Professional Documents
Culture Documents
• Related Information
The Active Directory directory service is a distributed database that stores and manages information about network
resources, as well as application-specific data from directory-enabled applications. Active Directory allows administrators to
organize objects of a network (such as users, computers, and devices) into a hierarchical collection of containers known as
the logical structure. The top-level logical container in this hierarchy is the forest. Within a forest are domain containers, and
within domains are organizational units.
Understanding domains and forests requires understanding the possible relationships they might have in Active Directory.
The relationships between these logical containers might be based on administrative requirements, such as delegation of
authority, or they might be defined by operational requirements, such as the need to provide for data isolation. Service
administrators can use domain and forest containers to meet a number of specific requirements, including:
• Implementing an authentication and authorization strategy for sharing resources across a network
• Providing an information repository and services to make information available to users and applications
Organizing objects of a network (such as users, computers, devices, resources, and application specific data from
•
directory-enabled applications) into a non-physical hierarchical structure
To learn more about domains and forests, you must first understand the logical and physical structures of Active Directory.
This section describes how those structures differ, and defines domains and forests in terms of the logical structure.
Top of page
The Logical Structure of Active Directory
Active Directory stores network object information and implements the services that make this information available and
usable to users. Active Directory presents this information through a standardized, logical structure that helps you establish
and understand the organization of domains and domain resources in a useful way. This presentation of object information is
referred to as the logical structure because it is independent of the physical aspects of the Active Directory infrastructure,
such as the domain controllers required for each domain in the network.
Component Description
Organizational Organizational units are container objects. You use these container objects to arrange other objects in a
Units manner that supports your administrative purposes. By arranging objects in organizational units, you make it
easier to locate and manage them. You can also delegate the authority to manage an organizational unit.
Organizational units can be nested in other organizational units.
You can arrange objects that have similar administrative and security requirements into organizational units.
Organizational units provide multiple levels of administrative authority, so that you can apply Group Policy
settings and delegate administrative control. This delegation simplifies the task of managing these objects
and enables you to structure Active Directory to fit your organization’s requirements.
Domains Domains are container objects. Domains are a collection of administratively defined objects that share a
common directory database, security policies, and trust relationships with other domains. In this way, each
domain is an administrative boundary for objects. A single domain can span multiple physical locations or
sites and can contain millions of objects.
Domain Trees Domain trees are collections of domains that are grouped together in hierarchical structures. When you add a
domain to a tree, it becomes a child of the tree root domain. The domain to which a child domain is attached
is called the parent domain.
A child domain might in turn have its own child domain. The name of a child domain is combined with the
name of its parent domain to form its own unique Domain Name System (DNS) name such as
Corp.nwtraders.msft. In this manner, a tree has a contiguous namespace.
Forests A forest is a complete instance of Active Directory. Each forest acts as a top-level container in that it houses
all domain containers for that particular Active Directory instance. A forest can contain one or more domain
container objects, all of which share a common logical structure, global catalog, directory schema, and
directory configuration, as well as automatic two-way transitive trust relationships. The first domain in the
forest is called the forest root domain. The name of that domain refers to the forest, such as Nwtraders.msft.
By default, information in Active Directory is shared only within the forest. In this way, the forest is a security
boundary for the information that is contained in that instance of Active Directory.
Site Objects Sites are leaf and container objects. The sites container is the topmost object in the hierarchy of objects that
are used to manage and implement Active Directory replication. The sites container stores the hierarchy of
objects that are used by the Knowledge Consistency Checker (KCC) to effect the replication topology. Some
of the objects located in the sites container include NTDS Site Settings objects, subnet objects, connection
Component Description
objects, server objects, and site objects (one site object for each site in the forest). The hierarchy is
displayed as the contents of the Sites container, which is a child of the Configuration container.
By understanding the purpose and hierarchical structure of these components, you can complete a variety of tasks, including
installing, configuring, managing, and troubleshooting Active Directory. Although the logical structure of Active Directory is a
hierarchical organization of all users, computers, and other physical resources, the forest and domain form the basis of the
logical structure.
Forests, which are the security boundaries of the logical structure, can be structured to provide data and service autonomy
and isolation in an organization in ways that can both reflect site and group identities and remove dependencies on the
physical topology. Domains can be structured within a forest to provide data and service autonomy (but not isolation) and to
optimize replication with a given region.
This separation of logical and physical structures improves manageability and reduces administrative costs because the
logical structure is not impacted by changes in the physical structure, such as the addition, removal, or reorganization of
users and groups.
Note
You can view and manage components of the logical structure by using the Active Directory Users and Computers, Active
•
Directory Domains and Trusts, and Active Directory Schema Microsoft Management Console (MMC) snap-ins, and other
tools.
Top of page
The Physical Structure of Active Directory
The physical structure of Active Directory is represented by a set of physical components which, when configured correctly,
can help optimize the transmission of network replication and authentication in ways specifically tailored to fit your physical
network. Physical network components, such as domain controllers and physical subnets, are used to facilitate network
communication and to set physical boundaries around network resources. More specifically, the physical structure of Active
Directory represents all of the physical subnets in your enterprise network, the domain controllers in those physical subnets
(commonly referred to as Sites in Active Directory) and the replication connections between the domain controllers.
Sites and subnets are represented in Active Directory by site and subnet objects. Computers on TCP/IP networks are
assigned to site objects based on their location in a physical subnet or a set of physical subnets. Physical subnets group
computers in a way that identifies their physical proximity on the network. Each site object is associated with one or more
subnet objects. Subnet objects are used during the process of domain controller location to find a domain controller in the
same site as the computer that is logging on. This information also is used during Active Directory replication to determine
the best routes between domain controllers. This enables you to use network bandwidth more efficiently. For example, it
ensures that when users log on to the network they are authenticated by the authentication authority nearest to the user,
thus reducing the amount of network traffic.
The physical domain controller contains the directory partitions that are replicated. Although the logical and physical
structures are defined and configured independently, they have interdependencies that affect replication.
Note
You can view the physical structure of Active Directory by using Active Directory Sites and
•
Services.
For more information about the network components associated with the physical structure of Active Directory, see the
“Active Directory Replication Topology Technical Reference.”
Top of page
What Are Domains?
Domains are logical directory components that you create to manage the administrative requirements of your organization.
The logical structure is based on the administrative requirements of an organization, such as the delegation of administrative
authority, and operational requirements, such as the need to control replication. In general, domains are used to control
where in the forest replication of domain data occurs and organizational units are used to further organize network objects
into a logical hierarchy and delegate control to appropriate administrative support personnel.
A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it
is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. Domains can
also be defined as:
• Containers within a forest
• Units of Policy
• Units of Replication
• Units of Trust
Each domain has a domain administrators group. Domain administrators have full control over every object in the domain.
These administrative rights are valid within the domain only and do not propagate to other domains.
Organizational Units
The organizational unit is a particularly useful type of directory object contained within domains. Each organizational unit is
an Active Directory container within a domain into which users, groups, computers, and other organizational units of the
domain can be placed. An organizational unit cannot contain objects from other domains.
An organizational unit is the smallest scope or unit to which Group Policy settings can be assigned or to which administrative
authority can be delegated. A hierarchy of organizational units can be extended as necessary to model the hierarchy of an
organization within a domain. The administrative model of the organizational unit can be scaled to any size. For more
information about Group Policy, see “How Core Group Policy Works.”
Administrative authority can be delegated for individual organizational units or for multiple organizational units.
Organizational units can be nested to create a hierarchy within a domain and form logical administrative units for users,
groups, and resource objects, such as printers, computers, applications, and file shares. The organizational unit hierarchy
within a domain is independent of the structure of other domains: Each domain can implement its own hierarchy. Likewise,
domains that are managed by the central authority can implement similar organizational unit hierarchies. The structure is
flexible, which allows organizations to create an environment that mirrors the administrative model, whether it is centralized
or decentralized.
Objects
Active Directory objects represent the physical entities that make up a network. An object stores an instance of a class. A
class is defined in the Active Directory schema as a specific set of mandatory and optional attributes — that is, an attribute
can be present in an object in Active Directory only when that attribute is permitted by the object’s class. Classes also
contain rules that determine which classes of objects can be superior to (parents of) a particular object of the class. Each
attribute is also defined in the directory schema. The attribute definitions determine the syntax for the values the attribute
can have.
Creation of an Active Directory object requires specification of values for the attributes of the object in its particular class,
consistent with the rules of the directory schema. For example, creating a user object requires specification of alphanumeric
values for the user’s first and last names and the logon identifier, which are mandatory according to the directory schema.
Other non-mandatory values can also be specified, such as telephone number and address.
Applications that create or modify objects in Active Directory use the directory schema to determine what attributes the
object must and might have, and what those attributes can look like in terms of data structures and syntax constraints. The
directory schema is maintained forest-wide so that all objects created in the directory conform to the same values.
Objects are either container objects or leaf objects. A container object stores other objects, and as such occupies a specific
level in a subtree hierarchy. An object class is a container if at least one other class specifies it as a possible superior, so any
object class defined in the schema can become a container. A leaf object does not store other objects, so it occupies the
endpoint of a subtree. For more information about Active Directory Objects, see “How Domains and Forests Work” and “How
the Active Directory Schema Works.”
• Password policy. Determines the rules, such as password length, that must be met when a user sets a password.
• Account lockout policy. Defines rules for intruder detection and account deactivation.
Kerberosticket policy. Determines the lifetime of a Kerberos ticket. A Kerberos ticket is obtained during the logon process
•
and is used for network authentication. A particular ticket is only valid for the lifetime specified in the policy.
Because organizational units provide multiple levels of administrative authority, you can use them to systematically apply
Group Policy settings and delegate administrative control. Delegation simplifies the task of managing these objects and
enables you to structure Active Directory to fit the requirements of your organization. Using delegated authority in
conjunction with GPOs and group memberships allows one or more administrators to be assigned rights and permissions to
manage objects in an entire domain or in one or more organizational units within the domain.
For more information about Group Policy, see “How Core Group Policy Works.”
All domain controllers in the forest are also updated with changes to forest-wide data. For more information about replication
at the Forest level, see “Forests as Units of Replication” later in this section Domain-wide replication relies on three
components of the Active Directory physical structure to be in place for optimal performance, these include:
Domain Controllers
The physical domain controller contains the domain partition data that is replicated to other domain controllers in that same
domain. A domain partition stores only the information about objects located in that domain. All domain controllers in a
domain receive changes and replicate those changes to the domain partition stored on all other domain controllers in the
domain. In this way, all domain controllers are peers in the domain and manage replication as a unit.
Domain controllers also have two non-domain directory partitions that store forest-wide data, which includes the directory
schema and configuration data. Optionally, on Windows Server 2003 domain controllers, application partitions can be
configured to be located on designated domain controllers anywhere in a forest. Unlike the schema and configuration
partitions, application partitions are not located on every domain controller in a forest. For more information about the
replication of forest-wide data, see “Forests as Units of Replication” later in this section.
Partitioning Active Directory data into three physical partitions on each domain controller helps to control replication so that
data is replicated only to where it is needed. In this way, Active Directory can scale globally over a network that has limited
available bandwidth.
Sites
Within the scope of a forest, sites are a representation of the physical network topology. This includes physical subnet and
site definitions. Replication of updates to domain data occurs between multiple domain controllers to keep replicas
synchronized. Multiple domains are common in large organizations, as are multiple sites in disparate locations. In addition,
domain controllers for the same domain are commonly placed in more than one site.
Therefore, replication must often occur both within sites and between sites to keep domain and forest data consistent among
domain controllers that store the same directory partitions. Replication within sites generally occurs at typical LAN speeds
between domain controllers that are on the same network segment. Replication between sites usually occurs over WAN links
that might be costly in terms of bandwidth. To accommodate the differences in distance and cost of replication within a site
and between sites, the intrasite replication topology is used to optimize speed, and the intersite replication topology is used
to minimize cost based on a configurable replication schedule.
The Knowledge Consistency Checker (KCC) is a distributed application that runs on every domain controller and is
responsible for creating the connections between domain controllers that collectively form the replication topology. The KCC
uses Active Directory data to determine where to create connections between source domain controllers and destination
domain controllers.
Intersite replication is optimized for bandwidth efficiency, and directory updates between sites occur automatically based on
a configurable schedule.
• “Access to resources” in any discussion of trust relationships always assumes the limitations of access control.
Within a forest, trust relationships are automatically created between the forest root domain and any tree root domains on
the one hand, and all child domains that are subordinate to the forest root domain on the other. Because trust relationships
are two-way and transitive by default, users and computers can be authenticated between any domain containers in the
forest, as shown in the following figure.
Domains as Units of Trust and the Authentication Paths they Provide
In accordance with DNS naming standards, Active Directory domains within a single forest are created in an inverted tree
structure, with the forest root domain at the top. This tree structure requires that trusts exist between domains to facilitate
security of communications. Adding a domain tree to a forest requires specification of the forest root domain, which results in
the establishment of a trust relationship between the root domain of the new tree and the forest root domain. For more
information about trusts and root domains, see “Forests as Collections of Domain Containers that Trust Each Other” later in
this section.
• Units of Replication
• Security Boundaries
• Units of Delegation
Partition Description
Schema The schema partition contains the forest-wide schema. Each forest has one schema so that the definition of
each object class is consistent. The schema is the formal definition of all object and attribute data that can be
stored in the directory. Active Directory domain controllers include a default schema that defines many object
types, such as user and computer accounts, groups, domains, organization units, and security policies.
Administrators and programmers can extend the schema by defining new object types and attributes or by
adding new attributes for existing objects. Schema objects are protected by access control lists, ensuring that
only authorized users can alter the schema. The schema partition is replicated to each domain controller in the
forest.
Configuration The configuration partition describes the topology of the forest as well as other forest, domain and domain
controller settings. This configuration data includes a list of all domains, trees, and forests and the locations of
the domain controllers and global catalogs. The configuration partition is replicated to each domain controller in
the forest.
Application Applications and services can use application directory partitions to store application-specific data. Data stored
Partition Description
in the application directory partition is intended to satisfy cases where information needs to be replicated but
not necessarily on a global scale. Application directory partitions can contain any type of object, except security
principals. Application directory partitions are usually created by the applications that will use them to store and
replicate data. One of the benefits of an application directory partition is that, for redundancy, availability, or
fault tolerance, the data in it can be replicated to different domain controllers in a forest. The data can be
replicated to a specific domain controller or any set of domain controllers anywhere in the forest. This differs
from a domain directory partition in which data is replicated to all domain controllers in that domain.
Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Application directory partitions are created, configured, and managed by the administrator.
All forest replication is Multi-Master with the exception of the three domain-wide and two forest-wide operations master
roles. Forest-wide replication requires domain controllers and three other components of the Active Directory physical
structure to be in place for optimal performance. These components are forest-wide operations master roles, sites, and
global catalogs.
Sites
Sites in Active Directory represent the physical structure, or topology, of the network. Within the scope of a forest, sites are
a representation of the physical network topology, including physical subnet and site definitions. When you establish sites,
domain controllers within a single site communicate frequently. This communication minimizes the latency within the site;
that is, the time required for a change that is made on one domain controller to be replicated to other domain controllers.
You create sites to optimize use of the bandwidth between domain controllers in different locations. For more information
about sites, see “How Active Directory Replication Topology Works.”
Global Catalogs
The global catalog stores a full copy of all Active Directory objects in the directory for its host domain and a partial copy of all
objects for all other domains in the forest. Users in a forest do not need to be aware of directory structure because all users
see a single directory through the global catalog. Applications and clients can query the global catalog to locate any object in
a forest. The global catalog is hosted on one or more domain controllers in the forest. It contains a partial replica of every
domain directory partition in the forest. These partial replicas include replicas of every object in the forest, including the
attributes most frequently used in search operations and the attributes required to locate a full replica of the object. A global
catalog is created automatically on the first domain controller in the forest. Optionally, other domain controllers can be
configured to serve as global catalogs.
A global catalog serves the following roles:
• Enables user searches for directory information about objects throughout all domains in the forest
Resolves user principal names (UPNs) during authentication, when the authenticating domain controller does not have
•
information about the account
• Supplies universal group membership information in a multiple domain environment
A forest is the only component of the Active Directory logical structure that is a security boundary. By contrast, a domain is
not a security boundary because it is not possible for administrators from one domain to prevent a malicious administrator
from another domain within the forest from accessing data in their domain. A domain is, however, the administrative
boundary for managing objects, such as users, groups, and computers. In addition, each domain has its own individual
security policies and trust relationships with other domains.
• To secure data within each forest. Sensitive data can be protected so that only users within that forest can access it.
To isolate directory replication within each forest. Schema changes, configuration changes, and the addition of new
•
domains to a forest have forest-wide impact only within that forest, not on a trusting forest.
Because the forest is a security boundary, each forest does not trust or allow access from any other forest by default.
However, in Windows Server 2003 Active Directory, transitive trust relationships can be manually established between
forests to establish cross-forest access to resources, so that users in one forest can access resources in another forest.
Forest trusts help you to manage a segmented Active Directory infrastructure within your organization by providing support
for accessing resources and other objects across multiple forests. By using forest trusts, you can link two different Windows
Server 2003 forests to form a one-way or two-way transitive trust relationship. A forest trust allows administrators to
federate two Active Directory forests with a single trust relationship to provide a seamless authentication and authorization
experience across the forests.
When two forests are connected by a forest trust, authentication requests made using the Kerberos V5 or NTLM protocols can
be routed between forests to provide access to resources in both forests. Trust security settings and firewalls can be
configured between domains in different forests that are joined by trust relationships to limit cross-forest connectivity to
specific users or applications. For more information about trust security settings, see “Security Considerations for Trusts.”
A forest trust can be created only between a forest root domain in one Windows Server 2003 forest and a forest root domain
in another Windows Server 2003 forest. Forest trusts can be created between two forests only and cannot be implicitly
extended to a third forest. This means that if a forest trust is created between Forest 1 and Forest 2, and another forest trust
is created between Forest 2 and Forest 3, Forest 1 does not have an implicit trust with Forest 3. The following figure shows
two separate forest trust relationships between three Windows Server 2003 forests in a single organization.
Two Forest Trusts Between Three Windows Server 2003 Forests
Top of page
Related Information
The following resources contain additional information that is relevant to this section.
How Active Directory Replication Topology
•
Works
• How Core Group Policy Works
• Related Information
Active Directory stores data for an entire forest. A forest is a distributed database, which is made up of directory partitions
spread across multiple computers. A domain is one partition of the database; each domain contains Active Directory objects,
such as security principal objects (users, computers, and groups) to which you can grant or deny access to network
resources. All domain data stored in the domain directory partition is replicated to domain controllers in that domain only.
The directory partitions that store configuration and schema information are replicated to domain controllers in all domains.
In this way, Active Directory provides a data repository that is logically centralized but physically distributed. Because all
domain controllers store forest-wide configuration and schema information, a domain controller in one domain can reference
a domain controller in any other domain if the information that it is requesting is not stored locally.
This section details how domains and forests work, discusses the various components of domains and forests, describes
several common processes that depend on domains and forests, and lists the network ports related to domains and forests.
Top of page
Domain and Forest Structure
A forest consists of a hierarchical structure of domain containers that are used to categorically store information about
objects on the network. Domain containers are considered the core functional units in the forest structure. This is because
each domain container in a forest is used primarily to store and manage Active Directory objects, most of which have a
physical representation (such as people, printers, or computers). Forests also provide the structure by which domain
containers can be segregated into one or more unique Domain Name System (DNS) namespace hierarchies known as domain
trees.
In addition, the domain tree hierarchy is based on trust relationships — that is, the domain containers are linked by intra-
forest trust relationships. When it is necessary for domain containers in the same organization to have different namespaces,
you can create a separate tree for each namespace. In Active Directory, the roots of trees are linked automatically by two-
way, transitive trust relationships. Trees linked by trust relationships form a forest. A single tree that is related to no other
trees constitutes a forest of one tree. The domain and forest structure is made up of the following components:
• Cross-References
• Trust Relationships
• Forest Root
Domain Trees and Child
•
Domains
• Domain Names
For more information about Active Directory Domains and DNS, see “How DNS Support for Active Directory Works.”
This section describes the structure and function of these components, and describes how this structure helps administrators
manage the network so that users can accomplish business objectives.
Cross-References
Cross-references enable every domain controller to be aware not only of the partitions that it holds, but of all directory
partitions in the forest. The information contained within cross-references form the glue that holds the pieces of the domain
and forest structure together. Because Active Directory is logically partitioned, and directory partitions are the discrete
components of the directory that replicate between domain controllers, either all objects in a directory partition are present
on a particular domain controller or no objects in the directory partition are present on the domain controller. For this reason,
cross references have the effect of linking the partitions together, which allows operations such as searches to span multiple
partitions.
