Directory data store

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Active Directory directory service uses a data store for all directory information. This data store is often referred to as the directory. The directory contains information about objects such as users, groups, computers, domains, organizational units, and security policies. This information can be published for use by users and administrators.

The directory is stored on domain controllers and can be accessed by network applications or services. A domain can have one or more domain controllers. Each domain controller has a copy of the directory for the entire domain in which it is located. Changes made to the directory on one domain controller are replicated to other domain controllers in the domain, domain tree, or forest. Active Directory uses four distinct directory partition types to store and copy different types of data. Directory partitions contain domain, configuration, schema, and application data. This storage and replication design provides directory information to users and administrators throughout the domain.

Directory data is stored in the Ntds.dit file on the domain controller. It is recommended that you store this file on an NTFS partition. For more information about the tool used to manage the Active Directory database and log files, see Files in Ntdsutil. Private data is stored securely, and public directory data is stored on a shared system volume where it can be replicated to other domain controllers in the domain. For more information about replication, see Replication overview.

Directory data replicated between domain controllers includes the following:

  • Domain data

    The domain data holds information about objects within a domain. This is information such as e-mail contacts, user and computer account attributes, and published resources that are of interest to administrators and users.

    For example, when a user account is added to your network, a user account object and attribute data are stored in the domain data. When changes to your organization's directory objects occur, such as object creation, deletion, or attribute modification, this data is stored in the domain data.

  • Configuration data

    The configuration data describes the topology of the directory. This configuration data includes a list of all domains, trees, and forests and the locations of the domain controllers and global catalogs.

  • Schema data

    The schema is the formal definition of all object and attribute data that can be stored in the directory. Domain controllers running Windows Server 2003 include a default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies. Administrators and programmers can extend the schema by defining new object types and attributes or by adding new attributes for existing objects. Schema objects are protected by access control lists, ensuring that only authorized users can alter the schema.

    For more information, see Schema.

  • Application data

    Data stored in the application directory partition is intended to satisfy cases where information needs to be replicated but not necessarily on a global scale. Application directory partitions are not part of the directory data store by default; they must be created, configured, and managed by the administrator.

    For more information, see Application directory partitions.

Note

  • If a domain controller is also a global catalog, it stores a subset of the directory data for all other domains in the forest. For more information about domain controllers, see Domain controllers. For more information about the global catalog, see The role of the global catalog.

Quotas and directory partitions

Quotas, a new feature with domain controllers running Windows Server 2003, determine the number of objects that can be owned in a given directory partition by a security principal. (The owner of an object is usually, but not always, the creator of the object.) Quotas can help prevent the denial of service that can occur if a security principal accidentally, or intentionally, creates objects until the affected domain controller runs out of storage space.

Quotas are specified and administered for each directory partition separately. The schema partition, however, has no quotas. On a given directory partition, you can assign quotas for any security principal, including users, inetOrgPersons, computers, and groups. Members of the Domain Admins and Enterprise Admins groups are exempt from quotas. In some cases, a security principal might be covered by multiple quotas. For example, a user might be assigned an individual quota, and also belong to one or more security groups that also have quotas assigned to them. In such cases, the effective quota is the maximum of the quotas assigned to the security principal.

If a security principal is not assigned a quota either directly or through a group membership, a default quota on the partition governs the security principal. If you do not explicitly set the default quota on a given partition, the default quota of that partition is unlimited (i.e., there is no limit).

Tombstone objects owned by a security principal are also counted as part of the quota consumption of that security principal. For each partition, you can specify a tombstone quota factor to determine the percentage weight given to a tombstone object in quota accounting. For example, if the tombstone quota factor for a given partition is set to 25 (or 25%), then a tombstone object on the partition is counted as 0.25 (or ¼) of a normal object. If a quota of 100 is specified for a user on this partition, then the user could own a maximum of 100 normal objects, or a maximum of 400 tombstone objects. The default tombstone quota factor for each partition is initially set to 100 (or 100%), meaning that normal and tombstone objects are weighted equally.

The following example illustrates how quotas can be used. Consider the domain "sales.northwindtraders.com." Because this domain supports a lot of printing activity, the domain contains several print servers that each support 1,000 or more print queues. Initially, the default quota of the sales.northwindtraders.com domain partition is set to unlimited. To help control the number of objects created and owned, the administrator specifies a default quota of 500. Now, each user can own a maximum of 500 objects on the partition. Because print queues are directory objects that are created and owned by the respective print servers, the new default quota of 500 limits each print server to 500 print queues. To remove this constraint, the administrator creates a group called "Print Servers" and adds the computer account of each print server to the group. The administrator then specifies a quota of 2,000 for the Print Servers group. Now, each print server can support its original number of print queues, while the default quota continues to prevent excess object creation by all other security principals.
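As an added example (not Microsoft's code or tooling), the following Python model applies the quota rules described above: the effective quota as the maximum of assigned quotas with the partition default as fallback, admin exemption, tombstone weighting, and the sales.northwindtraders.com print-server scenario. The account name "print-01$" and the group names other than "Print Servers" are constructed for the example.

```python
# Added example: a model of Active Directory quota accounting as described on this page.
# Not Microsoft's code; account names other than "Print Servers" are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

UNLIMITED = None  # an unset default quota means there is no limit
EXEMPT_GROUPS = {"Domain Admins", "Enterprise Admins"}  # never subject to quotas


@dataclass
class Partition:
    default_quota: Optional[int] = UNLIMITED  # partition default, unlimited unless set
    tombstone_factor: int = 100               # percent weight of a tombstone object
    quotas: Dict[str, int] = field(default_factory=dict)  # principal or group -> limit


def effective_quota(part: Partition, principal: str, groups: List[str]) -> Optional[int]:
    """Quota governing a principal: the maximum of its own quota and its groups'
    quotas; the partition default if none is assigned; unlimited for admins."""
    if EXEMPT_GROUPS & set(groups):
        return UNLIMITED
    assigned = [part.quotas[p] for p in [principal, *groups] if p in part.quotas]
    return max(assigned) if assigned else part.default_quota


def consumption(part: Partition, normal_objects: int, tombstones: int) -> float:
    """Weighted object count: a tombstone counts tombstone_factor percent of an object."""
    return normal_objects + tombstones * part.tombstone_factor / 100


def can_create(part: Partition, principal: str, groups: List[str],
               normal_objects: int, tombstones: int) -> bool:
    """True if owning one more normal object stays within the effective quota."""
    limit = effective_quota(part, principal, groups)
    if limit is UNLIMITED:
        return True
    return consumption(part, normal_objects, tombstones) + 1 <= limit


def sales_scenario():
    """The print-server walkthrough: unlimited -> default 500 -> group quota 2,000."""
    part = Partition()                               # default quota starts unlimited
    server, group = "print-01$", "Print Servers"     # constructed computer account
    before = can_create(part, server, [], 1000, 0)   # unlimited: 1,001st queue allowed
    part.default_quota = 500                         # administrator sets the default
    limited = can_create(part, server, [], 1000, 0)  # now capped at 500 objects
    part.quotas[group] = 2000                        # quota on the Print Servers group
    after = can_create(part, server, [group], 1000, 0)
    return before, limited, after
```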

Only domain controllers running Windows Server 2003 can enforce quotas. Quotas are enforced only on originating directory operations; quotas are not enforced on replicated operations. In order for quotas to be fully effective for any given directory partition, all domain controllers that contain a writable copy of that partition must be running Windows Server 2003. Therefore, for quotas to be effective on a domain directory partition, all domain controllers in that domain must be running Windows Server 2003. For quotas to be effective on the configuration partition, all domain controllers in the forest must be running Windows Server 2003.

For information about creating, modifying, and querying quotas, default quotas, and tombstone quota factors, see Dsadd, Dsmod, and Dsquery.