Physical Architecture

Microsoft® Windows® 2000 Scripting Guide

An important aspect of managing Active Directory with ADSI scripts is understanding the two primary parts of Active Directory: the Active Directory store, and the components (DLLs) that make the directory accessible. These two parts work together to provide the foundation for distributed networks built on the Windows 2000 Server family.

The Active Directory store provides secure, searchable, hierarchical storage of the objects in a network, including users, computers, printers, and applications. The objects in the Active Directory store carry identity and location information that describes network resources. The store is held in a single file, the Windows NT® Directory Services Directory Information Tree, Ntds.dit (by default %SystemRoot%\NTDS\Ntds.dit on each domain controller). Because this file also holds the password hashes of every account in the domain, the operating system keeps it open and inaccessible while the directory service is running; any offline copy of it (a backup, a snapshot, or installation media) must be protected as carefully as the domain controller itself.

The Active Directory components that make the information in the store accessible to users and applications are the:

  • Extensible Storage Engine. Reads and writes the data in the Active Directory store (Ntds.dit). The Extensible Storage Engine (ESE) applies each write operation as a discrete, atomic transaction: the change is first recorded in the transaction log files (Edb.log and its numbered predecessors in the NTDS folder) and only then applied to Ntds.dit. The logs let ESE roll back an incomplete transaction and recover the database after a crash.

  • Database Layer. Provides an object-oriented, hierarchical view of the data contained in the Active Directory store.

  • Directory System Agent. ADSI providers and other interface components use the Directory System Agent (DSA) to reach the database layer and, through it, the Active Directory store. The DSA acts as a gatekeeper: it enforces the schema rules that define each object, so that a client operation must satisfy them before anything is written. For example, the DSA rejects a script operation that attempts to write a value longer than the attribute's schema-defined maximum, or one that creates an object without supplying all of its mandatory attributes. The DSA is also the layer that evaluates the security descriptor (nTSecurityDescriptor) on each object, so a script can read or modify only what the identity it is bound as is permitted to.

    The DSA is also integral to directory replication from one domain controller to another.

  • Lightweight Directory Access Protocol. The protocol layer through which clients reach LDAP-compliant directory services such as Active Directory. LDAP is the wire protocol that client and server use to communicate with an LDAP-compliant directory. The Active Directory LDAP layer accepts both version 2 and version 3 of the protocol (LDAP v2 and LDAP v3) and is itself an LDAP v3 implementation. LDAP v3 is the version that matters for security: it supports SASL binds (Kerberos or NTLM through SSPI) with signing and sealing of the session, and LDAP over SSL on TCP port 636 when the domain controller has a server certificate. An LDAP simple bind, the only kind LDAP v2 offers, sends the account password in cleartext over TCP port 389, so scripts should bind with secure authentication rather than a simple bind.
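The following script is an added example, not code from the Windows 2000 Scripting Guide. It ties together the DSA and LDAP items above: it binds through the LDAP layer with a secure (SSPI) bind and session signing and sealing instead of a cleartext simple bind, then lets the DSA reject the two schema violations the text describes (a missing mandatory attribute and a value that exceeds the attribute's maximum length) before a valid create succeeds. The domain (fabrikam.com), the organizational unit (OU=Test), and the account name are assumptions; change them to match a test forest, and run it only in a lab.

```vbscript
' Added example (not from the Windows 2000 Scripting Guide).
' Assumed names: domain fabrikam.com, OU "Test", test account "DsaTestUser".
Option Explicit

' OpenDSObject flags (ADS_AUTHENTICATION_ENUM).
Const ADS_SECURE_AUTHENTICATION = &H1   ' SSPI bind (Kerberos/NTLM), no cleartext password
Const ADS_USE_SIGNING           = &H40  ' integrity protection of the LDAP session
Const ADS_USE_SEALING           = &H80  ' encryption of the LDAP session

Dim objNS, objOU, objUser, blnCreated

' Bind through the LDAP provider. vbNullString for user and password means
' "use the credentials of the logged-on user"; the flags request a SASL bind
' with signing and sealing rather than an LDAP simple bind, which would send
' a password in cleartext on port 389.
Set objNS = GetObject("LDAP:")
Set objOU = objNS.OpenDSObject("LDAP://OU=Test,DC=fabrikam,DC=com", _
    vbNullString, vbNullString, _
    ADS_SECURE_AUTHENTICATION Or ADS_USE_SIGNING Or ADS_USE_SEALING)

On Error Resume Next

' Attempt 1: mandatory attribute missing. On a Windows 2000 domain controller
' sAMAccountName must be supplied by the client, so the DSA rejects the create
' when SetInfo flushes the property cache. (Windows Server 2003 and later
' generate a sAMAccountName automatically, so this attempt succeeds there.)
Set objUser = objOU.Create("user", "cn=DsaTestUser")
objUser.SetInfo
blnCreated = Accepted("create without sAMAccountName")

' Attempt 2: value too long. The schema gives the initials attribute a
' rangeUpper of 6, so a 7-character value is a constraint violation. SetInfo
' writes the whole cache as one operation, so nothing is committed, not even
' the now-valid sAMAccountName in the same cache.
If Not blnCreated Then
    objUser.Put "sAMAccountName", "dsatest"
    objUser.Put "initials", "ABCDEFG"
    objUser.SetInfo
    blnCreated = Accepted("create with 7-character initials")
End If

' Attempt 3: both rules satisfied. The DSA hands the object to the database
' layer and ESE commits it as a single transaction.
If Not blnCreated Then
    objUser.Put "initials", "ABC"
    objUser.SetInfo
    blnCreated = Accepted("create with valid attributes")
End If

' Remove the test object again.
If blnCreated Then
    objOU.Delete "user", "cn=DsaTestUser"
    Accepted "delete of test object"
End If

' Reports whether the last directory operation was accepted by the DSA and
' clears the error so the next attempt starts clean.
Function Accepted(strWhat)
    If Err.Number = 0 Then
        WScript.Echo "Accepted: " & strWhat
        Accepted = True
    Else
        WScript.Echo "Rejected: " & strWhat & _
            " (0x" & Hex(Err.Number) & " " & Err.Description & ")"
        Err.Clear
        Accepted = False
    End If
End Function
```

Run it with cscript so the output goes to the console. The point to take from the first two attempts is that every rejection is produced by the DSA after the request has travelled through the LDAP layer, and that a rejected SetInfo leaves the directory untouched; the point to take from the bind is that the same script, written with a simple bind and an explicit user name and password, would work just as well while exposing that password on the wire.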