Active Directory Structure and Storage Technologies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Administrators use Active Directory to store and organize objects on a network (such as users, computers, devices, and so on) into a secure hierarchical containment structure that is known as the logical structure. Although the logical structure of Active Directory is a hierarchical organization of all users, computers, and other physical resources, the forest and domain form the basis of the logical structure. Forests, which are the security boundaries of the logical structure, can be structured to provide data and service autonomy and isolation in an organization in ways that can both reflect site and group identities and remove dependencies on the physical topology.

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to Active Directory Domain Services.

Domains can be structured in a forest to provide data and service autonomy (but not isolation) and to optimize replication within a given region. This separation of logical and physical structures improves manageability and reduces administrative costs because the logical structure is not affected by changes in the physical structure. The logical structure also makes it possible to control access to data. This means that you can use the logical structure to compartmentalize data so that you can control access to it by controlling access to the various compartments.

The data that is stored in Active Directory can come from many diverse sources. With so many different data sources and so many different types of data, Active Directory must employ some type of standardized storage mechanism so that it can maintain the integrity of the data that it stores. In Active Directory, objects are used to store information in the directory, and all objects are defined in the schema. The object definitions contain information, such as data type and syntax, that the directory uses to ensure that the stored data is valid. No data can be stored in the directory unless the objects that are used to store the data are first defined in the schema. The default schema contains all the object definitions that Active Directory needs to function; however, you can also add object definitions to the schema.

While the directory is exposed to you through a logical structure that consists of elements such as domains and forests, the directory itself is implemented through a physical structure that consists of a database that is stored on all domain controllers in a forest. The Active Directory data store handles all access to the database. The data store consists of both services and physical files. These services and physical files make the directory available, and they manage the processes of reading and writing the data inside the database that exists on the hard disk of each domain controller.

Active Directory Structure and Storage Architecture

The Active Directory structure and storage architecture consists of four parts:

  • Active Directory domains and forests. Forests, domains, and organizational units (OUs) make up the core elements of the Active Directory logical structure. A forest defines a single directory and represents a security boundary. Forests contain domains.

  • Domain Name System (DNS) support for Active Directory. DNS provides a name resolution service for domain controller location and a hierarchical design that Active Directory can use to provide a naming convention that can reflect organizational structure.

  • Schema. The schema provides object definitions that are used to create the objects that are stored in the directory.

  • Data store. The data store is the portion of the directory that manages the storage and retrieval of data on each domain controller.

The following figure illustrates the Active Directory data structure and storage architecture.

Figure: Active Directory Data Structure and Storage Architecture

Active Directory Domains and Forests

Domains partition the directory into smaller sections within a single forest. This partitioning results in more control over how data is replicated so that an efficient replication topology can be established and network bandwidth is not wasted by replicating data where it is not required. OUs make it possible to group resources in a domain for management purposes, such as applying Group Policy or delegating control to administrators.

The following figure illustrates the relationships of OUs, domains, and forests in the logical structure architecture.

Figure: Logical Structure Architecture

DNS Support for Active Directory

Active Directory uses DNS as its domain controller location mechanism. When any of the principal Active Directory operations, such as authentication, updating, or searching, is performed, domain-joined computers use DNS to locate Active Directory domain controllers, and these domain controllers use DNS to locate each other. For example, when a network user with an Active Directory user account logs on to an Active Directory domain, the user’s computer uses DNS to locate a domain controller for the Active Directory domain to which the user wants to log on.

To log on to a network that consists of an Active Directory forest, a client workstation must first be able to locate a nearby domain controller. The domain controller is necessary for initial authentication of both the workstation and the user and for subsequent authorization of the user for the files and resources to which the user needs access. The support that is provided to Active Directory by DNS enables a client workstation to locate a domain controller.

Active Directory Schema

The Active Directory schema contains definitions for all the objects that are used to store information in the directory. There is one schema per forest. However, a copy of the schema exists on every domain controller in the forest. This way, every domain controller has quick access to any object definition that it might need, and every domain controller uses the same definition when it creates a given object. The data store relies on the schema to provide object definitions, and the data store uses those definitions to enforce data integrity. The result is that all objects are created uniformly, and it does not matter which domain controller creates or modifies an object because all domain controllers use the same object definition.

The following figure illustrates the relationship of the schema to the data store in the schema architecture.

Figure: Schema Architecture

Active Directory Data Store

The Active Directory data store is made up of several components that together provide directory services to directory clients. These components include the following:

  • Four interfaces:

    • Lightweight Directory Access Protocol (LDAP)

    • Replication (REPL) and domain controller management interface

    • Messaging API (MAPI)

    • Security Accounts Manager (SAM)

  • Three service components:

    • Directory System Agent (DSA)

    • The database layer

    • Extensible Storage Engine (ESE)

  • The directory database where the data is actually stored

The following figure illustrates the relationships of these components in the data store architecture.

Figure: Data Store Architecture

Active Directory Structure and Storage Components

You can define some components for structure and storage in Active Directory, while others are defined by the system and cannot be modified.

  • Forests, domains, and OUs are components that constitute the logical structure of Active Directory. You define them during the installation of Active Directory.

  • DNS support for Active Directory includes components that are used to locate domain controllers and that use DNS naming schemes. Each domain in a forest must adhere to DNS naming schemes, and domains are organized in a root and subordinate domain hierarchy.

  • The schema is a single component that exists inside the directory. The schema contains definitions of the objects that are used to store information in the directory. These object definitions include two primary components: classSchema objects and attributeSchema objects.

  • The data store consists of three layers of components. The first layer provides the interfaces that clients need to access the directory. The second layer provides the services that perform the operations that are associated with reading data from and writing data to the directory database. The third layer is the database itself, which exists as a single file on the hard disk of each domain controller.

Active Directory Domains and Forests

The logical structure of Active Directory is a hierarchical structure of Active Directory domains and OUs in a forest. The relationships of the components in the logical structure control access to stored data, and they control how information is replicated between the various domain controllers in the forest. The main components of the Active Directory logical structure are described in the following table.

Domain and Forest Components

Component | Description

Forest

A forest is the highest level of the logical structure hierarchy. An Active Directory forest represents a single self-contained directory. A forest is a security boundary, which means that administrators in a forest have complete control over all access to information that is stored inside the forest and to the domain controllers that are used to implement the forest.

Domain

Domains partition the information that is stored inside the directory into smaller portions so that the information can be more easily stored on various domain controllers and so that administrators have a greater degree of control over replication. Data that is stored in the directory is replicated throughout the forest from one domain controller to another. Some data that is relevant to the entire forest is replicated to all domain controllers. Other data that is relevant only to a specific domain is replicated only to domain controllers in that particular domain. A good domain design makes it possible to implement an efficient replication topology. This is important because it enables administrators to manage the flow of data across the network, that is, to control how much data is replicated and where that replication traffic takes place.

OU

OUs provide a means for administrators to group resources, such as user accounts or computer accounts, so that the resources can be managed as one unit. This makes it much easier to apply Group Policy to multiple computers or to control the access of many users to a single resource. OUs also make it easier to delegate control over resources to various administrators.

DNS Support for Active Directory

In Active Directory, DNS is the means by which directory clients locate, or discover, domain controllers. The primary components of the architecture for DNS support of Active Directory include the domain controller Locator, Active Directory domain names in DNS, and Active Directory DNS objects.

The following table describes the Active Directory components that help directory clients locate nearby domain controllers.

Active Directory DNS Support Components

Active Directory/DNS Component | Description

Locator

Locator, which is implemented in the Net Logon service, enables a client to locate a domain controller. Locator contains Internet Protocol (IP)/DNS–compatible and Windows NT 4.0–compatible locators, which provide interoperability in a mixed Active Directory environment.

Active Directory domain names in DNS

Every Active Directory domain has a DNS domain name (for example, cohovineyard.com), and every domain-joined computer has a DNS name (for example, server1.cohovineyard.com). Architecturally, domains and computers are represented both as objects in Active Directory and as nodes in DNS.

Active Directory DNS objects

When DNS data is stored in Active Directory, each DNS zone is an Active Directory container object (class dnsZone). The dnsZone object contains a DNS node object (class dnsNode) for every unique name in that zone. The dnsNode object has a dnsRecord multivalued attribute that contains a value for every resource record that is associated with that DNS name.

For more information about DNS support for Active Directory, see “DNS Support for Active Directory Technical Reference.”
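As an added illustration (not code from this article or from Windows), the following Python models the DNS half of the Locator lookup described above: a client queries the site-specific SRV name first and falls back to the domain-wide name, ordering answers by SRV priority and weight. The SRV owner names follow the _msdcs convention that domain controllers register; the records, the site name and the deterministic ordering are constructed assumptions, and the real Locator additionally confirms candidates with LDAP pings.

```python
# Added example, not from the article: a simplified, deterministic model of the
# DNS lookup the domain controller Locator performs. The SRV owner names follow
# the _msdcs convention; the records below are constructed sample data, so the
# code runs offline instead of querying live DNS.
from typing import Dict, List, Optional, Tuple

# Constructed SRV data: owner name -> list of (priority, weight, port, target)
SRV_RECORDS: Dict[str, List[Tuple[int, int, int, str]]] = {
    "_ldap._tcp.dc._msdcs.cohovineyard.com": [
        (0, 100, 389, "dc1.cohovineyard.com"),
        (0, 100, 389, "dc2.cohovineyard.com"),
        (10, 50, 389, "dc3.cohovineyard.com"),   # less preferred: higher priority value
    ],
    # Site-specific name registered by a domain controller covering site "Seattle"
    "_ldap._tcp.Seattle._sites.dc._msdcs.cohovineyard.com": [
        (0, 100, 389, "dc2.cohovineyard.com"),
    ],
}

def srv_name(domain: str, site: Optional[str] = None, service: str = "_ldap") -> str:
    """Build the SRV owner name a client queries; the site form is used when the site is known."""
    if site:
        return f"{service}._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"{service}._tcp.dc._msdcs.{domain}"

def lookup_srv(name: str, zone=SRV_RECORDS) -> List[Tuple[int, int, int, str]]:
    """Stand-in for a DNS SRV query. RFC 2782 order: lowest priority value first;
    within one priority, real clients choose randomly in proportion to weight.
    Sorting by weight (then target name) keeps this model deterministic."""
    return sorted(zone.get(name, []), key=lambda r: (r[0], -r[1], r[3]))

def locate_dcs(domain: str, site: Optional[str] = None, zone=SRV_RECORDS) -> List[str]:
    """Return candidate 'host:port' entries for a domain, preferring the client's site.
    Falls back to the domain-wide name when no domain controller covers the site."""
    names = ([srv_name(domain, site)] if site else []) + [srv_name(domain)]
    for name in names:
        records = lookup_srv(name, zone)
        if records:
            return [f"{target}:{port}" for _, _, port, target in records]
    return []   # no SRV records at all: DNS cannot point the client at a domain controller
```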

Active Directory Schema

Everything that is stored in Active Directory is stored in an object. A definition for every type of object is stored in the schema. The definitions themselves consist of two types of objects: class objects and attribute objects. Classes define groups of attributes that are used to describe common objects. New object definitions are created by combining various class objects and attribute objects to make new combinations that contain the necessary attributes to meet the storage requirements of the new object type. The two main types of object definitions that are stored in the Active Directory schema are described in the following table.

Schema Components

Component | Description

classSchema objects

classSchema objects are object definitions that are stored in the schema, and they are used to define classes. classSchema objects define groups of attributes that have something in common. For example, an object that is used to store a user account needs to store the user’s logon name, first name, last name, and password. It is possible to create a user class that has a logon name attribute, a first name attribute, a last name attribute, and a password attribute. Anytime a new user account is created, the directory uses the user class as the definition, and every user account object that is created uses those attributes. classSchema objects can be nested to create more complex objects.

attributeSchema objects

attributeSchema objects define the individual attributes of a single object. For example, a user account object has a number of attributes that are used to store and define various pieces of data that are related to a user account, such as a logon name attribute and a password attribute. Each of these attributes also has its own attributes that specify the type of data that it stores, the syntax of the data that it stores, and whether or not the attribute is required or optional. The directory service uses attributeSchema objects to store data and verify that the stored data is valid.
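As an added example (not the article's or Microsoft's code), the Python below builds a miniature schema from classSchema and attributeSchema definitions, nested through subClassOf, and applies the integrity check the data store performs before storing an object: mandatory attributes present, only defined attributes used, single-valued attributes holding one value, and each value matching its syntax. The field names follow real schema attributes (subClassOf, mustContain, mayContain, attributeSyntax, isSingleValued); the syntax labels, the shortened class chain and the sample objects are constructed for illustration.

```python
# Added example, not from the article: a miniature schema of classSchema and
# attributeSchema definitions plus the integrity check a data store performs
# before storing an object. Syntax labels and the class chain are condensed.
from typing import Any, Dict, List

# attributeSchema objects: one entry per attribute, giving syntax and multiplicity.
ATTRIBUTE_SCHEMA: Dict[str, Dict[str, Any]] = {
    "cn":                 {"attributeSyntax": "UnicodeString", "isSingleValued": True},
    "sAMAccountName":     {"attributeSyntax": "UnicodeString", "isSingleValued": True},
    "memberOf":           {"attributeSyntax": "DN",            "isSingleValued": False},
    "userAccountControl": {"attributeSyntax": "Integer",       "isSingleValued": True},
}

# classSchema objects nested through subClassOf ("person" level of the real chain omitted).
CLASS_SCHEMA: Dict[str, Dict[str, Any]] = {
    "top":  {"subClassOf": None, "mustContain": [], "mayContain": []},
    "organizationalPerson": {"subClassOf": "top", "mustContain": ["cn"], "mayContain": []},
    "user": {"subClassOf": "organizationalPerson", "mustContain": ["sAMAccountName"],
             "mayContain": ["memberOf", "userAccountControl"]},
}

SYNTAX_CHECKS = {   # stand-ins for the directory's per-syntax value validation
    "UnicodeString": lambda v: isinstance(v, str),
    "Integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "DN": lambda v: isinstance(v, str) and "=" in v,
}

def effective_attributes(class_name):
    """Collect mandatory and optional attributes along the whole subClassOf chain."""
    must, may = set(), set()
    while class_name is not None:
        cls = CLASS_SCHEMA[class_name]
        must.update(cls["mustContain"]); may.update(cls["mayContain"])
        class_name = cls["subClassOf"]
    return must, may

def validate(object_class: str, attrs: Dict[str, List[Any]]) -> List[str]:
    """Return integrity violations for a proposed object; empty means it may be stored."""
    if object_class not in CLASS_SCHEMA:
        return [f"class {object_class} is not defined in the schema"]
    must, may = effective_attributes(object_class)
    errors = [f"missing mandatory attribute {a}" for a in sorted(must - set(attrs))]
    for attr, values in attrs.items():
        if attr not in must and attr not in may:
            errors.append(f"attribute {attr} is not allowed on class {object_class}")
            continue
        definition = ATTRIBUTE_SCHEMA[attr]
        if definition["isSingleValued"] and len(values) != 1:
            errors.append(f"attribute {attr} is single-valued")
        check = SYNTAX_CHECKS[definition["attributeSyntax"]]
        errors.extend(f"bad syntax for {attr}: {v!r}" for v in values if not check(v))
    return errors
```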

Active Directory Data Store

The Active Directory data store is implemented on every domain controller in the forest. The data store consists of components that store and retrieve data inside the directory. The components of the Active Directory data store are described in the following table.

Data Store Components

Component | Description

Interfaces (LDAP, REPL, MAPI, SAM)

The data store interfaces provide a way for directory clients and other directory servers to communicate with the data store.

DSA (Ntdsa.dll)

The DSA (which runs as Ntdsa.dll on each domain controller) provides the interfaces through which directory clients and other directory servers gain access to the directory database. In addition, the DSA enforces directory semantics, maintains the schema, guarantees object identity, and enforces data types on attributes.

Database layer

The database layer is an application programming interface (API) that resides in Ntdsa.dll and provides an interface between applications and the directory database to protect the database from direct interaction with applications. Calls from applications are never made directly to the database; they go through the database layer. In addition, because the directory database is flat — with no hierarchical namespace — the database layer provides the database with an abstraction of an object hierarchy.

ESE (Esent.dll)

The ESE (which runs as Esent.dll) communicates directly with individual records in the directory database on the basis of an object’s relative distinguished name attribute.

Database files

The data store stores directory information in a single database file. It also uses log files, to which it temporarily writes uncommitted transactions.
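As an added illustration (not code from the article or from Windows), this Python sketches the abstraction the database layer provides over a flat database: every record is a row with its own tag, its parent's tag and its relative distinguished name, and the layer rebuilds full distinguished names and walks a DN down the hierarchy one RDN at a time. The column names DNT, PDNT and RDN are modelled on the real store, the rows are constructed, and escaped commas inside RDN values are not handled.

```python
# Added example, not from the article: an object-hierarchy abstraction over a
# flat record table, in the spirit of the database layer in Ntdsa.dll.
# Column names are modelled on the real store; the rows are constructed here.
from typing import Dict, List, Optional, Tuple

# Constructed flat table: (DNT = row tag, PDNT = parent's tag or None, RDN)
FLAT_RECORDS: List[Tuple[int, Optional[int], str]] = [
    (1, None, "DC=com"),
    (2, 1, "DC=cohovineyard"),
    (3, 2, "OU=Sales"),
    (4, 3, "CN=Alice"),
    (5, 2, "CN=Users"),
    (6, 5, "CN=Bob"),
]

class DatabaseLayer:
    """Presents a hierarchy over flat rows; callers never touch the rows directly."""

    def __init__(self, rows: List[Tuple[int, Optional[int], str]]):
        self.by_dnt: Dict[int, Tuple[Optional[int], str]] = {
            dnt: (pdnt, rdn) for dnt, pdnt, rdn in rows}
        # (parent tag, lowercased RDN) -> tag: one lookup per level when walking a DN
        self.by_parent_rdn: Dict[Tuple[Optional[int], str], int] = {
            (pdnt, rdn.lower()): dnt for dnt, pdnt, rdn in rows}

    def distinguished_name(self, dnt: int) -> str:
        """Rebuild the full DN by following parent tags up to the root."""
        parts = []
        while dnt is not None:
            pdnt, rdn = self.by_dnt[dnt]
            parts.append(rdn)
            dnt = pdnt
        return ",".join(parts)

    def resolve(self, dn: str) -> Optional[int]:
        """Walk a DN from its root component downward; None if any level is missing."""
        dnt: Optional[int] = None
        for rdn in reversed([p.strip() for p in dn.split(",")]):
            dnt = self.by_parent_rdn.get((dnt, rdn.lower()))
            if dnt is None:
                return None
        return dnt

    def children(self, dnt: Optional[int]) -> List[int]:
        """Tags of the records directly beneath a container, the basis of a one-level search."""
        return sorted(d for d, (p, _) in self.by_dnt.items() if p == dnt)
```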