Export (0) Print
Expand All

Active Directory Logical Structure and Data Storage

Updated: December 5, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Effective delegation of Active Directory management tasks requires that you understand the nature of Active Directory data and where the data is stored. Since delegation of administration involves authorizing the ability to perform low-level operations on data, understanding where the data on which these operations is stored is essential to authorizing the ability to perform low-level operations on this data. This section provides descriptions of the major logical components of Active Directory as well as descriptions and locations of the top-level domain and configuration containers.

Forests and Domains

An Active Directory forest represents an instance of Active Directory. A forest is a collection of one or more domains with a shared configuration and schema, represented by a single logical global catalog, and connected by a spanning tree of transitive trusts. From a data perspective, Active Directory stores data for an entire forest. “Directory” and “forest” can be considered as synonymous. Although there is a single directory, data storage is distributed among one or more domains. Servers that host the Active Directory directory service are called domain controllers.

Directory Partitions

In Active Directory, data storage is partitioned into logical segments called directory partitions, and each directory partition replicates its changes separately among those domain controllers in the forest that store copies (replicas) of the same directory partitions.

One specific directory partition stores forest-wide configuration information essential to the proper functioning of the forest. Another specific directory partition stores the Active Directory schema. Other directory partitions store information, such as users, groups, and OUs, that is specific to individual domains. Directory partitions that store domain information are replicated to domain controllers in that domain only. Directory partitions that store configuration and schema information are replicated to domain controllers in all domains. In this way, Active Directory provides a data repository that is logically centralized but physically distributed.

There is a distinction between a directory partition and a database partition. The Active Directory database is not partitioned. Only the directory tree, which is the logical representation of the data that is stored on a domain controller, is partitioned

Because all domain controllers store forest-wide configuration and schema information, a domain controller in one domain can reference a domain controller in any other domain if the information that a user requests is not stored locally. In addition, domain controllers that are global catalog servers store a full replica of one domain directory partition plus a partial replica of every other domain in the forest. Thus, a domain controller that is a global catalog server can be queried to find any object in the forest.

Configuration Directory Partition

There is only one configuration directory partition per forest, and it stores forest-wide configuration data that is required for the proper functioning of Active Directory as a directory service. For example, all information required to ensure the proper functioning of replication is stored in the configuration partition, which also houses information pertaining to the site topology. Information that Active Directory uses to construct the directory tree hierarchy is also stored in the configuration directory partition, as is network-wide, service-specific information that applications use to connect to instances of services in the forest. Every domain controller has one fully writeable copy of the configuration directory partition.

Schema Directory Partition

Similarly, there is only one schema directory partition per forest. The schema directory partition contains the definitions of all objects that can be instantiated in Active Directory. It also stores the definitions of all attributes that can be a part of objects in Active Directory. Every domain controller has one fully writeable copy of the schema directory partition, although schema updates are allowed only on the domain controller that is the schema operations master.

The schema directory partition root object contains one child object for each class of objects that can be instantiated in the Active Directory forest and contains one object for each attribute that can be part of an object in the Active Directory forest.

Domain Directory Partitions

Every domain is represented by a domain directory partition. The domain directory partition stores users, computers, groups, and other objects for that domain. All domain controllers that are joined to the domain share a full writeable copy of the domain directory partition. Additionally, all domain controllers in the forest that host the global catalog also host a partial read-only copy of every other domain directory partition in the forest. For the most part, domain directory partitions store domain content – that is, user, group, and computer information. However, some domain-specific configuration data is also stored in the System container of the domain directory partition.

Active Directory Hierarchy

Every Active Directory object can be referenced by a unique and unambiguous name known as a distinguished name (also known as DN). The distinguished name identifies the complete path through the container hierarchy by which the object is reached.

Every forest has one configuration directory partition, one schema directory partition, and at least one domain directory partition that represents the forest root domain. Every additional domain that belongs to a forest adds one domain directory partition to the forest.

The three default Active Directory partitions have the following distinguished names:

  • Forest-root domain directory partition: DC=ForestRootDomain

  • Configuration directory partition: CN=configuration,DC=ForestRootDomain

  • Schema directory partition: CN=schema,CN=configuration,DC=ForestRootDomain

For more information about the default container hierarchy of all Active Directory partitions, see Appendix I: Default Container Hierarchy for Active Directory Partitions in Best Practices for Delegating Active Directory Administration: Appendices, which accompanies this document.

Data Storage from a Management Perspective

From a management perspective, it is helpful to identify where configuration data is stored in Active Directory and where domain content is stored. This information is essential in delegating administration because it helps identify where permissions need to be specified to delegate service and data administration tasks.

Location of Active Directory Service Configuration Data

Active Directory stores service configuration data primarily in the configuration directory partition. From a service management perspective, schema management is also a part of service management and therefore the schema, which is stored in the schema directory partition, is also a part of configuration data. Additionally, certain domain-specific configuration settings are also stored in the System container in the domain directory partition, and thus this data is also a part of configuration data. Finally, because some domain controller-specific configuration data is stored in the registry and the file system on domain controllers, this data is also a part of service configuration data.

From a management perspective, configuration data can be found in the following places:

  • Configuration directory partition

  • Schema directory partition

  • System container in domain directory partitions

  • File system and registry on domain controllers

Location of Active Directory Content

Active Directory content is stored in domain directory partitions. Content in directory partitions is typically stored in one of two kinds of containers – objects of a generic object class container and objects of a special-purpose object class called organizationalUnit as defined in the schema. Objects of the generic class container are ordinary containers and are also used in the Configuration partition. Objects of the class OrganizationalUnit are intended to be the primary containers for domain content such as user, computer, and group accounts.

OUs differ from regular containers in that unlike regular container objects, OUs can have Group Policy applied to them. The Group Policy distribution mechanism ensures that a Group Policy object that is applied to an OU applies directly to all users and computers in the OU and, by inheritance, to all users and computers in OUs (and in generic Active Directory containers) further down the Active Directory subtree rooted at an OU.

In addition to OUs, certain default Active Directory containers also contain domain content. These containers are created during installation and contain default administrative groups, users and other required data. The Builtin container stores built-in groups. The Users container is the default storage area for new user accounts that are created through legacy APIs that are not Active Directory–aware. The Computers container is the default storage area for new computer objects that were originally created through legacy APIs that are not Active Directory–aware

From a management perspective, Active Directory content can be found in the following places:

  • OUs in domain directory partitions

  • Builtin container in directory domain partitions

  • Users container in directory domain partitions

  • Computers container in directory domain partitions

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2015 Microsoft