Cross-references are stored as directory objects of the class crossRef that identify the existence and location of all directory
partitions, irrespective of location in the directory tree. In addition, these objects contain information that Active Directory
uses to construct the directory tree hierarchy. Values for the following attributes are required for each cross-reference:
nCName. The distinguished name of the directory partition that the crossRef object references. (The prefix nC stands for
•
naming context, which is a synonym for directory partition.) The combination of all of the nCName properties in the forest
defines the entire directory tree, including the subordinate and superior relationships between partitions.
dNSRoot. The DNS name of the domain where servers that store the particular directory partition can be reached. This
•
value can also be a DNS host name.
External Cross-References
An external cross-reference is a cross-reference object that can be created manually to provide the location of an object that
is not stored in the forest. If your Lightweight Directory Access Protocol (LDAP) clients submit operations for an external
portion of the global LDAP namespace against servers in your forest, and you want servers in your forest to refer the client to
the correct location, you can create a cross-reference object for that directory in the Partitions container. There are two ways
that external cross-references are used:
To reference external directories by their disjoint directory name (a name that is not contiguous with the name of this
•
directory tree). In this case, when you create the cross-reference, you create a reference to a location that is not a child of
any object in this directory.
To reference external directories by a name that is within the Active Directory namespace (a name that is contiguous with
•
the name of this directory tree). In this case, when you create the cross-reference, you create a referenceto a location
that is a child of a real object in this directory.
Because the domain component (dc=) portion of the distinguished names of all Active Directory domains matches their DNS
addresses, and because DNS is the worldwide namespace, all domain controllers can generate external referrals to each
other automatically.
Trust Relationships
Active Directory provides security across multiple domains through intra-forest trust relationships. When there are trust
relationships between domains in the same forest, the authentication mechanism for each domain trusts the authentication
mechanism for all other trusted domains. If a user or application is authenticated by one domain, its authentication is
accepted by all other domains that trust the authenticating domain. Users in a trusted domain have access to resources in
the trusting domain, subject to the access controls that are applied in the trusting domain.
Note
Default intra-forest trust relationships are created at the time the domains are created. The number of trust relationships
•
required to connect n domains is n–1, whether the domains are linked in a single, contiguous parent-child hierarchy or
constitute two or more separate contiguous parent-child hierarchies.
A trust relationship is a relationship established between two domains that allows users in one domain to be recognized by a
domain controller in the other domain. Trusts let users access resources in the other domain, and also let administrators
manage user rights for users in the other domain. Account authentication between domains is enabled by two-way, transitive
trust relationships. All domain trusts in an Active Directory forest are two-way and transitive and are have the following
attributes:
Two-way. When you create a new child domain, the child domain automatically trusts the parent domain, and vice versa.
•
At the practical level, this means that authentication requests can be passed between the two domains in both directions.
Transitive. A transitive trust reaches beyond the two domains in the initial trust relationship. For example, if Domain A
•
and Domain B (parent and child) trust each other, and if Domain B and Domain C (also parent and child) trust each other,
Domain A and Domain C also trust each other (implicitly), even though no direct trust relationship between them exists.
At the level of the forest, a trust relationship is created automatically between the forest root domain and the root domain of
each domain tree added to the forest, with the result that complete trust exists between all domains in an Active Directory
forest. At the practical level, because trust relationships are transitive, a single logon process lets the system authenticate a
user (or computer) in any domain in the forest. As shown in the following figure, this single logon process lets the account
access resources on any domain in the forest.
Transitive Trusts Facilitate Cross-Domain Access to Resources With a Single Logon
Note
Single logons enabled by trusts do not necessarily imply that the authenticated user has rights and permissions in all
•
domains in the forest. This is because in any discussion of trust relationships, access to resources always assumes the
limitations of access control.
Domain Trees
A domain tree is a DNS namespace: it has a single root domain and is built as a strict hierarchy; each domain below the root
domain has exactly one superior, or parent, domain. The namespace created by this hierarchy, therefore, is contiguous —
each level of the hierarchy is directly related to the level above it and to the level below it, if any. In Active Directory, the
following rules determine the way that trees function in the namespace:
• A tree has exactly one name. The name of the tree is the DNS name of the domain at the root of the tree.
The names of domains created beneath the root domain (child domains) are always contiguous with the name of the tree
•
root domain.
The DNS names of the child domains of the tree root domain reflect this organization; therefore, the children of a tree root
•
domain called Somedomain are always children of that domain in the DNS namespace (for example, Child1.somedomain,
Child2.somedomain, and so forth).
Note
Tree and forest hierarchies are specific to Active Directory domains. A Windows NT 4.0 domain that is configured to trust
•
or to be trusted by a Active Directory domain is not part of the forest to which the Active Directory domain belongs.
The forest structure provides organizations with the option of constructing their enterprise from separate, distinct,
noncontiguous namespaces. Having a separate namespace is desirable under conditions where, for example, the namespace
of an acquired company should remain intact. If you have business units with distinct DNS names, you can create additional
trees to accommodate the names.
Note
Before creating a new domain tree when you want a different DNS namespace, consider creating another forest. Multiple
•
forests provide administrative autonomy, isolation of the schema and configuration directory partitions, separate security
boundaries, and the flexibility to use an independent namespace design for each forest.
When you create a new domain tree, you specify the root domain of the initial tree, and a trust relationship is established
between the root domain of the new tree (the second tree) and the forest root domain. If you create a third tree, a trust
relationship is established between the root domain of the third tree and the forest root domain. Because a trust relationship
is transitive and two-way, the root domain of the third tree also has a two-way trust relationship with the root domain of the
second tree. The following operations occur when you create a new tree root domain in an existing forest:
Location of a source domain controller in the forest root domain and synchronization of domain system time with the
•
system time of the source domain controller.
Creation of a tree-root trust relationship between the tree root domain and the forest root domain, and creation of the
•
trusted domain object (TDO) in both domains. The tree-root trust relationship is two-way and transitive.
Child Domains
Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within
the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the
needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide
a means for creating domain names that do not change. Changes in the overall domain architecture, such as domain
collapses and domain re-creation, create difficult and potentially IT-intensive support requirements. A good namespace
design should be capable of withstanding reorganizations without the need to restructure the existing domain hierarchy.
Each time you create a new child domain, a two-way transitive trust relationship (known as the parent-child trust) is
automatically created between the parent and new child domain. In this way, transitive trust relationships flow upward
through the domain tree as it is formed, creating transitive trusts between all domains in the domain tree. The parent-child
relationship is a naming and trust relationship only. Administrators in a parent domain are not automatically administrators
of a child domain. Likewise, policies set in a parent domain do not automatically apply to child domains.
The following operations occur when you create a child domain in an existing tree:
• Verification of the name that you provide as a valid child domain name.
Location of a source domain controller in the parent domain and synchronization of the system time of the child domain
•
with the system time of the source domain controller.
Creation of parent-child TDOs in the System folder on both the parent domain and the child domain. The TDO objects
•
identify two-way transitive trust relationships between the child domain and the parent domain.
Replication of the Active Directory Schema container and the Configuration container from a domain controller in the
•
parent domain.
Domain Names
Active Directory uses DNS naming standards for hierarchical naming of Active Directory domains and computers. For this
reason, domain and computer objects are part of both the DNS domain hierarchy and the Active Directory domain hierarchy.
Although these domain hierarchies have identical names, they represent separate namespaces.
The domain hierarchy defines a namespace. A namespace is any bounded area in which standardized names can be used to
symbolically represent some type of information (such as an object in a directory or an Internet Protocol [IP] address) and
that can be resolved to the object itself. In each namespace, specific rules determine how names can be created and used.
Some namespaces, such as the DNS namespace and the Active Directory namespace, are hierarchically structured and
provide rules that allow the namespace to be partitioned. Other namespaces, such as the Network Basic Input/Output
System (NetBIOS) namespace, are flat (unstructured) and cannot be partitioned.
The main function of DNS is to map user-readable computer names to computer-readable IP addresses. Thus, DNS defines a
namespace for computer names that can be resolved to IP addresses, or vice versa. In Windows NT 4.0 and earlier, DNS
names were not required; domains and computers used NetBIOS names, which were mapped to IP addresses by using the
Windows Internet Name Service (WINS). Although DNS names are required for Active Directory domains and
Windows 2000–, Windows XP–, and Windows Server 2003–based computers, NetBIOS names also are supported in Windows
Server 2003 for interoperability with Windows NT 4.0 domains and with clients that are running Windows NT 4.0 or earlier,
Windows for Workgroups, Windows 98, or Windows 95.
Note
WINS and NetBIOS are not required in an environment where computers run only Windows 2000, Windows XP or Windows
•
Server 2003, but WINS is required for interoperability between Windows 2000 Server– and Windows Server 2003–based
domain controllers, computers that are running earlier versions of Windows, and applications that depend on the NetBIOS
namespace — for example, applications that call NetServerEnum and other so-called Net* application programming
interfaces (APIs) that depend on NetBIOS.
Active Directory domains have both DNS names and NetBIOS names. In general, both names are visible to end users. The
DNS names of Active Directory domains include two parts, a prefix and a suffix. The DNS prefix is the first label in the DNS
name of the domain. The suffix is the name of the Active Directory forest root domain. For example, the first label of the
DNS name for the Child1.wingtiptoys.com domain is Child1 and is referred to as the DNS prefix. The name of the forest root
domain in that same forest is wingtiptoys.com and is referred to as the DNS suffix.
Object Uniqueness
Each object in Active Directory is associated with at least one identifier that identifies that object as unique in an enterprise.
This object identifier is referred to as a globally unique identifier (GUID). Another identifier, referred to as a security ID
(SID), is used on security-enabled objects so that authentication and authorization services can determine its origin and
validity within the domain or forest. Active Directory objects that are security-enabled are referred to as security principals.
A security principal is an object managed by Active Directory that is automatically assigned a SID for logon authentication
and for access to resources. A security principal can be a user account, computer account, or a group, and is unique within a
single domain. A security principal object must be authenticated by a domain controller in the domain in which the security
principal object is located, and it can be granted or denied access to network resources.
GUIDs
Every object in Active Directory has a GUID, a 128-bit number assigned by the Directory System Agent when the object is
created. The GUID, which cannot be altered or removed, is stored in an attribute that is required for every object, not just
security principal objects. The GUID of each object is stored in its Object-GUID (objectGUID) property. When storing a
reference to an Active Directory object in an external store (for example, a Microsoft SQL Server database), the objectGUID
value should be used.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of the properties of an object that is
published in the global catalog. Searching the global catalog for the GUID of a User object will yield results if the user has an
account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of
finding the object you want to find. This is because the values of other object properties can change, but the Object-GUID
never changes. When an object is assigned a GUID, it always keeps that value.
Object Names
Object names are used to identify accounts in an Active Directory network. Objects have both LDAP-related names and logon
names. Each object name represents a unique attribute for that object.
LDAP-Related Names
Active Directory is a Lightweight Directory Access Protocol (LDAP)-compliant directory service. In the Windows 2000 Server
and Windows Server 2003 operating systems, all access to Active Directory objects occurs through LDAP. LDAP defines what
operations can be performed in order to query and modify information in a directory, and how information in a directory can
be accessed in compliance with established security requirements. Therefore, you can use LDAP to find or enumerate
directory objects and to query or administer Active Directory.
It is possible to query by LDAP distinguished name (which is itself an attribute of the object), but because these names are
difficult to remember, LDAP also supports querying by other attributes (for example, by using the attribute “color” to find
“color” printers). This lets you find an object without having to know the distinguished name. If your organization has several
domains, it is possible to use the same user name or computer name in different domains.
Like some other types of object names, LDAP-related names can change. The SID, globally unique ID, LDAP distinguished
name, and canonical name generated by Active Directory uniquely identify each user, computer, or group in the forest. If the
security principal object is renamed or moved to a different domain, the SID, LDAP relative distinguished name, LDAP
distinguished name, and canonical name change, but the globally unique ID generated by Active Directory does not change.
Top of page
Distinguished Name
Objects are located within Active Directory domains according to a hierarchical path, which includes the labels of the Active
Directory domain name and each level of container objects. The full path to the object is defined by the distinguished name
(also known as a DN). The name of the object itself, separate from the path to the object, is defined by the relative
distinguished name.
The distinguished name is unambiguous (identifies one object only) and unique (no other object in the directory has this
name). By using the full path to an object, including the object name and all parent objects to the root of the domain, the
distinguished name uniquely and unambiguously identifies an object within a domain hierarchy. It contains sufficient
information for an LDAP client to retrieve information the about the object from the directory.
For example, a user named Samantha Smith works in the marketing department of a company as a promotions coordinator.
Therefore, her user account is created in an organizational unit that stores the accounts for marketing department employees
who are engaged in promotional activities. The user identifier for Samantha Smith is Ssmith, and she works in the North
American branch of the company. The root domain of the company is wingtiptoys.com, and the local domain is
noam.wingtiptoys.com. The following distinguished name is of the user object Ssmith in the noam.wingtiptoys.com domain.
cn=Ssmith,ou=Promotions,ou=Marketing,dc=noam,dc=wingtiptoys,dc=com
Note
Active Directory tools do not display the LDAP abbreviations for the naming attributes domain component (dc=),
•
organizational unit (ou=), common name (cn=), and so forth. These abbreviations are shown only to illustrate how LDAP
recognizes the portions of the distinguished name. Most Active Directory tools display object names in canonical form, as
described later in this section. Because distinguished names are difficult to remember, it is useful to have other means for
retrieving objects. Active Directory supports querying by attribute (for example, the building number where you want to
find a printer), so an object can be found without having to know the distinguished name.
Top of page
Relative Distinguished Name
The relative distinguished name of an object is the part of the name that is an attribute of the object itself — the part of the
object name that identifies this object as unique from its siblings at its current level in the naming hierarchy. Using the
distinguished name mentioned earlier, the relative distinguished name of the object is SSmith. The relative distinguished
name of the parent object is Promotions. The maximum length allowed for a relative distinguished name is 255 characters,
but attributes have specific limits imposed by the directory schema. For example, in the case of the common name (cn),
which is the attribute type often used for naming the relative distinguished name, the maximum number of characters
allowed is 64.
Active Directory relative distinguished names are unique within a specific parent — that is, Active Directory does not permit
two objects with the same relative distinguished name under the same parent container. However, two objects can have
identical relative distinguished names but still be unique in the directory because within their respective parent containers,
their distinguished names are not the same. (For example, the object cn=SSmith,dc=noam,dc=wingtiptoys,dc=com is
recognized by LDAP as being different from cn=SSmith,dc=wingtiptoys,dc=com.)
The relative distinguished name for each object is stored in the Active Directory database. Each record contains a reference
to the parent of the object. By following the references to the root, the entire distinguished name is constructed during an
LDAP operation.
Top of page
Canonical Name
By default, the user interface in Windows 2000, Windows XP, and Windows Server 2003 displays object names that use the
canonical name, which lists the relative distinguished names from the root downward and without RFC 1779 naming attribute
descriptors; it uses the DNS domain name (the form of the name where domain labels are separated by periods). For the
LDAP distinguished name in the previous example, the respective canonical name would appear as follows:
noam.wingtiptoys.com/marketing/promotions/ssmith
Note
If the name of an organizational unit contains a forward slash character (/), Active Directory requires an escape character
•
in the form of a backslash (\) to distinguish between forward slashes that separate elements of the canonical name and
the forward slash that is part of the organizational unit name. The canonical name that appears in Active Directory Users
and Computers properties pages displays the escape character immediately preceding the forward slash in the name of the
organizational unit. For example, if the name of an organizational unit is Promotions/Northeast and the name of the
domain is Wingtiptoys.com, the canonical name is displayed as Wingtiptoys.com/Promotions\/Northeast.
Logon Names
A unique logon name is required for user security principals to gain access to a domain and its resources. Security principals
are objects to which Windows security is applied in the form of authentication and authorization. Users are security
principals, and they are authenticated (their identity is verified) at the time they log on to the domain or local computer.
They are authorized (allowed or denied access) when they use resources.
In the Windows 2000, Windows XP and Windows Server 2003 operating systems, user security principals require a unique
logon name to gain access to a domain and its resources. Security principal objects might be renamed, moved, or contained
within a nested domain hierarchy. The names of security principal objects must conform to the following guidelines:
The name cannot be identical to any other user, computer, or group name in the domain. It can contain up to 20
•
uppercase or lowercase characters except for the following:" / \ [ ] : ; | = , + * ? <>
• A user name, computer name, or group name cannot consist solely of periods (.) or spaces.
The two types of logon names are user principal name and Security Account Manager account names.
Organizational Units
Active Directory allows administrators to create a hierarchy within a domain that meets the needs of their organization. The
object class of choice for building these hierarchies is the organizationalUnit, a general-purpose container that can be used
to group most other object classes together for administrative purposes. An organizational unit in Active Directory is
analogous to a directory in the file system; it is a container that can hold other objects. You can use organizational units for
purposes such as creating an administrative hierarchy, applying Group Policy, and delegating control of administration.
Administrative Hierarchy
Organizational units can be nested to create a hierarchy within a domain and form logical administrative units for users,
groups, and resource objects, such as printers, computers, applications, and file shares. The organizational unit hierarchy
within a domain is independent of the structure of other domains; each domain can implement its own hierarchy. Likewise,
domains that are managed by a central authority can implement similar organizational unit hierarchies. The structure is
completely flexible, which allows organizations to create an environment that mirrors the administrative model, whether it is
centralized or decentralized.
Group Policy
Group Policy can be applied to organizational units to define the abilities of groups of computers and users that are contained
within the organizational units. Levels of control range from complete desktop lockdown to a relatively autonomous user
experience. Group Policy can affect functionality, such as what applications are available to a group of users, what features
within an application are accessible on a particular computer, where documents are saved, and can affect access and user
permissions. Group Policy also affects where, when, and how application and operating system updates or special scripts are
applied.
Group Policy settings are stored as Group Policy objects in Active Directory. A Group Policy object can be associated with one
or more Active Directory containers, such as a site, domain, or organizational unit.
Delegation of Control
The Active Directory object-based security model implements default access control that is propagated down a subtree of
container objects. You can use this technology to determine the security for an entire group of objects according to the
security that you set on the organizational unit that contains the objects. By default, most Active Directory objects inherit
ACEs from the security descriptor on their parent container object. If necessary, you can change the inherited permissions.
However, as a best practice, you should avoid changing the default permissions or inheritance settings on Active Directory
objects unless you have additional security requirements.
Note
Because Active Directory is indexed, you can organize the tree to match your administrative model, instead of having to
•
organize it for ease of browsing.
Inheritance enables the access control information defined at a container object in Active Directory to apply to the security
descriptors of any subordinate objects, including other containers and their objects. One benefit this provides is that it
eliminates the need to apply permissions each time a child object is created. You can apply or delegate administrative control
over directory objects to organizational units by setting access control.
This inheritance of access effectively delegates administrative control to individuals in the organization. The best way to take
full advantage of delegation and inherited control on directory objects is to organize the hierarchy to match the way that the
directory is administered.
User Authorization
In addition to securing network access through user authentication, Active Directory protects shared resources by facilitating
user authorization. Once a user logon has been authenticated by Active Directory, the user rights assigned to the user
through security groups and the permissions assigned on the shared resource determine if the user will be authorized to
access that resource. This authorization process protects shared resources from unauthorized access and permits access to
only authorized users or groups.
Administrators can use access control to manage user access to shared resources for security purposes. In Active Directory,
access control is administered at the object level by setting different levels of access, or permissions, to objects, such as Full
Control, Write, Read, Delete, or No Access. Access control in Active Directory defines how users can use Active Directory
objects. By default, most permissions on objects in Windows Server 2003 Active Directory are at the most secure setting.
The elements that define access control permissions on Active Directory objects include security descriptors and the concept
of object inheritance.
Security Descriptors
Access control permissions are assigned to securable objects and Active Directory objects to control how different users can
use each object. A securable object, or shared resource, is an object that is intended to be used over a network by one or
more users, and includes files, printers, folders, and services. All securable objects and Active Directory objects store access
control permissions in security descriptors.
A security descriptor contains two access control lists (ACLs) used to assign and track security information for each object:
these are the discretionary access control list (DACL) and the system access control list (SACL).
Discretionary access control lists (DACLs). DACLs identify the users and groups that are assigned or denied access
permissions on an object. If a DACL does not explicitly allow access to a user, or to any group that a user is a member of,
the user is implicitly denied access to that object. By default, a DACL is controlled by the owner of an object or the person
who created the object (In Windows, the creator of an object is also the owner). The DACL contains access control entries
(ACEs) that determine user access to the object.
System access control lists (SACLs). SACLs identify the users and groups that you want to audit when they successfully
access or fail to access an object. Auditing is used to monitor events related to system or network security, to identify
security breaches, and to determine the extent and location of any damage. By default, a SACL is controlled by the owner of
an object or the person who created the object. A SACL contains ACEs that determine whether to record a successful or
failed attempt by a user to access an object using a given permission, for example, Full Control or Read.
Active Directory allows you to apply access control permissions to objects at very low levels, including the ability to assign
permissions on a per-attribute basis. To view DACLs and SACLs on Active Directory objects using Active Directory Users and
Computers, on the View menu, click Advanced Features to access the Security tab for each object. You can also use the
DSACLS support tool to manage access control lists in Active Directory.
