Configuration Naming Context


Topic Last Modified: 2005-04-18

There is only one configuration naming context per forest, and it stores forest-wide configuration data that is required for the proper functioning of Active Directory as a directory service. For example, all information required to ensure the proper functioning of replication is stored in the configuration partition, which also houses information pertaining to the site topology. Information that Active Directory uses to construct the directory tree hierarchy is also stored in the configuration directory partition, as is network-wide, service-specific information that applications use to connect to instances of services in the forest. Every domain controller has one fully writeable copy of the configuration directory partition.

Exchange 2000 Server and Exchange Server 2003 store their configuration within this naming context, specifically within cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<root domain>. Data stored by Exchange within the Configuration naming context is protected from unauthorized access by the security permissions configured within the Exchange System Manager using the Exchange Delegation Wizard.

Enterprise Administrators and root domain Domain Administrators can perform Exchange-related functions without being granted rights using the Exchange Delegation Wizard. Although these administrators do not have Full Control, they do have many rights. The only permissions that they do not have are Full Control, Delete Children, Delete Tree, and No Special Permissions. So, for example, Domain Administrators from the root domain and Enterprise Administrators can dismount and mount Exchange stores.
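The following is an added example, not code from the original page or from Microsoft. It checks the statement above against a security descriptor exported from the Exchange container: it reports whether Enterprise Admins or Domain Admins are effectively allowed Full Control, Delete Children or Delete Tree. It assumes the descriptor is an SDDL string exported in the forest root domain, so that the EA and DA aliases denote Enterprise Admins and the root domain's Domain Admins. The function names, the sample descriptor and corp.example.com are constructed for illustration, and rights obtained through other group memberships are not evaluated.

```python
import re

# SDDL right codes for directory objects -> access-mask bits.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
FULL_CONTROL = sum(RIGHTS.values())  # 0xF01FF
RIGHTS["GA"] = FULL_CONTROL          # GENERIC_ALL maps to Full Control
# Rights the page says these administrators do not hold.
WITHHELD = {"Full Control": FULL_CONTROL, "Delete Children": RIGHTS["DC"],
            "Delete Tree": RIGHTS["DT"]}
# SDDL SID aliases; assumed to be resolved in the forest root domain.
ADMINS = {"EA": "Enterprise Admins", "DA": "Domain Admins"}

# Constructed sample DACL, not taken from a real forest.
SAMPLE_SDDL = ("O:EAG:EAD:"
               "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;EA)"
               "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
               "(A;CI;LCRPLORC;;;AU)")

def exchange_config_dn(root_domain):
    """DN of the Exchange container for a forest root DNS name."""
    dcs = ",".join("dc=" + label for label in root_domain.split("."))
    return "cn=Microsoft Exchange,cn=Services,cn=Configuration," + dcs

def pairs(codes):
    """Split an SDDL flag or rights string into its two-letter codes."""
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]

def withheld_rights_granted(sddl):
    """Map each admin group to the withheld rights its ACEs still allow."""
    allow, deny = {}, {}
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, flags, rights, obj_guid, _, trustee = ace.split(";")[:6]
        # Skip other trustees, inherit-only ACEs and object-specific ACEs.
        if trustee not in ADMINS or obj_guid or "IO" in pairs(flags):
            continue
        bucket = {"A": allow, "D": deny}.get(ace_type)
        if bucket is not None:
            # Unknown codes (GR, hex masks, ...) raise KeyError, never skip.
            for code in pairs(rights):
                bucket[trustee] = bucket.get(trustee, 0) | RIGHTS[code]
    report = {}
    for alias, name in ADMINS.items():
        # Simplification: deny always wins, ACE order is not evaluated.
        effective = allow.get(alias, 0) & ~deny.get(alias, 0)
        report[name] = [r for r, bits in WITHHELD.items()
                        if (effective & bits) == bits]
    return report
```

An empty list for both groups matches the permissions described above; any entry in a list is a grant worth reviewing in Exchange System Manager.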