AD Partitions and replication ports - ToddMaxey/Technical-Documentation GitHub Wiki

In Microsoft Active Directory (AD), the Directory Information Tree (DIT) is logically segmented into partitions (also called naming contexts) to optimize replication, manageability, and data segregation. Below is a comprehensive overview of the major AD partitions, their uses, replication behaviors, and the network ports and protocols involved in Active Directory operations.


🔹 Major Active Directory Partitions

1. Schema Partition

  • Purpose: Defines all object classes and attributes that can exist in the directory.

  • Scope: Forest-wide.

  • Replication: Replicated to all Domain Controllers (DCs) in the forest.

  • Usage: Enables consistency in object structure across domains. For example, the definition of a "User" or "Computer" object is stored here.


2. Configuration Partition

  • Purpose: Stores configuration data for the forest and services (e.g., sites, services, partitions, forest-wide settings).

  • Scope: Forest-wide.

  • Replication: Replicated to all DCs in the forest.

  • Usage: Defines the topology for replication, naming contexts, and global settings like service connection points.


3. Domain Partition

  • Purpose: Contains all objects specific to a given domain (users, groups, computers, organizational units).

  • Scope: Domain-specific.

  • Replication: Replicated in full only to the DCs of that domain. In addition, a read-only partial attribute set (PAS) of every domain partition is replicated to every Global Catalog server in the forest, which is what lets a GC answer forest-wide queries on TCP/3268.

  • Usage: This is the primary partition for domain operations like authentication, group policy, and user/group management.


4. Application Partition (Optional/Custom)

  • Purpose: Stores application data that should replicate with its own scope and schedule instead of riding along with a domain partition. AD-integrated DNS is the common case: the built-in DomainDnsZones and ForestDnsZones partitions hold zone data.

  • Scope: Defined by the partition's replica set, an explicit list of DCs anywhere in the forest, regardless of domain.

  • Replication: Only to the DCs in the replica set (the msDS-NC-Replica-Locations attribute on the partition's crossRef object); never to the Global Catalog. For example, DomainDnsZones replicates to every DC in the domain that runs DNS, and ForestDnsZones to every DNS-running DC in the forest.

  • Usage: Used by applications such as AD-integrated DNS that need a custom replication scope and separation from domain data. Application partitions cannot contain security principals (users, groups, computers).
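To see the four partition types on a real forest, the following PowerShell script (an added example, not part of the original wiki page) enumerates the crossRef objects under CN=Partitions and classifies each one from its systemFlags bits, listing the explicit replica set for application partitions. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the configuration partition.

```powershell
# Added example, not from the original page. Enumerates every naming context in
# the forest and classifies it using the crossRef objects under CN=Partitions.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host with read access.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# The three well-known partitions are published directly on RootDSE.
"Schema NC:         $($rootDse.schemaNamingContext)"
"Configuration NC:  $($rootDse.configurationNamingContext)"
"Default domain NC: $($rootDse.defaultNamingContext)"

# Every partition has a crossRef object under CN=Partitions. systemFlags bits:
#   0x1 FLAG_CR_NTDS_NC                - an NTDS naming context hosted by this forest
#   0x2 FLAG_CR_NTDS_DOMAIN            - a domain partition
#   0x4 FLAG_CR_NTDS_NOT_GC_REPLICATED - not replicated to Global Catalogs (application partitions)
$partitionsContainer = "CN=Partitions,$($rootDse.configurationNamingContext)"

Get-ADObject -SearchBase $partitionsContainer -LDAPFilter '(objectClass=crossRef)' `
             -Properties nCName, systemFlags, 'msDS-NC-Replica-Locations' |
    ForEach-Object {
        $flags = [int]$_.systemFlags
        $kind  = if (-not ($flags -band 0x1)) { 'External (not hosted here)' }
                 elseif ($flags -band 0x2) { 'Domain' }
                 elseif ($flags -band 0x4) { 'Application' }
                 elseif ($_.nCName -eq $rootDse.schemaNamingContext) { 'Schema' }
                 elseif ($_.nCName -eq $rootDse.configurationNamingContext) { 'Configuration' }
                 else { 'Unknown' }

        # Only application partitions carry an explicit replica set (DNs of the
        # hosting DCs' NTDS Settings objects). For the others the scope is implied.
        $hosts = foreach ($dn in $_.'msDS-NC-Replica-Locations') {
            ($dn -split ',')[1] -replace '^CN='
        }

        [pscustomobject]@{
            Partition = $_.nCName
            Kind      = $kind
            GCReplica = -not ($flags -band 0x4)
            Replicas  = if ($hosts) { $hosts -join ', ' } else { '(implicit: all DCs in scope)' }
        }
    } | Sort-Object Kind | Format-Table -AutoSize
```

On a default forest the output shows the schema and configuration partitions with systemFlags 1, each domain with 3, and DomainDnsZones/ForestDnsZones with 5, which is the bit pattern that marks them as application partitions excluded from the Global Catalog.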


🔹 Replication Topology and Behavior

🧠 AD Replication Model

  • Multimaster Replication: Every writable DC holds a writable copy of its partitions, and a change made on any of them replicates to the others. RODCs are the exception (read-only, inbound replication only), as are the few operations tied to FSMO roles, such as schema changes, which must be made on the Schema Master.

  • Conflict Resolution: When two DCs change the same attribute before replicating, the attribute's version number decides (highest wins); on a tie the later originating timestamp wins, and on a further tie the higher originating DSA invocation ID (a GUID) wins. USNs (Update Sequence Numbers) are used for change tracking between partners (the high-watermark and up-to-dateness vector), not for resolving conflicts.

🔁 Intra-Site Replication

  • Topology: Generated and maintained automatically by the Knowledge Consistency Checker (KCC) on every DC as a bidirectional ring, with extra connections added so no DC is more than three hops from any other.

  • Protocol: RPC over IP (the DRS RPC interface over TCP, located through the endpoint mapper and a dynamic port). Intra-site traffic is not compressed, trading bandwidth for CPU on the assumption of a fast LAN.

  • Schedule: Change-driven. After a change, the originating DC waits 15 seconds (default) before notifying its first intra-site partner, then 3 seconds between notifications to each further partner; the notified partner pulls the change. A scheduled replication cycle (default every hour) catches anything a notification missed.

🌐 Inter-Site Replication

  • Topology: Administrators define site links (member sites, cost, schedule and interval). The Inter-Site Topology Generator (ISTG), a KCC role held by one DC per site, uses those links to create connection objects between bridgehead servers.

  • Protocol: Can use either:

    • IP (RPC over IP): the default transport, and the only one that can carry domain partitions. It carries AD (DRS) replication only; SYSVOL is replicated separately by DFS-R (or legacy FRS), not by AD replication.

    • SMTP: historically allowed only for the schema, configuration and application partitions, never the domain partition. It requires a certificate authority, is deprecated, and is rarely used.

  • Schedule: Pull-based according to the site link's schedule and interval (default every 180 minutes, minimum 15), and only within the link's availability window. Change notification can be enabled on a site link (options bit 0x1) so that replication between two sites behaves like intra-site replication.

  • Compression: Enabled by default on inter-site connections for replication batches larger than about 32 KB, saving WAN bandwidth at the cost of CPU on the bridgeheads. It can be disabled per site link (options bit 0x4).
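The following PowerShell script (an added example, not from the original page) makes the replication internals above observable: it prints the per-attribute metadata that the conflict-resolution rule compares, the site link interval and option bits, and the intra-site notification timers. It assumes the ActiveDirectory module, WinRM access to the DC for the registry read, and uses the placeholder account name jdoe.

```powershell
# Added example, not from the original page. Shows the values behind AD's
# conflict resolution rule, the inter-site schedule, and the intra-site
# notification timers. Assumes the ActiveDirectory module and WinRM to the DC.
Import-Module ActiveDirectory

$dc   = [string](Get-ADDomainController -Discover -Service ADWS).HostName
$user = Get-ADUser -Identity 'jdoe' -Server $dc     # 'jdoe' is a placeholder account

# Per-attribute replication metadata. Version, then LastOriginatingChangeTime,
# then the originating DSA invocation ID are compared (in that order) when two
# DCs disagree. LocalChangeUsn is this DC's USN and plays no part in that decision.
Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dc |
    Where-Object { $_.AttributeName -in @('description', 'userAccountControl') } |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerInvocationId,
                  LastOriginatingChangeUsn, LocalChangeUsn |
    Format-Table -AutoSize

# Site links: ReplicationFrequencyInMinutes is the inter-site interval (default 180).
# The options attribute is a bit mask:
#   0x1 USE_NOTIFY          - change notification across the link
#   0x2 TWOWAY_SYNC         - reciprocal replication
#   0x4 DISABLE_COMPRESSION - turn off inter-site compression
Get-ADReplicationSiteLink -Filter * -Properties options |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'ChangeNotification'; e = { ([int]$_.options -band 0x1) -ne 0 } },
        @{ n = 'Compressed';         e = { ([int]$_.options -band 0x4) -eq 0 } } |
    Format-Table -AutoSize

# Intra-site notification timers live in the NTDS Parameters key on each DC.
# Missing values mean the defaults: 15 s before the first partner is notified,
# 3 s between each further partner.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Invoke-Command -ComputerName $dc -ScriptBlock {
    $p = Get-ItemProperty -Path $using:ntdsKey
    $afterModify = $p.'Replicator notify pause after modify (secs)'
    $betweenDsas = $p.'Replicator notify pause between DSAs (secs)'
    [pscustomobject]@{
        DC                  = $env:COMPUTERNAME
        PauseAfterModifySec = if ($null -ne $afterModify) { $afterModify } else { 15 }
        PauseBetweenDSAsSec = if ($null -ne $betweenDsas) { $betweenDsas } else { 3 }
    }
}
```

Running the first query on two DCs immediately after a conflicting edit on each is the quickest way to see the rule in action: the attribute whose Version is higher survives on both sides once they replicate, and the losing write is simply overwritten rather than logged as an error.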


🔹 Network Ports and Protocols Used in Active Directory

✳️ Core AD Communication Ports

| Service | Port/Protocol | Direction | Purpose |
|---|---|---|---|
| LDAP | TCP/389; UDP/389 for CLDAP ("LDAP ping") | Client → DC, DC ↔ DC | Directory reads and writes; the UDP form is used by the DC locator |
| LDAP over SSL/TLS (LDAPS) | TCP/636 | Client → DC | LDAP inside a TLS session |
| Global Catalog | TCP/3268 | Client → GC | Forest-wide queries against the partial attribute set (only GC servers listen) |
| Global Catalog over SSL/TLS | TCP/3269 | Client → GC | GC queries inside a TLS session |
| Kerberos | TCP/88, UDP/88 | Client → KDC (every DC) | AS and TGS authentication exchanges |
| Kerberos password change (kpasswd) | TCP/464, UDP/464 | Client → DC | Password changes and resets |
| DNS | TCP/53, UDP/53 | Client → DNS server, DC ↔ DC | Name resolution and SRV-record based DC location; AD-integrated zones |
| NTP (W32Time) | UDP/123 | Client → DC, DC → PDC Emulator | Time synchronization, required for Kerberos (default 5-minute skew) |
| SMB | TCP/445 | Client → DC | SYSVOL and NETLOGON shares (Group Policy templates, logon scripts) |
| RPC Endpoint Mapper | TCP/135 | Client → DC, DC ↔ DC | Returns the dynamic port of an RPC service (NTDS replication, Netlogon, DFS-R) |
| RPC dynamic ports | TCP/49152–65535 on Windows Server 2008 and later (1025–5000 on older versions) | Client → DC, DC ↔ DC | AD (DRS) replication, Netlogon, SAM/LSA, DFS-R SYSVOL replication; can be pinned to fixed ports for firewalls |
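The script below (an added example, not part of the original page) checks the TCP ports from the table against every DC in the domain, skipping 3268/3269 on DCs that are not Global Catalogs, and shows the documented registry values that pin the NTDS and Netlogon RPC listeners to fixed ports so that a firewall can allow two known ports instead of the whole dynamic range. It assumes the ActiveDirectory module; the pinning step assumes it is run locally on a DC with administrative rights, and the port numbers 49200, 49201 and 49202 are placeholders.

```powershell
# Added example, not from the original page. Verifies the AD TCP ports against
# every DC, then optionally pins the dynamic RPC ports used by NTDS and Netlogon.
# Assumes the ActiveDirectory module; pinning requires admin rights on the DC.
Import-Module ActiveDirectory

$PinRpcPorts = $false   # set to $true only when running on a DC, under change control

# TCP ports a client or partner DC must be able to reach. UDP (Kerberos, DNS,
# NTP, CLDAP) is not covered here: Test-NetConnection only exercises TCP.
$corePorts = @(
    @{ Port = 53;   Service = 'DNS';                     GcOnly = $false }
    @{ Port = 88;   Service = 'Kerberos';                GcOnly = $false }
    @{ Port = 135;  Service = 'RPC endpoint mapper';     GcOnly = $false }
    @{ Port = 389;  Service = 'LDAP';                    GcOnly = $false }
    @{ Port = 445;  Service = 'SMB (SYSVOL/NETLOGON)';   GcOnly = $false }
    @{ Port = 464;  Service = 'Kerberos kpasswd';        GcOnly = $false }
    @{ Port = 636;  Service = 'LDAPS';                   GcOnly = $false }
    @{ Port = 3268; Service = 'Global Catalog';          GcOnly = $true  }
    @{ Port = 3269; Service = 'Global Catalog over TLS'; GcOnly = $true  }
)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($p in $corePorts) {
        if ($p.GcOnly -and -not $dc.IsGlobalCatalog) { continue }   # 3268/3269 listen only on GCs
        $t = Test-NetConnection -ComputerName $dc.HostName -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $dc.HostName
            Site    = $dc.Site
            Port    = $p.Port
            Service = $p.Service
            Open    = $t.TcpTestSucceeded
        }
    }
}

# Anything listed here will break clients, replication, or both.
$results | Where-Object { -not $_.Open } | Format-Table -AutoSize

if ($PinRpcPorts) {
    # Registry values documented by Microsoft (KB 224196). After setting them,
    # restart the DC (or the NTDS and Netlogon services) and allow only these
    # two ports plus TCP/135 through the firewall for AD RPC traffic.
    $ntdsPort     = 49200   # placeholder; choose a free port in your environment
    $netlogonPort = 49201   # placeholder
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                     -Name 'TCP/IP Port' -Value $ntdsPort -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                     -Name 'DCTcpipPort' -Value $netlogonPort -Type DWord
    # SYSVOL replication (DFS-R) has its own dynamic RPC port; pin it with
    #   dfsrdiag StaticRPC /port:49202 /Member:<DC name>
}
```

Pinning the ports does not remove the need for TCP/135: clients and partner DCs still ask the endpoint mapper which port NTDS or Netlogon is on, they just always get the same answer, which is what makes a static firewall rule possible.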

🔹 Additional Considerations

  • Read-Only Domain Controllers (RODCs): Hold read-only replicas of every partition a writable DC of that domain holds: the domain partition, the schema and configuration partitions, and any application partitions in whose replica set they are listed (plus the GC partial replicas if the RODC is a Global Catalog). Replication to an RODC is inbound only; it never replicates outward. Passwords and the other attributes in the RODC filtered attribute set are withheld unless the Password Replication Policy allows caching for that account. RODCs never hold FSMO roles and are never chosen as bridgehead servers.

  • FSMO Role Ownership: The Schema Master and Domain Naming Master are forest-wide (one each per forest) and are tied to the schema and configuration partitions respectively. The RID Master, PDC Emulator and Infrastructure Master exist once per domain and are tied to that domain's partition.