By default, DACLs and SACLs are associated with every Active Directory object, which helps reduce attacks to your network
by malicious users or any accidental mistakes made by domain users.
Computer Accounts
Each computer account created in Active Directory has a relative distinguished name, a pre-Windows 2000 computer name
(Security Accounts Manager account name), a primary DNS suffix, a DNS host name, and a service principal name (SPN).
The administrator enters the computer name when creating the computer account. This computer name is used as the LDAP
relative distinguished name.
Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative distinguished name. The
administrator can change the pre-Windows 2000 name at any time.
The DNS name for a host is called a full computer name and is a DNS fully qualified domain name (FQDN). The full computer
name is a concatenation of the computer name (the first 15 bytes of the SAM account name of the computer account without
the $ character) and the primary DNS suffix (the DNS domain name of the domain in which the computer account exists). It
is listed on the Computer Name tab in System Properties in Control Panel.
By default, the primary DNS suffix portion of the FQDN for a computer must be the same as the name of the Active Directory
domain where the computer is located. To allow different primary DNS suffixes, a domain administrator might create a
restricted list of allowed suffixes by creating the msDS-AllowedDNSSuffixes attribute in the domain object container. This
attribute is created and managed by the domain administrator using Active Directory Service Interfaces (ADSI) or LDAP.
The SPN is a multivalue attribute. It is usually built from the DNS name of the host. The SPN is used in the process of mutual
authentication between the client and the server hosting a particular service. The client finds a computer account based on
the SPN of the service to which it is trying to connect. The SPN can be modified by members of the Domain Admins group.
Top of page
Domain and Forest Protocols and Programming Interfaces
The primary protocol that is used by domain controllers in every domain throughout the forest is LDAP, which runs on top of
TCP/IP. LDAP is both a protocol and an API. In addition, the secured communications between domain controllers must use
the remote procedure call (RPC) protocol for Messaging Application Programming Interface (MAPI), replication, domain
controller management, and SAM-related operations.
LDAP
LDAP is a directory service protocol that specifies directory communications. It runs directly over TCP/IP, and it can also run
over User Datagram Protocol (UDP) connectionless transports. Clients can use LDAP to query, create, update, and delete
information that is stored in a directory service over a TCP connection through the TCP default port 389. Active Directory
supports LDAP v2 (RFC 1777) and LDAP v3 (RFC 3377). LDAP v3 is an industry standard that can be used with any directory
service that implements the LDAP protocol. LDAP is the preferred and most common way of interacting with Active Directory.
Historically, LDAP is a simplified (lightweight) version of Directory Access Protocol (DAP), which is the original protocol that
was used to interact with X.500 directories. X.500 defines an earlier set of standards that was developed by the International
Organization for Standardization (ISO). LDAP is simpler than DAP in two key ways:
Rather than using its own protocol stack according to the Open Systems Interconnection (OSI) networking model, LDAP
•
communicates over Internet Protocol (IP) by using either UDP or TCP.
• LDAP syntax is easier to use than DAP syntax.
For these reasons, LDAP is widely used and accepted as the standard protocol for directory service access. The following key
aspects characterize LDAP:
The protocol is carried directly over TCP for connection-oriented transport (receipt of data is acknowledged) and over UDP
•
for connectionless transport (sent or received data is not acknowledged).
• Most protocol data elements can be encoded as ordinary strings, for example, as distinguished names.
• The protocol can be extended to support new operations, and controls can be used to extend existing operations.
• The schema is published through an attribute on the directory root object (rootDSE) for use by clients.
For more information about LDAP, see “How Active Directory Searches Work.”
RPC
Active Directory uses remote procedure call (RPC) for replication (REPL) and domain controller management
communications, MAPI communications, and SAM-related communications. RPC is a powerful, robust, efficient, and secure
interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality located in a
different process. That different process can be on the same computer, on the local area network (LAN), or across the
Internet.
Authentication Protocols
Domain controllers authenticate users and applications by using one of two protocols: either the Kerberos version 5
authentication protocol or the NTLM authentication protocol. When two Active Directory domains or forests are connected by
a trust, authentication requests made using these protocols can be routed to provide access to resources in both forests.
NTLM
The NTLM protocol is the default protocol used for network authentication in the Windows NT 4.0 operating system. For
compatibility reasons, it is used by Active Directory domains to process network authentication requests that come from
earlier Windows-based clients and servers. Computers running Windows 2000, Windows XP or Windows Server 2003 use
NTLM only when authenticating to servers running Windows NT 4.0 and when accessing resources in Windows NT 4.0
domains.
When the NTLM protocol is used between a client and a server, the server must contact a domain authentication service on a
domain controller to verify the client credentials. The server authenticates the client by forwarding the client credentials to a
domain controller in the client account domain.
• The user who is logging on uses a security account in an Active Directory domain.
• The computer that is being logged on to is a Windows 2000, Windows XP or Windows Server 2003–based computer.
• The computer account and the user account are in the same forest.
The computer from which the user is trying to access resources is located in a non-Windows-based operating system
•
Kerberos version 5 realm.
If any computer involved in a transaction does not support the Kerberos version 5 protocol, the NTLM protocol is used.
The authentication protocol of choice for Active Directory authentication requests is Kerberos V5. In contrast to NTLM, when
the Kerberos protocol is used, the server does not have to contact the domain controller. Instead, the client gets a ticket for
a server by requesting one from a domain controller in the server account domain; the server validates the ticket without
consulting any other authority.
For more information about Kerberos, see “How the Kerberos Version 5 Authentication Protocol Works.”
• REPL
• MAPI
• SAM
ADSI
Active Directory Service Interfaces (ADSI) provides a simple, powerful, object-oriented interface to Active Directory. ADSI
makes it easy for programmers and administrators to create directory programs by using high-level tools, such as Microsoft
Visual Basic, without having to worry about the underlying differences between the different namespaces.
ADSI is supplied as a software development kit that enables you to build or buy programs that give you a single point of
access to multiple directories in your network environment, whether those directories are based on LDAP or another protocol.
ADSI is fully scriptable for ease of use by administrators.
ADSI also enables access to Active Directory by exposing objects stored in the directory as Component Object Model (COM)
objects. A directory object is manipulated using the methods available on one or more COM interfaces. ADSI has a provider-
based architecture that allows COM access to different types of directories for which a provider exists.
LDAP C
The LDAP C API, defined in Internet standard RFC 1823, is a set of low-level C-language APIs to the LDAP protocol. Microsoft
supports LDAP C APIs on all Windows platforms.
Developers have the choice of writing Active Directory-enabled applications using LDAP C APIs or ADSI. LDAP C APIs are
most often used to ease portability of directory-enabled applications to the Windows platform. ADSI is a more powerful
language and is more appropriate for developers writing directory-enabled code on the Windows platform.
LDAP is the primary interface for the data store. Directory clients use LDAP v3 to connect to the DSA through the LDAP
interface. The LDAP interface is part of Wldap32.dll. LDAP v3 is backward compatible with LDAP v2.
REPL
The REPL management interface provides functionality for finding data about domain controllers, converting the names of
network objects between different formats, manipulating SPNs and DSAs, and managing replication of servers.
MAPI
Messaging clients gain access to the Microsoft Exchange Server directory service by using MAPI address book providers. For
compatibility with existing messaging clients, Active Directory supports the MAPI-RPC address book provider, which provides
access to Active Directory, for example, to find the telephone number of a user.
SAM
Security Accounts Manager (SAM) is a proprietary interface for connecting to the DSA on behalf of clients that use
Windows NT 4.0 or earlier. These clients use Windows NT 4.0 networking APIs to connect to the DSA through SAM.
Replication with Windows NT 4.0 backup domain controllers (BDCs) goes through the SAM interface as well.
Top of page
Domain and Forest Processes and Interactions
Many network related operations depend on domains and forests in order to complete various tasks. This section describes
some of the processes and interactions that commonly occur within the boundaries of domains or forests.
Logging on to a Domain
When a user with an account in an Active Directory domain logs on at the keyboard of a computer running Windows 2000,
Windows XP or Windows Server 2003, the logon request is processed in three stages:
1. The user requests admission to the ticket-granting service for the domain.
This is accomplished through an Authentication Service (AS) Exchange between the Kerberos security support provider
(SSP) on the computer and the Key Distribution Center (KDC) in the domain in which the user account exists. The result
is a ticket-granting ticket (TGT) that the user can present in future transactions with this KDC.
2. The user requests a ticket for the computer.
This is accomplished through a Ticket-Granting Service (TGS) Exchange between the Kerberos SSP on the computer and
the KDC for the domain in which the computer account exists. The result is a session ticket that the user can present
when he or she requests access to system services on the computer.
3. The user requests admission to Local System services on the computer.
This is accomplished when the Kerberos SSP on the computer presents a session ticket to the LSA on the computer.
If the account domain of the computer is different from the account domain of the user, an extra step is involved. Before the
Kerberos SSP can request a session ticket for the computer, it must ask the KDC in the domain where the user account
exists for a TGT that is good for admission to the KDC in the domain where the computer account exists. The SSP can then
present the TGT to the KDC in the domain of the computer and get a session ticket for the computer.
The precise steps in the logon process depend on how the computer is configured. With standard configurations of Windows,
interactive users log on with a password. In another optional configuration of Windows, users log on with a smart card.
Although the basic process is the same for both configurations, there are some differences. For more information about the
domain logon process, see “How Interactive Logon Works.”
• A domain controller in the domain is located through a call to the DsGetDcName API.
A session is established with the domain controller under the security context of the passed-in credentials that are
•
supplied in the Network Identification tab under System Properties in Control Panel.
The computer account is enabled. If the flags so specify (NETSETUP_ACCT_CREATE), the APIs create the computer
•
account on the domain controller.
• The local password for this account is created in the Local Security Authority (LSA).
The local primary domain information LSA policy is set to refer to the new domain. This includes the domain name and the
•
domain SID.
Note
For clients running Windows 2000, Windows XP and Windows Server 2003 only, the LSA policy consists of the domain
•
name, domain SID, DNS domain name, DNS forest name, and domain GUID.
• The DNS name assigned to the local computer is updated.
The local group membership is changed to add members of the Domain Admins group to the Local Accounts
•
Administrators group.
• The Net Logon trusted domain cache is initialized to the trusted domains domain list.
For clients running Windows 2000, Windows XP and Windows Server 2003 only, the Windows Time Service is enabled and
•
started.
• The Net Logon service is started.
To join a workstation or member server to a domain, you can use the Netdom tool. For example, to join a workstation to the
Wingtiptoys.com domain in the engineering organizational unit, type the following command at the workstation:
Netdom join /d:wingtiptoys.com /OU:OU=engineering,DC=wingtiptoys,DC=com
When a computer joins a domain, the following changes occur on domain controllers running Windows NT 4.0, Windows 2000
Server and Windows Server 2003:
A computer object is created. The name of this object is generated by appending a dollar sign ($) to the name (uppercase
•
letters) of the client.
On Windows 2000 Server– and Windows Server 2003–based domain controllers only, the Net Logon service creates SPNs
•
on the computer object.
Netsetup.log
When joining a computer to an Active Directory domain, the Networking Setup (NetSetup) utility installs all the necessary
Microsoft supported networking components. The Netsetup.log file provides information about attempts to join domains and
records any errors that might prevent the join operation from succeeding.
Registering DNS Names and Locating Domain Controllers
When a Windows 2000 Server–based server or Windows Server 2003–based member server is promoted to a domain
controller by installing Active Directory, the Net Logon service registers the DNS resource records necessary for network
hosts and services to locate the domain controller on the network. When network hosts and services attempt an operation
(such as joining a domain) that requires a domain controller, the locator mechanism attempts to locate the domain controller
through DNS.
DNS is used because every Active Directory–based domain controller dynamically registers SRV records in DNS. The SRV
records enable servers to be located by service type (for example, LDAP) and protocol (for example, TCP). Because domain
controllers are LDAP servers that communicate over TCP, SRV records can be used to find the DNS computer names of
domain controllers. In addition to registering LDAP-specific SRV records, Net Logon also registers Kerberos v5 authentication
protocol–specific SRV records to enable locating servers that run the Kerberos Key Distribution Center (KDC) service.
Domain controllers not only register their DNS domain names on a DNS server, but also register their NetBIOS names by
using a transport-specific mechanism (for example, WINS). Thus, a DNS client locates a domain controller by querying DNS,
and a NetBIOS client locates a domain controller by querying the appropriate transport-specific name service. The domain
controller locator service consists of two main parts:
• Locator finds which domain controllers are registered with a DNS server.
Locator submits a DNS query to the DNS server to locate a domain controller in the specified
•
domain.
After this query is resolved, an LDAP User Datagram Protocol (UDP) lookup is sent to one or more of the domain controllers
listed in the response to the DNS query to ensure their availability. Finally, the Net Logon service caches the discovered
domain controller to aid in resolving future requests.
For more information about the DC Locator process, see “How DNS Support for Active Directory Works.”
Kerberos 88 88
Port Assignments for Raising Active Directory Searches
Kerberos 88 88
DNS 53 53
Kerberos 88 88
DNS 53 53
Kerberos 88 88
DNS 53 53
Kerberos 88 88
DNS 53 53
Kerberos 88 88
Port Assignment for DC Locator
Set up trusts on both sides from the LDAP (389 UDP and TCP) N/A Internal domain domain
internal forest Microsoft SMB (445 TCP) controllers–External domain
Kerberos (88 UDP) domain controllers (all ports)
Endpoint resolution —
Task Outbound Ports Inbound Ports From–To
Trust validation from the internal forest LDAP (389 UDP) N/A Internal domain domain
domain controller to the external forest Microsoft SMB (445 TCP) controllers–External domain
domain controller (outgoing trust only) Endpoint resolution — domain controllers (all ports)
portmapper (135 TCP) Net
Logon fixed port
Use Object picker on the external forest N/A LDAP (389 UDP and TCP) External server–Internal
to add objects that are in an internal Windows NT Server 4.0 domain PDCs (Kerberos)
forest to groups and DACLs directory service fixed port External domain domain
Net Logon fixed port controllers–Internal domain
Kerberos (88 UDP) domain controllers (Net Logon)
Endpoint resolution
portmapper (135 TCP)
Set up trust on the external forest from N/A LDAP (389 UDP and TCP) External domain domain
the external forest Microsoft SMB (445 TCP) controllers–Internal domain
Kerberos (88 UDP) domain controllers (all ports)
Use Kerberos authentication (internal Kerberos (88 UDP) N/A Internal client–External domain
forest client to external forest) domain controllers (all ports)
Use NTLM authentication (internal N/A Endpoint resolution – External domain domain
forest client to external forest) portmapper (135 TCP) Net controllers–Internal domain
Logon fixed port domain controllers (all ports)
Join a domain from a computer in the LDAP (389 UDP and TCP) N/A Internal client–External domain
internal network to an external domain Microsoft SMB (445 TCP) domain controllers (all ports)
Kerberos (88 UDP)
Endpoint resolution —
portmapper (135 TCP) Net
Logon fixed port
Windows NT Server 4.0
directory service fixed port
Top of page
Related Information
The following resources contain additional information that is relevant to this section.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
ADSI Edit is a Microsoft Management Console (MMC) tool that uses Active Directory Service Interfaces (ADSI), which
ultimately uses the LDAP protocol. This tool can be used to view and modify directory objects in the Active Directory
database.
To find more information about ADSI Edit, see “Adsiedit Overview.”
Csvde.exe: Csvde
Category
Csvde is a command-line tool that ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows XP Professional
You can use Csvde to import and export data from Active Directory by using files that store data in the comma-separated
value (CSV) file format. Csvde also supports batch operations that are based on CSV.
To find more information about Csvde, see Command-Line References in the “Tools and Settings Collection.”
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
Can Be Run From Can Be Run Against
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
You can set security settings for a domain controller in Domain Controller Security Policy.
For more information about Domain Controller Security Policy, see Help and Support Center in Windows Server 2003.
Dcpromo.exe: Active Directory Installation Wizard
Category
An Active Directory wizard that is included with Windows Server 2003 and is available from the command line or from the
Configure Your Server Wizard on any computer running Windows Server 2003.
Version compatibility
This tool is compatible with computers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise
Edition, and Windows Server 2003, Datacenter Edition.
The Active Directory Installation Wizard provides a graphical user interface for setting up a domain controller by installing
Active Directory and, optionally, DNS. The Active Directory Installation Wizard can also be used on a Windows NT 4.0
primary domain controller (PDC) when upgrading it to Windows Server 2003 and forming a new forest, to raise the forest
functional level to Windows Server 2003 interim, if appropriate.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows XP Professional
Security settings for a domain are set in Domain Security Policy. Group Policy settings can be applied to lock-down which
users are allowed to log on to the server as well as who can access the server from the network.
For more information about Domain Security Policy, see Help and Support Center in Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
Can Be Run From Can Be Run Against
Dsadd.exe: Dsadd
Category
Dsadd is a command-line tool that ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
You can use Dsadd to add specific types of objects to the directory.
To find more information about Dsadd, see Command-Line References in the “Tools and Settings Collection.”
Dsget.exe: Dsget
Category
Dsget is a command-line tool that ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows XP Professional
You can use Dsget to display the selected properties of a specific object in the directory.
To find more information about Dsget, see Command-Line References in the “Tools and Settings
•
Collection.”
Dsmod.exe: Dsmod
Category
Dsmod is a command-line tool that ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows XP Professional
You can use Dsmod to modify an existing object of a specific type in the directory.
To find more information about Dsmod, see Command-Line References in the “Tools and Settings Collection.”
Dsmove.exe: Dsmove
Category
Dsmove is a command-line tool that ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows XP Professional
You can use Dsmove to move a single object in a domain from its current location in the directory to a new location. You can
also use Dsmove to rename a single object without moving it in the directory tree.
To find more information about Dsmove, see Command-Line References in the “Tools and Settings Collection.”
Dsquery.exe: Dsquery
Category
Dsquery is a command-line tool that ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
Can Be Run From Can Be Run Against
• Windows XP Professional
You can use Dsquery to perform searches against Active Directory according to specified criteria. To find more information
about Dsquery, see Command-Line References in the “Tools and Settings Collection.”
Dsrm.exe: Dsrm
Category
Dsrm is a command-line tool that ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
You can use Dsrm to delete an object of a specific type, or any general object, from the directory.
To find more information about Dsrm, see Command-Line References in the “Tools and Settings Collection.”
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
Can Be Run From Can Be Run Against
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
Ldifde.exe: Ldifde
Category
Ldifde is a command-line tool that ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows XP Professional
You can use Ldifde to create, modify, and delete directory objects on domain controllers. You can also use Ldifde to extend
the schema, export Active Directory user and group information to other applications or services, and populate
Active Directory with data from other directory services.
To find more information about Ldifde, see Command-Line References in the “Tools and Settings Collection.”
Ldp.exe: Ldp
Category
Ldp is included when you install Windows Server 2003 Support Tools.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
Ldp is a Lightweight Directory Access Protocol (LDAP) graphical user interface (GUI) tool that you can use to perform
operations such as connect, bind, search, modify, add, and delete against any LDAP-compatible directory, such as
Active Directory. You can also use Ldp to view objects that are stored in Active Directory, along with their metadata, such as
security descriptors and replication metadata.
To find more information about Ldp, see “Windows Support Tools.”
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
Can Be Run From Can Be Run Against
Version compatibility
This tool is compatible with computers running Windows XP Professional, Windows Server 2003, Standard Edition; Windows
Server 2003, Web Edition, Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition.
Netdom is a command-line tool that allows you to create and manage Active Directory trust relationships (except forest
trusts) and can help reduce the number of steps needed to create a trust by using Active Directory Domains and Trusts. You
can also use the Netdom command line tool to complete batch management of trusts, join computers to domains, verify
trusts (including forest trusts) and secured channels, and obtain information about the status of trusts.
Netdom can be targeted at all Active Directory domain controllers and can verify all Active Directory trust types. Verification
is accomplished between two domains by enumerating the domain controllers in each domain. If you choose to have Netdom
create both sides of the trust at once the trust password is automatically generated.
To find more information about Netdom, see “Windows Support Tools.”
Nltest.exe: NLTest
Category
The NLTest command-line tool is included when you install Windows Server 2003 Support Tools.
Version compatibility
This tool is compatible with computers running Windows XP Professional, Windows Server 2003, Standard Edition; Windows
Server 2003, Web Edition, Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition.
You can use the NLTest command-line tool to perform trust-related network administrative tasks such as testing the trust
relationship between a Windows–based computer that is a member of a domain and the domain controller on which its
computer account is located. In domains where an external trust is defined, NLTest can be used to test the trust relationship
between all domain controllers in the trusting domain and a domain controller in the trusted domain. Nltest can also be used
to verify any secured channel.
To find more information about NLTest, see “Windows Support Tools.”
Ntdsutil.exe: Ntdsutil
Category
Ntdsutil is a command-line tool that ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Ntdsutil.exe provides management capabilities for Active Directory. You can use Ntdsutil.exe to perform Active Directory
database maintenance, manage and control single-master operations, and remove replication metadata left behind by
domain controllers that are removed from the network without uninstalling Active Directory. You can also use Ntdsutil to
create application directory partitions and perform authoritative restore operations. This tool is intended for use by
experienced administrators.
