Whenever you create an object in Active Directory, the default security descriptor defined in the schema for the object's class is applied to the object. This default security descriptor may reference specific groups, such as Domain Admins, but it is not specific to a domain. This makes a lot of sense for domain-naming contexts, where the Domain Admins group in question would be the one defined in the domain. For application partitions, which don't contain a Domain Admins group, it is not so straightforward. Which domain's Domain Admins group do you use? To work around this issue, you can set a default security descriptor reference domain for an application partition by setting the msDS-SDReferenceDomain attribute of the partition's crossRef object.
Open ADSI Edit.
Connect to the Configuration naming context of the forest the application partition is in if it is not already present in the left pane.
Expand the Configuration naming context and click on the Partitions container.
In the right pane, right-click on the crossRef object that represents the application partition and select Properties.
Under Attributes, select the msDS-SDReferenceDomain attribute.
> ntdsutil "dom man" conn "co to se <DomainControllerName>" q "set nc ref domain[RETURN] <AppPartitionDN> <DomainDN>" q q
' This code sets the SD reference domain for the specified app partition ' ------ SCRIPT CONFIGURATION ------ ' DN of reference domain strRefDomainDN = "<DomainDN>" ' e.g. dc=emea,dc=rallencorp,dc=com ' Fully qualified DNS name of app partition strAppPart = "<AppPartitionFQDN>" ' e.g. app.rallencorp.com ' ------ END CONFIGURATION --------- set objRootDSE = GetObject("LDAP://RootDSE") strBase = "<LDAP://cn=Partitions," & _ objRootDSE.Get("ConfigurationNamingContext") & ">;" strFilter = "(&(objectcategory=crossRef)(dnsRoot=" & _ strAppPart & "));" strAttrs = "nCName,msDS-SDReferenceDomain,distinguishedName;" strScope = "onelevel" set objConn = CreateObject("ADODB.Connection") objConn.Provider = "ADsDSOObject" objConn.Open "Active Directory Provider" set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope) if objRS.RecordCount <> 1 then WScript.Echo "Did not find a match for application partition " & _ strAppPart WScript.Quit else objRS.MoveLast WScript.Echo "Current Reference Domain: " & _ objRS.Fields("msDS-SDReferenceDomain").Value set objCrossRef = GetObject("LDAP://" & _ objRS.Fields("distinguishedName").Value ) objCrossRef.Put "msDS-SDReferenceDomain", strRefDomainDN objCrossRef.SetInfo WScript.Echo "New Reference Domain: " & _ objCrossRef.Get("msDS-SDReferenceDomain") end if
If you don't set the msDS-SDReferenceDomain attribute for an application partition, then a certain hierarchy is followed to determine the default security descriptor domain. These are the guidelines:
If the application partition is created as part of a new tree, the forest root domain is used as the default domain.
If the application partition is a child of a domain, the parent domain is the default domain.
If the application partition is a child of another application partition, the parent application partition's default domain is used.
Recipe 10.19 for more on setting the default security descriptor for a class, Recipe 17.1 for creating an application partition, and MS KB 322669 (HOW TO: Manage the Application Directory Partition and Replicas in Windows Server 2003)