MORE INFORMATION
FRS Objects in Active Directory
To function, FRS relies on containers, objects, and attributes that are stored in Active Directory and replicated among the domain controllers in a given domain. Critical objects include FRS member and subscriber objects. Required and optional attributes include the schedule, the file filters, the folder filters, and the database location. Schema definitions define the containers or the location where FRS objects are located. Containers, objects, and attributes that are used by FRS are described in more detail later in this article.
FRS supports two replica sets, DFS and SYSVOL. When you use Dcpromo.exe to promote domain controllers, the containers, objects, and attributes for SYSVOL replica sets are created indirectly. You can use the DFS snap-in (Dfsgui.msc) to create objects when you configure replication between two or more targets in a DFS root or link, or when you add new members to an existing FRS set.
Replica Sets for Subscription and Subscriber Objects
This section describes the object hierarchy for FRS subscription and subscriber objects. In the following scenario, computer \\DC1 is a domain controller in the A.COM domain, and it participates in two FRS replica sets, \\DC1\SYSVOL and the \\A.COM\DFSROOT domain DFS root:
| DN Path | ObjectClass |
| --- | --- |
| DC=A,DC=COM | Root Domain NC |
| OU=Domain Controllers | OU Container |
| CN=<Computername> | Computer |
| CN=NTFRS Subscriptions | NtFrsSubscriptions |
| CN=Domain System Volume (SYSVOL) | NtFrsSubscriber |
| CN=NTFRS Subscriptions | NtFrsSubscriptions |
| CN=DFSROOT | NtFrsSubscriber |
Subscription and subscriber objects are located under the computer object in the domain naming context for each computer in a DFS or SYSVOL replica set. The next section is an overview of each object in the subscriber hierarchy:
NTFRS-Subscriptions
The NTFRS-Subscriptions object is similar to an NTFRS-Settings object in that it is primarily used as a container to group NTFRS-Subscriber objects. The objects are located under the computer object; therefore, you can remotely administer these objects even if a user's computer is turned off or if it is not yet installed. The FRS-Working-Path attribute defines the location of the Ntfrs.jdb file, which is typically located in the %SystemRoot%\Ntfrs folder tree. The following table lists the required and optional attributes for the NTFRS-Subscriptions object:
| Common-Name | NTFRS-Subscriptions |
| --- | --- |
| System-May-Contain | FRS-Version |
| System-May-Contain | FRS-Working-Path |
NTFRS-Subscriber
Every NTFRS-Subscriber object under a computer's computer object corresponds to a replica set that the computer is a member of. The FRS-Member-Reference attribute of the NTFRS-Subscriber object points to the member object of the replica set that it corresponds to. Every NTFRS-Subscriber object also has both an FRS-Root-Path attribute that specifies the folder tree to replicate and a FRS-Staging-Path attribute that specifies the folder to store the staging files under. The following table lists some of the required and optional attributes of the NTFRS-Subscriber object:
| Common-Name | NTFRS-Subscriber |
| --- | --- |
| System-Must-Contain | FRS-Root-Path |
| System-Must-Contain | FRS-Staging-Path |
| System-May-Contain | FRS-Member-Reference |
NTFRS Settings, Replica Set, and Member Objects
This section describes the object hierarchy for FRS settings, replica set, member, and connection objects (DFS replica sets only). In this scenario, two domain controllers, \\DC1 and \\DC2, are members of the A.COM domain and participate in the \\A.COM\SYSVOL and the \\A.COM\DFSROOT replica sets. Note that the NTDS-Connection objects exist for members of DFS replica sets:
| DN Path | ObjectClass |
| --- | --- |
| DC=A,DC=COM | Root Domain NC |
| CN=SYSTEM | Container |
| CN=File Replication Service | nTFRSSettings |
| CN=Domain System Volume (SYSVOL share) | nTFRSReplicaSet |
| CN=DC1 | nTFRSMember |
| CN=DC2 | nTFRSMember |
| CN=DFSROOT | nTFRSReplicaSet |
| CN=DC1 | nTFRSMember |
| CN=<GUID> | NTDS Connection |
| CN=DC2 | nTFRSMember |
| CN=<GUID> | NTDS Connection |

The following section describes the settings object, the replica set object, the member object, and the connection object.
NTFRS-Settings
The NTFRS-Settings object is used as a container for the NTFRS-Replica-Set object. The NTFRS-Settings object can contain other NTFRS-Settings objects; therefore, it provides a way to form a hierarchy to better organize the NTFRS-Replica-Set objects. The following table describes some of the attributes in the NTFRS-Settings object:
| Common-Name | NTFRS-Settings |
| --- | --- |
| System-Must-Contain | FRS-Extensions |
| System-May-Contain | Managed-By |
NTFRS-Replica-Set
Every NTFRS-Replica-Set object represents a set of computers that replicate a specified folder tree and a common set of data between them. There is one NTFRS-Replica-Set object for every replica set. There can be any number of replica sets in a domain but only one NTFRS-Replica-Set can be of the SYSVOL type. The NTFRS-Replica-Set object has to be directly under an NTFRS-Settings object. The most commonly used attributes on this object are FRS-Replica-Set-Type, FRS-File-Filter, FRS-Directory-Filter, and Schedule. If you set the Schedule attribute, it applies to all the NTDS-Connection objects in the replica set that do not have a Schedule attribute. The following table lists some of the attributes on the NTFRS-Replica-Set object:
| Common-Name | NTFRS-Replica-Set |
| --- | --- |
| System-Must-Contain | FRS-Directory-Filter |
| System-May-Contain | FRS-Primary-Member |
| System-May-Contain | Schedule |
NTFRS-Member
Every NTFRS-Member object corresponds to a computer that is part of the replica set. The relationship between the member and the computer is indicated by the Frs-Computer-Reference attribute. The NTFRS-Member object may contain one or more NTDS-Connection objects that define the inbound partners that a member replicates from. These connection objects refer to other member objects in the same replica set object. In the case of SYSVOL replica sets, the ServerReference attribute of the NTFRS-Member object points to the NTDS-Settings objects that contain the NTDS-Connection objects that this member replicates from.
| Common-Name | NTFRS-Member |
| --- | --- |
| System-May-Contain | Frs-Computer-Reference |
| System-May-Contain | Server-Reference (SYSVOL only) |
NTDS-Connection
You can use the NTDS-Connection objects to form a topology between the members of a replica set. These NTDS-Connection objects define the inbound and the outbound partners of a member of a replica set.
NTDS-Connection objects are located under the member object in the domain naming context for DFS replica sets. For SYSVOL replica sets, FRS uses both manually generated connection objects and connection objects that are generated by Knowledge Consistency Checker (KCC) that are located in the Servers-NTDS-Settings object in the configuration naming context. You can use the Active Directory Sites and Services snap-in to view these connection objects. These connection objects are also used during replication of Active Directory.
The NTDS-Connection object is inbound to the NTFRS-Member object that it is located under, and it is outbound from the NTFRS-Member object that its From-Server attribute points to.
In the case of SYSVOL, the NTDS-Connection object is inbound to the NTFRS-Member object that corresponds to the NTDS-Settings object that the NTDS-Connection object is located under. It is outbound from the NTFRS-Member object that corresponds to the NTDS-Settings object that its From-Server attribute points to.
You can use the Enabled-Connection attribute on the NTDS-Connection object to disable a connection. You can also use it to clear backlogs in the outbound log and the staging folder on a given upstream partner. A disabled connection is removed from the replication topology for the replica set.
You can use the Schedule attribute on the NTDS-Connection object to control the schedule of replication over this connection. The following table lists some of the attributes for the NTDS-Connection objects:
| Common-Name | NTDS-Connection |
| --- | --- |
| System-May-Contain | Enabled-Connection |
| System-May-Contain | From-Server |
| System-May-Contain | Options |
| System-May-Contain | Schedule |
Relationships Between Objects
The following four reference attributes are used to link the FRS member and subscriber objects together:
- Members to Computer: The member object uses the Frs-Computer-Reference attribute to point to a computer object.
- Subscriber to Member: The subscriber object uses the Frs-Member-Reference attribute to point to a member object.
- Member to Server: The member object uses the Server-Reference attribute to point to an NTDS-Settings object. Under normal circumstances, FRS configures this link when it creates the directory service objects for the SYSVOL. Only members of the SYSVOL replica set need this attribute.
- Connection to Member: The connection object uses the FromServer attribute to point to a member object. In the case of SYSVOL replica sets, this attribute points to an NTDS-Settings object.
How Objects Are Removed from Active Directory
FRS objects and attributes are removed from Active Directory when you gracefully demote or remove servers from replicated DFS roots and links. If you delete an object before you understand its importance or if you accidentally delete containers that host child objects, you can cause serious system failure. As a general rule, you should never delete FRS member and subscriber objects and their parent containers from Active Directory unless the installation of the operating system that you created them for is not coming back online. The following list describes some deletion scenarios (these scenarios have been reported to Microsoft Product Support Services in the past):
- You use the Active Directory Sites and Services snap-in to delete a domain controller's NTDS-Settings object or equivalent for orphaned or offline domain controllers. When you do so, the ServerReference attribute on the FRS member object becomes null. Null "serverrefs" halt inbound or outbound replication of SYSVOL for that computer.
- You delete computer objects for member servers or domain controllers in FRS replica sets or their child objects.
- You delete one or more member objects of a replica set or you delete the SYSVOL NTFRS-Replica container that has member objects for each of the domain controllers in the domain.
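The reference links listed under "Relationships Between Objects" and the deletion scenarios above can be checked mechanically. The following is an added example, not part of the original article: it audits a constructed export of directory objects for null or dangling FRS links. The DNs, the site name, the LDAP display names used as keys, and the fRSReplicaSetType value of 2 for SYSVOL are assumptions that do not appear in the article.

```python
SYSVOL_TYPE = 2  # assumed fRSReplicaSetType value for SYSVOL; not stated in the article
FRS = "CN=File Replication Service,CN=System,DC=A,DC=COM"
SYSVOL_SET = "CN=Domain System Volume (SYSVOL share)," + FRS
DC1 = "CN=DC1,OU=Domain Controllers,DC=A,DC=COM"
DC2 = "CN=DC2,OU=Domain Controllers,DC=A,DC=COM"
NTDS1 = "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=A,DC=COM"

# Constructed export: DN -> attributes (LDAP display names). DC2's NTDS-Settings
# object and its DFSROOT member object have been deleted.
SAMPLE = {
    SYSVOL_SET: {"objectClass": "nTFRSReplicaSet", "fRSReplicaSetType": SYSVOL_TYPE},
    DC1: {"objectClass": "computer"},
    DC2: {"objectClass": "computer"},
    NTDS1: {"objectClass": "nTDSDSA"},
    "CN=DC1," + SYSVOL_SET: {"objectClass": "nTFRSMember",
        "frsComputerReference": DC1, "serverReference": NTDS1},
    "CN=DC2," + SYSVOL_SET: {"objectClass": "nTFRSMember",
        "frsComputerReference": DC2, "serverReference": None},
    "CN=Domain System Volume (SYSVOL),CN=NTFRS Subscriptions," + DC1: {
        "objectClass": "nTFRSSubscriber", "fRSMemberReference": "CN=DC1," + SYSVOL_SET},
    "CN=DFSROOT,CN=NTFRS Subscriptions," + DC2: {
        "objectClass": "nTFRSSubscriber", "fRSMemberReference": "CN=DC2,CN=DFSROOT," + FRS},
}

# Reference attribute each FRS object class needs in order to be linked in.
LINKS = {"ntfrsmember": "frsComputerReference",
         "ntfrssubscriber": "fRSMemberReference",
         "ntdsconnection": "fromServer"}

def audit_frs_links(objects):
    """Return (dn, attribute, problem) for every null or dangling FRS link."""
    findings = []
    def check(dn, attr):
        target = objects[dn].get(attr)
        if not target:
            findings.append((dn, attr, "null"))
        elif target not in objects:
            findings.append((dn, attr, "dangling"))
    for dn, attrs in objects.items():
        cls = attrs["objectClass"].lower()
        if cls in LINKS:
            check(dn, LINKS[cls])
        # Only SYSVOL members need serverReference; the set is the member's parent.
        parent = objects.get(dn.split(",", 1)[1], {})  # naive split: no escaped commas
        if cls == "ntfrsmember" and parent.get("fRSReplicaSetType") == SYSVOL_TYPE:
            check(dn, "serverReference")
    return findings

if __name__ == "__main__":
    for finding in audit_frs_links(SAMPLE):
        print(finding)
```

On the sample, the audit reports the null serverReference on DC2's SYSVOL member object and the DC2 subscriber whose member object no longer exists.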