To find more information about Ntdsutil, see Command-Line References in the “Tools and Settings Collection.”
Repadmin: Repadmin
Category
Repadmin is included when you install Windows Server 2003 Support Tools.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
Administrators can use Repadmin to monitor and manage replication between domain controllers. You can determine the last
successful replication of all directory partitions, identify inbound and outbound replication partners, identify the current
bridgehead servers, view object metadata, and generally manage Active Directory replication topology. You can use
Repadmin to force replication of an entire directory partition or of a single object. You can also list domain controllers in a
site.
To find more information about Repadmin, at a command prompt type repadmin /? or see Command-Line References in the
Tools and Settings Collection.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
Setspn.exe: Setspn
Category
Setspn is included when you install Windows Server 2003 Support Tools.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
Can Be Run From Can Be Run Against
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
Administrators can use this command-line tool to read, modify, and delete values in the servicePrincipalNames attribute
on an Active Directory service account object.
To find more information about Setspn, see “Windows Support Tools.”
Top of page
Domains and Forests Registry Entries
The following registry entries are associated with domains and forests.
• For data store related registry entries, see “Data Store Tools and Settings.”
• For global catalog related registry entries, see “Global Catalog Tools and Settings.”
For replication related registry entries, see “Active Directory Replication Tools and
•
Settings.”
• For logon related registry entries, see “Interactive Logon Tools and Settings.”
• For Kerberos related registry entries, see “Kerberos Authentication Tools and Settings.”
• For Access Token related registry entries, see “Access Tokens Tools and Settings.”
Top of page
Domains and Forests Group Policy Settings
The following tables list and describe the Group Policy settings that are associated with domains and forests.
Group Policy Settings Associated with Data Store
Audit Directory When it is enabled, this Group Policy setting causes successful and failed directory access events to
Services Access be logged in the Directory Service event log.
Group Policy Settings Associated with Active Directory Searches
Maximum size of Specifies the maximum number of objects that the system displays in response to a command to
Active Directory browse or search Active Directory.
searches This policy affects all browse displays that are associated with Active Directory, such as those in Local
Users and Groups, Active Directory Users and Computers, and dialog boxes that are used to set
permissions for user or group objects in Active Directory.
If you enable this policy, you can use it to limit the number of objects that are returned from an
Active Directory search.
If you disable this policy or if you do not configure it, the system displays up to 10,000 objects.
Enable filter in Find Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons
dialog box for applying additional filters to search results.
Group Policy Description
Setting
If you enable this policy, the filter bar appears when the Active Directory Find dialog box opens, but
users can hide it.
Hide Active Directory Hides the Active Directory folder in My Network Places.
folder The Active Directory folder displays Active Directory objects in a browse window.
If you enable this policy, the Active Directory folder does not appear in the My Network Places folder.
If you disable this policy or if you do not configure it, the Active Directory folder appears in the My
Network Places folder.
Group Policy Settings Associated with Global Catalogs
Automated Site Determines whether domain controllers dynamically register DC Locator site-specific SRV resource
Coverage by the DC records for the closest sites where no domain controller for the same domain exists (or no global
Locator DNS SRV catalog server for the same forest exists). These DNS records are dynamically registered by the Net
Records Logon service, and they are used to locate domain controllers.
Sites Covered by the Specifies the sites for which global catalog servers should register the site-specific GC Locator SRV
GC Locator DNS SRV resource records in DNS. These records are registered in addition to the site-specific SRV resource
Records records registered for the site where the global catalog server is located and, if the global catalog
server is appropriately configured, for the sites without a global catalog server in the same forest for
which this global catalog server is the closest global catalog server. These records are registered by
Net Logon service.
If this policy is not configured, it is not applied to any global catalog servers and global catalog
servers use their local configuration.
Group Policy Settings Associated with Replication
Account Lockout Policy: Changes to these settings in the Domain Security Policy trigger urgent replication.
Password Policy: Changes to these settings in the Domain Security Policy trigger urgent replication.
• Enforce password
history
Contact PDC on logon Account lockout and domain password changes rely on contacting the primary domain controller
failure (PDC) emulator urgently to update the PDC emulator with the change. If Contact PDC on logon
failure is disabled, replication of password changes to the PDC emulator occurs non-urgently.
Group Policy Settings Associated with Interactive Logon
• Enforce password history • The strength and complexity required of the password of every
user
• Maximum password age
• Minimum password age
• Minimum password length
• Password must meet complexity requirements
• Store password using reversible encryption for all
users in the domain
• Access the computer from the network • Which users are allowed or disallowed to log on to perform
different tasks, including logging on as a batch job and a service
• Deny logon as a batch job
• Which users are allowed or disallowed to logon locally or through
terminal services, as well as who can or cannot access the
• Deny logon as a service
computer from the network
• Deny logon locally
• Deny logon through terminal services
• Logon as a batch job
• Logon as a service
• Logon locally
Security Options: Changes to the Security Options settings control:
• Accounts: Limit local accounts use of blank • Message text and title displayed by the GINA during an interactive
passwords to console logon only logon
• Audit policy change • Generate audits when rights are assigned with one of the tools discussed
earlier.
• Audit privilege use
• Enable audit privilege use. Will log when SeAssignPrimaryTokenPrivilege was
used.
• Audit process tracking
• Create an audit for assigning a primary token that contains the two
processes involved and the identity of the token assigned.
Security Options: Changes to this setting affect whether Everyone is in the token for anonymous
users.
• Network access: Let Everyone
permissions apply to anonymous users
Impersonate a client Windows 2000 security setting that was first introduced in Windows 2000 SP4. When you assign this
after authentication user right to a user, you permit programs that run on behalf of that user to impersonate a client. This
security setting helps to prevent unauthorized servers from impersonating clients that connect to it
through methods such as remote procedure calls (RPC) or named pipes.
Group Policy Description
Setting
By default, members of the Administrators group and the System account are assigned this user right.
The following components also are assigned this user right:
Enforce user logon Determines whether the KDC validates every request for a session ticket against the user rights
restrictions policy on the target computer. When this policy is enabled, the user requesting the session ticket
must have the right to either Log on locally or to Access this computer from network. Validation of
each request is optional because the extra step takes time and might slow network access to
services. By default, this policy is enabled.
Maximum lifetime for Determines the maximum amount of time (in minutes) that a ticket granted for a service (that is, a
service ticket session ticket) can be used to access the service. If the setting is zero minutes, the ticket never
expires. Otherwise, the setting must be greater than ten minutes and less than the setting for
Maximum lifetime for user ticket. By default, the setting is 600 minutes (10 hours).
Maximum lifetime for Determines the maximum amount of time (in hours) that a ticket-granting ticket (TGT) for a user
user ticket can be used. When a TGT expires, a new one must be requested or the existing one must be
renewed. By default, the setting is ten hours.
Maximum lifetime for Determines the longest period of time (in days) that a TGT can be used if it is repeatedly renewed.
user ticket renewal By default, the setting is seven days.
Maximum tolerance for Determines the maximum difference (in minutes) that the Kerberos V5 protocol tolerates between
computer clock the clock time on a client and the clock time on a server while still considering the two clocks
synchronization synchronous. By default, the setting is five minutes.
To find more information about these Group Policy settings, see Group Policy Settings Reference in the “Tools and Settings
Collection” or see “Account Policy Settings.”
Top of page
Domains and Forests WMI Classes
Windows Management Instrumentation (WMI) provides access to information about certain objects in a Windows 2000
Server or Windows Server 2003 operating system. WMI providers and classes represent the managed resources on a
computer and are used by administrators and developers for scripting and monitoring purposes. The following tables list and
describe the WMI classes that are associated with Active Directory domains and forests.
WMI Classes Associated with Data Store, Service Principal Names (SPNs) and Active Directory Searches
Kerberos 88 88
Port Assignments for Raising Active Directory Searches
Kerberos 88 88
DNS 53 53
Kerberos 88 88
DNS 53 53
Kerberos 88 88
DNS 53 53
Kerberos 88 88
DNS 53 53
Kerberos 88 88
Port Assignment for DC Locator
Set up trusts on both sides from the LDAP (389 UDP and TCP) N/A Internal domain domain
internal forest Microsoft SMB (445 TCP) controllers–External domain
Kerberos (88 UDP) domain controllers (all ports)
Endpoint resolution —
portmapper (135 TCP) Net
Logon fixed port
Trust validation from the internal forest LDAP (389 UDP) N/A Internal domain domain
domain controller to the external forest Microsoft SMB (445 TCP) controllers–External domain
domain controller (outgoing trust only) Endpoint resolution — domain controllers (all ports)
Task Outbound Ports Inbound Ports From–To
Use Object picker on the external forest N/A LDAP (389 UDP and TCP) External server–Internal
to add objects that are in an internal Windows NT Server 4.0 domain PDCs (Kerberos)
forest to groups and DACLs directory service fixed port External domain domain
Net Logon fixed port controllers–Internal domain
Kerberos (88 UDP) domain controllers (Net Logon)
Endpoint resolution
portmapper (135 TCP)
Set up trust on the external forest from N/A LDAP (389 UDP and TCP) External domain domain
the external forest Microsoft SMB (445 TCP) controllers–Internal domain
Kerberos (88 UDP) domain controllers (all ports)
Use Kerberos authentication (internal Kerberos (88 UDP) N/A Internal client–External domain
forest client to external forest) domain controllers (all ports)
Use NTLM authentication (internal N/A Endpoint resolution – External domain domain
forest client to external forest) portmapper (135 TCP) Net controllers–Internal domain
Logon fixed port domain controllers (all ports)
Join a domain from a computer in the LDAP (389 UDP and TCP) N/A Internal client–External domain
internal network to an external domain Microsoft SMB (445 TCP) domain controllers (all ports)
Kerberos (88 UDP)
Endpoint resolution —
portmapper (135 TCP) Net
Logon fixed port
Windows NT Server 4.0
directory service fixed port
Top of page
Related Information
The following resources contain additional information that is relevant to this section.
• Command-Line References in the Tools and Settings Collection for information about DSQuery and Ntdsutil.
Microsoft Platform SDK on MSDN for more information about many WMI classes that are associated with the DNS Server
•
service.
Group Policy Settings Reference in the Tools and Settings Collection for information about Group Policy settings that are
•
associated with the DNS Client service.
• Registry Reference in the Tools and Settings Collection for information about registry entries that are associated with DNS.
• Related Information
The schema is the Active Directory component that defines all the objects and attributes that the directory service uses to
store data.
Active Directory stores and retrieves information from a wide variety of applications and services. So that it can store and
replicate data from a potentially infinite variety of sources, Active Directory standardizes how data is stored in the directory.
By standardizing how data is stored, the directory service can retrieve, update, and replicate data while ensuring that the
integrity of the data is maintained.
The directory service uses objects as units of storage. All objects are defined in the schema. Each time that the directory
handles data, the directory queries the schema for an appropriate object definition. Based on the object definition in the
schema, the directory creates the object and stores the data.
Object definitions control the types of data that the objects can store, as well as the syntax of the data. Using this
information, the schema ensures that all objects conform to their standard definitions. As a result, Active Directory can store,
retrieve, and validate the data that it manages, regardless of the application that is the original source of the data. Only data
that has an existing object definition in the schema can be stored in the directory. If a new type of data needs to be stored, a
new object definition for the data must first be created in the schema.
Top of page
Using Objects to Store Data
Active Directory uses objects to store information. Objects are data structures that consist of multiple attributes that store
both data and its related metadata. Metadata is data that describes the properties of other data. For example, an object that
stores a user account has many attributes, including attributes that contain the user’s logon name, first name, last name,
and password. Each of those attributes has additional attributes that contain metadata about the information that the
attribute stores. The logon name attribute, for example, has multiple attributes of its own. One attribute that is associated
with the logon name specifies that the logon name is a required attribute, which means that the user object is not valid
unless it contains the logon name attribute. Another attribute that is associated with the logon name specifies the syntax of
the value that is stored in the logon name attribute. This ensures that the value that the logon name attribute contains is in a
valid format. Both of these attributes contain metadata for the logon name attribute; that is, they define the characteristics
of the logon name attribute.
The object definitions in the schema list all the object attributes and define how these attributes relate to each other. Some
objects are simple and contain only a few attributes, while other objects are quite complex and contain hundreds of
attributes. Attributes themselves are objects, and the schema contains a definition for each one. To define new objects,
smaller objects are associated with one another to define the necessary attributes of the new objects.
For a user object, the user’s logon name attribute is a smaller object that contains a number of attributes of its own. Among
them are attributes that define the syntax of the logon name and specify whether or not the logon name attribute is optional
or required. The first name and last name attributes are also smaller objects whose definitions can be found in the schema.
The object definition that defines the user object lists the logon name attribute object, the first name and last name attribute
objects, and many other attribute objects, and it defines how these objects relate to each other to store the data that
represents a user account.
Defining objects and attributes in this manner gives the schema the ability to efficiently define many different types of
objects while retaining the ability to add new types of objects when necessary. Many objects have some attributes in
common. For example, many objects have a security descriptor to define who is allowed to access and change their contents.
Rather than create a separate security descriptor definition for each object definition, the schema defines a single security
descriptor object, and all other object definitions refer to the single security descriptor definition. This makes it possible for
every object that needs a security descriptor to have one security descriptor while keeping only one definition for the security
descriptor in the schema.
Top of page
Building the Schema
The Active Directory installation process that creates the forest also generates the default schema. Thereafter, the default
schema replicates to each new domain controller during the installation of the directory on that new domain controller. The
default schema contains all the standard object definitions that are necessary for Active Directory to function in a standard
deployment of Windows Server 2003.
Active Directory uses a multimaster replication topology, which means that any domain controller in a forest can write a
change to the directory database and then replicate that change to other domain controllers in the same forest. For a domain
controller to create a new object and write it to the directory, the domain controller must have access to the object definition
that is needed to create the new object. Every domain controller in a forest maintains a copy of the schema, which makes it
possible for domain controllers to have access to the object definitions that they need to store and retrieve information in the
directory.
In some situations, the default attributes and object definitions in the schema are insufficient to create new object types that
are required by some applications or services that interoperate with the directory. In these situations, it is possible to
customize the schema by adding new object definitions to it. The process of adding definitions to the schema is referred to as
“extending the schema.”
It is important to plan the deployment of schema extensions carefully. The directory stores the schema and replicates
schema changes to every domain controller throughout the forest. Therefore, extending the schema creates replication
traffic, which can briefly affect network traffic. For more information about extending the schema, see “How the Active
Directory Schema Works.”
• Related Information
The schema is the Active Directory component that defines all the objects and attributes that the directory service uses to
store data. The physical structure of the schema consists of the object definitions. The schema itself is stored in the
directory.
The schema is stored in its own partition (the schema partition) in the directory. The schema is replicated among all the
domain controllers in the forest, and any change that is made to the schema is replicated to every domain controller in the
forest. Because the schema dictates how information is stored, and because any changes that are made to the schema affect
every domain controller, changes to the schema should be made only when necessary — through a tightly controlled process
— after testing has been performed to ensure that there will be no adverse effects on the rest of the forest.
Top of page
Active Directory Schema Architecture
In Active Directory, the schema defines the following:
Schema Components
Objects, attributes, and classes are the basic components that are used to build object definitions in the schema.
Objects
Objects are structures that store both data that the objects represent and data that controls the content and structure of the
objects. For example, a user account object contains a user’s logon name as well as data that indicates the proper syntax for
storing the user’s logon name in the user object.
Active Directory uses objects to store data while the data is maintained in the directory. When the directory stores an object,
some associated data is also stored along with the object. The extra data is stored in the attributes of the object.
Attributes
Attributes contain data that defines the information that is stored in an object or in another attribute. For example, a user
account object has attributes that store user information, such as the user’s first name, last name, password, office number,
and telephone number. Different types of objects have different attributes. A printer object has attributes that store
information that is related to printers, such as the printer model, the number of paper trays, the current location of the
printer, and the port to which the printer is attached.
Some attributes contain information that relates to other attributes, such as syntax information or flags that label the
attribute as optional or required. Syntax attributes define the format that is used to store data in other attributes. For
example, because a telephone number comprises only digits, a syntax attribute might specify that the phone number
attribute can only store digits 0 through 9, and letters of the alphabet are prohibited. Active Directory uses syntax attributes
to ensure that information is stored in a legitimate format and that the information is a valid data type.
Attributes can be required or optional. A user account object requires a user name attribute and a password attribute,
although the office number attribute is optional. That is, a user account cannot be used without a user name; however, it can
be used without an office number. The office number attribute is included for convenience, and it is considered an optional
attribute.
An object definition is really an association of various attributes that are used to describe the characteristics of an object that
stores specific pieces of data. The kind of data that the object stores determines which attributes are needed to define the
object.
Large objects are made up of many smaller objects. In the user account object example, the user’s logon name attribute is a
smaller object that contains a number of attributes of its own, including attributes that define the syntax of the logon name
and that specify whether or not the logon name attribute is optional or required. The first name and last name attributes are
also smaller objects that are defined in the schema. The object definition for the user account object lists the logon name
attribute and the first name and last name attributes, as well as many other attributes, and it defines how these attributes
relate to each other to store the data that represents a user account.
Defining objects and attributes this way gives the schema the ability to efficiently define many different types of objects.
Many objects have some attributes in common. For example, many objects have a security descriptor to define who is
allowed to access and make changes to the contents of the object. Rather than create a separate security descriptor
definition for each object definition, the schema defines a single security descriptor object, and all other object definitions
refer to the single security descriptor definition. This makes it possible for every object that needs a security descriptor to
have one, while keeping only one definition for the security descriptor in the schema.
Classes
Object definitions are categorized into groups that are called classes. Classes act as blueprints that can be used each time a
new object is created. When a new object is created in the directory, the object’s class determines the attributes that are
associated with the new object, including which attributes are required and which attributes are optional.
Active Directory has predefined classes that define all of the different object type’s that the directory needs to function
properly. For example, when a new user account object is created in the directory, its definition comes from the classUser
class. The class dictates that the new account object is required to have a user name attribute and a password attribute, and
optionally it might have an office number attribute.
Object definitions are created by nesting classes inside one another. Nesting classes produces a parent/child relationship
between the classes. Classes that are nested inside another class are referred to as subclasses. The parent of a subclass is
referred to as a superclass. When one class is nested inside another, the nested class inherits the properties of the parent
superclass. When various classes that contain particular attributes are nested inside another object class, a new object
definition is created. Which classes are nested depends on which attributes are needed to define the new object type.
The schema stores class information, but it does not store the actual objects that are derived from a class. For example,
when a new user account object is created, it is not stored in the schema. Active Directory looks up the user class in the
schema. Active Directory then retrieves information regarding the object type and its associated attributes from the user
class in the schema and uses that information to create the new user account object. When the new account is created, the
data is stored in the new object, and Active Directory then writes the new account information into the directory database.
The schema is the master list of all classes and attributes that can be used in the directory. During the installation of Active
Directory, the Schema.ini file is used to build the default schema on the first domain controller in the forest. The default
schema provides all the necessary classes that Active Directory needs to function. Administrators or developers might want
to add their own classes or add their own attributes to an existing object type. They can do this through the process of
extending the schema. The schema should only be extended in special situations. For more information on extending the
schema, see “Modifying the Schema” later in this section.
Schema Objects
Active Directory uses objects to store and reference data in the directory. The schema defines the types of objects that are
available to the directory service. The schema is stored in the schema partition, which is also defined as an object in the
directory. The attributes and classes in Active Directory are stored in the schema partition as directory objects that are called
schema objects. The schema partition itself is represented in Active Directory by an object that is an instance of the Directory
Management Domain (dMD) class.
Storing the schema in the directory has many advantages. For example, when user applications locate the schema in the
directory, they can read the schema to discover what types of objects and properties are available. Because the schema is
stored in the directory — like the rest of the data in the directory — applications can locate the schema by using the same
process that they use to locate any other object in the schema.
A schema object, called a classSchema object, defines each class in the schema. Another schema object, called an
attributeSchema object, defines each attribute in the schema. Therefore, every class is actually an instance of the
classSchema class, and every attribute is an instance of the attributeSchema class, as shown in the following figure.
Schema Objects
Schema objects are used to define classes and attributes in the schema. Classes in the schema are used to define objects in
the directory.
attributeSchema Objects
Attributes describe the classes that are defined in the schema. Attributes are defined in the schema separately from classes,
which enables a single attribute definition to be applied to many classes.
Attributes are attributeSchema objects. Each attributeSchema object is an instance of the attributeSchema class. Like any
other object, the attributeSchema object has its own attributes. The attributes for the attributeSchema object store, among
other things, the following information:
• The Lightweight Directory Access Protocol (LDAP) display name of the attribute
attributeID Object Yes No Object identifier that uniquely identifies this attribute
identifier
lDAPDisplayName Unicode Yes, but No Name by which LDAP clients identify this attribute
automatic
rangeLower Integer No No Lower range of values that are allowed for this
attribute
rangeUpper Integer No No Upper range of values that are allowed for this
attribute
objectClass Object Yes Yes Class of this object, which is always attributeSchema
identifier
Linked attributes
Linked attributes make it possible to associate one attribute with another attribute. A linked attribute consists of a pair of
attributes for which the system calculates the values of one attribute based on the values that are set on the other attribute.
