (and their values) that are not in the partial replica's GC partial attribute set.

    2. Filtered partial NC replica: The filter removes all the attributes (and their values) that are in the filtered attribute set. The default NC, the config NC, and application NCs hosted on an RODC are filtered partial NC replicas.

    3. Filtered GC partial NC replica: The filter removes all the attributes (and their values) that are not in the partial replica's GC partial attribute set, as well as all the attributes (and their values) that are in the filtered attribute set. Domain NCs other than the default domain NC that are hosted on an RODC are filtered GC partial NC replicas. Such domain NCs exist on the RODC when the RODC is a GC.

Replicas of other NC types are always full. A full replica is either writable (that is, it accepts originating updates) or read-only. A partial replica is always read-only.

This section has introduced many concepts without describing how they are reflected in the state model. To a great extent this obligation will be discharged in other sections of this document. The schema NC is described in section 3.1.1.2, while the other NC types are described in section 7.1. Here are three elaborations of the state model that can be explained without making a forward reference:

  1. NC replicas are modeled by making the NC's dsname, converted into a string formatted as specified in [MS-DRSR] section 5.15.2.1, the first element of the replica.

  2. The root object of a domain NC or an AD DS application NC has class domainDNS. The RDN attribute of domainDNS is dc. Therefore both the dc and name attributes of the root object of a domain NC or an AD DS application NC equal the first component of the NC's DNS name. The root object of an AD LDS application NC can have any object class except dMD or configuration.

  3. In AD DS, the generation of objectSid values is constrained by the sid of a domain NC as follows. The sid of a domain NC, the domain SID, is a SID with four subauthorities. The root object of a domain NC has objectSid equal to the domain SID, as required by the definition of NC replica. Every security principal object o in a domain NC has o!objectSid equal to the domain SID with one additional subauthority appended, the RID (so o!objectSid has five subauthorities). The RID of o!objectSid is a number that is never assigned as the RID of the objectSid of any other object of the domain, including objects that existed earlier and have since been deleted.

    Section 3.1.1.5.2.4 specifies how AD DS assigns RIDs. The same section specifies how AD LDS generates objectSid values for new AD LDS security principals.

Continuing the example, let the example NC be a domain NC, and let the object with name "Peter Houston" be assigned the RID value 2055 (decimal). Then the state of the example NC is as follows.

(
  "<GUID=5>;<SID=0x0104...94E1F2E6>;
   dc=microsoft,dc=com"
  ( (objectGUID 5) (parent 0) (dc "microsoft")
    (objectClass top ... domainDNS)
    (name "microsoft") (rdnType dc)
    (objectSid 0x0104...94E1F2E6) )
  ( (objectGUID 2) (parent 5) (ou "NTDEV")
    (objectClass top ... organizationalUnit)
    (name "NTDEV") (rdnType ou) )
  ( (objectGUID 9) (parent 2) (cn "Peter Houston")
    (objectClass top ... user)
    (name "Peter Houston") (rdnType cn)
    (objectSid 0x0105...94E1F2E607080000) )
)

The DNS name of this domain NC is microsoft.com. Note that the domain SID is a prefix of the "Peter Houston" object's objectSid: the two values share the revision (01), the identifier authority and the first four subauthorities, and the user's objectSid carries one further subauthority, the RID 2055 (0x00000807, stored little-endian as 07080000). Only the subauthority count byte differs (04 for the domain SID, 05 for the user's objectSid), which is why the domain SID is not a literal prefix of the hex string. Portions of the (long) SID values have been elided for clarity; consider the elided portions to be the following hex digits:

0000000000051500000089598D33D3C56B68

With these digits filled in, both values are valid SIDs: the identifier authority is 5 and the first subauthority is 21 (0x15), the usual prefix of a domain SID.
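To make the example concrete, the following Python is a worked model added here (it is not text or code from [MS-ADTS]). It decodes the binary SID layout so the elided values can be checked, parses the dsname string that forms the first element of the replica, rebuilds each object's DN from the parent links, and checks the root-object constraints from the definition of an NC replica together with the domain-SID-plus-unique-RID rule from elaboration 3. The object table mirrors the state shown above with the elided digits filled in from the value the text gives; the dict representation, the helper names and the small integer GUIDs standing in for 128-bit values are illustrative assumptions.

```python
import re
import struct

# The hex digits the text elides, then the two SID values of the example.
ELIDED = "0000000000051500000089598D33D3C56B68"
DOMAIN_SID = "0104" + ELIDED + "94E1F2E6"             # revision 1, 4 subauthorities
USER_SID = "0105" + ELIDED + "94E1F2E6" + "07080000"  # domain SID + RID 2055

# The example NC: its dsname string (first element of the replica) and its
# objects keyed by objectGUID, constructed to mirror the state shown above.
NC_DSNAME = "<GUID=5>;<SID=0x%s>;dc=microsoft,dc=com" % DOMAIN_SID
OBJECTS = {
    5: {"parent": 0, "rdnType": "dc", "dc": "microsoft", "name": "microsoft",
        "objectClass": ["top", "domainDNS"], "objectSid": DOMAIN_SID},
    2: {"parent": 5, "rdnType": "ou", "ou": "NTDEV", "name": "NTDEV",
        "objectClass": ["top", "organizationalUnit"]},
    9: {"parent": 2, "rdnType": "cn", "cn": "Peter Houston", "name": "Peter Houston",
        "objectClass": ["top", "user"], "objectSid": USER_SID},
}
_DSNAME = re.compile(r"^(?:<GUID=([^>]*)>;)?(?:<SID=0x([0-9A-Fa-f]+)>;)?(.*)$")


def parse_sid(hexstr):
    """Decode the binary SID layout: revision byte, subauthority count byte,
    48-bit big-endian identifier authority, then `count` little-endian 32-bit
    subauthorities.  A count that does not fit the length is rejected, which
    is what a count byte of 05 on the 24-byte domain SID would trip."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision 1 SID")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("count %d does not fit %d bytes" % (count, len(raw)))
    authority = int.from_bytes(raw[2:8], "big")
    return raw[0], authority, list(struct.unpack_from("<%dI" % count, raw, 8))


def sid_to_string(hexstr):
    """S-R-I-S-... string form of a binary SID."""
    rev, auth, subs = parse_sid(hexstr)
    return "-".join(["S", str(rev), str(auth)] + [str(s) for s in subs])


def rid_of(object_sid, domain_sid):
    """The RID when object_sid is domain_sid plus exactly one subauthority,
    else None.  This is the prefix relation the text means: the count bytes
    differ, but revision, authority and the four subauthorities are shared."""
    d_rev, d_auth, d_subs = parse_sid(domain_sid)
    o_rev, o_auth, o_subs = parse_sid(object_sid)
    if (o_rev, o_auth) != (d_rev, d_auth) or o_subs[:-1] != d_subs:
        return None
    return o_subs[-1]


def parse_dsname(s):
    """Split the string form of a dsname into its guid, sid and dn fields."""
    guid, sid, dn = _DSNAME.match(s).groups()
    return {"guid": guid, "sid": sid.upper() if sid else None, "dn": dn}


def dn_of(nc, objects, guid):
    """DN of an object, built by walking parent links.  The root's DN is the
    NC's dn by definition; its own RDN (dc=microsoft) is only the first part."""
    obj = objects[guid]
    if obj["parent"] == 0:
        return nc["dn"]
    rdn = "%s=%s" % (obj["rdnType"], obj[obj["rdnType"]])
    return rdn + "," + dn_of(nc, objects, obj["parent"])


def check_nc_replica(dsname, objects):
    """Return the violated constraints; an empty list means `objects` is a
    valid replica of the NC named by `dsname`."""
    nc = parse_dsname(dsname)
    roots = [g for g, o in objects.items() if o["parent"] == 0]
    if len(roots) != 1:
        return ["a replica has exactly one root object"]
    root_guid, root = roots[0], objects[roots[0]]
    problems = []
    if str(root_guid) != nc["guid"]:
        problems.append("root objectGUID %s != NC guid %s" % (root_guid, nc["guid"]))
    if (root.get("objectSid") or "").upper() != (nc["sid"] or ""):
        problems.append("root objectSid must equal the NC sid (absent when sid is NULL)")
    if nc["sid"] is not None:  # domain NC: every objectSid is domain SID + unique RID
        seen = {}
        for g, o in objects.items():
            if g == root_guid or "objectSid" not in o:
                continue
            rid = rid_of(o["objectSid"], nc["sid"])
            if rid is None:
                problems.append("objectSid of %s is not the domain SID plus a RID" % g)
            elif rid in seen:
                problems.append("RID %d assigned to both %s and %s" % (rid, seen[rid], g))
            else:
                seen[rid] = g
    return problems
```

Running `check_nc_replica(NC_DSNAME, OBJECTS)` on the example returns no problems, and `sid_to_string` gives S-1-5-21-864901513-1751893459-3874677140 for the domain and the same string with -2055 appended for "Peter Houston". Giving the root object the user's objectSid, or adding a second object with the same RID, produces a violation of the corresponding constraint.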
