subject: Security Descriptor Reference Domain [print this page] Every container and object on the network has a set of access control information attached to it. Known as a security descriptor, this information controls the type of access allowed by users, groups, and computers. If the object or container is not assigned a security descriptor by the application or service that created it, then it is assigned the default security descriptor for that object class as defined in the schema. This default security descriptor is ambiguous in that it may assign members of the Domain Admins group read permissions to the objectIT Exams, but it does not specify to what domain the domain administrators belong. When this object is created in a domain naming partition, that domain naming partition is used to specify which Domain Admins group actually is assigned read permission. For example, if the object is created in mydomain.microsoft.com, then members of the mydomain Domain Admins group would be assigned read permission.
When an object is created in an application directory partition, the definition of the default security descriptor is difficult because an application directory partition can have replicas on different domain controllers belonging to MCSE Certification different domains. Because of this potential ambiguity, a default security descriptor reference domain is assigned when the application directory partition is created.
The default security descriptor reference domain defines what domain name to use when an object in the application directory partition needs to define a domain value for the default security descriptor. The default security descriptor reference domain is assigned at the time of creation.
If the application directory partition is a child of a domain directory partition, by default, the parent domain directory partition becomes the security descriptor reference domain. If the application directory partition is a child object of another application directory partition, the security descriptor reference domain of the parent application directory partition becomes the reference domain of the new, child, application directory partition. If the new application directory partition is created 70-290 Exam as the root of a new tree, then the forest root domain is used as the default security descriptor reference domain.
You can manually specify a security reference domain. However, if you plan to change the default security descriptor reference domain of a particular application directory partition, you should do so before creating the first instance of that partition. To do this, you must prepare the cross-reference object and change the default security reference domain before completing the application directory partition creation process.