One attribute of the pair is referred to as the back link, and the other attribute is referred to as the forward link. The back
link is a multivalue attribute that contains the distinguished names of all the other objects that have an attribute linked to it.
The forward link is a single-value attribute that contains the distinguished name of the object to which it is linked.
For example, you can create an object to store information in the directory that is related to a specific project. Among other
things, the project object stores the names of the project team members. To store the names of the team members, you can
use the linked attributes ProjectName and TeamMembers. ProjectName is the forward link, and it is an attribute of the
team member’s user account object that stores the name of the project that the user works on. TeamMembers is the back
link, and it is an attribute of the project object that stores the list of team members who work on the project. Assume that
Mike and Amanda are members of the project team. If you store the distinguished name of the project object in the
ProjectName attribute of Mike’s user object and Amanda’s user object, the distinguished names of Mike’s user object and
Amanda’s user object appear in the TeamMembers attribute of the project’s object.
A linked pair is identified by the linkID values of two attributeSchema objects. The linkID of the forward link is an even,
positive, nonzero value, and the linkID of the associated back link is the value of the forward linkID, incremented by one.
For example, if the linkID for ProjectTeam is 37, the linkID for TeamMembers is 38.
Automated links
The linkIDs must be unique within the forest. In Windows 2000 Server, linkIDs are allocated by the applications that used
them, and it is up to application developers to make sure that the linkIDs for the applications do not conflict with linkIDs
that are already in use. Windows Server 2003 can generate link values automatically to ensure that there are no conflicts
within the forest. When new objects that use linked attributes are created, Active Directory automatically generates the
necessary linkIDs.
Indexed attributes
Directory searches for attributes that are indexed are more efficient than searches for attributes that are not indexed.
Attributes are indexed when the least significant bit in their searchFlags attribute is set to the value 1. Changing the value
of the bit to 1 dynamically builds an index; changing the value to 0 or deleting it removes an index for the attribute in
question. The index is built automatically by a background thread on the directory server.
The values for indexed attributes are stored in a sorted list. This makes searching much more efficient because the system
needs to search only until it locates the area in the list where the value should be, based on the sort. If the value is not
there, the system can assume it will not find the value anywhere else in the list, and it can terminate the search. When
attributes are not indexed, the entire list must be searched to determine whether or not a particular value actually exists.
Indexing requires more storage to maintain the lists, but it makes searching more efficient. Nonindexed attributes are less
efficient to search, but they require less storage to maintain. With this in mind, only attributes that are frequently referenced
should be indexed. Ideally, indexed attributes are single-value attributes with unique values that are evenly distributed
across the set of instances. Multivalue attributes can be indexed, but building the index requires more storage and updating.
Confidential attributes
On domain controllers running Windows Server 2003 with SP1, attributes whose attributeSchema objects are marked with
a specific search flag are interpreted as confidential. Attributes that are so marked can be read only by users to whom the
following access is granted:
• READ_PROPERTY
• CONTROL_ACCESS
The ability to mark attributes as confidential allows administrators to protect attributes from the read access that is granted
by default to most users. Rather than changing the defaults that are expected by existing applications, administrators can
create new attributes that can be read only by administrators or those to whom access is specifically granted. Because
domain controllers must be running Windows Server 2003 with SP1 to recognize the flag that marks the attribute as
confidential, protection of marked attributes is fully effective only in environments where all domain controllers have been
upgraded to Windows Server 2003 with SP1. In particular, the schema operations master (also known as the schema flexible
single-master operations (FSMO) role holder) must be upgraded to Windows Server 2003 with SP1.
By default, Active Directory performs a read-access check on an object in the following cases:
Syntaxes
The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property
types. The syntax defines whether the attribute value must be a string, a number, or a unit of time. Each attribute of every
object is associated with exactly one syntax. The syntaxes are not represented as objects in the schema, but they are
programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined. You cannot
add new syntaxes.
When you define a new attribute, you must specify both the attributeSyntax and the oMSyntax numbers of the syntax
that you want for that attribute. The attributeSyntax number is an object identifier, and the oMSyntax number is an
integer. oMSyntax is defined by the XOM specification. Using this model, the syntax can provide detailed syntax definitions.
For example, distinct oMSyntax attributes distinguish several types of printable strings, according to such factors as the
supported character set and whether case is significant. The following table lists the valid syntaxes for attributes in the
Active Directory schema.
Valid Syntaxes for Attributes in the Active Directory Schema
Object identifiers
Object identifiers are unique numeric values that are granted by various issuing authorities to identify data elements,
syntaxes, and other parts of distributed applications. Because they are globally unique, object identifiers ensure that the
objects that are defined by these issuing authorities do not conflict with one another when different directories, such as
Active Directory and Novell Directory Services, are used concurrently within a global directory namespace.
Object identifiers are found in Open Systems Interconnection (OSI) applications, X.500 directories, applications that use
Simple Network Management Protocol (SNMP), and other applications in which uniqueness is important. Object identifiers are
based on a tree structure in which a superior issuing authority allocates a branch of the tree to a subordinate authority,
which in turn allocates subbranches of the tree.
LDAP requires a directory service, such as Active Directory, to identify object classes and attributes with an object identifier
syntax. The object identifier is the value for the governsID attribute in a classSchema object and for the attributeID
attribute in an attributeSchema object. These are required attributes; therefore, object identifiers are necessary when you
create new classes or attributes.
Object identifiers in the Active Directory base schema include some object identifiers that are issued by the International
Organization for Standardization (ISO) for X.500 classes and attributes and some object identifiers that are issued by
Microsoft. Object identifier notation is a dotted string of nonnegative numbers, for example, 1.2.840.113556.1.5.4. The
components of this object identifier are shown in the following table.
Components of an Object Identifier (1.2.840.113556.1.5.4)
Numerical Values of the Object Identifier What the Numerical Values Mean
1 A branch called Active Directory that includes the following two identifiers.
classSchema Objects
The classSchema object specifies the various attributes of the class with which it is associated. Among other things, it defines
the following constraints for objects that are instances of the class:
mustContainattributes, which include mandatory attributes that must be present on any object that is an instance of this
•
class
• mayContain attributes, which include optional attributes that may be found on an object that is an instance of this class
• Hierarchy rules that determine the possible parents in the directory tree of an object that is an instance of the class
An object can have attributes that belong only to either the mustContain list or the mayContain list for the class.
The classSchema object is essentially a template that contains the rules for creating objects in an Active Directory class.
When a new object is created in a class, the classSchema object ensures that this new object has the same attributes as all
other objects in the class.
The classSchema object contains, among other things, the following information:
• The classes to which the parent of instances of this class may belong
governsID Object identifier Yes No The object identifier that uniquely identifies this
Attribute Syntax Mandatory? Multivalue? Description
class
lDAPDisplayName Unicode Yes No The name by which LDAP clients identify this class
schemaIDGUID String(Octet) Yes, but No The GUID that uniquely identifies this class
defaulted
subClassOf Object identifier Yes No The class from which this object inherits attributes
systemMustContain Object identifier No Yes The list of mandatory attributes for instances of
this class
This list cannot be changed.
mustContain2 Object identifier No Yes The mandatory attributes for instances of this
class
systemMayContain Object identifier No Yes The optional attributes for instances of this class
mayContain2 Object identifier No Yes The optional attributes for instances of this class
systemPossSuperiors2 Object identifier No Yes The classes that can be parents of this class in the
directory hierarchy
After the class is created, this property cannot be
changed.
possSuperiors2 Object identifier No Yes The classes that can be parents of this class in the
directory hierarchy
For an existing classSchema object, values can be
added to this property but not removed.
systemAuxiliaryClass2 Object identifier No Yes The Auxiliaryauxiliary classes from which this
class inherits its optional (mayContain) and
mandatory (mustContain) attributes
After creation of the class, this property cannot be
changed.
auxiliaryClass2 Object identifier No Yes The Auxiliaryauxiliary classes from which this
class inherits its optional (mayContain) and
mandatory (mustContain) attributes
This is a multivalue property that specifies the
auxiliary classes that this class inherits from. For
an existing classSchema object, values can be
added to this property but not removed.
Structural = 1
Abstract = 2
Auxiliary = 3
The 88 class type is included for compatibility with
older directories. Active Directory does not use
88 class type objects, and they should not be
used in defining new classes for Active Directory.
objectClass Object Yes Yes This object’s class, which is always classSchema
Identifier
Mandatory attributes
Mandatory attributes are object attributes for which you must specify values. If you do not specify a value for a mandatory
attribute, the attribute receives a default value or the object is not created until you specify a value for the attribute. The
object’s mandatory attributes are determined by the class to which the object belongs.
Some mandatory attributes are inherited. Because every classSchemaobject belongs to a superclass called Top in the class
hierarchy, each classSchema object inherits the mandatory attributes that belong to Top. The following table lists the
mandatory attributes that every object inherits from Top. To see a graphical representation of the Active Directory class
hierarchy, see the figure under “Object class hierarchy” later in this section.
Mandatory Attributes That All classSchemaObjects Inherit
nTSecurityDescriptor Set to a default value if not specified. The default value depends on the default security
descriptor for the classSchema object.
objectCategory Automatically set to the value of the default object category of the class, which is usually the
class itself. Can be changed after the class is created.
• mustContain/systemMustContain
• mayContain/systemMayContain
• possSuperiors/systemPossSuperiors
• auxiliaryClass/systemAuxiliaryClass
In each of these pairs, the value of the attribute that begins with the word “system” cannot be changed by administrators.
This enables Active Directory to protect certain key attributes of certain classes and to ensure that the schema stays
consistent and usable. System-only properties can be changed only by the Directory System Agent (DSA). System-only
properties are those properties on which Windows Server 2003 and Active Directory depend for normal operations. For
example, the attributeID attribute and the governsID attribute in the schema are system-only attributes. The values of
the other (nonsystem) attributes in each pair can be changed by administrators.
• Structural
• Abstract
• Auxiliary
A fourth category, which is referred to as 88 classes, is associated with object classes, although this category is not part of
the 1993 specification. The 88 class category is in the specification that existed before 1993, and it should not be used for
adding classes to Active Directory.
Structural classes
Structural classes are the only classes that can have instances in the directory. That is, you can create directory objects
whose class is one of the structural classes. A structural class:
Abstract classes
Abstract classes are templates that are used to derive new structural classes. Abstract classes cannot be instantiated in the
directory. This means that no object can belong only to an abstract class; each object of an abstract class also belongs to
some structural subclass of that class. A new abstract class can be derived from an existing abstract class. This type of class
is specified by a value of 2 in the objectClassCategoryattribute. Abstract classes only provide attributes for subordinate
classes, which are called subclasses. A subclass contains all mandatory and optional attributes of the class from which it is
derived (its superclass) in addition to those attributes that are specific to the class itself. Likewise, the subclass of that class
contains all attributes of both superclasses, and so forth.
Auxiliary classes
Auxiliary classes are like include files; they contain a list of attributes. Adding an auxiliary class to the definition of a
structural class or an abstract class’ adds the auxiliary classs attributes to the definition. An auxiliary class cannot be
instantiated in the directory, but new auxiliary classes can be derived from existing auxiliary classes. This type of class is
specified by a value of 3 in the objectClassCategory attribute. For example, the securityPrincipal class is an auxiliary
class, and it derives its attributes from the parent abstract class called Top. Although you cannot create a security principal
object in the directory (because auxiliary classes cannot have instances), you can create an object of the structural class
user, which has the securityPrincipal class as an auxiliary class. The attributes of the securityPrincipal class help the
system recognize the user object as a security account. Similarly, the group class has securityPrincipal as an auxiliary
class.
The behavior of auxiliary classes has changed in Windows Server 2003. In Windows 2000 Server, changes that are made to
an auxiliary class affect its parent class as well as all instances of the parent object. For example, adding an auxiliary class
called pager to the structural class user affects all instances of user, which is all of the user accounts that are created with
the user class.
In Windows Server 2003, auxiliary classes can be assigned dynamically to individual instances of classes, rather than being
applied automatically to all instances. For example, you can assign the pager auxiliary class to only those users who need it.
88 classes
Classes that were defined before 1993 are not required to fall into one of the preceding categories; assigning classes to
categories was not required in the X.500 1988 specification. Classes that were defined before the X.500 1993 standards are
assigned to the 88 class. This type of class is specified by a value of 0 in the objectClassCategory attribute. Do not use
88 classes or define new 88 classes.
All structural object classes are subclasses, directly or indirectly, of a single abstract object class, which is called Top. Every
object that is represented in the directory belongs to Top, and as a result every entry must have an objectClass attribute.
When you create a new class, you must specify the superclass. If you do not create a subclass of an existing class, the new
class is a subclass of Top.
A new class can inherit mandatory and optional attributes from more than one existing class. However, any additional classes
must be specified by the auxiliaryClass attribute.
Note
If you later add another attribute to a class that has subclasses or auxiliary subclasses, the new attribute is automatically
•
added to the subclasses after the schema cache has been updated.
Structure rules
Structure rules define the possible tree structures. When you create a new object, structure rules determine the validity of
the object class to which you designate the new object. You cannot create an object that belongs to a nonexistent class. You
must first create the new class.
Conversely, these rules do not allow you to delete or modify an object that has already been deleted. In Active Directory, the
structure rules are completely expressed by the possSuperiors and systemPossSuperiors attributes that are present on
each classSchema object. These attributes specify the possible classes that can be parents of an object instance of the class.
In other words, the possSuperiors and systemPossSuperiors attribute values determine the object classes and,
therefore, the location in the directory tree under which objects of the class can be instantiated.
Content rules
Content rules determine the mandatory and optional attributes of the class instances that are stored in the directory. New
objects must contain all the mandatory attributes that are specified by the classSchema object in the schema. New objects
can contain any of the optional attributes. In Active Directory, the content rules are completely expressed by the mustHave,
mayHave,mayContain, systemMustContain, and systemMayContain attributes of the schema definitions for each class.
In addition, there are some operational attributes that are read-only. These are identified by the first bit of the systemFlags
property for an attribute definition that is set to 1, for example, lastLogon.
For more information about mandatory and optional attributes, see Active Directory Schema in the Microsoft Platform SDK on
MSDN.
Top of page
Active Directory Schema Physical Structure
The schema exists as a set of directory objects, and it is stored in the directory. Active Directory partitions the information in
the directory to facilitate more efficient replication. The schema is stored in its own directory partition so that it can replicate
independently of other data that is stored in the directory.
Schema Location
The objects that are stored in Active Directory are arranged in a logical hierarchy called the directory tree. The directory tree
is divided into directory partitions. A directory partition is a tree of objects that forms a unit of replication in Active Directory.
The schema has its own directory partition to prevent potential dependency problems that can arise when new schema
classes and new instances of the class are replicated simultaneously. Because the schema has its own tree, it is possible to
replicate new schema changes to other domain controllers before replicating any new objects that may have been created
based on those changes. This is important because the other domain controllers must have access to the object definitions
that are stored in the schema before those domain controllers can properly store any new objects that are created by using
those definitions.
Active Directory includes a preconfigured database, commonly referred to as the base directory information tree (DIT), which
contains the information that is required to install and run Active Directory. The base DIT is created during a fresh
installation of a Windows Server 2003 domain controller. The base DIT is contained in a file named Ntds.dit. One section of
the base DIT is the base schema.
Schema Head
The schema head is the topmost object of the schema directory partition. Conceptually, the schema head functions like other
containers in the directory tree, which means that it contains all of the schema information. However, the schema head is not
a container in the sense of a special Active Directory object that contains other objects; rather, it is a special-purpose object
class. Therefore, it is referred to as the schema head rather than the Schema container. The schema head contains all of the
class definitions and attribute definitions that are required to locate objects in Active Directory and create new objects.
The relationships of the schema head, Configuration container, and Domain container are illustrated in the following figure.
Schema Head
Every Active Directory object can be referenced by a unique and unambiguous name known as the distinguished name. The
distinguished name identifies the domain that holds the object as well as the complete path through the container hierarchy
by which the object is reached. The distinguished name of the schema head can be expressed as follows:
cn=schema,cn=configuration,dc=forest rootdomainname
You can view the contents of the schema head by using the Active Directory Schema snap-in. You can also bind to the
schema directory partition and view schema objects by using the Active Directory Service Interfaces (ADSI) Edit snap-in or
the Ldp tool.
Note
ADSI Edit is not one of the default MMC snap-ins that are provided with Windows Server 2003. To use ADSI Edit and Ldp,
•
install the support tools that are located in the Support\Tools folder on the Windows Server 2003 operating system CD.
You can locate the schema head without knowing the domain name. Installation scripts and other applications can gain
access to the schema because they bind to a special entry at the top of the logical namespace, called the root DSA-specific
Entry (rootDSE), which provides the schema location. rootDSE represents the top of the logical namespace and, therefore,
the top of the LDAP search tree. The attributes of rootDSE identify, among other things, the directory partitions — that is,
the domain, schema, and configuration directory partitions — as well as the forest root domain directory partition. One
attribute, schemaNamingContext, provides the location of the schema so that applications that connect to any domain
controller can find and read the schema.
subSchema Subentry
rootDSE also carries a mandatory attribute called subSchemaSubEntry. The value of this attribute is the distinguished
name of a subSchema object in the directory that defines the attributes (in attributeTypes) and classes (in objectClasses)
that make up the Active Directory schema. This special object, which is an instance of the unique subSchema class, is used
for administering information about the schema, in particular, the object classes and attribute types that are supported. This
enables client applications to retrieve the schema information by querying the subSchema entry. Clients must only retrieve
attributes from a subSchemaentry by requesting a base object search of the entry, where the LDAP search filter is
(objectClass=subSchema). The following distinguished name describes the location of the SubSchemaSubEntry container:
CN=Aggregate,CN=Schema,CN=Configuration,DC=DomainName,DC=DomainRoot
For more information about LDAP searches, distinguished names, and containers, see “Data Store Technical Reference.”
Schema Files
Active Directory data is distributed among all domain controllers in the forest. No single domain controller stores all
Active Directory data for the entire forest, but every domain controller does hold a copy of the schema. The database that
stores the Active Directory data on a particular domain controller is in a file named Ntds.dit. The location of the Ntds.dit file is
an option that you can set during the domain controller promotion process while you create the directory. The default
location for Ntds.dit and the database log files is systemroot\Ntds. For more information about the Ntds.dit file, see “Data
Store Technical Reference.”
Another file, the Schema.ini initialization file, contains the information that is necessary for creating the default directory
objects and the default security for the directory tree, as well as the Active Directory display specifiers. Although this file is
named Schema.ini, the schema itself is actually stored in the Active Directory database, Ntds.dit. Schema.ini is only used by
the Active Directory Installation Wizard to build the initial schema structure in the directory during the domain controller
promotion process. The Schema.ini file must not be modified.
Top of page
Active Directory Schema Processes and Interactions
Normally, you do not interact directly with the schema on a daily basis. Active Directory uses the schema to help create
objects that are stored in the directory. You interact with those objects, not the schema. You interact directly with the
schema when you make modifications to the schema by adding definitions to it or by modifying existing definitions.
Schema changes can affect the entire directory. Before you make any changes to the schema, you should thoroughly test
those changes in an isolated environment to ensure that the directory continues to function as planned after the changes
have been deployed. Only members of the Schema Admins group can make changes to the schema.
The two most common reasons for modifying the schema are:
Installation of an application that needs to add customized object definitions so that it can store information in the
•
directory, for example, an e-mail program that stores the user’s e-mail names in the directory
Testing of the development of applications that use the directory for data storage in which customized object definitions
•
need to be added to the schema and modified throughout their lifetimes as the development process proceeds
• Full Control to the Domain Admins group and the System group and Read to the Authenticated Users group.
Read on all properties to the Everyone group. This permission provides backward compatibility for application
•
programming interfaces (APIs).
Replicating Directory Changes, Replication Synchronize, and Manage Replication Topology permissions to the Enterprise
•
Domain Controllers group. These permissions allow members of the Enterprise Domain Controllers group to manage
replication automatically.
Replicating Directory Changes, Replication Synchronize, and Manage Replication Topology permissions to the Builtin
•
Administrators group. Administrators of individual domain controllers can use these permissions to troubleshoot replication
problems.
Inheritable Full Control to the Enterprise Admins group. Enterprise Admins, by definition, have complete control of each
•
domain.
• Inheritable List Contents to the Pre–Windows 2000 Compatible Access group.
Inheritable Read Property on Remote Access Service (RAS) Information, General Information, Membership, User Account
•
Restrictions, and User Logon on all User Objects permissions to the Pre–Windows 2000 Compatible Access group.
• Inheritable Read on all Group objects.
