
The Active Directory data store (directory) is the database that holds all directory information, such as
information on users, computers, groups, other objects, and the objects that users can access. It also
includes other network components. The Active Directory data store is kept on the server's hard
disk in the Ntds.dit file. The file has to be stored on a drive that is formatted with the NTFS
file system. The Ntds.dit file is placed in the Ntds folder in the system root. When changes are made
to the directory, these changes are saved to the Ntds.dit file. Because all the data in Active Directory
is stored in one distributed data store, data availability is improved. A centralized data store means
less duplication and needs less administration.

Because domain controllers manage domains, each domain controller within a domain hosts a
writable copy of the Active Directory directory. This means that if one domain controller is unavailable,
users, computers, and programs are still able to access the Active Directory data store hosted on a
different domain controller in the particular domain. When changes are made to the data store on
one domain controller, these changes are replicated to the remainder of the domain controllers
within the domain. Because of Active Directory replication, domain controllers in a domain remain
synchronized with one another. Active Directory replication occurs automatically. Only domain data,
configuration data, and schema data are replicated.

Information stored in Active Directory is not all kept in the same location. The different locations
in which data is stored are called directory partitions. The domain partition holds information about the
domain, such as the users and resources in the domain. The configuration partition contains information
on the Active Directory structure, such as the configuration of the domains, domain trees, and forests.
The schema partition stores information on object classes and attributes.

Active Directory Objects

All information on users, groups, computers, servers, and security policies in Active Directory is
organized and categorized into different Active Directory objects. An Active Directory object can be
defined as a group of attributes that represent a resource in the network. Each object has a unique
name or unique identifier called a distinguished name. Objects can also contain other objects; these
objects are known as containers. In the Active Directory Users and Computers console, the default
object types created in a new domain in Active Directory are:

Domain, Organizational Unit, User, Computer, Contact, Group, Shared Folder, and Shared
Printer

Active Directory Components

Domains, organizational units (OUs), domain trees, and forests are considered logical structures.
Sites and domain controllers are considered physical structures.

Domains: Domains are the main logical structure in Active Directory because they contain Active
Directory objects. Network objects such as users, printers, shared resources, and more are
all stored in domains. Domains are also security boundaries. Access Control Lists (ACLs)
control access to objects in the domain. The domain functional level enables additional
Active Directory features; a user enables them by raising the functional level of the
domain. In Windows 2000, the concept of domain mode was used instead of the domain
functional level. The domain functional levels that can be specified are
Windows 2000 Mixed, Windows 2000 Native, Windows Server 2003 Interim, and Windows
Server 2003.

Organizational Unit (OU): An OU is a container that enables users to organize objects such
as users, computers, and even other OUs in a domain to form a logical administrative group.
An OU is the smallest Active Directory component to which users can delegate
administrative authority. A domain can have its own unique OU hierarchy.

Domain Trees: When multiple domains are grouped into a hierarchical structure by adding
child domains to a parent domain, a domain tree is created. Domains are regarded as
being part of the same domain tree when they have a contiguous naming structure. A two-way
transitive trust relationship is automatically created between the parent domain and a child
domain when the child domain is created.

Forests: A forest is the grouping of multiple domain trees into a hierarchical structure.
Domain trees in a forest have a common schema, configuration, and global catalog.
Domains within the forest are linked by two-way transitive trusts. Through the forest functional
level, users can enable additional forest-wide Active Directory features. The forest functional
levels that can be set are Windows 2000, Windows Server 2003 Interim, and Windows
Server 2003.

Sites: In Active Directory, sites are formed through the grouping of multiple subnets. Sites are
typically defined as locations in which network access is highly reliable, fast, and not very
expensive.

Domain Controllers (DCs): A domain controller is a server that stores a writable copy of Active
Directory. Domain controllers maintain the Active Directory data store. Certain master roles can be
assigned to domain controllers within a domain and forest. Domain controllers that are
assigned special master roles are called Operations Masters. These domain controllers host
a master copy of particular data in Active Directory and replicate that data to the remainder of
the domain controllers. There are five different types of master roles that can be defined for
domain controllers. Two types of master roles, the forest-wide master roles, are assigned to one
domain controller in a forest. The other three master roles, the domain-wide master roles, are
assigned to a domain controller in every domain.

The Schema Master is a forest-wide master role applied to a domain controller that
manages all changes in the Active Directory schema.

The Domain Naming Master is a forest-wide master role applied to a domain
controller that manages changes to the forest, such as adding and removing a
domain. The domain controller serving this role also manages changes to the domain
namespace.

The Relative ID (RID) Master is a domain-wide master role applied to a domain
controller that creates the unique ID numbers (relative IDs) handed out to domain controllers
and manages the allocation of these numbers.

The PDC Emulator is a domain-wide master role applied to a domain controller that
operates like a Windows NT primary domain controller. This role is typically
necessary when there are computers in one's environment running pre-Windows
2000 and XP operating systems.

The Infrastructure Master is a domain-wide master role applied to a domain controller
that manages changes made to group memberships.

Active Directory Schema

The Active Directory schema defines what types of objects can be stored in Active Directory. It also
defines what the attributes of these objects are. The following two types of schema objects, or
metadata, define the schema:

Schema class objects (schema classes): Define the objects that can be created and stored
in Active Directory. The schema attributes store information on the schema class object when
a new class is created. A schema class is therefore merely a set of schema attribute objects.

Schema attribute objects (schema attributes): Schema attributes provide information on
object classes. An object's attributes are also called the object's properties.

Although Active Directory includes a large number of object classes, additional object classes can be
created if necessary. These additions are known as extensions to the schema. Extensions can only
be performed on the domain controller holding the Schema Master role.

The object classes that can be used on access control lists (ACLs) to protect security objects are
User, Computer, and Group. These object classes are called security principals. A security principal
has a Security Identifier (SID), which is a unique number. A security principal's SID consists of the
security principal's domain SID and a Relative ID (RID). The RID is a unique suffix.
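To make the "domain SID plus RID suffix" structure concrete, here is an added Python example (not code from the page) that parses a SID in its string form, converts it to and from the binary layout stored in the objectSid attribute, splits off the domain SID and RID, and flags RIDs that denote well-known privileged principals. The sample SID is constructed and does not belong to a real domain; the well-known RID values are the standard Windows ones and are not taken from the page. A defender can run the same split over SIDs found in audit logs or ACLs to tell at a glance which domain a principal belongs to and whether its RID is a built-in privileged one.

```python
import struct

# Well-known RIDs in a domain SID (S-1-5-21-<domain>-<RID>) for highly privileged
# principals. These are the standard Windows well-known RIDs (assumption: not on the page).
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def parse_sid_string(sid):
    """Split 'S-<revision>-<authority>-<sub1>-...' into its numeric parts."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    return revision, authority, subs


def sid_to_bytes(sid):
    """Encode a SID string in the binary layout stored in objectSid: revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes, big-endian), then each
    sub-authority as a 32-bit little-endian integer."""
    revision, authority, subs = parse_sid_string(sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_from_bytes(data):
    """Decode the binary objectSid layout back into the string form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def split_domain_rid(sid):
    """For a domain principal SID, return (domain SID, RID). The domain SID is
    S-1-5-21-<three 32-bit values>; the RID is the final sub-authority."""
    revision, authority, subs = parse_sid_string(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain principal SID: {sid!r}")
    domain_sid = "-".join(["S", str(revision), str(authority), *map(str, subs[:-1])])
    return domain_sid, subs[-1]


def privileged_role(sid):
    """Name of the well-known privileged principal this SID denotes, or None."""
    _, rid = split_domain_rid(sid)
    return PRIVILEGED_RIDS.get(rid)


# Constructed sample SID (not a real domain): the Domain Admins group (RID 512).
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-512"

if __name__ == "__main__":
    domain, rid = split_domain_rid(SAMPLE_SID)
    print("domain SID:", domain, "RID:", rid, "role:", privileged_role(SAMPLE_SID))
    print("binary round trip ok:", sid_from_bytes(sid_to_bytes(SAMPLE_SID)) == SAMPLE_SID)
```

Note that the check in split_domain_rid deliberately rejects SIDs such as S-1-5-32-544 (the BUILTIN\Administrators group): those are not issued by a domain and carry no domain SID prefix, so treating them as "domain plus RID" would be wrong.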
A few other concepts associated with the Active Directory schema are:

Class Derivations: Define a way of forming new object classes from existing object classes.

Schema Rules: The Active Directory directory service implements a set of rules in the
Active Directory schema that control the manner in which classes and attributes are used
and what values classes and attributes can contain. Schema rules are organized into
Structure Rules, Syntax Rules, and Content Rules.

Structure Rules: The structure rule in Active Directory is that an object class can only be placed
directly beneath specific classes. These permitted parent classes are called Possible Superiors.
Structure rules prevent users from placing an object class in an inappropriate container.

Syntax Rules: These rules define the types of values and ranges allowed for attributes.

Content Rules: These rules dictate what attributes can be associated with a particular class.

Global Catalog

The global catalog is a central information store on the objects in a forest and domain that improves
performance when searching for objects in Active Directory. The first domain controller installed in a
domain is designated as the global catalog server by default. The global catalog server stores a full
replica of all objects in its host domain and a partial replica of objects for the remainder of the
domains in the forest. The partial replica contains those objects that are frequently searched for. It is
generally recommended to configure a global catalog server for each site in a domain. The Active
Directory Sites and Services console can be used to set up additional global catalog servers.

Group Policies and Active Directory

Active Directory enables users to perform policy-based administration through Group Policy.
Through group policies, users can deploy applications and configure scripts to execute at startup,
shutdown, logon, or logoff. Users can also implement password security, control certain desktop
settings, and redirect folders. When users create a new group policy in Active Directory, the policy is
stored as a Group Policy Object (GPO). In Active Directory, users can apply a GPO to a domain,
site, or Organizational Unit.

Active Directory Object Naming Schemes

Each object in the Active Directory data store must have a unique name. Active Directory supports a
number of object naming schemes for naming objects:

Distinguished name (DN): Each object has a DN. The DN uniquely identifies a particular
object and where the object is stored. The components that make up an object's DN are:

CN: common name

OU: organizational unit

DC: domain component

A canonical name is simply a different way of representing the object's DN in a form that
is easier to read.

Relative distinguished name (RDN): The RDN identifies a particular object within a parent
container or OU.

Globally unique identifier (GUID): A GUID is a unique hexadecimal number that is assigned
to an object at the time that the object is created. The GUID of an object never changes.

User principal name (UPN): The UPN is made up of the user account name of the user and a
domain name that identifies the domain that contains the user account.
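The naming schemes above are easiest to see by taking one DN apart. The following is an added Python example (not code from the page or from Microsoft) that splits a DN into its RDNs on unescaped commas, resolves RFC 4514 backslash escapes, and derives from it the object's RDN, its parent container, its canonical name, and a UPN. The sample DN is constructed; the account name passed to upn() is an assumed value. Handling the escaped comma in the CN matters in practice, because a naive split on "," silently produces the wrong parent container for names such as "Smith, John".

```python
# Characters that RFC 4514 allows to be escaped with a backslash inside an RDN value.
SPECIAL = set(',+"\\<>;=# ')


def _trim(rdn):
    """Drop surrounding whitespace but keep a trailing escaped space ('\\ ') intact."""
    rdn = rdn.lstrip()
    while rdn.endswith(" ") and not rdn.endswith("\\ "):
        rdn = rdn[:-1]
    return rdn


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas, keeping escapes intact."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped pair: copy both characters as-is
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(_trim("".join(current)))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append(_trim("".join(current)))
    return [r for r in rdns if r]


def unescape(value):
    """Resolve backslash escapes: '\\,' -> ',' and hex pairs such as '\\2C' -> ','."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_rdn(rdn):
    """Return (attribute type in upper case, unescaped value) for one RDN."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().upper(), unescape(value.strip())


def parse_dn(dn):
    """List of (type, value) pairs, leftmost (the object itself) first."""
    return [parse_rdn(r) for r in split_dn(dn)]


def rdn_of(dn):
    """The relative distinguished name: the leftmost component, naming the object within its parent."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The container that holds the object: everything after the first RDN."""
    return ",".join(split_dn(dn)[1:])


def domain_of(dn):
    """DNS name of the domain, joined from the DC components in DN order."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def canonical_name(dn):
    """Canonical form: DNS domain, then containers from the root downward, then the object."""
    path = [v for a, v in parse_dn(dn) if a != "DC"]
    return domain_of(dn) + "/" + "/".join(reversed(path))


def upn(account_name, dn):
    """User principal name: account name @ the DNS name of the containing domain."""
    return f"{account_name}@{domain_of(dn)}"


# Constructed sample DN (not from the page); the comma inside the CN is escaped.
SAMPLE_DN = "CN=Smith\\, John,OU=Sales,OU=Corp,DC=example,DC=com"

if __name__ == "__main__":
    print("RDN:      ", rdn_of(SAMPLE_DN))
    print("parent:   ", parent_dn(SAMPLE_DN))
    print("canonical:", canonical_name(SAMPLE_DN))
    print("UPN:      ", upn("jsmith", SAMPLE_DN))   # 'jsmith' is an assumed account name
```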

Active Directory Replication

In Active Directory, replication ensures that any changes made on a domain controller within a
domain are replicated to all the other domain controllers in the domain. Active Directory uses
multi-master replication to replicate changes in the Active Directory data store to the domain
controllers. With multi-master replication, domain controllers are considered peers of one another.
With Windows Server 2003, the Knowledge Consistency Checker (KCC) creates a replication
topology for the forest to ensure that changes are replicated efficiently to the domain controllers.
A replication topology reflects the physical connections that domain controllers use to replicate the
Active Directory directory to domain controllers in a site or in different sites. Intra-site replication
occurs when the Active Directory directory is replicated within a site. When replication occurs
between sites, it is known as inter-site replication. Since the bandwidth between sites is typically
limited, site link objects carry the information that identifies the most favorable links for moving
replication data between sites in Active Directory.
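The "most favorable link" decision comes down to the cost assigned to each site link. The following added Python example (not the page's or Microsoft's code, and a simplification of what the KCC actually builds) models site links as weighted connections between sites and finds the least-cost route between two sites with Dijkstra's algorithm. The topology is constructed for illustration; it assumes every site link carries a single numeric cost and that all site links are bridged, so that replication may pass through intermediate sites. This is useful when reviewing why replication traffic between two sites takes an unexpected path, which is often the first symptom of a mis-set cost on a newly added link.

```python
import heapq

# Constructed sample topology (not from the page): site link name -> cost and the sites it
# joins. As in Active Directory Sites and Services, one site link may join more than two sites.
SITE_LINKS = {
    "HQ-Branch1":      {"cost": 100, "sites": {"HQ", "Branch1"}},
    "HQ-Branch2":      {"cost": 200, "sites": {"HQ", "Branch2"}},
    "Branch1-Branch2": {"cost": 50,  "sites": {"Branch1", "Branch2"}},
    "HQ-DR":           {"cost": 500, "sites": {"HQ", "DR"}},
}


def build_graph(site_links):
    """Expand site links into an adjacency list: site -> [(neighbour, cost, link name)].
    Every pair of sites on the same link can replicate directly at that link's cost."""
    graph = {}
    for name, link in site_links.items():
        for site in link["sites"]:
            for other in link["sites"]:
                if other != site:
                    graph.setdefault(site, []).append((other, link["cost"], name))
    return graph


def least_cost_route(site_links, source, target):
    """Dijkstra over the site-link graph. Returns (total cost, [link names in order])
    or None when the target site is not reachable over any site link (assumes bridging)."""
    graph = build_graph(site_links)
    best = {source: 0}
    heap = [(0, source, [])]
    done = set()
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site in done:            # stale heap entry, a cheaper route was already settled
            continue
        done.add(site)
        if site == target:
            return cost, path
        for other, link_cost, name in graph.get(site, []):
            candidate = cost + link_cost
            if other not in best or candidate < best[other]:
                best[other] = candidate
                heapq.heappush(heap, (candidate, other, path + [name]))
    return None


if __name__ == "__main__":
    for src, dst in (("HQ", "Branch2"), ("Branch2", "DR"), ("HQ", "Nowhere")):
        print(src, "->", dst, ":", least_cost_route(SITE_LINKS, src, dst))
```

In the sample, HQ reaches Branch2 more cheaply via Branch1 (100 + 50) than over the direct link (200), so the direct HQ-Branch2 link is never the preferred route even though it exists.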

Active Directory Trust Relationships

In Active Directory, when two domains trust each other or a trust relationship exists between the
domains, the users and computers in one domain can access resources in the other domain. The
trust relationships supported in Windows Server 2003 are summarized below:

Parent/Child trust: A parent/child trust relationship exists between two domains in Active
Directory that have a common contiguous DNS namespace and belong to the same
forest. This trust relationship is established when a child domain is created in a domain tree.

Tree Root trust: A tree root trust relationship can be configured between root domains in the
same forest. The root domains do not have a common DNS namespace. This trust
relationship is established when a new tree root domain is added to a forest.

Shortcut trust: This trust relationship can be configured between two domains in different
domain trees but within the same forest. Shortcut trust is typically utilized to improve user
logon times.

External trust: External trust relationships are created between an Active Directory domain
and a Windows NT4 domain.

Realm trust: A realm trust relationship exists between an Active Directory domain and a non-Windows Kerberos realm.

Forest trust: A forest trust can be created between two Active Directory forests.
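Because the trust types above differ in direction and transitivity, the set of domains whose users can be granted access to a given domain's resources is not obvious from the list of trusts alone. The following added Python example (not from the page) records each trust from the trusting domain's side with its direction and transitivity flags, then answers, for one resource domain, which other domains' principals can be granted access there. The domain names and trusts are constructed; the parent/child and tree root trusts are modelled as two-way and transitive as the page states, and the external trust as one-way and non-transitive, which is its Windows Server 2003 default and an assumption added here. The model deliberately treats "transitive" as fully chaining, which is a simplification; it is meant for reasoning about the scope a trust opens up, not as a substitute for the domain's own trust configuration.

```python
from collections import deque

# Constructed sample (not from the page). Each entry is recorded from the trusting
# (resource) domain's side: (trusting, trusted, type, two_way, transitive).
TRUSTS = [
    ("corp.example.com",       "sales.corp.example.com", "parent/child", True,  True),
    ("corp.example.com",       "research.example.net",   "tree root",    True,  True),
    ("sales.corp.example.com", "legacy-nt",              "external",     False, False),
]


def trust_edges(trusts):
    """Expand the trust list into directed edges (trusting -> trusted, transitive).
    A two-way trust yields one edge in each direction."""
    edges = []
    for trusting, trusted, _kind, two_way, transitive in trusts:
        edges.append((trusting, trusted, transitive))
        if two_way:
            edges.append((trusted, trusting, transitive))
    return edges


def trusted_domains(trusts, resource_domain):
    """Domains whose principals can be granted access to resources in resource_domain.
    A non-transitive trust can be used only as a direct hop; a chain through other
    domains is valid only when every hop on it is transitive."""
    edges = trust_edges(trusts)
    reachable = {dst for src, dst, _ in edges if src == resource_domain}
    queue = deque(dst for src, dst, transitive in edges
                  if src == resource_domain and transitive)
    seen = set(queue) | {resource_domain}
    while queue:
        current = queue.popleft()
        for src, dst, transitive in edges:
            if src == current and transitive and dst not in seen:
                seen.add(dst)
                reachable.add(dst)
                queue.append(dst)
    reachable.discard(resource_domain)
    return reachable


if __name__ == "__main__":
    for domain in ("research.example.net", "sales.corp.example.com", "legacy-nt"):
        print(domain, "accepts principals from:", sorted(trusted_domains(TRUSTS, domain)))
```

The legacy-nt case shows the direction rule: sales.corp.example.com trusts legacy-nt one-way, so legacy-nt accounts can be granted access in the sales domain, but nothing in the forest is reachable from legacy-nt's side. The research.example.net case shows transitivity: it reaches sales.corp.example.com through the tree root and parent/child trusts, but the non-transitive external trust stops the chain before legacy-nt.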
