Where is PAS stored?

    Question

  • Situation:

    ForestA and ForestB have 2 way trusts between the forests. In ForestA, where is the partial attribute set (PAS) for ForestB stored? I am aware of where the trust is stored (system container of Default Naming Context). I'm also aware of the hidden user object in the Users container, but not where the PAS itself is stored.

    Reason for looking:

    We believe a large increase in our AD database is a result of PAS replication from trusts, but cannot find data on how to verify.

    Your help is much appreciated.

    Thursday, April 6, 2017 12:08 PM

All replies

  • See this

    https://social.technet.microsoft.com/wiki/contents/articles/23097.active-directory-attributes-in-the-partial-attribute-set.aspx

    Thursday, April 6, 2017 7:55 PM
  • Hi,
    Maybe you need to check if anybody deleted the printer queues. Alternatively, please check if any group policy or script/scheduled task is configured to delete the printer queues.
    You could also try auditing printer events to track who/what deleted the printer queues; please see: https://technet.microsoft.com/en-us/library/cc976774.aspx
    According to the name, they seem to be copies of drivers; if you have confirmed that the correct driver is installed, you could delete them.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, April 7, 2017 8:28 AM
    Moderator
  • The attributes in the PAS are the ones in the Schema that have the attribute isMemberOfPartialAttributeSet equal to True. To find all attributes in the PAS use the following PowerShell:

    Get-ADObject -SearchBase "cn=Schema,cn=Configuration,dc=mydomain,dc=com" -LDAPFilter "(isMemberOfPartialAttributeSet=TRUE)" -Properties lDAPDisplayName | Select lDAPDisplayName

    Or, use dsquery:

    dsquery * "cn=Schema,cn=Configuration,dc=mydomain,dc=com" -Filter "(isMemberOfPartialAttributeSet=TRUE)" -Attr lDAPDisplayName -Limit 0


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, April 7, 2017 10:19 AM
  • Narayanan:

    Excellent article, but I'm more interested to know where the actual values in the PAS are stored. I know that the attributes that are members of the PAS are specified in the Configuration partition, but I would assume that the values of these attributes from the other forest are saved in one of the existing NTDS partitions, since a new one is not created like it is when a new domain is added to the forest.

    Friday, April 7, 2017 3:53 PM
  • I think the answer is that the PAS is the subset of attributes of objects that is replicated to the Global Catalog (GC). So the values are saved in the GC. The Global Catalog is a separate partition in the Active Directory database, similar to the Configuration partition. Any Domain Controller can be configured to also host a copy of the GC. The Global Catalog architecture is documented here:

    https://technet.microsoft.com/en-us/library/how-global-catalog-servers-work%28v=WS.10%29.aspx

    When a new domain is added to a forest, all GC's in the new domain get populated by normal replication of GC's. Replication is documented here:

    https://social.technet.microsoft.com/wiki/contents/articles/4592.how-active-directory-replication-works.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, April 7, 2017 4:56 PM
  • Correct

    When you have 2 different forests, I do not think the values of these attributes from the other forest are saved in the second forest with which it has the trust. I will check again and get back to you.

    Friday, April 7, 2017 5:28 PM
  • PAS is only limited to the GC's in the same forest, as mentioned before. Due to trusts, your PAS never increases.
    Friday, April 7, 2017 5:53 PM
  • Narayanan is correct, and I missed that point in the original question. The Global Catalog is a read-only catalog of all objects in a forest. It does not include objects in another forest, even if it is trusted.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, April 7, 2017 6:57 PM
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you would mark them as answers. Please let us know if you would like further assistance.

    Best Regards,

    Wendy



    Monday, April 10, 2017 1:31 PM
    Moderator