Inheritable Auditing successful/failed writes to the Everyone group. Activating the auditing policy ensures that writes that
•
are performed on any object in the directory are audited immediately, without the need for extra user intervention.
Inheritable access control entries (ACEs) provide a convenient way to remove auditing policy.
• Full Control to the Domain Admins group and System and Read to the Authenticated Users group.
Replicating Directory Changes, Replication Synchronize, and Manage Replication Topology permissions to the Enterprise
•
Domain Controllers group. These permissions enable domain controllers in the forest to replicate from each other and
automatically reconfigure the replication topology on the basis of replication delays and latency for the configuration
directory partition.
Replicating Directory Changes, Replication Synchronize, and Manage Replication Topology permissions to the Builtin
•
Administrators group. These permissions enable administrators from individual domain controllers to synchronize
replication and topology management for the configuration directory partition.
Enable Inheritable Full Control to the Enterprise Admins group. This permission allows members of the Enterprise Admins
•
group exclusive control over the Configuration container. The Enable Inheritable Full Control permission is required to
control the Configuration container throughout the forest.
Enable Inheritable Auditing to the Writes by the Everyone group. Activating the auditing policy ensures that writes that are
•
performed on any object in the directory are audited immediately, without the need for extra user intervention. Inheritable
ACEs provide a convenient way to remove auditing policy.
Impact on replication
Because the schema is replicated across all domain controllers in the forest, a schema update that is performed at one
domain controller is propagated throughout the forest. This guarantees that the schema is consistent across the forest.
However, because of replication latencies, there can be temporary inconsistencies.
Active Directory solves this problem by explicitly replicating the schema head from the originating server when failures occur.
Additionally, the replication of the schema head triggers an immediate schema cache update on the target server.
Active Directory then replicates the failed object again.
• Related Information
When existing class and attribute definitions in the Active Directory schema do not meet the needs of your organization, you
can use schema-based administrative tools to modify or add schema objects. You can modify an existing attribute or add a
new class or attribute to the schema to store a new type of information in the directory. The process of modifying or
updating the schema is often referred to as “extending the schema.” In addition to using schema tools to extend the schema,
you can perform most schema extensions by using customized applications or Active Directory Service Interfaces (ADSI)
scripts.
Note
Extending the schema is a major change with implications for the entire directory. Extend the schema only when it is
•
absolutely necessary. Many schema modifications cannot be reversed; therefore, you must thoroughly plan and test
changes in an isolated environment before you deploy them in your production forest.
This section contains information about the tools that are associated with the Active Directory schema.
Top of page
Active Directory Schema Tools
Normally, you do not interact directly with the schema on a daily basis. Active Directory uses the schema to create objects
that are stored in the directory. You interact with those objects, not with the schema. You interact directly with the schema
when you make modifications to the schema by adding definitions to it or by modifying existing definitions.
Only members of the Schema Admins group can make changes to the schema. The two most common scenarios for
modifying the schema are as follows:
You install an application that adds customized object definitions so that it can store information in the directory; for
•
example, you install an e-mail program that stores user e-mail names in the directory.
You test the development of applications that use the directory for data storage. In this scenario, you add customized
•
object definitions to the schema and modify them throughout their lifetimes as the development process proceeds.
Note
Changes to the schema must be written only on the schema master. Although all domain controllers have a copy of the
•
schema in their Active Directory database, only the domain controller that holds the schema operations master role (also
known as flexible single master operations (FSMO)) is allowed to write changes to the schema.
The following tools are associated with the Active Directory schema.
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
ADSI Edit is a Microsoft Management Console (MMC) snap-in that uses ADSI, which uses the Lightweight Directory Access
Protocol (LDAP). You can use ADSI Edit to view and modify directory objects in the Active Directory database. You can also
use it to view schema directory partition objects and properties. When you open ADSI Edit, the Schema container is
displayed by default. You can expand the container to view schema classes and attributes.
To find more information about ADSI Edit, see “Support Tools Help” in Tools and Settings Collection.
Csvde.exe: Csvde
Category
Csvde is a command-line tool that ships with Windows Server 2003.
Version compatibility
Can Be Run From Can Be Run Against
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
The comma-separated value (CSV) file format is a simple format whose primary benefit is ease of use. In the CSV file
format, each line represents a discrete object in the directory, and the object’s attributes are separated by commas. The first
line of the file always contains all of the attribute names. Each subsequent line represents a different entry in the directory.
Values for multivalue attributes can also be specified, and they are delimited by semicolons (;).
Because this format is compatible with the Microsoft Excel CSV format, you can use Csvde.exe to export directory
information to an Excel spreadsheet or to import data from a spreadsheet into Active Directory. You can use this format only
for additions to the directory. Csvde.exe cannot be used to modify or delete objects. Csvde.exe also supports batch
operations that are based on CSV.
The parameters that are used for the Csvde.exe tool are the same as the parameters that are used for the Ldifde.exe tool.
However, unlike Ldifde.exe, Csvde.exe can export data from Active Directory into files that can be read by certain
applications. For example, if you want to view all Active Directory users in an Excel report, you can use Csvde.exe to export
the directory data into the CSV file format, which you can then read in Excel.
To find more information about Csvde.exe, see “Command-Line References” in Tools and Settings Collection.
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
Can Be Run From Can Be Run Against
Ldifde.exe: Ldifde
Category
Ldifde is a command-line tool that ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows XP Professional
Active Directory supports the use of files that are formatted with the LDAP Data Interchange Format (LDIF) for importing and
exporting information in the directory. This includes information that is stored in the schema, such as schema modifications.
After an LDIF file is created, a tool such as Ldifde.exe performs the import operation by using the LDIF file for input. You can
also use Ldifde.exe to add, modify, and delete directory objects; export Active Directory user and group information to other
applications or services; and populate Active Directory with data from other directory services.
To find more information about Ldifde.exe, see “Command-Line References” in Tools and Settings Collection.
Ntdsutil.exe: Ntdsutil
Category
Ntdsutil is a command-line tool that ships with Windows Server 2003.
Version Compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Ntdsutil.exe provides advanced management capabilities for Active Directory. For the Active Directory schema, you can use
Ntdsutil.exe to identify, transfer, or seize the schema operations master role. This tool is intended for use by experienced
administrators.
To find more information about Ntdsutil, see “Command-Line References” in Tools and Settings Collection.
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Related Information
In Active Directory, the data store contains database files and processes that store and manage directory information for
users, services, and applications. A copy of the data store runs on each domain controller in the forest. The Active Directory
data store is often referred to as the directory.
NTFS
The data store requires a disk volume that is formatted with the NTFS file system. NTFS is more powerful than FAT16 or
FAT32, and NTFS includes features that are required for hosting Active Directory. For more information about NTFS, see
“NTFS Technical Reference.”
Network Connectivity
So that users and computers can access the data store, and to support replication of the data store between domain
controllers, network connectivity with TCP/IP is required. For more information about networking and TCP/IP, see “TCP/IP
Technical Reference.”
FRS
The File Replication service (FRS) is a process that is associated with the Distributed File System (DFS). FRS is used by
Active Directory to replicate the system volume (SYSVOL) between domain controllers. SYSVOL holds certain kinds of Active
Directory information, including Group Policy objects (GPOs) and scripts. For more information about FRS, see “FRS Technical
Reference.”
Disk Space
There are no practical limits to the number of objects that can be stored in the Active Directory data store. The Active
Directory directory database has been tested for up to 40 million objects. Performance tests show logon performance for a
single LDAP client to be the same with 10,000 objects, 100,000 objects, and 1 million objects; that is, the directory service
does not slow measurably when the size of the database increases.
The minimum free disk space requirements for the directory database and log files depend on the size of the database. On
partitions that hold the database only (and not the database log files), free disk space must not fall below the greater of
20 percent of the disk space that is consumed by the database or 500 megabytes (MB). On disk volumes that hold the
database and the database log files, free disk space must not fall below the greater of 20 percent of the combined size of the
Ntds.dit and log files or 1 gigabyte (GB). For more information about the Ntds.dit and log files, see “How the Data Store
Works.”
• Related Information
In Active Directory, the data store contains database files and processes that store and manage directory information for
users, services, and applications. A copy of the data store runs on each domain controller in the forest. The Active Directory
data store is often referred to as the directory.
The ideal environment for the data store includes the following:
A domain controller running an operating system in the Windows Server 2003 family and containing hardware that meets
•
the minimum hardware requirements of the edition of the operating system (Windows Server 2003, Standard Edition;
Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition)
For environments consisting of multiple domain controllers, the presence of a fully functioning Active Directory replication
•
topology
For environments consisting of multiple domain controllers, the presence of a fully functioning File Replication service
•
(FRS) topology
• A regular backup schedule
Regular monitoring of Active Directory, either through manual review of event logs or through an automated monitoring
•
solution, such as Microsoft Operations Manager (MOM)
This section describes the elements of the Active Directory data store, including its architecture, protocols, interfaces, logical
structure, physical structure, processes and interactions, and network ports.
Component Description
Interfaces: Lightweight Directory Access The data store interfaces provide a way for directory clients and other directory
Protocol (LDAP), replication (REPL) and servers to communicate with the data store.
domain controller management interface,
Messaging API (MAPI), Security Accounts
Manager (SAM))
Directory System Agent (DSA) (Ntdsa.dll) The DSA, which runs as Ntdsa.dll on each domain controller, provides the
interfaces through which directory clients and other directory servers gain access
Component Description
Database layer The database layer is an application programming interface (API) that resides in
Ntdsa.dll and provides an interface between applications and the directory
database to protect the database from direct interaction with applications. Calls
from applications are never made directly to the database; they go through the
database layer. In addition, because the directory database is flat, with no
hierarchical namespace, the database layer provides the database with the
abstraction of an object hierarchy.
Extensible Storage Engine (ESE) (Esent.dll) The ESE, which runs as Esent.dll, manages the tables of records — each with
one or more columns — that make up the directory database.
Database files The data store stores directory information in a single database file called
Ntds.dit. In addition, the data store also uses log files, to which it temporarily
writes uncommitted transactions.
The DSA, database layer, and ESE are described in the following sections. For information about the interfaces, see “Data
Store Interfaces" later in this section. For information about the database files, see “Data Store Physical Structure” later in
this section.
DSA
The DSA runs on every domain controller as Ntdsa.dll, and it provides access to the directory database. The DSA runs as part
of the Local Security Authority (LSA) process (Lsass.exe), which manages authentication packages and authenticates users
and services. Running in Lsass.exe enables Active Directory to securely manage sensitive information, such as account
passwords.
Clients can use one of the supported interfaces to connect (bind) to the DSA and then search for, read, and write to Active
Directory objects and their attributes.
A forest-wide object in the directory, the NTDS Settings object (class nTDSDSA), represents the DSA on a domain controller,
and this object contains configuration information about the DSA on that domain controller.
In addition to providing the interfaces through which directory clients gain access to directory data, the DSA provides the
following functionality.
Object identification
Every object in Active Directory has a permanent globally unique identifier (GUID), which is associated with several string
forms of the object name (SAMAccountName, user principal name, and distinguished name), as well as a security identifier
(SID). The object names and the SID are not permanent; that is, they can be changed. All permanent references to the
object are kept in terms of the GUID. The object name is used for hierarchy navigation and display purposes, and the SID is
used for access control. The DSA maintains the GUID association with an object when the object’s string name or SID
changes, for example, when the object is moved to a different folder (the string name changes) or when the object is moved
to a different domain (the string name and the SID change).
Schema enforcement
The DSA ensures that data in the directory adheres to the data definitions that are provided by the directory schema. The
schema is the set of rules that determines what kind of data the directory can hold.
Note
In Windows 2000 Server and Windows Server 2003 forests, if an update does not produce a conflict with the schema at
•
the originating replica, the update is considered acceptable at all replicas. Therefore, replicated updates do not perform
schema checks, and you do not have to wait until the schema replicates before creating instances of a new object or
attribute. For more information about replication, see “Active Directory Replication Model Technical Reference”.
Access control enforcement
The DSA enforces security limitations in the directory by reading SIDs on the access token.
Referrals
The DSA manages the directory hierarchy information (referred to as knowledge), which it receives from the database layer.
The DSA is responsible for cross-references of Active Directory domain objects.
Functional levels
Beginning with Windows Server 2003 domain controllers, the DSA has a built-in numeric value that identifies its operating
system version — and therefore its functional capabilities — to other services. Services that rely on the DSA can use this
numeric value to determine which of their service features to enable.
Database Layer
The database layer is an API that resides in Ntdsa.dll and provides an object view of the directory database, making the data
accessible to the DSA as a set of hierarchical containers. By applying schema semantics to database records, the database
layer isolates the upper components of the directory service from the underlying database system. The database layer is an
internal interface. No database access calls are made directly to the ESE; instead, all database access is routed through the
database layer.
In the directory database, each object is identified by its relative distinguished name, which is unique in the object’s parent
container. The relative distinguished name and the chain of successive parent object names make up the object’s
distinguished name. The database stores the relative distinguished name for each object, as well as a reference to the parent
object. The database layer follows these parent references and concatenates the successive relative distinguished names to
form distinguished names, thereby defining the object hierarchy.
The database layer is also responsible for the creation, retrieval, and deletion of individual records (objects), attributes within
records, and values within attributes. To carry out these functions, the database layer uses the schema cache (an in-memory
structure in the DSA) to get the information about the attributes that it needs.
ESE
The Extensible Storage Engine (ESE) is a Windows component that is used by Active Directory, as well as by several other
Windows components, as an interface to the data that is stored in an indexed and sequential access method (ISAM)
database. (The Active Directory database is an ISAM database.) The ESE is responsible for indexing the data in the database
file and for transferring the data in and out of the database. Its purpose is to enable applications to store and retrieve data
by using the ISAM. The ESE provides applications with a consistent data state by means of transacted data update and
retrieval. A crash recovery mechanism maintains data consistency, even in the event of a system crash. Transactions in the
ESE are highly concurrent, making the ESE suitable for server applications. The ESE caches data intelligently to ensure high-
performance access to data. In addition, the ESE is resource efficient, making it suitable for applications that perform
auxiliary roles.
The version of the ESE that runs on domain controllers running Windows Server 2003 and Windows 2000 Server is
implemented in Esent.dll.
The following characteristics of the ESE make it well suited to the storage needs of Active Directory. The ESE:
• Supports databases of up to 16 terabytes (TB) in size, and it can hold many millions of objects per domain.
• Supports indexing.
• Supports update operations that are transacted for stability and integrity across system failures.
Protocol Description
LDAP LDAP is a directory service protocol that specifies directory communications. It runs directly over TCP/IP, and it can
also run over User Datagram Protocol (UDP) connectionless transports. Clients can use LDAP to query, create,
update, and delete information that is stored in a directory service over a TCP connection through the TCP default
port 389. Active Directory supports LDAP v2 (RFC 1777) and LDAP v3 (RFC 2251). LDAP v3 is an industry standard
that can be used with any directory service that implements the LDAP protocol. LDAP is the preferred and most
common way of interacting with Active Directory.
Historically, LDAP is a simplified (“lightweight”) version of Directory Access Protocol (DAP), which is the original
protocol that was used to interact with X.500 directories. X.500 defines an earlier set of standards that was
developed by the International Organization for Standardization (ISO). LDAP is simpler than DAP in two key ways:
• Rather than using its own protocol stack according to the Open Systems Interconnection (OSI) networking
model, LDAP communicates over Internet Protocol (IP) by using either UDP or TCP.
• The protocol is carried directly over TCP for connection-oriented transport (receipt of data is acknowledged)
and over UDP for connectionless transport (sent or received data is not acknowledged).
• Most protocol data elements can be encoded as ordinary strings, for example, as distinguished names.
• Referrals to other servers can be returned to the client.
• Simple Authentication and Security Layer (SASL) mechanisms can be used with LDAP to provide associated
security services. SASL Digest is supported in Windows Server 2003 as the authentication standard for LDAP.
• Attribute values and distinguished names can be internationalized through the use of the ISO 10646 character
set.
• The protocol can be extended to support new operations, and controls can be used to extend existing
operations.
• The schema is published through an attribute on the directory root object (rootDSE) for use by clients.
RPC The data store uses RPC for replication (REPL) and domain controller management communications, MAPI
communications, and SAM-related communications. RPC is a powerful, robust, efficient, and secure interprocess
communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different
process. That different process can be on the same computer, on the local area network (LAN), or across the
Internet.
SMTP The data store can use Internet-standard SMTP as the protocol for replication communications when a permanent,
Protocol Description
“always on” network connection does not exist between two domain controllers. SMTP is used to transport and
deliver messages based on specifications in Request for Comments (RFC) 821 and RFC 822. SMTP also includes
enhancements that build on the basic delivery functions of the protocol. There are SMTP options available that
provide control over the routing and delivery of messages and that provide secure communications.
Top of page
Data Store Interfaces
As shown in the “Data Store Architecture” figure earlier in this section, network clients and other directory servers obtain
access to Active Directory through one of the interfaces that are described in the following table.
Data Store Interfaces
Interface Description
LDAP LDAP is the primary interface for the data store. Directory clients use LDAP v3 to connect to the DSA through the
LDAP interface. The LDAP interface is part of Wldap32.dll. LDAP v3 is backward compatible with LDAP v2.
REPL The REPL management interface provides functionality for finding data about domain controllers, converting the
names of network objects between different formats, manipulating service principal names (SPNs) and DSAs, and
managing replication of servers.
MAPI Messaging clients gain access to the Microsoft Exchange Server directory service by using MAPI address book
providers. For compatibility with existing messaging clients, Active Directory supports the MAPI-RPC address book
provider, which provides access to Active Directory, for example, to find the telephone number of a user.
SAM SAM is a proprietary interface for connecting to the DSA on behalf of clients that use Windows NT 4.0 or earlier.
These clients use Windows NT 4.0 networking APIs to connect to the DSA through SAM. Replication with
Windows NT 4.0 backup domain controllers (BDCs) goes through the SAM interface as well.
Note
The MAPI interface is provided only for support of legacy Microsoft Outlook clients. Development against the MAPI
•
interface is no longer supported.
Top of page
Data Store Logical Structure
The Active Directory data store uses the LDAP information model as its model for organizing data. In addition, the data store
is organized into logical partitions that can each be replicated independently, so that individual domain controllers only need
to store data that is pertinent to the domain in which they reside.
Directory Tree
Active Directory organizes objects into a hierarchical tree structure. The directory tree represents the hierarchy of
Active Directory objects for a given forest. The structure of the hierarchy is derived from the schema, and the directory
service implements the hierarchy. The hierarchy provides the basis both for using names for navigation and for defining the
scope of search requests.
Every object in Active Directory has exactly one parent, and a reference to the parent object is stored with the object. As a
result of these parent references, the hierarchy of objects that are managed by Active Directory forms a tree structure. The
objects that populate the directory create this tree structure according to the rules of the schema. For example, the schema
might dictate that a given class of object can be the child of one class but not the child of another class.
The architectural restrictions and requirements in the directory tree are as follows:
Domain objects, which are containers, can be children only of other domain objects. For example, a domain cannot be the
•
child of an organizational unit (OU).
The root object of the directory tree is called the DSA-specific Entry (DSE), or rootDSE. The rootDSE object has no
•
hierarchical name or schema class, but it does have a set of attributes that identify the contents of the domain controller
on which it resides. Therefore, rootDSE constitutes the root of the directory tree from the perspective of the domain
controller to which you are connected.
Below the rootDSE, every directory has a root domain, which is the first domain that is created in a forest. This domain
•
always has a child container called Configuration, which contains configuration data for the forest.
rootDSE
In the LDAP information model, one or more directory servers can jointly provide access to a directory tree. The servers that
host directories are known in LDAP terminology as Directory System Agents (DSAs). In Active Directory, the DSAs are always
domain controllers.
At the root of a directory tree is a DSE, which is not part of any directory partition. TherootDSE represents the top of the
logical namespace for one domain controller. The rootDSE attributes contain information about the directory server, including
its capabilities and configuration.
There is only one root for a given directory, but the information that is stored in the root is specific to the domain controller
to which you connect. Among other things, the attributes of rootDSE identify the following key information:
The directory partitions (the domain, schema, and configuration directory partitions) that are specific to one domain
•
controller.
• The forest root domain directory partition.
In this way, the rootDSE provides a “table of contents” for a given domain controller.
supportedLDAPVersion
LDAP versions that the server implements. Domain controllers running Windows Server 2003 and Windows 2000 Server
support LDAP v2 and LDAP v3.
namingContexts
Naming contexts (directory partitions) that this server masters (stores as a writable replica) or shadows (stores as a read-
only replica). A client uses this attribute to choose suitable base objects for searching when the client contacts a server.
subschemaSubentry
The name of a subschema entry, which is used to administer information about the schema, in particular, the object classes
and attribute types that are supported.
altServer
Uniform Resource Locators (URLs) of other servers that can be contacted when this server becomes unavailable. If the server
does not know of any other servers, this attribute is absent. Clients can cache this information in case their preferred LDAP
server becomes unavailable. This attribute is absent by default for Active Directory servers.
supportedExtension
Object identifiers that identify the supported extended LDAP operations that the server supports. LDAP extensions include
operations such as different query types, paging operations, and sorting methods, which each have a different object
identifier. This attribute is absent by default for Active Directory servers.
