To scale to tens of millions of objects, a forest is partitioned into domains. Each Active Directory domain controller can be a member of one domain, and domain controllers within the same domain contain the same information. Domain controllers from different domains share the same configuration and schema data, but they do not share the same domain data. The means of distributing storage in this manner is the directory partition, which is also called a "naming context."
In Active Directory, a directory partition is a portion of the directory namespace. Each directory partition contains a hierarchy (subtree) of directory objects in the directory tree. The same directory partition can be stored as copies (replicas) on many domain controllers, and the copies are updated through directory replication.
Because a domain represents the logical boundary of objects that belong to the same administration, each domain is mapped to a different directory partition so that the objects belonging to two different domains can be maintained and replicated independently. Likewise, information that is relevant to the entire forest is replicated separately.
Directory Partition Subtrees
Every domain controller contains the following three directory partitions:
- Configuration. Contains the Configuration container, which stores configuration objects for the entire forest in cn=configuration,dc=forestRootDomain. Updates to this container are replicated to all domain controllers in the forest. Configuration objects store information about sites, services, and directory partitions. You can view the contents of the Configuration container by using ADSI Edit.
- Schema. Contains the Schema container, which stores class and attribute definitions for all existing and possible Active Directory objects in cn=schema,cn=configuration,dc=forestRootDomain. Updates to this container are replicated to all domain controllers in the forest. You can view the contents of the Schema container in the Active Directory Schema console.
- Domain. Contains a <domain> container (for example, the Reskit.com container), which stores users, computers, groups, and other objects for a specific Windows 2000 domain (for example, the Reskit.com domain). Updates to the <domain> container are replicated only to domain controllers within the domain, and to Global Catalog servers if the update is made to an attribute that is marked for replication to the Global Catalog. The <domain> container is displayed in the Active Directory Users and Computers console. The hierarchy of domain directory partitions can be viewed in the Active Directory Domains and Trusts console, where trust relationships between domains can be managed.
Each directory partition is a contiguous portion of the directory tree, and each one starts at a single point (the directory partition head) and spreads to either leaf nodes (for the schema and configuration directory partitions) or to the heads of other directory partitions below it (for domain directory partitions). Each directory partition, therefore, has exactly one directory partition immediately above it in the tree (except for a tree-root domain directory partition, which has only the rootDSE above it) and possibly more directory partitions immediately below it. For domain directory partitions, this order manifests itself in the hierarchical infrastructure discussed in "Active Directory Logical Structure" in this book.
You cannot rename the topmost object in a directory partition, which means that you cannot rename a domain, the Schema container, or the Configuration container.
Directory Partition Hierarchy
There is an important distinction between the physical storage of a directory partition and its logical position in the directory tree. Physically, all objects are stored in a single database table, regardless of the directory partition to which they are assigned by virtue of their object names. Logically, the head of a directory partition appears in the naming hierarchy as the topmost object; that is, the <domain> container, the Configuration container, and the Schema container each has a distinguished name that identifies its position in the hierarchy. The respective directory partitions contain those objects, which are called "heads": the domain directory partition contains an object named dc=domainName; the configuration directory partition contains an object named cn=configuration,dc=forestRootDomain; and the schema directory partition contains an object named cn=schema,cn=configuration,dc=forestRootDomain.
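The partition heads described above are published by every domain controller in its rootDSE, and because a partition is a contiguous subtree, the partition that stores any object is simply the longest naming context that is a suffix of the object's distinguished name. The following PowerShell script is an added example, not code from the Resource Kit; it assumes a domain-joined machine that can reach a domain controller over LDAP, and the function name Get-PartitionHead is the author's own.

```powershell
# Added example: read the partition heads (naming contexts) a domain controller
# advertises in rootDSE, then map a distinguished name to the partition that
# stores it. Assumes a domain-joined machine with LDAP reachability to a DC.

$rootDse = [ADSI]"LDAP://RootDSE"
$namingContexts = [string[]]$rootDse.namingContexts

Write-Host "Domain        : $([string]$rootDse.defaultNamingContext)"
Write-Host "Configuration : $([string]$rootDse.configurationNamingContext)"
Write-Host "Schema        : $([string]$rootDse.schemaNamingContext)"

function Get-PartitionHead {
    <#
      Returns the naming context that stores the object with the given DN.
      A child domain's head (dc=child,dc=reskit,dc=com) is itself a suffix of
      names under the parent's head, so the longest matching suffix wins.
    #>
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string[]]$NamingContexts
    )
    $dn = $DistinguishedName.Trim()
    $best = $null
    foreach ($nc in $NamingContexts) {
        if ($dn -eq $nc -or $dn.EndsWith(",$nc", [StringComparison]::OrdinalIgnoreCase)) {
            if ($null -eq $best -or $nc.Length -gt $best.Length) { $best = $nc }
        }
    }
    return $best
}

# Probe three names: the Schema container, a Configuration child, a domain child.
$probe = @(
    [string]$rootDse.schemaNamingContext,
    "cn=Sites,$([string]$rootDse.configurationNamingContext)",
    "cn=Users,$([string]$rootDse.defaultNamingContext)"
)
foreach ($dn in $probe) {
    $head = Get-PartitionHead -DistinguishedName $dn -NamingContexts $namingContexts
    Write-Host ("{0}`n  -> stored in partition {1}" -f $dn, $head)
}
```

Running this against the Schema container shows the point made in the text: its name says it sits under cn=configuration, which in turn sits under the forest root domain, yet rootDSE lists it as a partition head in its own right, so the longest-suffix rule assigns it to the schema partition rather than to the configuration or domain partition.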
Figure 2.5 shows a conceptual diagram of the directory tree hierarchy, including the directory root (rootDSE) and the default directory partitions below the directory root. In any Active Directory forest, the configuration directory partitions and schema directory partitions are always in these locations.
Figure 2.5 Default Active Directory Partitions
Each domain controller in the forest holds a master copy (replica) of the configuration and schema directory partitions, which are copied to a domain controller during domain controller promotion. All updates to configuration and schema directory partitions are replicated to every domain controller in the forest. In this way, site, service, domain, and schema information is kept consistent throughout the forest.
Forest Root Domain
Because the forest root domain is the first domain created in a forest, it is the root domain in the domain namespace hierarchy. In naming only, the topmost object of the configuration directory partition (the Configuration container) is the child of the forest root domain object in the hierarchy. The distinguished name of the Configuration container (cn=configuration,dc=forestRootDomain) reflects this naming hierarchy.
Although the distinguished name of the Configuration container indicates that it is a child of the forest root domain object, the configuration directory partition is not physically part of the forest root domain directory partition but is a separate directory partition that is replicated to all domain controllers in the forest; in contrast to the configuration directory partition, the forest root domain directory partition is replicated only to domain controllers in that domain. Similarly, the topmost object in the schema directory partition (the Schema container) is the child of the Configuration container. The distinguished name of the Schema container (cn=schema,cn=configuration,dc=forestRootDomain) shows the location of the schema to be within the forest root domain. Although the Schema container is a child of the Configuration container, the schema directory partition is not physically part of the configuration directory partition nor part of the forest root domain directory partition.
For more information about replication of directory partitions, see "Active Directory Replication" in this book.
Configuration Directory Partition
The configuration directory partition is created initially when the first Windows 2000 domain is created during the installation of Active Directory; thereafter, it is replicated to every domain controller in the forest. When a child domain or a new tree-root domain is created in the forest or when an additional domain controller is added to an existing domain, the configuration directory partition is copied to the new domain controller.
Viewing the Configuration Container
You can view the Configuration container by using ADSI Edit. When you open ADSI Edit, the Configuration container for the forest of the domain to which you are connected is displayed, along with the current domain directory partition and the Schema directory partition. Figure 2.6 illustrates the contents of the Configuration container as it is displayed in ADSI Edit.
Figure 2.6 Contents of the Configuration Container
The following objects are child containers within the Configuration container.
- DisplaySpecifiers. Contains the objects that define different user interfaces for each object class in the schema that requires a graphical user interface (for example, context menus and property pages). The display specification system uses the information that is stored in the display specifiers to form different user interfaces for administrators and for end users. One set of elements, such as property pages, context menus, and so forth, can be associated with administrative applications, and a different set of elements can be associated with end-user applications. For example, display specifiers are responsible for what you as an administrator see when you use ADSI Edit; they are also responsible for what a user sees in the product user interface. What you see and what the user sees are different, even though what is seen in both cases references the same objects. The display specification system stores information for property sheets, context menus, icons, creation wizards, and localized class and attribute names.
The DisplaySpecifiers container stores other containers that correspond to each locale that is supported by Windows 2000. A locale is either a language or a language in combination with a country/region. Windows 2000 supports more than 150 locales, such as French (Belgium), Arabic (Saudi Arabia), and so forth. The names of locale containers are the hexadecimal representations of the locale identifiers (LCIDs). For example, the English (United States) locale container is 409.
Display specifier objects (class displaySpecifier) are named by appending the string "-Display" to the LDAP display name of the class object. For example, the user class has a corresponding display specifier object called "user-Display." Thus, when an Active Directory administrative tool displays an object of a particular class, the object is displayed according to information contained in the display specifier object whose name contains the same name as the respective class within the container for the current locale.
Because Active Directory allows the schema to be modified by creating new classes and attributes or modifying existing classes, display specifier objects can be modified to reflect any new user interface elements that schema modifications require. For more information about display specifiers, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources . Follow the links to the "Windows 2000 Active Directory Programmer's Guide."
- Extended-Rights. Contains the set of all extended rights for the forest, stored as controlAccessRight objects. Access control on custom actions or operations is called control access rights, or extended rights. Access control determines who is permitted to perform operations on Active Directory objects. Access to standard actions or operations is controlled by two major types of permissions: container operations and attribute-based access. Other operations can have semantics that are not tied to specific attributes, and these operations might also require access control. For example, the user class can be granted a Send As right, which Exchange Server, Outlook, or any other e-mail program can use to determine whether a particular user can have another user send e-mail messages on their behalf. To add an extended right to Active Directory, you create a controlAccessRight object in the Extended-Rights container. For more information about extended rights, see "Access Control" in this book. For more information about creating extended rights objects, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources . Follow the links to the "Windows 2000 Active Directory Programmer's Guide."
- LostAndFoundConfig. Provides storage for global configuration objects that are being created in containers that are simultaneously being deleted elsewhere on the network. If an object has been created in or moved to a location that no longer exists after replication, the "lost" object is added to the LostAndFoundConfig container. A LostAndFound container in each domain directory partition serves the same purpose for domain-specific objects.
- Partitions. Stores the cross-references to every directory partition in the forest, including the configuration partition, the schema partition, and all domain directory partitions. These cross-references to directory partitions make referrals to other domains possible during LDAP searches. Domain directory partitions can be viewed and managed in Active Directory Domains and Trusts.
- Physical Locations. Not implemented in Windows 2000; reserved for future use.
- Sites. Identifies all of the sites in the enterprise network, the domain controllers in those sites, and the replication topology. The contents take the form of transports between sites, subnets, and the first site created, which is called Default-First-Site-Name. The contents of the Sites container can be viewed and managed in Active Directory Sites and Services. For more information about Sites container objects, see "Active Directory Replication" in this book.
- Services. Stores network-wide, service-specific information that applications use to connect to instances of services in the forest, irrespective of the computer on which the service runs. This service information includes system volumes, network services, and routing and remote access services. The contents of the Services container can be viewed and managed in Active Directory Sites and Services. For more information about the Services container objects, see "Service Publication in Active Directory" in this book, and see Windows 2000 Server Help.
- Well-Known Security Principals. Contains the special identities that are defined by the Windows 2000 security system, such as Everyone, Local System, Principal Self, Authenticated User, and Creator Owner.
Although other information can be stored in the Configuration container, it is recommended that the following criteria apply to this data:
- The information is truly of global interest (for example, the default configuration and policy information for all instances of a given service in the enterprise).
- The information is highly available, such that referencing the information that is stored in another domain is not sufficient.
- The volatility of the information is very low.
- The volume of information is very small.
Global information should be stored in one of two places: in a child of the Services container or in a child of a site object.
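The child containers listed above, and the cross-references in the Partitions container that make LDAP referrals possible, can be read directly with ADSI rather than browsed in ADSI Edit. The script below is an added example, not code from the Resource Kit; it assumes a domain-joined machine that can reach a domain controller, and it relies on the crossRef attributes nCName, dnsRoot, nETBIOSName and systemFlags, which are part of the standard schema.

```powershell
# Added example: list the children of the Configuration container, then read
# the crossRef objects under cn=Partitions that describe every partition in the
# forest. Assumes a domain-joined machine with LDAP reachability to a DC.

$rootDse   = [ADSI]"LDAP://RootDSE"
$configDn  = [string]$rootDse.configurationNamingContext
$configCtr = [ADSI]"LDAP://$configDn"

Write-Host "Children of $configDn"
foreach ($child in $configCtr.psbase.Children) {
    # objectClass is multivalued (top, container, ...); the last value is the
    # structural class the object was created as.
    $classes = @($child.objectClass)
    Write-Host ("  {0,-36} {1}" -f $child.psbase.Name, $classes[-1])
}

# Each partition the forest knows about has one crossRef under cn=Partitions.
# nCName is the partition head; dnsRoot is the DNS name a referral points at.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://cn=Partitions,$configDn"
$searcher.Filter      = "(objectClass=crossRef)"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
[void]$searcher.PropertiesToLoad.AddRange(@('nCName', 'dnsRoot', 'nETBIOSName', 'systemFlags'))

Write-Host "`nPartitions registered in cn=Partitions,$configDn"
foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    # systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN) distinguishes a domain partition
    # from the configuration and schema partitions, which only carry 0x1.
    $flags    = if ($p['systemflags'].Count) { [int]$p['systemflags'][0] } else { 0 }
    $isDomain = ($flags -band 2) -ne 0
    $netbios  = if ($p['netbiosname'].Count) { $p['netbiosname'][0] } else { '-' }
    Write-Host ("  {0}`n    dnsRoot={1}  netbios={2}  domainPartition={3}" -f `
        $p['ncname'][0], $p['dnsroot'][0], $netbios, $isDomain)
}
```

The crossRef listing is a useful sanity check when a search to another domain unexpectedly fails: an LDAP referral can only be generated for a partition that has a crossRef here, and the dnsRoot value is the name the client will try to resolve.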
Managing Configuration Data
Three administrative tools in Windows 2000 enable you to manage different portions of the Configuration container. The following tools are available on the Start menu; point to Programs and then to Administrative Tools, which is the default menu.
- Active Directory Sites and Services.
You can manage the objects in the cn=sites,cn=configuration,dc=forestRootDomain container and the cn=services,cn=configuration,dc=forestRootDomain container.
The Services node in Active Directory Sites and Services is hidden by default. To reveal the Services node, in Active Directory Sites and Services, right-click Active Directory Sites and Services, point to View, and then click Show Services Node.
- Active Directory Domains and Trusts.
You can manage the trust relationships between the domain directory partitions represented in the cn=partitions,cn=configuration,dc=forestRootDomain container. For more information about managing trust relationships, see "Active Directory Logical Structure" and "Authentication" in this book.
- Active Directory Schema.
You can manage classSchema and attributeSchema objects stored in the Schema container (cn=schema,cn=configuration,dc=forestRootDomain). Active Directory Schema is available as an MMC snap-in that you can install from the MMC Console menu. However, there are special requirements for installing this tool that do not apply to the installation of other MMC snap-ins. For more information about how to install the Active Directory Schema MMC snap-in and about managing the schema, see "Active Directory Schema" in this book.
For more information about managing configuration data, see "Active Directory Replication" and "Active Directory Diagnostics, Troubleshooting, and Recovery" in this book.
Schema Directory Partition
The schema for Active Directory consists of a set of object classes, attributes, and syntaxes. The schema also defines rules that ensure that objects are created and modified with consistency. Active Directory contains a default set of classes and attributes that cannot be modified. However, if you have the credentials to do so and if schema modification is enabled for the domain controller, you can extend the schema by adding new attributes and classes to represent application-specific classes. These changes must be targeted at the domain controller that holds the schema master role for the forest.
For more information about enabling schema modification and extending the schema, see "Active Directory Schema" in this book. For more information about single-master roles, see "Managing Flexible Single-Master Operations" in this book, and see Windows 2000 Server Help. For more information about default classes and the schema, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources .
If all of the conditions are in place for schema modification, you can install the Active Directory Schema MMC snap-in to manage the classSchema and attributeSchema objects. This snap-in is not available by default and must be installed separately. You can also use ADSI Edit to view the schema directory partition objects and properties. When you open ADSI Edit, the Schema container is displayed by default. Expand the container to view the attributes and classes.
For more information about installing the Active Directory Schema snap-in, see "Active Directory Schema" in this book. For more information about managing schema objects, see Windows 2000 Server Help.
Domain Directory Partitions
When you create a new domain, a domain directory partition is created in Active Directory as an instance of the class domainDNS and is added to the list of domain partitions in the Partitions container.
Viewing the Contents of a Domain Directory Partition
The topmost object in each domain directory partition is a container object that is named for the DNS domain. The child containers of the domain container can be viewed in the Active Directory Users and Computers console.
Some containers are visible in the Active Directory Users and Computers console only in the Advanced Features view. To view all of the containers in Active Directory Users and Computers, on the View menu, click Advanced Features. In addition to displaying more containers, the Advanced Features view also displays the Object and Security property pages when you view an object's properties. The Object tab displays class, creation, and modification information about the object. The Security tab can be used to set permissions on an object so that unauthorized users do not have access to protected information.
A domain container has the following child containers:
- Users. Default storage area for new user accounts that are created through legacy APIs that are not Active Directory–aware. When a Windows NT 4.0 domain or a Windows NT 3.51 domain is upgraded to Windows 2000, the user accounts and groups are moved automatically to the Users container. The Users container also supports the Windows NT 4.0 tool User Manager (Usrmgr). This container cannot be renamed.
In client applications, the Users container and other special containers (such as Computers, System, Domain Controllers, Infrastructure, Deleted Objects, and LostAndFound) can be dependably located by using well-known GUID containers. For more information about using ADSI to locate special containers, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources .
- System (Advanced Features). Built-in system settings for the various system service containers and objects. (For more information about the System container, see "Contents of the System Container" later in this chapter.)
- LostAndFound (Advanced Features). Storage area for new domain objects whose containers were deleted elsewhere at the same time that the object was created. If an object has been created in or moved to a location that is missing after replication, the "lost" object is added to the LostAndFound container. The LostAndFoundConfig container in the configuration directory partition serves the same purpose for forest-wide objects.
- Builtin. Objects that represent the default built-in groups (for example, Builtin, Administrators).
- Deleted Objects. A special container, not visible in the UI, to which objects are moved when they are deleted. The deleted objects are stored as tombstones, which are eventually removed by garbage collection. The contents of the Deleted Objects container are visible if you search by using the 1.2.840.113556.1.4.417 control, which enables you to see deleted objects. (For more information about viewing deleted objects and about LDAP searches, see "Name Resolution in Active Directory" in this book.)
- Domain Controllers. Default container for new Windows 2000 domain controllers. The Domain Controllers container cannot be renamed.
- Infrastructure. Holds information used by the domain controller that holds the infrastructure master role, which keeps interdomain object references up to date. The infrastructure master creates deleted child objects in the Infrastructure container. When these deleted objects replicate, they have the effect of removing outdated phantom records. (For more information about phantom records, see "Phantom Records" later in this chapter.)
- Computers. Default storage area for "new" computer objects that were originally created through legacy APIs that are not Active Directory–aware. When a Windows NT 4.0 domain or a Windows NT 3.51 domain is upgraded to Windows 2000, the computer accounts are moved automatically to the Computers container.
- ForeignSecurityPrincipals. Proxy objects for security principals from Windows NT 4.0 domains or Windows NT 3.51 domains or from different forests that have been added to Windows 2000 groups.
Unlike the configuration and schema directory partitions, a full copy of the domain directory partition is replicated only among domain controllers within the same domain, not to other domains in the forest. A partial copy of domain objects (all objects, but a limited set of attributes that have been configured to replicate to the global catalog) is also replicated to all domain controllers that are configured to be Global Catalog servers.
You can use Active Directory Users and Computers to manage the contents of the domain directory partition. You can use ADSI Edit to manage properties that are not displayed in Active Directory Users and Computers. When you open ADSI Edit, the domain directory partition for the domain to which you are logged on is displayed by default.
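The Deleted Objects container described in the list above is not shown by Active Directory Users and Computers or by an ordinary LDAP search; the Show Deleted Objects control has to accompany the search. The following script is an added example, not code from the Resource Kit, of listing the most recent tombstones for an audit of what has been deleted in the domain. It assumes a domain-joined machine that can reach a domain controller and uses the .NET DirectorySearcher class, whose Tombstone property attaches that control; the function name Get-DeletedObjects is the author's own.

```powershell
# Added example: enumerate tombstones in the Deleted Objects container.
# DirectorySearcher.Tombstone = $true attaches the Show Deleted Objects LDAP
# control (OID 1.2.840.113556.1.4.417); without it the container stays hidden.
# Assumes a domain-joined machine with LDAP reachability to a DC.

Add-Type -AssemblyName System.DirectoryServices

function Get-DeletedObjects {
    param(
        # Partition to search; defaults to the domain you are logged on to.
        [string]$PartitionDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext,
        [int]$Newest = 50
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$PartitionDn"
    $searcher.Filter     = "(isDeleted=TRUE)"
    $searcher.Tombstone  = $true      # adds the 1.2.840.113556.1.4.417 control
    $searcher.PageSize   = 500        # paged results so a large partition is not truncated
    [void]$searcher.PropertiesToLoad.AddRange(
        @('distinguishedName', 'lastKnownParent', 'objectClass', 'whenChanged'))

    $rows = foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        [pscustomobject]@{
            # A tombstone DN keeps the original RDN and appends "\0ADEL:<objectGUID>",
            # and the object is moved under cn=Deleted Objects in the same partition.
            DistinguishedName = $p['distinguishedname'][0]
            # lastKnownParent records where the object lived before it was deleted.
            LastKnownParent   = $(if ($p['lastknownparent'].Count) { $p['lastknownparent'][0] } else { '' })
            Class             = @($p['objectclass'])[-1]
            WhenChanged       = $p['whenchanged'][0]
        }
    }
    # whenChanged is bumped when an object becomes a tombstone, so newest first.
    $rows | Sort-Object WhenChanged -Descending | Select-Object -First $Newest
}

Get-DeletedObjects | Format-Table -AutoSize
```

Because a tombstone is stripped of most attributes, what survives (the mangled distinguished name, the class, and lastKnownParent) is exactly what an administrator needs to tell a legitimate clean-up from an unexpected deletion of, say, a group or an organizational unit; anything further has to come from the domain controller's security log. The same search against the configuration partition head lists deleted forest-wide objects, which is the counterpart of LostAndFoundConfig for objects that were removed rather than orphaned.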
Contents of the System Container
The System container stores per-domain operational information, which includes the default local security policy, file link tracking, network meetings, objects representing other trusted domains, and containers for RPC and Winsock connection points.
The System container has the following child containers:
- AdminSDHolder. Administrator security descriptor holder. Windows 2000 implements protection of administrative groups by a background task that computes the set of memberships and checks whether their security descriptors are well-known protected security descriptors. This task is executed only on the domain controller that has the primary domain controller emulator (PDC emulator) role. (For more information about security descriptors, see "Access Control" in this book. For more information about the PDC emulator role, see "Managing Flexible Single-Master Operations" in this book.)
- Default Domain Policy. Lists the security groups and default permissions for the domain. It stores policies for passwords, lockouts, Kerberos, Encrypting File System (EFS) data recovery, and trusted root certificates. It also holds the Application Categories container. Each application that is deployed has one or more associated categories that can be used to organize the applications in an organization. Categories appear when you add or change programs in Add/Remove Programs in Control Panel. A drop-down list displays all the categories. The object class of Application Category is classStore . The classStore is where COM components and applications are published. The Application Deployment wizard writes to the classStore. (For more information about the default domain policy, see "Group Policy" in this book.)
- Dfs Configuration. Lists the Fault Tolerant Distributed file system (Dfs) configuration and Dfs volume information. (For more information about Dfs, see "Distributed File System" in this book.)
- File Replication Service. Lists the Domain System Volume (SYSVOL share) and provides the replication schedule from Sunday through Saturday, 12:00 a.m. to 12:00 a.m. (For more information about the File Replication Service, see "File Replication Service" in this book.)
- FileLinks. Used by the Distributed Link Tracking Server service (TrkSvr) to store information about linked files that have moved across NTFS volumes. Includes the ObjectMoveTable, which tracks moved files, and the VolumeTable, which maps volume IDs to computer IDs. (For more information about distributed link tracking, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources .)
- IP Security. Contains the IP Security policies that are applied to local computers, domain member servers, domains, organizational units, or any Group Policy object in Active Directory. Depending upon your organization's guidelines, IP Security policies can store multiple security actions, called rules, so that one policy can be applied to multiple computers. These security specifications apply to all users who log on to the computer. (For more information about IP Security policies, see "Internet Protocol Security" in the TCP/IP Core Networking Guide.)
- Meetings. Microsoft® NetMeeting® uses the "Meetings" folder to publish network meeting objects.
- MicrosoftDNS. Active Directory-integrated zone database records are created in this container, and the contents are replicated to all domain controllers in the domain. When DNS data is stored in Active Directory, each DNS zone is an Active Directory container object (dnsZone). The dnsZone object contains a dnsNode object for every unique name within that zone. The dnsNode object has a multivalued dnsRecord attribute that contains a value for every resource record associated with that name. (For more information about Active Directory-integrated zones, see "Windows 2000 DNS" in the TCP/IP Core Networking Guide.)
- Policies. Contains Group Policy objects, which specify user and computer configurations for groups of users and computers. Each Group Policy object in this container is identified by a GUID and includes version information that is used to ensure that it is synchronized with the Group Policy template; status information that indicates whether the Group Policy object is enabled or disabled; and a list of components, or extensions, that have settings in the Group Policy object. (For more information about Group Policy, see "Group Policy" in this book.)
In addition to the Policies container, Group Policy objects are also stored in a Group Policy template and are identified by a GUID. The Group Policy template is located in the system volume and is used to store file type data for the Group Policy object.
It is highly recommended that you do not make changes to the Policies container. Instead, use the Group Policy MMC snap-in to specify a desktop configuration for a particular Group Policy object.
- RpcServices. Holds the Remote Procedure Call (RPC) name service entries used for lookups by clients running versions of Windows earlier than Windows 2000.
- WinsockServices. Windows Sockets services that publish themselves by using the registration and resolution (RnR) APIs are published in this container.
For more information about services that are published in the System container, see "Service Publication in Active Directory" in this book.
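The AdminSDHolder mechanism described in the list above leaves a visible trace on the accounts it protects: the background task copies the security descriptor of cn=AdminSDHolder,cn=System onto members of the administrative groups and blocks inheritance on them, and those objects carry adminCount=1. The script below is an added example, not code from the Resource Kit, that reports every adminCount=1 user or group together with whether its DACL still matches the template and whether inheritance is blocked. It assumes a domain-joined machine that can reach a domain controller; the exact-match comparison of the SDDL strings is the author's simplification, since the PDC emulator rewrites the DACL with the template's contents.

```powershell
# Added example: compare protected accounts (adminCount=1) against the
# AdminSDHolder template in cn=System. A protected object whose DACL differs
# from the template or still inherits permissions is worth reviewing, as is a
# stale adminCount=1 on an account that has since left the administrative
# groups (it keeps inheriting blocked). Assumes a domain-joined machine with
# LDAP reachability to a DC.

Add-Type -AssemblyName System.DirectoryServices

$domainDn   = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$holder     = [ADSI]"LDAP://cn=AdminSDHolder,cn=System,$domainDn"
# DACL only (AccessControlSections.Access) so owner and group do not skew the comparison.
$holderDacl = $holder.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm('Access')

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
$searcher.Filter   = "(&(adminCount=1)(|(objectClass=user)(objectClass=group)))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName'))

$report = foreach ($r in $searcher.FindAll()) {
    $entry = $r.GetDirectoryEntry()
    $sec   = $entry.psbase.ObjectSecurity
    $dacl  = $sec.GetSecurityDescriptorSddlForm('Access')
    [pscustomobject]@{
        Account            = $r.Properties['samaccountname'][0]
        # $true when the PDC emulator's task has stamped the template onto this object.
        DaclMatchesHolder  = ($dacl -eq $holderDacl)
        # The task also turns off inheritance; $false here means it has not run
        # against this object yet or something re-enabled inheritance afterwards.
        InheritanceBlocked = $sec.AreAccessRulesProtected
        DistinguishedName  = $r.Properties['distinguishedname'][0]
    }
}

$report | Sort-Object DaclMatchesHolder, Account | Format-Table -AutoSize
```

Run the script against the PDC emulator, or allow for replication latency, when reading the results: the task runs only on that role holder, so an account added to an administrative group a moment ago legitimately shows DaclMatchesHolder as false on another domain controller until the protected descriptor replicates.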