6.1.1.1.4 Domain NC Root

  • Article

distinguishedName: See section 3.1.1.1 for more information about domain NC naming rules.

objectClass: domainDNS

fSMORoleOwner: This value refers to the nTDSDSA object of the DC that owns the PDC FSMO role. See section 6.1.5 for more information about the PDC role.

systemFlags: {FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE}

wellKnownObjects: This attribute holds DN-Binary values. See section 6.1.4 for details.

otherWellKnownObjects: This attribute holds DN-Binary values. See section 6.1.4 for details.

msDS-Behavior-Version: This value defines the functional level of the domain. See section 6.1.4.

nTMixedDomain: This value defines whether NT BDC replication [MS-NRPC] is available in the domain. See section 6.1.4.1.

domainReplica: See section 3.1.1.5 for more information.

msDS-AllowedDNSSuffixes: List of DNS suffixes that are allowed in the dNSHostName and msDS-AdditionalDnsHostName attributes of computer objects in this domain.

nTSecurityDescriptor:

  • Let D1 be a DC that is instructed to host a writable domain replica NC (see section 6.1.2.3 for hosting requirements). In order for D1 to replicate the domain NC, D1 MUST be granted the following rights on the domain NC root:

    • DS-Replication-Get-Changes

    • DS-Replication-Get-Changes-All

    • DS-Replication-Get-Changes-In-Filtered-Set

  • Let D2 be a DC that is instructed to host a partial or read-only domain replica NC (see section 6.1.2.3 for hosting requirements) such that objects in the NC replica can have attributes in the filtered attribute set. In order for D2 to replicate the domain NC, D2 MUST be granted the following right on the domain NC root:

    • DS-Replication-Get-Changes

    • DS-Replication-Get-Changes-In-Filtered-Set

  •  Let D3 be a DC that is instructed to host a partial or read-only domain replica NC (see section 6.1.2.3 for hosting requirements) such that objects in the NC replica will not have attributes in the filtered attribute set. In order for D3 to replicate the domain NC, D3 MUST be granted the following right on the domain NC root:

    • DS-Replication-Get-Changes

msDS-EnabledFeature: This value references the objects that represent optional features that are enabled in the domain. See section 3.1.1.9.