Active Directory Overview

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

This is part of the Microsoft Active Directory Management Pack Technical Reference guide

Active Directory consists of a number of interdependent components that run on each domain controller, along with several components that are external to Active Directory but on which Active Directory relies heavily. To maintain a healthy Active Directory directory service, all of these components should be monitored. The following figure illustrates the major Active Directory components and external components running on a domain controller.


Figure 2: Active Directory and External Components
On This Page

Active Directory Components
External Components

Active Directory Components

This section describes the purpose of each of the major components of Active Directory that are monitored by Active Directory Management Pack.


Interfaces

The following sections describe the interfaces that are used for communication with Active Directory.


MAPI

Messaging clients, such as Microsoft Outlook, use the Microsoft Messaging API (MAPI) interface to gain access to data (for example, telephone numbers) held by Active Directory. Address-book lookups of this kind reach the directory through the Name Service Provider Interface (NSPI), an RPC interface that the domain controller exposes alongside LDAP, so an outage of the RPC endpoint mapper or of the NSPI interface affects Outlook users even when LDAP itself is healthy.

LDAP and Global Catalog

Lightweight Directory Access Protocol (LDAP) is the standard protocol that directory clients use to gain access to data held by directory servers. LDAP supports a relatively small set of operations: bind, unbind, search, compare, add, modify, delete, and so on. The LDAP interface is the primary interface to Active Directory; it is responsible for packaging and interpreting LDAP messages on the network, on TCP port 389 (or 636 for LDAP over SSL/TLS). A simple bind carries the password in the clear, so clients should either use SSL/TLS or bind with SASL (Kerberos or NTLM) and request signing and sealing.

Directory clients use the global catalog interface to perform forest-wide searches by querying a single server. A global catalog server holds a read-only partial replica (a subset of attributes) of every object in the forest and answers on TCP port 3268 (3269 over SSL/TLS), so such a search needs no referrals to domain controllers in other domains.
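The following is an added example, not code from the original guide: one PowerShell function that runs the same query first through the domain-scoped LDAP interface and then through the global catalog interface, binding with SASL plus signing and sealing rather than a cleartext simple bind. The forest root DN DC=corp,DC=example,DC=com, the domain controller dc01.corp.example.com (assumed to also be a global catalog server), and the account jdoe are hypothetical.

```powershell
# Added example (not from the original page). Demonstrates a domain-scoped LDAP search
# versus a forest-wide global catalog search with the same filter, using a secure bind.
# Assumptions (hypothetical): forest root DN DC=corp,DC=example,DC=com, a DC named
# dc01.corp.example.com that is also a global catalog, and a user 'jdoe'.
Add-Type -AssemblyName System.DirectoryServices

function Search-Directory {
    param(
        [Parameter(Mandatory)] [string]   $Path,        # ADsPath: LDAP://host/DN or GC://host/DN
        [Parameter(Mandatory)] [string]   $Filter,      # RFC 4515 search filter
        [string[]] $Attributes = @('distinguishedName')
    )
    # Secure  = SASL (Kerberos/NTLM) bind instead of a cleartext simple bind
    # Signing = integrity protection, Sealing = encryption of the LDAP traffic itself
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Signing -bor
            [System.DirectoryServices.AuthenticationTypes]::Sealing
    $root     = New-Object System.DirectoryServices.DirectoryEntry($Path, $null, $null, $auth)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attributes)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500     # paged results; without this the server stops at its 1000-entry limit
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{ Path = $result.Path }
        foreach ($a in $Attributes) { $row[$a] = ($result.Properties[$a.ToLower()] -join '; ') }
        [pscustomobject]$row
    }
}

$filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))'

# Domain-scoped search (TCP 389): sees only objects in this domain's partition,
# but any attribute of the object can be returned.
Search-Directory -Path 'LDAP://dc01.corp.example.com/DC=corp,DC=example,DC=com' `
                 -Filter $filter -Attributes 'distinguishedName','telephoneNumber','memberOf'

# Forest-wide search through the global catalog (TCP 3268): one query covers every
# domain in the forest tree, but only attributes in the partial attribute set are available.
Search-Directory -Path 'GC://dc01.corp.example.com/DC=corp,DC=example,DC=com' `
                 -Filter $filter -Attributes 'distinguishedName','mail','userPrincipalName'
```

The GC:// provider prefix is what selects port 3268; the base DN is the forest root so that the subtree search covers every domain beneath it. If the domain controller enforces LDAP signing, a DirectoryEntry created without the Signing flag is refused, which makes this function a quick way to confirm that the setting is actually in force.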

Replication Subsystem

The replication subsystem maintains data consistency across all domain controllers in a domain and in the forest. Domain controllers replicate over the replication remote procedure call (RPC) interface carried on Internet Protocol (IP). Between sites, Simple Mail Transfer Protocol (SMTP) can be used as the transport instead, but only for the schema, configuration, and global catalog partial replicas; the domain partition shared by domain controllers of the same domain replicates over RPC only.

The Knowledge Consistency Checker (KCC), which is part of the replication subsystem, automatically computes an efficient replication topology based on the site, subnet, and site link information that you provide to Active Directory about your network. The KCC regularly recalculates the topology to adjust for network changes and for domain controllers that are added, removed, or unreachable.
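As an added example (not part of the original guide), the following PowerShell function turns the CSV output of repadmin /showrepl into a list of replication partnerships that either have recorded failures or have not succeeded within a chosen window. The second condition matters because a partnership whose connection object the KCC has removed shows zero failures while silently never replicating again. It assumes repadmin.exe from the AD DS tools and rights to query every domain controller.

```powershell
# Added example (not from the original page): summarise inbound replication health
# for all domain controllers from repadmin's CSV output.
# Assumes repadmin.exe (RSAT / AD DS tools) and permission to query every DC.
function Get-ReplicationFailures {
    param([int] $MaxHoursSinceSuccess = 24)

    # One row per (destination DSA, source DSA, naming context). Column names are
    # those emitted by repadmin /showrepl /csv.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $failures = [int] $r.'Number of Failures'
        $lastOk   = $null
        if ($r.'Last Success Time' -and $r.'Last Success Time' -ne '0') {
            $lastOk = [datetime] $r.'Last Success Time'
        }
        # Stale: no failures recorded, yet nothing has replicated for too long.
        $stale = ($null -ne $lastOk) -and (((Get-Date) - $lastOk).TotalHours -gt $MaxHoursSinceSuccess)

        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Transport     = $r.'Transport Type'       # RPC or SMTP
                Failures      = $failures
                LastSuccess   = $lastOk
                LastFailure   = $r.'Last Failure Time'
                LastStatus    = $r.'Last Failure Status'  # Win32 error code, 0 when healthy
            }
        }
    }
}

Get-ReplicationFailures -MaxHoursSinceSuccess 24 |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize
```

Run it from a domain member with the tools installed; an empty result means every partnership has replicated within the window and has no outstanding failures. The per-site summary that repadmin /replsummary prints is a useful complement, but it does not expose the last-success timestamp per partnership.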


Security Accounts Manager (SAM)

The Security Accounts Manager (SAM) is used for verifying passwords and for checking passwords against any existing password policies that are in effect on a domain controller. In addition, SAM provides legacy support for Microsoft® Windows NT® 4.0 users and groups.

Intersite Messaging

The Intersite Messaging service is required by domain controllers running Windows 2000 Server. It enables multiple transports, including SMTP, to be used for intersite replication and messaging. Intersite Messaging answers queries from the KCC about the replication paths available between sites, and it lets domain controllers exchange SMTP messages through servers other than those dedicated to processing e-mail.


LSASS

On a domain controller the directory service itself (Ntdsa.dll) runs inside the Local Security Authority Subsystem process (Lsass.exe), alongside the Kerberos KDC, SAM, and NetLogon services on which it depends. From the perspective of CPU and memory utilization, Active Directory is therefore represented on a domain controller by the LSASS process, and a failure of that process takes the directory service down with it.


Directory Information Tree (DIT)

The directory information tree (DIT) is the Active Directory database, stored as the file Ntds.dit, together with its transaction log files (by default both are in %SystemRoot%\NTDS). Active Directory Management Pack monitors the database and log files for possible problems, such as unrestrained growth in file size and exhaustion of disk space on the logical drives where these files are stored.

Operations Masters (FSMOs)

Active Directory uses a multimaster architecture, which means that all domain controllers are equally authoritative. However, certain domain controller operations must be performed by a single domain controller, or else conflicts can occur. The domain controllers that perform these operations are called operations master role holders (also known as flexible single master operations (FSMO) role holders). There are two forest-wide operations masters and three domain-wide operations masters. The forest and domain operations masters are described in the following tables.

Forest Operations Masters

Schema operations master

Controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema operations master. There can be only one schema operations master in the entire forest.

Domain naming operations master

Controls the addition or removal of domains in the forest. There can be only one domain naming operations master in the entire forest.

Domain Operations Masters

Relative ID (RID) operations master

Allocates sequences of relative IDs (RIDs) to each of the domain controllers in its domain. A domain controller combines a RID with the domain SID to form the SID of each security principal it creates, and it requests a new RID pool from the RID operations master when its current pool runs low. At any time, there can be only one domain controller acting as the RID operations master in each domain in the forest. If the RID master is unavailable for an extended period, domain controllers eventually exhaust their pools and can no longer create users, groups, or computers.

Primary domain controller (PDC) emulator operations master

Acts as a Windows NT PDC for down-level clients and backup domain controllers (BDCs). The PDC emulator operations master receives preferential (urgent) replication of password changes made on any domain controller in the domain, and a domain controller that rejects a password consults the PDC emulator before failing the authentication, which is why a recently changed password works immediately even before normal replication completes. At any time, there can be only one domain controller acting as the PDC emulator operations master in each domain in the forest. By default, the PDC emulator operations master is also the authoritative time source for its domain: the other domain controllers synchronize to it, and the PDC emulator of a child domain sets its clock to the clock of a domain controller in the parent domain. The PDC emulator of the forest root domain has no parent to follow and should be configured to synchronize with a reliable external time source.

Infrastructure operations master

Updates references from objects in its domain to objects in other domains (for example, the membership of a domain local group that contains users from another domain). The infrastructure operations master compares the cross-domain references it holds with the data of a global catalog. Global catalogs receive regular updates for objects in all domains through replication; therefore, the global catalog data is kept up to date. If the infrastructure operations master finds a reference that is out of date, it requests the updated data from a global catalog and then replicates the corrected reference to the other domain controllers in the domain. Because this detection relies on comparing a domain controller that is not a global catalog with one that is, the infrastructure master must not itself be a global catalog server unless every domain controller in the domain is also a global catalog server (in which case there are no stale references left for it to fix).
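The following PowerShell is an added example rather than content of the original guide. It lists the five operations master role holders for every domain in the forest and applies the infrastructure master placement rule from the table above: the role holder is flagged when it is a global catalog server while at least one other domain controller in the domain is not. It assumes the ActiveDirectory module from RSAT and read access to the forest the machine is joined to; no names are hard-coded.

```powershell
# Added example (not from the original page): report the five operations master role
# holders per domain and flag the infrastructure master / global catalog rule.
# Assumes the ActiveDirectory module (RSAT) and read access to the joined forest.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $gcs    = @($dcs | Where-Object IsGlobalCatalog | ForEach-Object HostName)

        # The infrastructure master may be a GC only when every DC in the domain is a GC;
        # otherwise it must NOT be a GC, or stale cross-domain references are never corrected.
        $imIsGc   = $domain.InfrastructureMaster -in $gcs
        $allAreGc = ($gcs.Count -eq $dcs.Count)

        [pscustomobject]@{
            Domain                 = $domainName
            SchemaMaster           = $forest.SchemaMaster         # forest-wide role
            DomainNamingMaster     = $forest.DomainNamingMaster   # forest-wide role
            RIDMaster              = $domain.RIDMaster
            PDCEmulator            = $domain.PDCEmulator
            InfrastructureMaster   = $domain.InfrastructureMaster
            InfrastructureMasterOK = (-not $imIsGc) -or $allAreGc
            GlobalCatalogs         = ($gcs -join ', ')
        }
    }
}

Get-OperationsMasterReport | Format-List

# Built-in alternative that prints the role holders only, without the placement check:
# netdom query fsmo
```

InfrastructureMasterOK is False only in the problematic configuration; a forest in which every domain controller is a global catalog (the common case in small environments) always reports True.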

External Components

This section describes the purpose of each of the external components on which Active Directory depends that are monitored by Active Directory Management Pack.


SYSVOL

SYSVOL is the shared directory on domain controllers that contains Group Policy templates and logon scripts. SYSVOL is important because a domain controller does not advertise itself until the SYSVOL share is present: NetLogon withholds the domain controller's Domain Name System (DNS) records in Active Directory-integrated DNS until then, so a SYSVOL problem looks to clients like a missing domain controller. Replication of SYSVOL is handled by the File Replication service (FRS); later Windows Server releases replaced FRS with DFS Replication (DFSR) for this purpose.

NetLogon Service and DC Locator

The NetLogon service is used by Active Directory to establish a secure channel between domain controllers and directory clients (member computers and other domain controllers); pass-through authentication and trust traffic flow over that channel. The NetLogon service also contains the server side of DC Locator.

DC Locator is the mechanism by which clients find a domain controller. NetLogon on each domain controller registers SRV and A records in DNS that advertise the domain controller's availability and its site, and clients query those records, then probe the candidates over LDAP, to locate the nearest domain controller.


DNS

Active Directory advertises its directory services with DNS, using service (SRV) and host address (A) records registered under the _msdcs subdomain of the domain and forest names (for example, _ldap._tcp.dc._msdcs.<domain> for any domain controller, _kerberos._tcp.dc._msdcs.<domain> for any KDC, _ldap._tcp.gc._msdcs.<forest root> for global catalog servers, and site-specific variants under _sites). Directory clients use this DNS information to locate the closest available domain controller; missing or stale records are a common cause of logon and Group Policy failures.
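As an added example (not from the original guide), the PowerShell below resolves the DC Locator records described in the two preceding sections for a domain and, optionally, a site, then asks the locator itself for a domain controller so that the DNS view can be compared with what NetLogon actually returns. The domain corp.example.com and the site Default-First-Site-Name are hypothetical.

```powershell
# Added example (not from the original page): check the SRV records a domain controller
# must publish for DC Locator, then query the locator itself.
# Assumptions (hypothetical): domain corp.example.com, site Default-First-Site-Name.
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)] [string] $DnsDomain,   # e.g. corp.example.com
        [string] $SiteName                            # optional: also check site-specific records
    )
    # Generic records registered by NetLogon under _msdcs.
    $names = @(
        "_ldap._tcp.dc._msdcs.$DnsDomain",       # any domain controller
        "_kerberos._tcp.dc._msdcs.$DnsDomain",   # any KDC
        "_ldap._tcp.pdc._msdcs.$DnsDomain",      # the PDC emulator
        "_ldap._tcp.gc._msdcs.$DnsDomain"        # global catalogs (meaningful for the forest root name)
    )
    if ($SiteName) {
        # Site-specific records are what lets a client prefer a DC in its own site.
        $names += "_ldap._tcp.$SiteName._sites.dc._msdcs.$DnsDomain"
        $names += "_kerberos._tcp.$SiteName._sites.dc._msdcs.$DnsDomain"
    }
    foreach ($n in $names) {
        $srv = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'SRV' }
        [pscustomobject]@{
            Record  = $n
            Targets = if ($srv) {
                          ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
                      } else { '<missing>' }
        }
    }
}

Test-DcLocatorRecords -DnsDomain 'corp.example.com' -SiteName 'Default-First-Site-Name' |
    Format-Table -AutoSize

# Ask NetLogon's locator directly; /force bypasses the cached domain controller.
nltest /dsgetdc:corp.example.com /force
```

A record that resolves in DNS but never appears in the nltest result usually points at a domain controller that has stopped advertising (for example because SYSVOL is not shared), while a <missing> record with a healthy nltest result suggests the DNS zone is not accepting the domain controller's dynamic updates.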

W32Time (Time Synchronization)

The Kerberos authentication protocol takes its time from the clock of the domain controller on which it is running and uses that time to check ticket lifetimes and the timestamps in authenticators; Active Directory replication also relies on timestamps to resolve conflicting updates. If the clock of a client or domain controller differs from the KDC's clock by more than the permitted skew (five minutes by default), Kerberos authentication fails, which causes problems throughout Active Directory. W32Time synchronizes clocks between domain controllers, with the PDC emulator of each domain at the top of the hierarchy, which keeps skew within tolerance.
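The PowerShell below is an added example, not part of the original guide. It parses the output of w32tm /monitor to list the offset of every domain controller's clock from the local clock and flags any offset beyond the default Kerberos tolerance of five minutes; it also shows how to confirm which source a domain controller follows and, in a comment, the configuration a forest root PDC emulator needs. The domain corp.example.com and the time server time.example.net are hypothetical.

```powershell
# Added example (not from the original page): measure each DC's clock offset with
# w32tm /monitor and flag offsets beyond the Kerberos default skew of 300 seconds.
# Assumptions (hypothetical): domain corp.example.com, external source time.example.net.
function Get-DcTimeSkew {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [double] $MaxSkewSeconds = 300          # Kerberos policy default: 5 minutes
    )
    $out = w32tm /monitor /domain:$Domain
    $current = $null
    foreach ($line in $out) {
        # Block header, e.g. "dc01.corp.example.com *** PDC ***[10.0.0.1:123]:"
        if ($line -match '^(?<host>\S+)(\s+\*\*\* PDC \*\*\*)?\[[^\]]*\]:') {
            $current = $Matches.host
            continue
        }
        if (-not $current) { continue }
        # Offset line, e.g. "    NTP: +0.0123456s offset from dc01.corp.example.com"
        if ($line -match 'NTP:\s+(?<off>[+-]?\d+(\.\d+)?)s\s+offset') {
            $offset = [double] $Matches.off
            [pscustomobject]@{
                DomainController    = $current
                OffsetSeconds       = $offset
                ExceedsKerberosSkew = ([math]::Abs($offset) -gt $MaxSkewSeconds)
                Status              = 'ok'
            }
        }
        elseif ($line -match 'NTP:\s+error') {
            # The DC did not answer NTP at all; treat as a failure, not as zero skew.
            [pscustomobject]@{
                DomainController    = $current
                OffsetSeconds       = $null
                ExceedsKerberosSkew = $true
                Status              = $line.Trim()
            }
        }
    }
}

Get-DcTimeSkew -Domain 'corp.example.com' | Format-Table -AutoSize

# Which source is this machine actually following? Domain members and non-PDC DCs
# should report a domain controller (NT5DS hierarchy), not "Local CMOS Clock".
w32tm /query /source

# Forest root PDC emulator only: it has no parent domain to follow, so give it an
# external source and mark it reliable. Run on that one DC, then force a resync:
# w32tm /config /manualpeerlist:"time.example.net,0x8" /syncfromflags:manual /reliable:yes /update
# w32tm /resync
```

Offsets are relative to the machine running the command, so run it from a domain controller or a member whose own clock is known to be good; a uniform large offset across every domain controller means the local clock, not the domain, is wrong.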

Kerberos and NTLM

Kerberos is a standards-based authentication protocol that is the preferred authentication method for Windows 2000 and later clients. Kerberos is more secure than NTLM (it provides mutual authentication and relies on tickets rather than on a challenge-response computed from the password hash), and it offers delegation abilities not offered by NTLM. The Kerberos authentication protocol is implemented by the Key Distribution Center (KDC) service, which runs on every domain controller.

NTLM is a legacy authentication protocol that is used by Microsoft® Windows 98 and earlier clients and by Windows NT clients. Later clients also fall back to NTLM whenever Kerberos cannot be used, for example when a server is addressed by IP address rather than by name, so NTLM traffic does not disappear simply because all clients support Kerberos.


Trusts

Trusts are relationships, established between domains or forests, that enable users in one domain or forest to be authenticated by a domain controller in another domain or forest. Trusts allow users in one domain or forest to access resources in a different domain or forest. The proper functioning of trusts depends on the availability of Kerberos and NTLM.