Active Directory: Attributes in the Partial Attribute Set

Introduction

The Partial Attribute Set (PAS) is the subset of attributes in the Active Directory Schema that are replicated to the Global Catalog (GC). Each Domain Controller (DC) has a complete writable replica of the domain the DC resides in. If it is also a Global Catalog server, then it also has a partial read-only replica of all other naming contexts in the forest. The partial replicas include all objects, but only selected attributes for those objects. The selected attributes are those in the Partial Attribute Set.


Add Attributes to the PAS

The Active Directory schema determines which attributes are in the Partial Attribute Set. Each AD attribute has a corresponding object of class attributeSchema in the schema container. You can add an attribute to the Partial Attribute Set by assigning the value TRUE to the isMemberOfPartialAttributeSet property of this object. If the value of the isMemberOfPartialAttributeSet property is blank, then the attribute is not in the PAS. If the value is FALSE, then the attribute is flagged to be removed from the PAS. This means the attribute was once in the PAS, but was later removed. If you add an attribute to the PAS, you should also make sure it is replicated to other Domain Controllers.

You can use the Active Directory Schema MMC to change which attributes are in the PAS. The MMC will update the value of the isMemberOfPartialAttributeSet attribute. Changes to the PAS must be done on the Domain Controller that holds the Schema Master FSMO role. You must be a member of the Schema Admins group to modify the schema. If the Schema Master is on a DC with Windows 2000, modifying the PAS causes a full synchronization of the GC to all Global Catalog servers in the forest. Because of the network traffic that results, this should be done with caution. However, this is no longer a problem if the operating system of the Schema Master is Windows 2003 or above. With the newer operating systems only the PAS changes are replicated.



Which Attributes are in the PAS

The isMemberOfPartialAttributeSet property determines if the attribute is in the PAS. But there is also a bit of the systemFlags property of attribute objects called the FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit (with bit mask 0x02). It turns out that both settings are relevant. The bit of the systemFlags property specifies attributes that must be in the PAS by default. Modifying the systemFlags property is not supported. You can use the isMemberOfPartialAttributeSet property to add attributes to the PAS. You can also use it to remove attributes from the PAS, but only if the FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit is not set. If you attempt to assign FALSE to the isMemberOfPartialAttributeSet property of an attribute with the FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit set, an error will be raised.

The LDAP filter for attributes that are in the Partial Attribute Set is as follows:

(isMemberOfPartialAttributeSet=TRUE)

The value TRUE (or FALSE) must be in all upper case. The FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit of the systemFlags property is not part of the filter. This is because it is not possible for isMemberOfPartialAttributeSet to be anything other than TRUE if the bit is set. Also, there is no need to include the clause (objectCategory=attributeSchema). Only objects in the schema container with this class have the isMemberOfPartialAttributeSet property anyway.

You can use the following at the command prompt of a Domain Controller to output the lDAPDisplayNames of all attributes in the Partial Attribute Set (assuming your domain is mydomain.com). The -limit 0 parameter is needed because dsquery otherwise returns only the first 100 results:

dsquery * "cn=Schema,cn=Configuration,dc=mydomain,dc=com" -Filter "(isMemberOfPartialAttributeSet=TRUE)" -Attr lDAPDisplayName -limit 0

Similarly, you can use the following PowerShell statement:

Get-ADObject -SearchBase "cn=Schema,cn=Configuration,dc=mydomain,dc=com" -LDAPFilter "(isMemberOfPartialAttributeSet=TRUE)" -Properties lDAPDisplayName | Select lDAPDisplayName
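
The two settings discussed in this section can be reviewed side by side. The following PowerShell is an added example, not part of the original article: it assumes the ActiveDirectory module is installed, reads the schema naming context from the RootDSE instead of assuming mydomain.com, and only reads from the directory. It separates attributes that are in the PAS by default from those added later and those flagged for removal.

```powershell
# Added example: classify schema attributes by their Partial Attribute Set state.
# Read-only; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Locate the schema container for the current forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Bit mask of FLAG_ATTR_REQ_PARTIAL_SET_MEMBER in systemFlags, as given in the article.
$ReqPartialSetMember = 0x02

# (isMemberOfPartialAttributeSet=*) matches attributes where the property is
# TRUE or FALSE; attributes where it is blank were never in the PAS and are skipped.
$attrs = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(isMemberOfPartialAttributeSet=*)' `
    -Properties lDAPDisplayName, isMemberOfPartialAttributeSet, systemFlags

$report = foreach ($a in $attrs) {
    # A missing systemFlags value is treated as 0 by -band.
    $required = [bool]($a.systemFlags -band $ReqPartialSetMember)

    $state = if (-not $a.isMemberOfPartialAttributeSet) {
        'Flagged for removal (FALSE)'
    } elseif ($required) {
        'In PAS by default (systemFlags bit set)'
    } else {
        'Added to PAS (systemFlags bit not set)'
    }

    [pscustomobject]@{
        lDAPDisplayName = $a.lDAPDisplayName
        InPAS           = [bool]$a.isMemberOfPartialAttributeSet
        RequiredBySystem = $required
        State           = $state
    }
}

# Summary per state, then the attributes that are in the PAS without the
# systemFlags bit, which are the ones worth reviewing after a schema change.
$report | Group-Object State | Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object { $_.InPAS -and -not $_.RequiredBySystem } |
    Sort-Object lDAPDisplayName | Format-Table lDAPDisplayName, State -AutoSize
```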



How Changes to the PAS are Synchronized

Changes to the attributes in the Partial Attribute Set must be synchronized among all of the Global Catalog servers in the forest. This can take considerable time, especially if the operating system is Windows 2000. Two special attributes are used to facilitate this, the partialAttributeSet and partialAttributeDeletionList attributes. Ordinarily there is no need to consider these attributes, but they should be explained so there is no confusion with the isMemberOfPartialAttributeSet attribute.

Both the partialAttributeSet and partialAttributeDeletionList attributes are themselves in the PAS, so they are in the Global Catalog. However, they are not replicated between Domain Controllers. They have different values on each GC and represent the state of the PAS on the particular GC. These attributes have a special syntax (they are byte arrays). They are available on all objects in Active Directory, but only have meaning on objects representing naming contexts in the Global Catalog. The partialAttributeSet attribute specifies which attributes are in the Partial Attribute Set on a particular GC. The partialAttributeDeletionList attribute specifies any attributes that need to be removed from the PAS. Once the particular GC is up to date, these special attributes are reset on the GC.



Credit

This topic was discussed in this thread in the TechNet Directory Services forum:

isMemberOfPartialAttributeSet & FLAG_ATTR_REQ_PARTIAL_SET_MEMBER in systemFlags

The issue was explained by Christoffer Andersson in this blog post:

FLAG_ATTR_REQ_PARTIAL_SET_MEMBER vs isMemberOfPartialAttributeSet
