The Partial Attribute Set (PAS) is the subset of attributes in the Active Directory Schema that are replicated to the Global Catalog (GC). Each Domain Controller (DC) has a complete writable replica of the domain the DC resides in. If it is also a Global Catalog server, then it also has a partial read-only replica of all other naming contexts in the forest. The partial replicas include all objects, but only selected attributes for those objects. The selected attributes are those in the Partial Attribute Set.
The Active Directory schema determines which attributes are in the Partial Attribute Set. Each AD attribute has a corresponding object of class attributeSchema in the schema container. You can add an attribute to the Partial Attribute Set by assigning the value TRUE to the isMemberOfPartialAttributeSet property of this object. If the value of the isMemberOfPartialAttributeSet property is blank, then the attribute is not in the PAS. If the value is FALSE, then the attribute is flagged to be removed from the PAS. This means the attribute was once in the PAS, but was later removed. If you add an attribute to the PAS, you should also make sure it is replicated to other Domain
You can use the Active Directory Schema MMC to change which attributes are in the PAS. The MMC will update the value of the isMemberOfPartialAttributeSet attribute. Changes to the PAS must be done on the Domain Controller that holds the Schema Master FSMO role. You must be a member of the Schema Admins group to modify the schema. If the Schema Master is on a DC with Windows 2000, modifying the PAS causes a full synchronization of the GC to all Global Catalog servers in the forest. Because of the network traffic that results, this should be done with caution. However, this is no longer a problem if the operating system of the Schema Master is Windows 2003 or above. With the newer operating systems only the PAS changes are replicated.
The isMemberOfPartialAttributeSet property determines if the attribute is in the PAS. But there is also a bit of the systemFlags property of attribute objects called the FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit (with bit mask 0x02). It turns out that both settings are relevant. The bit of the systemFlags property specifies attributes that must be in the PAS by default. Modifying the systemFlags property is not supported. You can use the isMemberOfPartialAttributeSet property to add attributes to the PAS. You can also use it to remove attributes from the PAS, but only if the FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit is not set. If you attempt to assign FALSE to the isMemberOfPartialAttributeSet property of an attribute with the FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit set, an error will be raised.
The LDAP filter for attributes that are in the Partial Attribute Set is as follows:
The value TRUE (or FALSE) must be in all upper case. The FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit of the systemFlags property is not part of the filter. This is because it is not possible for isMemberOfPartialAttributeSet to be anything other than TRUE if the bit is set. Also, there is no need to include the clause (objectCategory=attributeSchema). Only objects in the schema container with this class have the isMemberOfPartialAttributeSet property anyway.
You can use the following at the command prompt of a Domain Controller to output the lDAPDisplayNames of all attributes in the Partial Attribute Set (assuming your domain is mydomain.com):
dsquery * "cn=Schema,cn=Configuration,dc=mydomain,dc=com" -Filter "(isMemberOfPartialAttributeSet=TRUE)" -Attr lDAPDisplayName -Limit 0
Similarly, you can use the following PowerShell statement:
Get-ADObject -SearchBase "cn=Schema,cn=Configuration,dc=mydomain,dc=com" -LDAPFilter "(isMemberOfPartialAttributeSet=TRUE)" -Properties lDAPDisplayName | Select lDAPDisplayName
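Every attribute in the PAS is copied to every Global Catalog server in the forest, so it is worth knowing which members are fixed by the systemFlags bit and which are there only because isMemberOfPartialAttributeSet is TRUE. The following read-only script is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is installed, and the Status labels are names chosen here for illustration.

```powershell
# Added example: classify schema attributes by how they relate to the PAS.
# Read-only; makes no schema changes. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Bit mask of the systemFlags bit described in the article.
$FLAG_ATTR_REQ_PARTIAL_SET_MEMBER = 0x2

# Read the schema naming context from RootDSE instead of hard-coding the DN.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# (isMemberOfPartialAttributeSet=*) matches attributes whose value is TRUE or FALSE;
# attributes where the property is blank (not in the PAS) are not returned.
$attrs = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(isMemberOfPartialAttributeSet=*)' `
    -Properties lDAPDisplayName, isMemberOfPartialAttributeSet, systemFlags, whenChanged

$report = foreach ($a in $attrs) {
    # systemFlags can be unset on an attribute; treat that as 0.
    $flags = if ($null -ne $a.systemFlags) { [int]$a.systemFlags } else { 0 }
    $required = ($flags -band $FLAG_ATTR_REQ_PARTIAL_SET_MEMBER) -ne 0

    # Status labels below are illustrative names, not Active Directory terms.
    $status = if ($a.isMemberOfPartialAttributeSet -eq $false) {
        'FlaggedForRemoval'      # FALSE: once in the PAS, later removed
    } elseif ($required) {
        'RequiredBySystemFlags'  # bit set: in the PAS by default, cannot be removed
    } else {
        'MemberByProperty'       # in the PAS only because the property is TRUE
    }

    [pscustomobject]@{
        lDAPDisplayName = $a.lDAPDisplayName
        Status          = $status
        SystemFlags     = '0x{0:X8}' -f $flags
        WhenChanged     = $a.whenChanged
    }
}

# Summary counts, then the members that are not fixed by the systemFlags bit.
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object Status -ne 'RequiredBySystemFlags' |
    Sort-Object Status, lDAPDisplayName |
    Format-Table -AutoSize
```

Comparing the MemberByProperty list and its WhenChanged values against a saved baseline shows when an attribute has been added to the PAS since the last review.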
Changes to the attributes in the Partial Attribute Set must be synchronized among all of the Global Catalog servers in the forest. This can take considerable time, especially if the operating system is Windows 2000. Two special attributes are used to facilitate this, the partialAttributeSet and partialAttributeDeletionList attributes. Ordinarily there is no need to consider these attributes, but they should be explained so there is no confusion with the isMemberOfPartialAttributeSet attribute.
Both the partialAttributeSet and partialAttributeDeletionList attributes are themselves in the PAS, so they are in the Global Catalog. However, they are not replicated between Domain Controllers. They have different values on each GC and represent the state of the PAS on the particular GC. These attributes have a special syntax (they are byte arrays). They are available on all objects in Active Directory, but only have meaning on objects representing naming contexts in the Global Catalog. The partialAttributeSet attribute specifies which attributes are in the Partial Attribute Set on a particular GC. The partialAttributeDeletionList attribute specifies any attributes that need to be removed from the PAS. Once the particular GC is up to date, these special attributes are reset on the GC.
This topic was discussed in this thread in the TechNet Directory Services forum:
isMemberOfPartialAttributeSet & FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
The issue was explained by Christoffer Andersson in this blog post:
FLAG_ATTR_REQ_PARTIAL_SET_MEMBER vs isMemberOfPartialAttributeSet