Note
A new extended LDAP operation on domain controllers running Windows Server 2003 enables client refresh of a dynamic
•
entry in the directory. Object identifier = 1.3.6.1.4.1.1466.101.119.1 is defined and published in the
supportedExtension attribute of the rootDSE object.
supportedControl
Object identifiers that identify the LDAP controls that the server supports. If the server does not support any controls, this
attribute is absent. Server controls extend LDAP functionality; examples include a control to move objects across domains
and a control to delete an entire subtree of a container object.
supportedSASLMechanisms
The names of the SASL mechanisms that the server supports. SASL is a standard for negotiating an authentication
mechanism and, optionally, an encryption mechanism to provide client authorization for accessing Active Directory. By
default, Generic Security Service API (GSSAPI) is supported.
currentTime
The current time in the generalized time format.
dsServiceName
The distinguished name of the NTDS settings object that represents this domain controller in the configuration directory
partition.
defaultNamingContext
The default naming context (directory partition) for a particular server. This value is the distinguished name of the domain
directory partition for which this domain controller is authoritative.
schemaNamingContext
The naming context (directory partition) for the forest schema.
configurationNamingContext
The naming context (directory partition) for the forest Configuration container.
rootDomainNamingContext
The distinguished name for the domain naming context (directory partition) of the first domain that is created in this forest.
This domain functions as the forest root domain.
supportedLDAPPolicies
Supported LDAP administrative query policies, such as the maximum size of a result set (MaxResultSetSize) and maximum
page size (MaxPageSize).
highestCommittedUsn
Highest update sequence number (USN) that is committed to the database on this domain controller.
dnsHostName
The DNS name of this domain controller.
serverName
The fully qualified distinguished name for this domain controller.
supportedCapabilities
The object identifier value (1.2.840.113556.1.4.800) that indicates the additional capabilities of an Active Directory server,
such as dynamic update, integrated DNS zones, and LDAP policies.
LdapServiceName
The SPN for the LDAP server, which is used for mutual authentication.
isSynchronized
A Boolean indicator for whether the domain controller has completed its initial synchronization with replica partners.
isGlobalCatalogReady
A Boolean indicator for whether the domain controller is prepared to advertise itself as a global catalog.
domainControllerFunctionality
The numeric level of Active Directory functionality for the domain controller.
Domain-
wide data
• Domain-specific data is stored in a domain directory partition.
• A full, writable replica of the domain directory partition is replicated to every domain controller in the
domain.
Forest-wide
data
• Forest-wide data is stored in two directory partitions: the configuration directory partition and the schema
directory partition. The Configuration container is the topmost object of the configuration directory
partition; the Schema container is the topmost object of the schema directory partition.
• A full, writable replica of the configuration directory partition is replicated to every domain controller in the
forest.
• A read-only replica of the schema directory partition is replicated to every domain controller in the forest.
The schema is writable on only the domain controller that holds the schema operations master role, and
writing to the schema requires first adding a registry entry on the schema master. Schema updates
replicate to every domain controller in the forest.
• In addition to a full, writable replica of a single domain (the domain for which the domain controller is
authoritative), special domain controllers that are designated as global catalog servers also store partial,
read-only replicas of every other domain directory partition in the forest. (The read-only replicas in the
global catalog are “partial” because they store only some of the attributes for each object.) A domain
controller that is a global catalog server can be queried to find any object in the forest.
Data Type Description
Application
data
• Applications can use a new type of directory partition in Windows Server 2003 Active Directory, called an
application directory partition, to store application-specific data that has a scope of interest that is smaller
than the entire forest or domain. This data can be characterized as either changing frequently (dynamic) or
having a short useful lifetime (volatile). For example, Windows Server 2003 DNS can use application
directory partitions to store dynamically updated DNS zone data on only those domain controllers that are
DNS servers rather than on all domain controllers in the domain, as is required for Windows 2000
Active Directory–integrated zones.
Additional directory partitions are possible in the form of application directory partitions, but these partitions are not stored
by default on every domain controller.
Directory Partitions
The Active Directory data store holds three default directory partitions:
DisplaySpecifiers
Contains the objects that define different user interfaces (UIs) for each object class in the schema that requires a graphical
user interface (GUI), for example, context menus and property pages. The display specification system uses the information
that is stored in the display specifiers to form different UIs for administrators and end users. One set of elements can be
associated with administrative applications, and a different set of elements can be associated with end-user applications.
What you see and what the user sees are different, even though in both cases the UI references the same objects. The
display specification system stores information for property sheets, context menus, icons, creation wizards, and localized
class and attribute names.
This UI specification occurs at the level of each object class as defined in the schema in classSchema objects. Each
classSchema object can have UI display specification information that is uniquely associated with it.
The DisplaySpecifiers container stores other containers that correspond to each locale that is supported. A locale is either a
language or a language in combination with a country/region. Windows supports more than 150 locales, such as French
(Belgium), Arabic (Saudi Arabia), and so forth. The names of locale containers are the hexadecimal representations of the
locale identifiers (LCIDs). For example, the English (United States) locale container is 409.
Display-specifier objects (class displaySpecifier) are named by appending the LDAP Display Name of the class object with
the string -“-Display.”. For example, the user class has a corresponding display-specifier object called user-Display.
Therefore, when an Active Directory administrative tool displays an object of a particular class, the object is displayed
according to information that is contained in the display-specifier object whose name contains the same name as the
respective class in the container for the current locale.
Because the Active Directory schema can be modified by creating new classes and attributes or by modifying existing
classes, display-specifier objects can be modified to reflect any new UI elements that schema modifications require.
Extended-rights
Stores objects of the class controlAccessRight that can be used by applications to extend standard access control.
ForestUpdates
Stores operation objects that are generated by forest preparation tasks (when you run adprep /forestprep) so that the
system can check for the tasks that have and have not been completed when you upgrade the first domain controller in the
forest to Windows Server 2003. The child object CN=Operations contains the objects that represent each update operation.
These objects are named for the GUID of the operation. The child object CN=Windows2003Update is created to indicate that
all adprep operations have run.
LostAndFoundConfig
Provides storage for configuration directory partition objects that are being created in containers that are simultaneously
being deleted on another domain controller in the same forest. If, before replication, an object is created in or moved to a
location that no longer exists after replication, the “lost” object is added to the LostAndFoundConfig container. A
LostAndFound container in each domain directory partition serves the same purpose for domain-specific objects.
NTDS Quotas
Stores objects (class msDS-QuotaControl) that contain object ownership quota assignments for the configuration directory
partition. Quotas limit the number of objects that a user (including inetOrgPerson), group, computer, or service can own in a
domain directory partition, configuration directory partition, or application directory partition.
Partitions
Stores the cross-references to every directory partition in the forest, including the configuration partition, the schema
partition, and all domain directory partitions. These cross-references to directory partitions make referrals to other domains
possible during LDAP searches.
Physical locations
Not used in this version of Windows but reserved for future use.
Services
Stores data for various networking services and applications, such as Message Queuing (MsmqServices), public key
services, and Routing and Remote Access. In the Windows NT container, the Directory Service object (nTDSService) has
attributes that you can use to manage garbage collection intervals and dynamic object Time to Live (TTL). For the most part,
however, objects in the Services container do not require administration. Specifically, do not publish application services in
this container. Such services are best published in the Program Data container in the domain directory partition.
Sites
Identifies all of the sites in the network, the domain controllers in those sites, and the replication topology. The contents take
the form of replication transports, subnets, and the first site and site link that are created, called Default-First-Site-Name and
Default-First-Site-Link, respectively.
Builtin
Default local group accounts, such as Administrators and Users, that are installed whenever a new workstation, server, or
domain controller is set up.
Computers
A default storage area for “new” computer objects that were originally created through legacy APIs. When a Windows NT 4.0
domain or a Windows NT 3.51 domain is upgraded to Windows 2000, or when a Windows NT 4.0 domain is upgraded to
Windows Server 2003, the computer accounts are moved automatically to the Computers container. The Computers
container also supports the Windows NT 4.0 tool User Manager (Usrmgr). This container cannot be renamed, but when a
Windows Server 2003 domain has a domain functional level of Windows Server 2003, the default location for computer
accounts can be specified as an OU to redirect the location of newly created computer objects.
Domain Controllers
The default container for new domain controllers. The Domain Controllers container cannot be renamed.
ForeignSecurityPrincipals
Proxy objects for security principals that are from Windows NT 4.0 domains or Windows NT 3.51 domains, or that are from
different forests, and that have been added to Windows 2000 or Windows Server 2003 groups.
Users
A default storage area for new user accounts created through legacy APIs that are not Active Directory–aware. When a
Windows NT 4.0 domain or a Windows NT 3.51 domain is upgraded to Windows 2000, or when a Windows NT 4.0 domain is
upgraded to Windows Server 2003, the user accounts and groups are moved automatically to the Users container. The Users
container also supports the Windows NT 4.0 tool User Manager (Usrmgr). This container cannot be renamed, but when a
Windows Server 2003 domain has a domain functional level of Windows Server 2003, the default location for user and group
accounts can be specified as an OU to redirect the location of newly created user objects.
Note
The Users and Computers containers and several other special containers, called “well-known” containers, can be located
•
dependably by applications.
Deleted Objects
A special container, which is not visible in the UI, to which objects are moved when they are deleted. The deleted objects are
stored as tombstones, which are eventually removed by garbage collection. The contents of the Deleted Objects container
are visible if you search by using the 1.2.840.113556.1.4.417 control, which enables you to see deleted objects.
Infrastructure
An object of class infrastructureUpdate that identifies the NTDS Settings object of the domain controller that holds the
infrastructure operations master role for the domain.
AdminSDHolder
Administrator security descriptor holder. Windows Server 2003 implements protection of administrative groups through a
background task that computes the set of memberships and checks whether their security descriptors are well-known
protected security descriptors. If the security descriptor of any administrative account does not match that of
AdminSDHolder, the security descriptor is overwritten with the security descriptor of AdminSDHolder. This task is executed
only on the domain controller that holds the primary domain controller (PDC) emulator operations master role.
COMPartitions
A namespace that is used by Component Services to allow multiple versions of the same COM+ application to exist on the
same physical computer.
ComPartitionSets
A conceptual collection of COM+ partitions.
Dfs-Configuration
Lists the fault-tolerant Distributed File System (DFS) configuration and DFS volume information.
DomainUpdates
Stores operation objects that are generated by domain preparation tasks (when you run adprep /domainprep) so that the
system can check for tasks that have and have not been completed when you upgrade the first domain controller in the
domain to Windows Server 2003. The child Operations object contains the objects that represent each update operation.
These objects are named for the GUID of the operation. The child Windows2003Update object is created to indicate that all
adprep operations have run.
FileLinks
Used by the Distributed Link Tracking Server service (TrkSvr) to store information about linked files that have moved across
NTFS volumes. Includes ObjectMoveTable, which tracks moved files, and VolumeTable, which maps volume IDs to
computer IDs.
IP Security
Contains the Internet Protocol security (IPSec) policies that are applied to local computers, domain member servers,
domains, OUs, or any GPO in Active Directory. Depending on your organization’s guidelines, IPSec policies can store multiple
security specifications, called rules, so that one policy can be applied to multiple computers. These rules apply to all users
who log on to the computer
Meetings
A folder that is used by Microsoft NetMeeting to publish network meeting objects.
MicrosoftDNS
A container in which Active Directory–integrated zone database records are created when the scope of replication is all
domain controllers in the domain. When DNS data is stored in Active Directory, each DNS zone is an Active Directory
container object (dnsZone). The dnsZone object contains a dnsNode object for every unique name in that zone. The dnsNode
object has a dnsRecord multivalue attribute that contains a value for every resource record that is associated with an
object’s name. When the scope of replication of DNS data is all DNS servers in the domain or all DNS servers in the forest,
DNS zone data is stored in application directory partitions, not in the domain directory partition.
Policies
Contains GPOs, which specify user and computer configurations for groups of users and computers. This container stores the
default domain policy (lists the security groups and default permissions for the domain); default domain controller policy;
and policy for passwords, lockouts, Kerberos, EFS data recovery, and trusted root certificates. Each GPO in the Policies
container is identified by a GUID, and each GPO includes the following:
Version information that is used to ensure that information is synchronized with Group Policy template
•
information
• Status information that indicates whether the GPO is enabled or disabled
RpcServices
Includes the RPC name service lookup for domains using versions of Windows earlier than Windows 2000.
WinsockServices
Winsock services that publish themselves by using the registration and resolution (RnR) APIs are published in this container.
WMIPolicy
Stores Windows Management Instrumentation (WMI) filters. A WMI filter is a query based on configuration and event
information that is made available by WMI providers. By associating a WMI filter with a specific GPO, that WMI filter
determines which computers process policy settings in that GPO. Computers that meet all of the conditions that are specified
in the WMI filter return a value of TRUE and then process the GPO.
• Global catalog: Application directory partitions are not replicated to the global catalog.
Volatility: Whereas domain data should be relatively static, application directory partition data can be volatile, such as the
•
real-time data that is used by Microsoft Telephony API (TAPI) voice conferencing applications.
Stored objects
Any type of object, with the exception of security principals, can be stored in an application directory partition. In addition,
objects that reside in an application directory partition:
Can maintain distinguished-name references to other objects in the same application directory partition, objects in the
•
configuration and schema directory partitions, and any directory partition root object.
Cannot maintain distinguished-name references to objects in other application directory partitions or in domain directory
•
partitions.
• Cannot be moved to other Active Directory partitions outside the application directory partition in which they were created.
Applications can be programmed to store their dynamic data in application directory partitions. The following are examples of
applications and the kinds of dynamic objects that they store:
Real-time communication applications: These types of applications typically maintain rendezvous information about active
•
users (user name, computer, and IP address) and conferences in progress (conference name, description, time, and
originator).
Network services: Routing and Remote Access, Remote Authentication Dial-In User Service (RADIUS), Dynamic Host
•
Configuration Protocol (DHCP), and Common Open Policy Service (COPS) servers need to store dynamically changing
forms of data in a directory so that they can be accessed using one uniform method: LDAP. This data generally does not
require global replication, and it is also shared by many applications in the proximity of a single directory. (In this case,
the data is shared between RAS, RADIUS, DHCP, and COPS servers in a particular site.) The object types include
information about user sessions and bandwidth used.
Directory-enabled networking: For implementing policy-based networking, there is a large amount of nonstatic, or volatile,
•
information that must be maintained, including information about the state of network links, the flows that are active
through a router, and the data rate for each flow. Policy servers might need access to such information to make a decision
based on policies that are predicated on dynamic network state in addition to static data that is stored in the directory.
The application directory partition, with its controlled replication scope, can accommodate transient data needs in
Active Directory by providing network applications with uniform and consistent access through LDAP to both static and
dynamic data.
Component Description
NTDS.DIT The physical database file in which all directory data is stored. This file consists of three internal tables: the
data table, link table, and security descriptor (SD) table.
EDB.LOG The log file into which directory transactions are written before being committed to the database file.
EDB.CHK The file that is used to track the point up to which transactions in the log file have been committed.
RES1.LOG, Files that are used to reserve space for additional log files if EDB.LOG becomes full.
RES2.LOG
Data Table
The data table contains all the information in the Active Directory data store: users, groups, application-specific data, and
any other data that is stored in Active Directory after its installation. The data table can be thought of as having rows (each
representing an instance of an object, such as a user) and columns (each representing an attribute in the schema, such as
GivenName). For each attribute in the schema, the table contains a column, called a field. Field sizes can be fixedor
variable. Fixed-size fields contain an integer or long integer as the data type. Variable-size fields typically hold string types,
for example, Unicode strings. The database allocates only as much space as a variable-size field needs: 16 bits for a 1-
character Unicode string, 160 bits for a 10-character Unicode string, and so on.
The database space that is used to store an object depends on the number of attributes for which values are set and the size
of the values. For example, if the administrator creates two user objects (User1 and User2), sets only the minimum
attributes on them, and then later adds a 10-character description to User2, the User2 space is approximately 80 bytes
bigger than the User1 space (20 bytes for the 10 characters, plus metadata on the newly generated attribute).
Database records cannot span database pages; therefore, each object is limited to 8 kilobytes (KB). However, some attribute
values of an object do not count fully against this limit. Long, variable-length values can be stored on a different page than
the object record, leaving behind only a 9-byte reference. In this way, an object and all its attribute values can be much
larger than 8 KB.
Link Table
The link table contains data that represents linked attributes, which contain values that refer to other objects in
Active Directory. An example is the MemberOf attribute on a user object, which contains values that reference groups to
which the user belongs. The link table is much smaller than the data table.
SD Table
The SD Table contains data that represents inherited security descriptors for each object. With the introduction of the SD
table in Windows Server 2003, inherited security descriptors no longer have to be duplicated on each object that inherits
security descriptors. Instead, inherited security descriptors are stored in the SD table and linked to the appropriate objects.
Log Files
The Active Directory data store includes the log files that are described in the following table. For information about how
these log files are used, see “Logging Transactions to Enable Log-based Recovery” later in this section.
Log Files
File Description
Edb.log This file stores directory transactions before they are written to the Ntds.dit directory
database file. This file has a fixed size of 10 megabytes (MB).
Edb00001.log, Edb00002.log, Active Directory creates additional log files as necessary as existing log files fill up. Each
Edb00003.log, and so on log file has a fixed size of 10 MB.
Edb.chk This file keeps track of the point up to which transactions in the log file have been
committed.
Static Data
Active Directory is appropriate for the storage of static data that has the following characteristics:
The data is globally useful information in the domain that needs to be replicated to each Active Directory domain
•
controller.
• The data has well-defined object attributes and semantics.
The data has a useful life that is at least two times the maximum replication latency for the forest, including replication of
•
data that is marked to replicate to the global catalog. In general, if data can become outdated before the completion of a
replication cycle or shortly thereafter, it should not be stored in Active Directory. Clients should be able to tolerate the
inability to update data for at least as long as it takes for the data to be replicated throughout the domain.
The data-per-attribute value is not so large that it affects performance. Most attribute values are replicated as a single
•
block of data; therefore, an attribute that is x MB in size requires an equivalent amount of buffer space in the sending
domain controller and in the receiving domain controllers. If the amount of required buffer space is large, the performance
of the domain controllers can be affected adversely.
Attributes can have large values when the attribute is multivalued and linked. For these attributes, only the values that
change are replicated, not the entire attribute.
Dynamic Data
An object that has a TTL value is considered to be dynamic data. Windows Server 2003 introduces a new auxiliary class,
dynamicObject, that can be attached to object instances for the storage of TTL values. For an object containing a TTL
value, when the time that is specified by the TTL value is reached, the object is automatically removed from Active Directory
by garbage collection. Dynamic data typically changes faster than the replication latency that is required for propagating the
change to all replicas of the data.
The following characteristics apply to dynamic data:
• A dynamic object that is deleted as a result of expiration of its TTL does not leave a tombstone.
Dynamic objects are treated in the same manner as nondynamic objects during search, compare, add, delete, and modify
•
(including rename) operations.
A nondynamic object, after it is created, cannot be changed to a dynamic object. Likewise, a dynamic object, after it is
•
created, cannot be changed to a nondynamic object.
• A nondynamic object cannot be added in a subordinate position to a dynamic object.
Dynamic objects with TTL values are supported in the following directory partitions:
•
• Domain directory partitions at the Windows Server 2003 forest functional level
Application directory partitions on a Windows Server 2003–based domain controller, irrespective of domain or forest
•
functional level
• Dynamic objects are not supported in configuration directory partitions or schema directory partitions.
DynamicObjectMinTTLSeconds=NNNN
By configuring these values, you can set TTL values that enforce a low level of refresh traffic or, conversely, provide a highly
up-to-date directory.
Top of page
Data Store Processes and Interactions
The Active Directory data store performs a number of processes and interactions that are important to the functioning of
Active Directory. The following sections describe these processes and interactions.
These descriptions make the following assumptions regarding the environment in which the Active Directory data store is
running:
The disk volume on which the directory database is stored contains ample free
•
space.
• Network connectivity on the domain controller is functioning properly.
Database Operations
Data operations (such add, modify, and delete) are committed to the Active Directory database as transactions, which are
the units of work that are performed by a database. Transactions are atomic; that is, they are either completed in full or not
applied at all. If for any reason an error occurs and a transaction is unable to complete all of its steps, the system is returned
to the state that existed before the transaction began. An example of an atomic transaction is an account transfer
transaction in which money is removed from account A and placed into account B. If the system fails after it removes the
money from account A and before it places the money into account B, the transaction processing system puts the money
back into account A and returns the system to its original state; that is, the transaction processing system rolls back the
transaction.
In Active Directory, operations on a single object cannot be applied across multiple objects. Active Directory writes a
transaction synchronously to the transaction log file and then to the database. First, a change is made to an in-memory copy
of the object. Then, the change is written to the log file, which ensures that the change takes effect, even if the database
shuts down after that point. The database engine continually updates the database file with recent changes. The database
update works from memory — not from the log files — and it keeps pace with the updates, rather than waiting for the server
to be available. This method of performing updates is referred to as “advancing the checkpoint,” where the checkpoint is the
point in time at which all changes that have been made so far have been fully written to the database.
LDAP Functional Model
Database operations in Active Directory are based on the LDAP functional model. The LDAP functional model includes support
for common database operations, such as connecting to a directory database, searching for data, and modifying data. An
LDAP client connects to Active Directory and requests information or performs an operation. Active Directory performs the
operation or provides the information, or it refers the client to another LDAP server that might be able to do so.
Nine operations form the LDAP functional model. These operations are grouped into three areas:
Authentication. Enables the client to prove its identity to the DSA:
•
• Bind
• Unbind
• Abandon
Interrogation. Enables the client to interrogate the directory and retrieve
•
information:
• Search
• Compare
Update. Enables the client to update information in the directory tree:
•
• Add
• Delete
• Modify
Modify relative distinguished
•
name
A typical LDAP client application interacts with Active Directory through the operations that are described in the following
sections.
For more information about LDAP, see “Lightweight Directory Access Protocol (LDAP)” in the Microsoft Platform SDK on
MSDN.
Establishing a connection
When an LDAP client connects to Active Directory, an LDAP session is established. Options are available to affect the way in
which the connection is established. These options include setting a time-out value, connecting to a secure LDAP server, and
verifying that a server is available.
For the purposes of protocol exchanges, all protocol operations are encapsulated in a common envelope. LDAPMessageis
encapsulated in the Protocol Data Unit (PDU) format. LDAPMessage consists of protocol operations, such as LDAP Bind
Request, LDAP Bind Response, LDAP Search Request, and LDAP Search Response operations.
LDAPMessage PDUs are mapped directly to the TCP data stream. Active Directory clients use the following LDAP ports:
Port 389. In accordance with RFC 2251, Active Directory uses port 389 as the default port for domain controller
•
communications.
• Port 636. Active Directory supports port 636 for LDAP Secure Sockets Layer (SSL) communications.
Port 3268 and port 3269. The global catalog monitors port 3268 for LDAP communications and port 3269 for LDAP SSL
•
communications.
Space Allocation
Space is allocated hierarchically in the directory database, with the database at the top of the hierarchy. Object tables are
children of the database. Each table has a child long-value table, and each table can have child indexes. The long-value table
stores values that are too large for the main object table. Security descriptors are examples of values that are often large
enough to require storage in the long-value table.
As objects are deleted and values are replaced with smaller values, free space is returned to the database. However, there is
no optimum or target amount of white space to be maintained. The amount of unused space in the directory database is of
concern only when monitoring indicates that free disk space is becoming limited. You can configure a domain controller to log
an event that reports the amount of unused space in the directory database that can be reclaimed by offline
defragmentation.
Requesting space
The database can use free space if the space is available to the table or index that needs it and if the space occurs in blocks
that are large enough to accommodate the transaction. When an index or table requires additional space, it can request
space only from its parent. For example, the available space in an index cannot be used by another index. If the parent table
requires space, it must request space from the database. If space is not available at the database level to complete the
request, the database increases its size to accommodate the transaction.
Storing data
Objects are stored in records that are written to 8-KB data pages. The maximum record size is 8110 bytes, with the
exception of long-value columns, which can be up to 2 GB. As values are deleted, space that is freed by transactions is
returned to the table that owns the space. Free space is returned gradually in small segments, and it is periodically
reorganized into contiguous pages through an automatic process called online defragmentation.
Data pages are filled with records in an ordered fashion. For example, all records beginning with A must be stored in the
page that is designated as storing the values that range from A to some other value. For example, given pages A-E and F-J,
if a value corresponds to the A-E page and that page is full, the value cannot be stored in the F-J page, even if space is
available. Instead, one or more new pages are added. When a table grows, it grows in increments equal to one-fourth its
initially allocated size.
In this way, Active Directory data storage optimizes lookup speed as opposed to storage space. However, because of the
hierarchical means of allocating free space and the order that is required for filling data pages, free space that is present in
the database is not always available for use.
• Deletes tombstones.
Defragments the database file to compact data and optimize free space (triggers online
•
defragmentation).
Garbage collection runs independently on each domain controller. When the garbage collection process occurs, the process
finds the set of tombstones whose originating deletion occurred more than a tombstone lifetime ago, and then it deletes each
tombstone in that set.
Two attributes of the Directory Service object (nTDSService) in the configuration container (CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration, DC=forestRootDomain) control how garbage collection runs and
what it removes, as follows:
The tombstone lifetime determines the amount of time that a deleted object lives as a tombstone in the directory before
•
being collected as garbage. This amount of time is set in the tombstoneLifetime attribute. The minimum setting is
2 days. The default setting for this attribute varies according to operating system and forest creation or upgrade, as
follows:
Forests that were created on a domain controller running Windows Server 2003 with no service pack installed or any
•
version of Windows 2000 Server: 60 days.
Forests that were upgraded from Windows Server 2003 with no service pack installed or any version of
•
Windows 2000 Server: 60 days.
• Forests that were created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1): 180 days.
Note
You cannot purge tombstones before the expiration of the tombstone
•
lifetime.
The garbage collection interval determines how often a domain controller examines its database for expired tombstones
•
that can be collected. This interval is set in the garbageCollPeriod attribute. The default setting is 12 hours, and the
minimum setting is 1 hour.
Note
The default value for each of these two attributes applies if the attribute is not set (which is the initial state of the
•
system). The minimum value applies if the attribute is set to a value that is below the minimum (that is, if the minimum
is not declared in the schema).
The maximum garbage collection interval is one-third of the tombstone lifetime (in hours). For example, if you set
tombstoneLifetime to 30 days and garbageCollPeriod to 300 hours, the actual garbage collection period is only 10 days
or 240 hours.
• Object: DC=DomainName
• Attribute: msDS-LogonTimeSyncInterval
• NTLM
• Kerberos
Security protocols notify the directory database of a successful logon so that the account can be marked appropriately in the
lastLogon and lastLogonTimeStamp attributes. Therefore, to use stale account detection effectively, it is important that
administrators are aware of the security protocols that are in use in their environments.
For example, in Windows Server 2003 environments, the following security protocols request that the system validate a user
password:
• Kerberos authentication
• Digest authentication
• Third-party Security Support Provider Interfaces (SSPIs) when using the LSA APIs
The following security protocols can reference an account for a security operation:
Database Defragmentation
As described earlier in this section, the database system uses the quickest way to fill database pages. Although this system is
efficient in searching and updating the database quickly, it does not make the most efficient use of space in the database. As
write operations occur and data pages fill, a certain amount of space often remains in a page that cannot be used by other
transactions because the space is not large enough. In addition, space that is freed by version store cleanup is returned to
the owning indexes or tables in noncontiguous chunks. Therefore, free space that exists in the database is not always
available for use because it is fragmented.
Defragmentation rearranges how the data is stored in the database, compressing the data and making free space available in
contiguous pages. Free space is managed automatically during database defragmentation.
Database defragmentation can take place online (while the computer is running as a domain controller) or offline (while the
computer is running in Directory Services Restore Mode). Defragmentation has different effects on database size, depending
on whether defragmentation is run while the domain controller is online or offline:
Online defragmentation: Occurs automatically by default. Online defragmentation compacts data and optimizes free space
•
for database use, thereby maintaining the file size of the database.
Offline defragmentation: Occurs only manually in Directory Services Restore Mode. Offline defragmentation compacts data
•
and returns free space to the file system, thereby decreasing the file size of the database.
Online Defragmentation
During online defragmentation, space in partially filled data pages is reorganized to consolidate it into full 8-KB pages. In
addition, any pages that have been skipped by version store cleanup are reclaimed for use by the database. Online
defragmentation returns a freed page directly to the part of the tree (database, object table, index, or long-value table) that
owns the page that is being freed. When a sufficient number of contiguous free pages (approximately 16) exist in a given
child tree, the space is released to the parent tree.
Note
On domain controllers running Windows 2000 Server, online defragmentation does not reclaim free space that is deleted
•
from long-value tables.
Offline Defragmentation
Offline defragmentation rebuilds the directory database and releases unneeded space back to the file system. Offline
defragmentation must be performed in Directory Services Restore Mode, which restarts the computer as a stand-alone
server, that is, as a computer that is not acting as a domain controller. In Directory Services Restore Mode, you can use the
ntdsutil command-line tool to defragment the Ntds.dit file. Offline defragmentation produces a defragmented version of the
database file in a separate directory. You can archive the original Ntds.dit file and move the defragmented file into the
current directory.
Only offline defragmentation provides a clear picture of the amount of space that is consumed by the database file. You can
use offline defragmentation to test database growth by comparing the defragmented version of the file with the fragmented
version. For example, on a newly installed domain controller, if you perform a bulk load of objects and then defragment the
database file offline, the difference between the two files is the space that is occupied by the new objects. There is no
standard or optimal value for the percentage of free space that might exist in the database at any given time. If you are
concerned about database size, set the DSA to log a message in the Directory Service event log during garbage collection
that states how much disk space could be freed up through offline defragmentation.
• The term “user” in this discussion of security principals indicates both the user and inetOrgPerson classes of objects.
By default, quotas are not set, so there are no limits to the number of objects that can be owned by any security principal.
For each target directory partition, you can set different limits for different security principals or you can set limits that apply
to all security principals, or you can do both.
Quotas can be set per directory partition, except for the schema directory partition, which does not support quotas. You can
set quotas to apply to security principals for a directory partition by using the command line. Use the following commands to
manage quotas:
Quota Containers
The NTDS Quotas container (class msDS-QuotaContainer) is a special system container that the quota system uses. The
NTDS Quotas container has the following characteristics:
It is a child object of the root of a parent directory partition (including domain, configuration, and application directory
•
partitions).
• It cannot be deleted, but it can be renamed.
• It is tracked by the parent container through the wellKnownObjects attribute on the parent container.
Each directory partition has exactly one well-known NTDS Quotas container that stores explicit quota assignment objects for
the partition.
Two attributes of this well-known container specify a default quota value and how quotas are computed for that directory
partition:
msDS-DefaultQuota: A default quota that applies to any security principal that creates objects in the directory partition
•
and for which no explicit quota assignment exists. If no value is set for this attribute or if the attribute has the value -1,
there is no default quota for the directory partition. In this case, security principals that do not have explicit quotas
assigned have the ability to create unlimited objects in that directory partition, subject to access control. The default value
for msDS-DefaultQuota on a directory partition is unlimited (not set). To manage this value, use the dsmod partition
command.
msDS-TombstoneQuotaFactor: The percentage factor by which tombstone object count should be reduced for the
•
purpose of quota accounting. By default, the setting is 100, which means that a tombstone (a deleted object) that was
originally created by a security principal is equal to 1 object of that user’s quota. If the percentage factor were set to 50,
each tombstone would represent only half an object rather than an entire object. Likewise, a tombstone quota factor of
25 means that four tombstones are the equivalent of 1 owned object. In this way, the quota for a security principal is
computed relative to objects and tombstones. To manage this value, use the dsmod partition command.
Tracking Object Ownership
To enforce compliance with Active Directory quotas, object ownership is tracked by each domain controller running
Windows Server 2003. After a domain controller is upgraded to Windows Server 2003, the system determines the number of
objects that are owned by each security principal and for each directory partition that the domain controller hosts, and the
system generates a tracking table for internal object ownership to track quota consumption. Thereafter, when objects are
created, deleted, or reanimated or their ownership is transferred in a directory partition that the domain controller hosts, the
quota tracking data is suitably updated.
Enforcing Quotas
Quotas are enforced only on originating updates and only by domain controllers running Windows Server 2003. When an
update originates on a Windows Server 2003 domain controller, quotas are enforced. At the time of the operation, if the
requestor is not exempt from quotas, the effective quota limit for the requestor is computed on the basis of the default quota
setting for the directory partition or any explicit quota assignments. Further, the requestor’s current quota consumption is
computed using the object ownership tracking data and the tombstone quota factor. If the pending object transaction
(create, delete, reanimate, or transfer of ownership) causes the quota limit to be exceeded, the transaction fails.
If an originating update occurs on a domain controller running Windows 2000 Server, quotas are not enforced. However, as
Windows Server 2003 domain controllers receive replicated updates, regardless of their origin, they update object ownership
tracking data for the respective security principal.
Thus, although Windows Server 2003 domain controllers can always update quota tracking data, quotas are effectively
enforced at the domain level only when all domain controllers in the domain are running Windows Server 2003 and at the
forest level (for the configuration directory partition) only when all domain controllers in the forest are running
Windows Server 2003.
Effective quota
Multiple quota assignments can exist for a given security principal through an individual quota assignment or through quota
assignments for one or more security groups of which the principal is a member, or both. When multiple quota assignments
exist for a security principal, the effective quota is computed to be the maximum of the applicable quota assignments that
are specified. For example, if a user belongs to two groups that have different quotas specified for the same directory
partition, the higher of the two quota values applies to the user.
If no quota assignments are specified for a security principal or for any of the security groups of which the security principal
is a member, the effective quota is the default quota that is specified for the directory partition in the msDS-DefaultQuota
attribute on the NTDS Quotas container.
Quota exemptions
Members of the Domain Admins and Enterprise Admins groups are exempted from all quota-imposed limits.
Using Quotas
You can use quotas in combination with security groups to manage objects that are created in Active Directory. The following
examples illustrate using a default quota, with exceptions to set explicit quota assignments for those groups that need the
ability to create large numbers of objects.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows XP Professional
ADSI Edit is a Microsoft Management Console (MMC) tool that you can use to view and modify directory objects.
To find more information about ADSI Edit, see Support Tools Help in Tools and Settings Collection.
Csvde.exe: Csvde
Category
This tool ships with Windows Server 2003.
Version compatibility
Can Be Run From Can Be Run Against
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
You can use Csvde to import and export data from Active Directory by using files that store data in the comma-separated
value (CSV) file format standard. Csvde also supports batch operations that are based on CSV.
To find more information about Csvde, see “Command-Line References” in Tools and Settings Collection.
Dsadd.exe: Dsadd
Category
This tool ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
You can use Dsadd to add specific types of objects to the directory.
To find more information about Dsadd, see “Command-Line References” in Tools and Settings Collection.
Dsget.exe: Dsget
Category
This tool ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows XP Professional
You can use Dsget to display the selected properties of a specific object in the directory.
To find more information about Dsget, see “Command-Line References” in Tools and Settings Collection.
Dsmod.exe: Dsmod
Category
This tool ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Can Be Run From Can Be Run Against
Computers running:
• Windows XP Professional
You can use Dsmod to modify an existing object of a specific type in the directory.
To find more information about Dsmod, see “Command-Line References” in Tools and Settings Collection.
Dsmove.exe: Dsmove
Category
This tool ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
You can use Dsmove to move a single object, within a domain, from its current location in the directory to a new location.
You can also use Dsmove to rename a single object without moving it in the directory tree.
To find more information about Dsmove, see “Command-Line References” in Tools and Settings Collection.
Dsquery.exe: Dsquery
Category
This tool ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
Can Be Run From Can Be Run Against
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
You can use Dsquery to query Active Directory according to specified criteria.
To find more information about Dsquery, see “Command-Line References” in Tools and Settings Collection.
Dsrm.exe: Dsrm
Category
This tool ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
You can use Dsrm to delete an object of a specific type, or any general object, from the directory.
To find more information about Dsrm, see “Command-Line References” in Tools and Settings Collection.
Ldifde.exe: Ldifde
Category
This tool ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows XP Professional
You can use Ldifde to create, modify, and delete directory objects on domain controllers. You can also use Ldifde to extend
the schema, export Active Directory user and group information to other applications or services, and populate
Active Directory with data from other directory services.
To find more information about Ldifde, see “Command-Line References” in Tools and Settings Collection.
Ldp.exe: Ldp
Category
This tool ships with Support Tools for Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
Servers running:
• Windows 2000 Server
• Windows Server 2003, Standard Edition
• Windows 2000 Advanced Server
• Windows Server 2003, Enterprise Edition
• Windows 2000 Datacenter Server
• Windows Server 2003, Datacenter Edition
• Windows Server 2003, Web Edition
Computers running:
• Windows XP Professional
Ldp is a Lightweight Directory Access Protocol (LDAP) graphical user interface (GUI) tool that you can use to perform
operations such as connect, bind, search, modify, add, and delete against any LDAP-compatible directory, such as
Active Directory. You can also use Ldp to view objects that are stored in Active Directory, along with their metadata, for
example, security descriptors and replication metadata.
You can use the online dbdump feature in Ldp to view values that are stored in the database while the domain controller is
running. You can trigger dbdump by modifying the dumpDatabase attribute on the rootDSE.
To find more information about Ldp, see “Support Tools Help” in Tools and Settings Collection.
Ntdsutil.exe: Ntdsutil
Category
This tool ships with Windows Server 2003.
Version compatibility
• Windows Server 2003, Standard Edition • Windows Server 2003, Standard Edition
• Windows Server 2003, Enterprise Edition • Windows Server 2003, Enterprise Edition
• Windows Server 2003, Datacenter Edition • Windows Server 2003, Datacenter Edition
You can use Ntdsutil to perform Active Directory database maintenance, manage and control single master operations, and
remove metadata left behind by domain controllers that are removed from the network without being properly uninstalled.
This tool is intended for use by experienced administrators.
To find more information about Ntdsutil, see “Command-Line References” in Tools and Settings Collection.
Top of page
Data Store Registry Entries
The following registry entries are associated with the data store.
The registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics control
the logging level for the component or process that is specified in the entry name. The value for each entry is set to an
integer from and including 0 (no logging) through 5 (most verbose logging).
The registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters control
or contain information about the configuration of the data store.
The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied.
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry
are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be
stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such
as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the
registry, use extreme caution.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
The following registry entries are located under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that result from communication between Active Directory and Microsoft Exchange clients.
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that result from communication between Active Directory and Microsoft Exchange clients.
6 Garbage Collection
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that are generated when objects that are marked for deletion are actually deleted.
7 Internal Configuration
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of internal operations.
8 Directory Access
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of read and write operations to directory objects from all sources.
9 Internal Processing
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that are related to internal directory service operations.
11 Initialization/Termination
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that are generated by starting and stopping Active Directory.
12 Service Control
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of Active Directory service events.
13 Name Resolution
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that are generated by the resolution of addresses and Active Directory names.
14 Backup
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that are related to backing up Active Directory. Specifically, controls the logging of events that
occur when Extensible Storage Engine (ESE) database records are read or written during backup.
16 LDAP Interface Events
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that are related to LDAP.
18 Global Catalog
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that are related to the global catalog.
22 DS RPC Client
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that are related to communication between Directory System Agents (DSAs). Examples of
such communication include replication and the forwarding of look-ups to a global catalog. Examples of logged events include
remote procedure call (RPC) errors, canceled calls, Domain Name System (DNS) resolution failures, and service principal
name (SPN)–related operations.
23 DS RPC Server
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that are related to a DSA acting as an RPC server. A DSA acts as an RPC server, for example,
during outbound replication, replication setup operations, cross-domain moves, and membership queries or when a client
makes a look-up call.
24 DS Schema
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls the logging of events that are related to schema errors and operations. Such errors and operations include schema
additions, deletions, modifications, look-up errors, look-up failures, and caching errors.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
The following registry entries are located under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Configuration NC
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Contains the distinguished name of the configuration directory partition.
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Determines the directory that is used as the target directory when online backups of the directory database are performed.
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Determines the directory path that is used to store Active Directory log files.
Database Logging/Recovery
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Controls a Microsoft Jet database engine parameter called JET_paramRecovery that determines whether database operations
are logged.
DS Drive Mappings
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Used to track local drive mapping names, so that the database file can be located if drive mappings are modified.
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Determines the file that is used by the domain controller for storing Active Directory objects.
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Determines the working directory of Active Directory.
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Determines how frequently the hierarchy table for the directory database is built. The hierarchy table is used only by the
Messaging API (MAPI) interface.
Ldapserverintegrity
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Determines whether connection integrity is required (by means of checksum-signed packets) for LDAP connections.
Machine DN Name
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Contains the distinguished name of the computer on which the domain controller is running.
Root Domain
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Contains the distinguished name of the root domain of the Active Directory forest to which the domain controller is
connected.
Schema Version
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server;
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter
Edition.
Contains the schema version for which a particular operating system is configured.
System Schema Version
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and
Windows Server 2003, Datacenter Edition.
Contains the version of the schema at the time that a backup is taken. This value is used to prevent an incompatible schema
version from being restored from backup.
Top of page
Data Store Group Policy Settings
The following table lists and describes the Group Policy settings that are associated with the data store.
Group Policy Settings Associated with the Data Store
Audit Directory When it is enabled, this Group Policy setting causes successful and failed directory access events to
Services Access be logged in the Directory Service event log.
Top of page
Data Store WMI Classes
The following table lists and describes the WMI classes that are associated with the data store.
WMI Classes Associated with the Data Store